-rwxr-xr-xconfigure.py10
-rw-r--r--doc/api/tls.md55
-rw-r--r--node.gyp6
-rw-r--r--src/node_constants.h6
4 files changed, 50 insertions, 27 deletions
diff --git a/configure.py b/configure.py
index 285dfb2250..87d99f75be 100755
--- a/configure.py
+++ b/configure.py
@@ -170,6 +170,11 @@ parser.add_option("--link-module",
"e.g. /root/x/y.js will be referenced via require('root/x/y'). "
"Can be used multiple times")
+parser.add_option('--openssl-default-cipher-list',
+ action='store',
+ dest='openssl_default_cipher_list',
+ help='Use the specified cipher list as the default cipher list')
+
parser.add_option("--openssl-no-asm",
action="store_true",
dest="openssl_no_asm",
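Review bot: The help text on the new `--openssl-default-cipher-list` option does not say what format the value takes or that it replaces, rather than extends, the compiled-in default; since the value becomes the entire `DEFAULT_CIPHER_LIST_CORE` via the `NODE_OPENSSL_DEFAULT_CIPHER_LIST` define, a packager reading `./configure --help` should be told that. Suggest `help='Use the specified OpenSSL cipher list string as the built-in default cipher list (replaces the compiled-in default, see doc/api/tls.md)'`. The option-parser statement run continues outside the hunk.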
@@ -1302,6 +1307,8 @@ def configure_openssl(o):
without_ssl_error('--openssl-no-asm')
if options.openssl_fips:
without_ssl_error('--openssl-fips')
+ if options.openssl_default_cipher_list:
+ without_ssl_error('--openssl-default-cipher-list')
return
if options.use_openssl_ca_store:
@@ -1311,6 +1318,9 @@ def configure_openssl(o):
variables['node_without_node_options'] = b(options.without_node_options)
if options.without_node_options:
o['defines'] += ['NODE_WITHOUT_NODE_OPTIONS']
+ if options.openssl_default_cipher_list:
+ variables['openssl_default_cipher_list'] = \
+ options.openssl_default_cipher_list
if not options.shared_openssl and not options.openssl_no_asm:
is_x86 = 'x64' in variables['target_arch'] or 'ia32' in variables['target_arch']
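Review bot: The option value is copied into `variables['openssl_default_cipher_list']` with no validation, and node.gyp then interpolates it verbatim inside a quoted preprocessor define (`NODE_OPENSSL_DEFAULT_CIPHER_LIST="<(openssl_default_cipher_list)"`), so a value containing a double quote or backslash yields a broken or silently altered C string literal at compile time instead of a clear configure-time error. Failing early here keeps the node.gyp hunk simple: `if any(ch in options.openssl_default_cipher_list for ch in '"\\'): error('--openssl-default-cipher-list must not contain \'"\' or \'\\\'')`, placed before the assignment. This assumes configure.py's `error()` helper, which is defined outside this hunk; a stricter whitelist of the OpenSSL cipher-string alphabet would be better still if the project wants one. The surrounding `configure_openssl` body continues past the hunk on both sides.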
diff --git a/doc/api/tls.md b/doc/api/tls.md
index bfebf5cc26..341460a171 100644
--- a/doc/api/tls.md
+++ b/doc/api/tls.md
@@ -269,33 +269,36 @@ Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
## Modifying the Default TLS Cipher suite
-Node.js is built with a default suite of enabled and disabled TLS ciphers.
-Currently, the default cipher suite is:
+Node.js is built with a default suite of enabled and disabled TLS ciphers. This
+default cipher list can be configured when building Node.js to allow
+distributions to provide their own default list.
-```text
-TLS_AES_256_GCM_SHA384:
-TLS_CHACHA20_POLY1305_SHA256:
-TLS_AES_128_GCM_SHA256:
-ECDHE-RSA-AES128-GCM-SHA256:
-ECDHE-ECDSA-AES128-GCM-SHA256:
-ECDHE-RSA-AES256-GCM-SHA384:
-ECDHE-ECDSA-AES256-GCM-SHA384:
-DHE-RSA-AES128-GCM-SHA256:
-ECDHE-RSA-AES128-SHA256:
-DHE-RSA-AES128-SHA256:
-ECDHE-RSA-AES256-SHA384:
-DHE-RSA-AES256-SHA384:
-ECDHE-RSA-AES256-SHA256:
-DHE-RSA-AES256-SHA256:
-HIGH:
-!aNULL:
-!eNULL:
-!EXPORT:
-!DES:
-!RC4:
-!MD5:
-!PSK:
-!SRP:
+The following command can be used to show the default cipher suite:
+```console
+node -p crypto.constants.defaultCoreCipherList | tr ':' '\n'
+TLS_AES_256_GCM_SHA384
+TLS_CHACHA20_POLY1305_SHA256
+TLS_AES_128_GCM_SHA256
+ECDHE-RSA-AES128-GCM-SHA256
+ECDHE-ECDSA-AES128-GCM-SHA256
+ECDHE-RSA-AES256-GCM-SHA384
+ECDHE-ECDSA-AES256-GCM-SHA384
+DHE-RSA-AES128-GCM-SHA256
+ECDHE-RSA-AES128-SHA256
+DHE-RSA-AES128-SHA256
+ECDHE-RSA-AES256-SHA384
+DHE-RSA-AES256-SHA384
+ECDHE-RSA-AES256-SHA256
+DHE-RSA-AES256-SHA256
+HIGH
+!aNULL
+!eNULL
+!EXPORT
+!DES
+!RC4
+!MD5
+!PSK
+!SRP
!CAMELLIA
```
diff --git a/node.gyp b/node.gyp
index 36cab71f56..1ebb8c2cc9 100644
--- a/node.gyp
+++ b/node.gyp
@@ -748,6 +748,7 @@
'variables': {
'openssl_system_ca_path%': '',
+ 'openssl_default_cipher_list%': '',
},
'defines': [
@@ -764,6 +765,11 @@
'msvs_disabled_warnings!': [4244],
'conditions': [
+ [ 'openssl_default_cipher_list!=""', {
+ 'defines': [
+ 'NODE_OPENSSL_DEFAULT_CIPHER_LIST="<(openssl_default_cipher_list)"'
+ ]
+ }],
[ 'error_on_warn=="true"', {
'cflags': ['-Werror'],
'xcode_settings': {
diff --git a/src/node_constants.h b/src/node_constants.h
index af5aa002eb..d7de705fb8 100644
--- a/src/node_constants.h
+++ b/src/node_constants.h
@@ -41,6 +41,9 @@
#define RSA_PSS_SALTLEN_AUTO -2
#endif
+#if defined(NODE_OPENSSL_DEFAULT_CIPHER_LIST)
+#define DEFAULT_CIPHER_LIST_CORE NODE_OPENSSL_DEFAULT_CIPHER_LIST
+#else
// TLSv1.3 suites start with TLS_, and are the OpenSSL defaults, see:
// https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_ciphersuites.html
#define DEFAULT_CIPHER_LIST_CORE \
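Review bot: The new `#if defined(NODE_OPENSSL_DEFAULT_CIPHER_LIST)` branch carries no comment explaining where the macro comes from or that it substitutes the entire compiled-in list, including the `!...` exclusions (`!PSK:`, `!SRP:`, `!CAMELLIA` are visible in the next hunk), so a packager who supplies only positive suites silently drops those exclusions. Suggest a comment above the `#if`: `// Set via ./configure --openssl-default-cipher-list (node.gyp defines NODE_OPENSSL_DEFAULT_CIPHER_LIST). The value replaces the whole default below, so it must carry its own exclusions.` The `#else` branch and its `#endif` lie outside this hunk.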
@@ -68,7 +71,8 @@
"!PSK:" \
"!SRP:" \
"!CAMELLIA"
-#endif
+#endif // NODE_OPENSSL_DEFAULT_CIPHER_LIST
+#endif // HAVE_OPENSSL
namespace node {