tls: add --tls-min-v1.2 CLI switch
For 11.x, the default minimum is TLSv1, so it needs a CLI switch to
change the default to the more secure minimum of TLSv1.2.

PR-URL: #26951
Reviewed-By: Rod Vagg <[email protected]>
Reviewed-By: Beth Griggs <[email protected]>
sam-github authored and BethGriggs committed Apr 15, 2019
1 parent 7aeca27 commit bf2c283
Showing 6 changed files with 34 additions and 0 deletions.
8 changes: 8 additions & 0 deletions doc/api/cli.md
Expand Up @@ -475,6 +475,14 @@ added: REPLACEME
Set default [`tls.DEFAULT_MIN_VERSION`][] to 'TLSv1.1'. Use for compatibility
with old TLS clients or servers.

### `--tls-min-v1.2`
<!-- YAML
added: REPLACEME
-->

Set default [`minVersion`][] to `'TLSv1.2'`. Use to disable support for TLSv1
and TLSv1.1 in favour of TLSv1.2, which is more secure.

### `--tls-min-v1.3`
<!-- YAML
added: REPLACEME
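Review bot: the new `--tls-min-v1.2` entry links [`minVersion`][] while the `--tls-min-v1.1` entry directly above it links [`tls.DEFAULT_MIN_VERSION`][]; since lib/tls.js sets `exports.DEFAULT_MIN_VERSION` for both switches, use the same link target in both entries, e.g. "Set default [`tls.DEFAULT_MIN_VERSION`][] to `'TLSv1.2'`.", and if [`minVersion`][] is kept, confirm its reference definition exists at the bottom of cli.md so the link does not render as plain brackets.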
4 changes: 4 additions & 0 deletions doc/node.1
Expand Up @@ -250,6 +250,10 @@ or servers.
Set default minVersion to 'TLSv1.1'. Use for compatibility with old TLS clients
or servers.
.
.It Fl -tls-min-v1.2
Set default minVersion to 'TLSv1.2'. Use to disable support for TLSv1 and
TLSv1.1 in favour of TLSv1.2, which is more secure.
.
.It Fl -tls-min-v1.3
Set default minVersion to 'TLSv1.3'. Use to disable support for TLSv1.2 in
favour of TLSv1.3, which is more secure.
2 changes: 2 additions & 0 deletions lib/tls.js
Expand Up @@ -58,6 +58,8 @@ if (getOptionValue('--tls-min-v1.0'))
exports.DEFAULT_MIN_VERSION = 'TLSv1';
else if (getOptionValue('--tls-min-v1.1'))
exports.DEFAULT_MIN_VERSION = 'TLSv1.1';
else if (getOptionValue('--tls-min-v1.2'))
exports.DEFAULT_MIN_VERSION = 'TLSv1.2';
else if (getOptionValue('--tls-min-v1.3'))
exports.DEFAULT_MIN_VERSION = 'TLSv1.3';
else
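Review bot: with this else-if chain the lowest minimum wins when more than one `--tls-min-v1.x` switch is present (e.g. `--tls-min-v1.0 --tls-min-v1.2` silently yields `'TLSv1'`), which is the least secure resolution of a conflicting command line or environment, given the option is `kAllowedInEnvironment`; consider either rejecting conflicting minimum switches in the options parser or documenting in cli.md that the earlier switch in this order takes precedence.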
4 changes: 4 additions & 0 deletions src/node_options.cc
Expand Up @@ -336,6 +336,10 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() {
"set default TLS minimum to TLSv1.1 (default: TLSv1)",
&EnvironmentOptions::tls_min_v1_1,
kAllowedInEnvironment);
AddOption("--tls-min-v1.2",
"set default TLS minimum to TLSv1.2 (default: TLSv1)",
&EnvironmentOptions::tls_min_v1_2,
kAllowedInEnvironment);
AddOption("--tls-min-v1.3",
"set default TLS minimum to TLSv1.3 (default: TLSv1)",
&EnvironmentOptions::tls_min_v1_3,
1 change: 1 addition & 0 deletions src/node_options.h
Expand Up @@ -138,6 +138,7 @@ class EnvironmentOptions : public Options {

bool tls_min_v1_0 = false;
bool tls_min_v1_1 = false;
bool tls_min_v1_2 = false;
bool tls_min_v1_3 = false;
bool tls_max_v1_2 = false;
bool tls_max_v1_3 = false;
15 changes: 15 additions & 0 deletions test/parallel/test-tls-cli-min-version-1.2.js
@@ -0,0 +1,15 @@
// Flags: --tls-min-v1.2
'use strict';
const common = require('../common');
if (!common.hasCrypto) common.skip('missing crypto');

// Check that node `--tls-min-v1.2` is supported.

const assert = require('assert');
const tls = require('tls');

assert.strictEqual(tls.DEFAULT_MAX_VERSION, 'TLSv1.2');
assert.strictEqual(tls.DEFAULT_MIN_VERSION, 'TLSv1.2');

// Check the min-max version protocol versions against these CLI settings.
require('./test-tls-min-max-version.js');
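Review bot: `assert.strictEqual(tls.DEFAULT_MAX_VERSION, 'TLSv1.2')` asserts a value that `--tls-min-v1.2` does not set; it pins this test to the build's current default maximum, so the test will fail whenever that default moves even though the switch under test still works. Either drop that assertion or add a comment explaining why the maximum is checked here, leaving the `DEFAULT_MIN_VERSION` assertion plus the delegated `test-tls-min-max-version.js` run as the actual coverage for the flag.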
