Our docs use both _pseudo-random_ and _pseudorandom_. Standardize on
_pseudorandom_.
PR-URL: https://github.com/nodejs/node/pull/38196
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Darshan Sen <raisinten@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Signed-off-by: James M Snell <jasnell@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/37070
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Filip Skokan <panva.ip@gmail.com>
remark-parse@9.0.0 combined with our html.js tool ends a list if a
multi-line item does not include indentation. Update our docs for this
formatting.
I looked around for a lint rule to enforce this but didn't find one
readily available. (Happy to be shown that I'm wrong about that!) We may
need to write one.
PR-URL: https://github.com/nodejs/node/pull/36049
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Daijiro Wachi <daijiro.wachi@gmail.com>
This helps catch broken links as part of the test suite. This also
improves the user experience when browsing the markdown files.
PR-URL: https://github.com/nodejs/node/pull/35191
Fixes: https://github.com/nodejs/node/issues/35189
Reviewed-By: Derek Lewis <DerekNonGeneric@inf.is>
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Docs switch between "command line" and "command-line" with no apparent
uniformity. Microsoft Style Guide prescribes "command line" as a noun
and "command-line" as a modifier, which makes a lot of sense to me.
Updating docs as appropriate.
PR-URL: https://github.com/nodejs/node/pull/35198
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Daijiro Wachi <daijiro.wachi@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
In one context, `<Buffer>` was being interpretted as an HTML tag and not
displayed.
PR-URL: https://github.com/nodejs/node/pull/35032
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
In other api docs, it seems that deprecated classes and methods are
listed along with others, and marked as deprecated. In tls docs,
deprecations were listed at the bottom of the document. This commit
reorders them to what seems to be the standard, and corrects some links
in doc/api/deprecations.md
PR-URL: https://github.com/nodejs/node/pull/34687
Reviewed-By: Rich Trott <rtrott@gmail.com>
Added options: `ticketKeys` and `sessionTimeout`, that are honored by
`createServer`, that calls `createSecureContext`.
This also introduces a minor code simplification.
PR-URL: https://github.com/nodejs/node/pull/33974
Fixes: https://github.com/nodejs/node/issues/20908
Reviewed-By: Alba Mendez <me@alba.sh>
Reviewed-By: Ujjwal Sharma <ryzokuken@disroot.org>
Clarify that the `ctx` argument of the `SNICallback` callback is
optional.
Fixes: https://github.com/nodejs/node/issues/34085
PR-URL: https://github.com/nodejs/node/pull/34097
Reviewed-By: Ujjwal Sharma <ryzokuken@disroot.org>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
We mostly have a single space between the punctuation that ends a
sentence and the start of the next sentence. Change instances with two
spaces to one.
PR-URL: https://github.com/nodejs/node/pull/33995
Reviewed-By: Matheus Marchini <mat@mmarchini.me>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Add a note warning users that when using tls.connect(),
the `servername` option must be set explicitely to enable
SNI, otherwise the connection could fail.
PR-URL: https://github.com/nodejs/node/pull/33855
Fixes: https://github.com/nodejs/node/issues/28167
Co-authored-by: Denys Otrishko <shishugi@gmail.com>
Reviewed-By: Robert Nagy <ronagy@icloud.com>
Reviewed-By: Denys Otrishko <shishugi@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Currently, running the example code will produce the following error in
bash:
$ node --tls-cipher-list="ECDHE-RSA-AES128-GCM-SHA256:!RC4" server.js
bash: !RC4: event not found
This commit changes the two examples to use single quotes to avoid the
shell from trying to interpret '!' as the history command.
PR-URL: https://github.com/nodejs/node/pull/33709
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
This commit adds a configuration option named
openssl-default-cipher-list which takes a colon separated string
specifying ciphers that should be used as the default ciphers instead of
the ones defined in node_constants.
The motivation for this is a use case where Fedora/RHEL would like
to be able to specify a default cipher in the format PROFILE=SYSTEM.
This would enable Fedora/RHEL to have a system wide security level for
all applications.
PR-URL: https://github.com/nodejs/node/pull/33708
Refs: https://docs.fedoraproject.org/en-US/packaging-guidelines/CryptoPolicies/
Reviewed-By: David Carlier <devnexen@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
The server.connections property was runtime deprecated in the
0.9 days. It was replaced with getConnections(). It is not
simply an alias for getConnections() because it fails to take
connections shared with forks into consideration. Let's not
keep it around forever and move it to end of life
Signed-off-by: James M Snell <jasnell@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/33647
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
These are changed to either ```text or ```console.
PR-URL: https://github.com/nodejs/node/pull/33028
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Notable changes:
* ECMAScript Modules - `--experimental-modules` flag removal
* AsyncLocalStorage API (experimental)
* REPL previews
* REPL reverse-i-search
* REPL substring-based search
* Error monitoring
* Monitoring `error` events
* Monitoring uncaught exceptions
* File system APIs
* New function: `fs.readv`
* Optional parameters in `fs.read`
* Console `groupIndentation` option
* `maxStringLength` option for `util.inspect()`
* Stable N-API release 6
* Stable diagnostic reports
* Increase of the default server headers timeout
* New `--trace-sigint` CLI flag
* Various crypto APIs now support Diffie-Hellman secrets
* Added support for the `dns.ALL` flag in `dns.lookup()`
* Added a new experimental API to interact with Source Map V3 data
* Added support for passing a `transferList` along with `workerData` to
the `Worker` constructor
PR-URL: https://github.com/nodejs/node/pull/33197
Prior to this commit, Bash fenced code blocks in Markdown files had
inconsistent info strings. This has been corrected to standardize on
the less-obscure variant.
PR-URL: https://github.com/nodejs/node/pull/33510
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
There's a typo that causes only the first socket to be logged
(i.e. when the warning is emitted).
In addition, server sockets aren't logged because `keylog` events
are not emitted on tls.Server, not the socket. This behaviour is
counterintuitive and has caused more bugs in the past, so make all
sockets (server or client) emit 'keylog'. tls.Server will just
re-emit these events.
Refs: https://github.com/nodejs/node/pull/30055
PR-URL: https://github.com/nodejs/node/pull/33366
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Juan José Arboleda <soyjuanarbol@gmail.com>
When cherry-picking release commits for LTS releases into master,
the `REPLACEME` metadata can be taken over as well, to give users
a more accurate view of what is being released on which release line.
This addresses this problem for all previous LTS releases for which
this has not been done.
Fixes: https://github.com/nodejs/node/issues/33001
PR-URL: https://github.com/nodejs/node/pull/33041
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Shelley Vohr <codebytere@gmail.com>
Our docs have a mix of "hostname" and "host name" in prose.
Let's follow the usage of Unix man pages, RFCs, and most
professionally-edited sources, and use "host name" in prose and
"hostname" to refer to the command and in code.
Lint rule forthcoming.
PR-URL: https://github.com/nodejs/node/pull/31326
Refs: https://github.com/nodejs/node/pull/31073
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Add the `pskCallback` client/server option, which resolves an identity
or identity hint to a pre-shared key.
Add the `pskIdentityHint` server option to set the identity hint for the
ServerKeyExchange message.
Co-authored-by: Chris Osborn <chris.osborn@sitelier.com>
Co-authored-by: stephank <gh@stephank.nl>
Co-authored-by: Taylor Zane Glaeser <tzglaeser@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/23188
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
OpenSSL has its own legacy names, but knowing the IETF name is useful
when trouble-shooting, or looking for more information on the cipher.
PR-URL: https://github.com/nodejs/node/pull/30637
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: David Carlier <devnexen@gmail.com>
Reviewed-By: Yorkie Liu <yorkiefixer@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
The use of dashes -- in general, but especially in our docs -- can be
problematic. It is used inconsistently and there is always another form
of punctuation that is as good or better for the situation. In an effort
to reduce the number of variations we use to display the same types of
information, remove the various uses of dashes from the documentation.
PR-URL: https://github.com/nodejs/node/pull/30101
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/29984
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Use explicit trailing `[]` for reference markdown links to prevent
implicit links when references are added to documents.
PR-URL: https://github.com/nodejs/node/pull/29808
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: David Carlier <devnexen@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Add `privateKeyIdentifier` and `privateKeyEngine` options
to get private key from an OpenSSL engine in tls.createSecureContext().
PR-URL: https://github.com/nodejs/node/pull/28973
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Passes the list down to SSL_CTX_set1_sigalgs_list.
Option to get the list of shared signature algorithms
from a TLS socket added as well for testing.
Signed-off-by: Anton Gerasimov <agerasimov@twilio.com>
PR-URL: https://github.com/nodejs/node/pull/29598
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Convert to asterisks when there are mixed styles in document.
Addresses Markdownlint MD004 rule
PR-URL: https://github.com/nodejs/node/pull/29516
Reviewed-By: David Carlier <devnexen@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Addresses Markdownlint MD033 issues.
Altering changlog should usually be avoided, but they don't render
currently.
PR-URL: https://github.com/nodejs/node/pull/29374
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
These are rendered as single breaks.
Addresses Markdownlint MD012 rule.
PR-URL: https://github.com/nodejs/node/pull/29352
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Notable changes:
* crypto:
* Added an oaepHash option to asymmetric encryption which allows
users to specify a hash function when using OAEP padding.
https://github.com/nodejs/node/pull/28335
* deps:
* Updated V8 to 7.6.303.29. https://github.com/nodejs/node/pull/28955
* Improves the performance of various APIs such as `JSON.parse` and
methods called on frozen arrays.
* Adds the Promise.allSettled method.
* Improves support of `BigInt` in `Intl` methods.
* For more information: https://v8.dev/blog/v8-release-76
* Updated libuv to 1.31.0. https://github.com/nodejs/node/pull/29070
* `UV_FS_O_FILEMAP` has been added for faster access to memory
mapped files on Windows.
* `uv_fs_mkdir()` now returns `UV_EINVAL` for invalid filenames on
Windows. It previously returned `UV_ENOENT`.
* The `uv_fs_statfs()` API has been added.
* The `uv_os_environ()` and `uv_os_free_environ()` APIs have been
added.
* fs:
* Added `fs.writev`, `fs.writevSync` and `filehandle.writev` (promise
version) methods. They allow to write an array of `ArrayBufferView`s
to a file descriptor. https://github.com/nodejs/node/pull/25925https://github.com/nodejs/node/pull/29186
* http:
* Added three properties to `OutgoingMessage.prototype`:
`writableObjectMode`, `writableLength` and `writableHighWaterMark`
https://github.com/nodejs/node/pull/29018
* stream:
* Added an new property `readableEnded` to readable streams. Its value
is set to `true` when the `'end'` event is emitted.
https://github.com/nodejs/node/pull/28814
* Added an new property `writableEnded` to writable streams. Its value
is set to `true` after `writable.end()` has been called.
https://github.com/nodejs/node/pull/28934
PR-URL: https://github.com/nodejs/node/pull/29210
Make `tls.connect()` support an `allowHalfOpen` option which specifies
whether or not to allow the connection to be half-opened when the
`socket` option is not specified.
PR-URL: https://github.com/nodejs/node/pull/27836
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Ouyang Yadong <oyydoibh@gmail.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
This commit replaces two long URLs in the TLS documentation
with linked text.
PR-URL: https://github.com/nodejs/node/pull/28580
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Update the API docs to always spell as Unix.
PR-URL: https://github.com/nodejs/node/pull/28576
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Notable changes:
* doc:
* The JSON variant of the API documentation is no longer experimental
(Rich Trott) https://github.com/nodejs/node/pull/27842.
* esm:
* JSON module support is always enabled under
`--experimental-modules`. The `--experimental-json-modules` flag
has been removed (Myles Borins)
https://github.com/nodejs/node/pull/27752.
* http,http2:
* A new flag has been added for overriding the default HTTP server
socket timeout (which is two minutes). Pass
`--http-server-default-timeout=milliseconds`
or `--http-server-default-timeout=0` to respectively change or
disable the timeout. Starting with Node.js 13.0.0, the timeout will
be disabled by default
(Ali Ijaz Sheikh) https://github.com/nodejs/node/pull/27704.
* inspector:
* Added an experimental `--heap-prof` flag to start the V8 heap
profiler on startup and write the heap profile to disk before exit
(Joyee Cheung) https://github.com/nodejs/node/pull/27596.
* stream:
* The `readable.unshift()` method now correctly converts strings to
buffers. Additionally, a new optional argument is accepted to
specify the string's encoding, such as `'utf8'` or `'ascii'`
(Marcos Casagrande) https://github.com/nodejs/node/pull/27194.
* v8:
* The object returned by `v8.getHeapStatistics()` has two new
properties: `number_of_native_contexts` and
`number_of_detached_contexts` (Yuriy Vasiyarov)
https://github.com/nodejs/node/pull/27933.
PR-URL: https://github.com/nodejs/node/pull/28040
Make `tls.connect()` support the `hints` option for feature parity with
`net.connect()`.
PR-URL: https://github.com/nodejs/node/pull/27816
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Yongsheng Zhang <zyszys98@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Within tls.md, the documentation for the response of
tlsSocket.getPeerCertificate() included subjectaltname
documented as an array of values. However these values are
actually returned as a single string of concatenated values.
The documentation has been updated to reflect this.
PR-URL: https://github.com/nodejs/node/pull/27757
Fixes: https://github.com/nodejs/node/issues/27721
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Exposes SSL_CTX_set_keylog_callback in the form of a `keylog` event
that is emitted on clients and servers. This enables easy debugging
of TLS connections with i.e. Wireshark, which is a long-requested
feature.
PR-URL: https://github.com/nodejs/node/pull/27654
Refs: https://github.com/nodejs/node/issues/2363
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Notable changes:
* deps:
* Updated llhttp to 1.1.3. This fixes a bug that made Node.js' HTTP
parser refuse any request URL that contained the "|" (vertical bar)
character. https://github.com/nodejs/node/pull/27595
* tls:
* Added an `enableTrace()` method to `TLSSocket` and an `enableTrace`
option to `tls.createServer()`. When enabled, TSL packet trace
information is written to `stderr`. This can be used to debug TLS
connection problems. https://github.com/nodejs/node/pull/27497https://github.com/nodejs/node/pull/27376
* cli:
* Added a `--trace-tls` command-line flag that enables tracing of TLS
connections without the need to modify existing application code.
https://github.com/nodejs/node/pull/27497
* Added a `--cpu-prof-interval` command-line flag. It can be used to
specify the sampling interval for the CPU profiles generated by
`--cpu-prof`. https://github.com/nodejs/node/pull/27535
* module:
* Added the `createRequire()` method. It allows to create a require
function from a file URL object, a file URL string or an absolute
path string. The existing `createRequireFromPath()` method is now
deprecated https://github.com/nodejs/node/pull/27405.
* Throw on `require('./path.mjs')`. This is technically a breaking
change that should have landed with Node.js 12.0.0. It is necessary
to have this to keep the possibility for a future minor version to
load ES Modules with the require function.
https://github.com/nodejs/node/pull/27417
* repl:
* The REPL now supports multi-line statements using `BigInt` literals
as well as public and private class fields and methods.
https://github.com/nodejs/node/pull/27400
* The REPL now supports tab autocompletion of file paths with `fs`
methods. https://github.com/nodejs/node/pull/26648
* meta:
* Added Christian Clauss (https://github.com/cclauss) to
collaborators. https://github.com/nodejs/node/pull/27554
PR-URL: https://github.com/nodejs/node/pull/27578
This commit adds the enableTrace option to the TLSSocket
constructor. It also plumbs the option through other relevant
APIs.
PR-URL: https://github.com/nodejs/node/pull/27497
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
The reference is confusing because the object is actually of class
SecureContext. There is no object with class "credentials".
See: https://github.com/nodejs/node/issues/20432#issuecomment-441819285
PR-URL: https://github.com/nodejs/node/pull/26908
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
A generic error lacks any of the context or detail of the underlying
OpenSSL error, so throw from C++, and report the OpenSSL error to the
callback.
PR-URL: https://github.com/nodejs/node/pull/26868
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
PR-URL: https://github.com/nodejs/node/pull/26821
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
This introduces TLS1.3 support and makes it the default max protocol,
but also supports CLI/NODE_OPTIONS switches to disable it if necessary.
TLS1.3 is a major update to the TLS protocol, with many security
enhancements. It should be preferred over TLS1.2 whenever possible.
TLS1.3 is different enough that even though the OpenSSL APIs are
technically API/ABI compatible, that when TLS1.3 is negotiated, the
timing of protocol records and of callbacks broke assumptions hard-coded
into the 'tls' module.
This change introduces no API incompatibilities when TLS1.2 is
negotiated. It is the intention that it be backported to current and LTS
release lines with the default maximum TLS protocol reset to 'TLSv1.2'.
This will allow users of those lines to explicitly enable TLS1.3 if they
want.
API incompatibilities between TLS1.2 and TLS1.3 are:
- Renegotiation is not supported by TLS1.3 protocol, attempts to call
`.renegotiate()` will always fail.
- Compiling against a system OpenSSL lower than 1.1.1 is no longer
supported (OpenSSL-1.1.0 used to be supported with configure flags).
- Variations of `conn.write('data'); conn.destroy()` have undefined
behaviour according to the streams API. They may or may not send the
'data', and may or may not cause a ERR_STREAM_DESTROYED error to be
emitted. This has always been true, but conditions under which the write
suceeds is slightly but observably different when TLS1.3 is negotiated
vs when TLS1.2 or below is negotiated.
- If TLS1.3 is negotiated, and a server calls `conn.end()` in its
'secureConnection' listener without any data being written, the client
will not receive session tickets (no 'session' events will be emitted,
and `conn.getSession()` will never return a resumable session).
- The return value of `conn.getSession()` API may not return a resumable
session if called right after the handshake. The effect will be that
clients using the legacy `getSession()` API will resume sessions if
TLS1.2 is negotiated, but will do full handshakes if TLS1.3 is
negotiated. See https://github.com/nodejs/node/pull/25831 for more
information.
PR-URL: https://github.com/nodejs/node/pull/26209
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
OpenSSL 1.0.0 returned incorrect version information. OpenSSL 1.1.0
fixed this, but returning the correct information broke our tests, so
was considered semver-major. Because of this, the version was hard-coded
to the OpenSSL 1.0.0 (incorrect) string in 5fe81c8aff.
This is ancient history, start returning the correct cipher version.
PR-URL: https://github.com/nodejs/node/pull/26625
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
OpenSSL has supported async notification of sessions and tickets since
1.1.0 using SSL_CTX_sess_set_new_cb(), for all versions of TLS. Using
the async API is optional for TLS1.2 and below, but for TLS1.3 it will
be mandatory. Future-proof applications should start to use async
notification immediately. In the future, for TLS1.3, applications that
don't use the async API will silently, but gracefully, fail to resume
sessions and instead do a full handshake.
See: https://wiki.openssl.org/index.php/TLS1.3#Sessions
PR-URL: https://github.com/nodejs/node/pull/25831
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
There is a description of how to use s_client for testing of
renegotiation limits in the `tls` module documentation. The information
is somewhat out of scope, but it also may be somewhat problematic due to
changes/peculiarities (bugs?) in recent s_client. Remove the text.
Refs: https://github.com/nodejs/node/pull/25381#issuecomment-457067137
PR-URL: https://github.com/nodejs/node/pull/25678
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
If specified, and only when a socket is created internally, the option
will make `socket.setTimeout()` to be called on the created socket with
the given timeout.
This is consistent with the `timeout` option of `net.connect()` and
prevents the `timeout` option of the `https.Agent` from being ignored
when a socket is created.
PR-URL: https://github.com/nodejs/node/pull/25517
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Roman Reiss <me@silverwind.io>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
- DEFAULT_ECDH_CURVE default changed to 'auto' for 10.0.0
- ecdhCurve parameter allowed multiple values and 'auto' from 9.0.0
PR-URL: https://github.com/nodejs/node/pull/25502
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
The API has existed forever and is used in our unit tests. It is
supported for TLS1.3 as well as 1.2 and useful for troubleshooting, so
it should be documented.
PR-URL: https://github.com/nodejs/node/pull/25423
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/25174
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
Link to the cli docs for --tls-cipher-list, and link to and mention that
NODE_OPTIONS can also be used.
PR-URL: https://github.com/nodejs/node/pull/25174
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
Support the same PEM certificate formats for the ca: option to
tls.createSecureContext() that are supported by openssl when loading a
CAfile.
Fixes: https://github.com/nodejs/node/issues/24761
PR-URL: https://github.com/nodejs/node/pull/24733
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
TLS client authentication should be tested, including failure scenarios.
PR-URL: https://github.com/nodejs/node/pull/24733
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Fill in correct pr-url: value in the YAML changelog that was missing
from f512f5ea. The stanza was also sorted in the wrong order, most
recent is supposed to be in the beginning of the changes, not the end.
PR-URL: https://github.com/nodejs/node/pull/24759
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
