author | Daniel Bevenius <daniel.bevenius@gmail.com> | 2020-06-03 12:56:58 +0200 |
committer | Shelley Vohr <shelley.vohr@gmail.com> | 2020-06-30 09:34:05 -0700 |
commit | b1f6584f8e33f8541f18de0a474c069312824eb7 (patch) | |
tree | ec67462a8ec04f3ecd788c03dfb0225bf0baac45 | |
parent | 2b5898eebc20918ebe7389b14918a1a4782c921c (diff) | |
download | node-new-b1f6584f8e33f8541f18de0a474c069312824eb7.tar.gz |
src,build: add --openssl-default-cipher-list
This commit adds a configuration option named
openssl-default-cipher-list, which takes a colon-separated string
specifying ciphers that should be used as the default ciphers instead of
the ones defined in node_constants.
The motivation for this is a use case where Fedora/RHEL would like
to be able to specify a default cipher in the format PROFILE=SYSTEM.
This would enable Fedora/RHEL to have a system wide security level for
all applications.
PR-URL: https://github.com/nodejs/node/pull/33708
Refs: https://docs.fedoraproject.org/en-US/packaging-guidelines/CryptoPolicies/
Reviewed-By: David Carlier <devnexen@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
-rwxr-xr-x | configure.py | 10 | ||||
-rw-r--r-- | doc/api/tls.md | 55 | ||||
-rw-r--r-- | node.gyp | 6 | ||||
-rw-r--r-- | src/node_constants.h | 6 |
4 files changed, 50 insertions, 27 deletions
diff --git a/configure.py b/configure.py
index 285dfb2250..87d99f75be 100755
--- a/configure.py
+++ b/configure.py
@@ -170,6 +170,11 @@ parser.add_option("--link-module",
          "e.g. /root/x/y.js will be referenced via require('root/x/y'). "
          "Can be used multiple times")
 
+parser.add_option('--openssl-default-cipher-list',
+    action='store',
+    dest='openssl_default_cipher_list',
+    help='Use the specified cipher list as the default cipher list')
+
 parser.add_option("--openssl-no-asm",
     action="store_true",
     dest="openssl_no_asm",
@@ -1302,6 +1307,8 @@ def configure_openssl(o):
       without_ssl_error('--openssl-no-asm')
     if options.openssl_fips:
       without_ssl_error('--openssl-fips')
+    if options.openssl_default_cipher_list:
+      without_ssl_error('--openssl-default-cipher-list')
     return
 
   if options.use_openssl_ca_store:
@@ -1311,6 +1318,9 @@ def configure_openssl(o):
   variables['node_without_node_options'] = b(options.without_node_options)
   if options.without_node_options:
     o['defines'] += ['NODE_WITHOUT_NODE_OPTIONS']
+  if options.openssl_default_cipher_list:
+    variables['openssl_default_cipher_list'] = \
+      options.openssl_default_cipher_list
 
   if not options.shared_openssl and not options.openssl_no_asm:
     is_x86 = 'x64' in variables['target_arch'] or 'ia32' in variables['target_arch']
diff --git a/doc/api/tls.md b/doc/api/tls.md
index e1af553096..cff642443a 100644
--- a/doc/api/tls.md
+++ b/doc/api/tls.md
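Review bot: The value of `--openssl-default-cipher-list` is copied into `variables['openssl_default_cipher_list']` in the third hunk without any validation, and the node.gyp hunk in this same commit interpolates it verbatim into `NODE_OPENSSL_DEFAULT_CIPHER_LIST="<(openssl_default_cipher_list)"`, so a value containing a double quote or a backslash yields a malformed define and an opaque compiler error instead of a configure-time message. A minimal guard placed before that assignment would report the problem where the option is set, e.g. `if any(c in options.openssl_default_cipher_list for c in '"\\'):` followed by a call to the script's existing error reporting that names the option. Configure has no way to check the string against OpenSSL's cipher-string grammar, so a list that is well-formed for the build but invalid for OpenSSL, or one that drops the exclusions present in the built-in list, will presumably surface only when a TLS context is created at runtime; the help text in the first hunk could say so and name the expected format, e.g. `help='Use the specified OpenSSL cipher string (colon-separated, e.g. PROFILE=SYSTEM) as the default cipher list; not validated at configure time'`. The enclosing `configure_openssl` function starts and ends outside the second and third hunks.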
@@ -269,33 +269,36 @@ Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256 ## Modifying the Default TLS Cipher suite -Node.js is built with a default suite of enabled and disabled TLS ciphers. -Currently, the default cipher suite is: +Node.js is built with a default suite of enabled and disabled TLS ciphers. This +default cipher list can be configured when building Node.js to allow +distributions to provide their own default list. -```text -TLS_AES_256_GCM_SHA384: -TLS_CHACHA20_POLY1305_SHA256: -TLS_AES_128_GCM_SHA256: -ECDHE-RSA-AES128-GCM-SHA256: -ECDHE-ECDSA-AES128-GCM-SHA256: -ECDHE-RSA-AES256-GCM-SHA384: -ECDHE-ECDSA-AES256-GCM-SHA384: -DHE-RSA-AES128-GCM-SHA256: -ECDHE-RSA-AES128-SHA256: -DHE-RSA-AES128-SHA256: -ECDHE-RSA-AES256-SHA384: -DHE-RSA-AES256-SHA384: -ECDHE-RSA-AES256-SHA256: -DHE-RSA-AES256-SHA256: -HIGH: -!aNULL: -!eNULL: -!EXPORT: -!DES: -!RC4: -!MD5: -!PSK: -!SRP: +The following command can be used to show the default cipher suite: +```console +node -p crypto.constants.defaultCoreCipherList | tr ':' '\n' +TLS_AES_256_GCM_SHA384 +TLS_CHACHA20_POLY1305_SHA256 +TLS_AES_128_GCM_SHA256 +ECDHE-RSA-AES128-GCM-SHA256 +ECDHE-ECDSA-AES128-GCM-SHA256 +ECDHE-RSA-AES256-GCM-SHA384 +ECDHE-ECDSA-AES256-GCM-SHA384 +DHE-RSA-AES128-GCM-SHA256 +ECDHE-RSA-AES128-SHA256 +DHE-RSA-AES128-SHA256 +ECDHE-RSA-AES256-SHA384 +DHE-RSA-AES256-SHA384 +ECDHE-RSA-AES256-SHA256 +DHE-RSA-AES256-SHA256 +HIGH +!aNULL +!eNULL +!EXPORT +!DES +!RC4 +!MD5 +!PSK +!SRP !CAMELLIA ``` @@ -746,6 +746,7 @@ 'variables': { 'openssl_system_ca_path%': '', + 'openssl_default_cipher_list%': '', }, 'defines': [ @@ -762,6 +763,11 @@ 'msvs_disabled_warnings!': [4244], 'conditions': [ + [ 'openssl_default_cipher_list!=""', { + 'defines': [ + 'NODE_OPENSSL_DEFAULT_CIPHER_LIST="<(openssl_default_cipher_list)"' + ] + }], [ 'error_on_warn=="true"', { 'cflags': ['-Werror'], 'xcode_settings': { diff --git a/src/node_constants.h b/src/node_constants.h index af5aa002eb..d7de705fb8 100644 
--- a/src/node_constants.h +++ b/src/node_constants.h @@ -41,6 +41,9 @@ #define RSA_PSS_SALTLEN_AUTO -2 #endif +#if defined(NODE_OPENSSL_DEFAULT_CIPHER_LIST) +#define DEFAULT_CIPHER_LIST_CORE NODE_OPENSSL_DEFAULT_CIPHER_LIST +#else // TLSv1.3 suites start with TLS_, and are the OpenSSL defaults, see: // https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_ciphersuites.html #define DEFAULT_CIPHER_LIST_CORE \ @@ -68,7 +71,8 @@ "!PSK:" \ "!SRP:" \ "!CAMELLIA" -#endif +#endif // NODE_OPENSSL_DEFAULT_CIPHER_LIST +#endif // HAVE_OPENSSL namespace node { |
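Review bot: The new `#if defined(NODE_OPENSSL_DEFAULT_CIPHER_LIST)` branch in the first hunk has no comment saying where the macro comes from or what it replaces, while the second hunk goes to the trouble of labelling both closing `#endif`s; a reader of node_constants.h alone cannot tell that this is the build-time override path introduced by configure.py and node.gyp in this commit. I would add directly above the `#if`: `// Set via ./configure --openssl-default-cipher-list (node.gyp emits the define). The value replaces the entire built-in list below verbatim, including its !aNULL/!eNULL/!EXPORT/!DES/!RC4/!MD5 exclusions, and is not validated at build time.` The conditional that the added `#endif // HAVE_OPENSSL` closes begins outside the hunk, so the correctness of that label cannot be confirmed from this view.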