Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP2:Update
nodejs8
openssl_1_1_1.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File openssl_1_1_1.patch of Package nodejs8
Backport OpenSSL 1.1.1 support, mostly be disabling TLS 1.3 Upstream commits: commit 8dd8033519658bba2d7b776ec166f889a56bce31 Author: Shigeki Ohtsu <ohtsu@ohtsu.org> Date: Wed Sep 12 17:34:24 2018 +0900 tls: workaround handshakedone in renegotiation `SSL_CB_HANDSHAKE_START` and `SSL_CB_HANDSHAKE_DONE` are called sending HelloRequest in OpenSSL-1.1.1. We need to check whether this is in a renegotiation state or not. Backport-PR-URL: https://github.com/nodejs/node/pull/26270 PR-URL: https://github.com/nodejs/node/pull/25381 Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org> commit 161dca72cb06e36614fdc75184383c8f456e97a4 Author: Sam Roberts <vieuxtech@gmail.com> Date: Wed Nov 28 14:11:18 2018 -0800 tls: re-define max supported version as 1.2 Several secureProtocol strings allow any supported TLS version as the maximum, but our maximum supported protocol version is TLSv1.2 even if someone configures a build against an OpenSSL that supports TLSv1.3. Fixes: https://github.com/nodejs/node/issues/24658 PR-URL: https://github.com/nodejs/node/pull/25024 Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Partial port, remain compatible with 1.0.2: commit 970ce14f61a44504520581c5af5dc9c3bddc0f40 Author: Shigeki Ohtsu <ohtsu@ohtsu.org> Date: Wed Mar 14 14:26:55 2018 +0900 crypto: remove deperecated methods of TLS version All version-specific methods were deprecated in OpenSSL 1.1.0 and min/max versions explicitly need to be set. This still keeps comptatible with JS and OpenSSL-1.0.2 APIs for now. crypto, constants: add constant of OpenSSL-1.1.0 Several constants for OpenSSL-1.1.0 engine were removed and renamed in OpenSSL-1.1.0. This added one renamed constant in order to have a compatible feature with that of OpenSSL-1.0.2. Other missed or new constants in OpenSSL-1.1.0 are not yet added. crypto,tls,constants: remove OpenSSL1.0.2 support This is semver-majar change so that we need not to have compatibilities with older versions. Fixes: https://github.com/nodejs/node/issues/4270 PR-URL: https://github.com/nodejs/node/pull/19794 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Rod Vagg <rod@vagg.org> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Index: node-v8.15.1/src/node_constants.cc =================================================================== --- node-v8.15.1.orig/src/node_constants.cc +++ node-v8.15.1/src/node_constants.cc @@ -921,6 +921,10 @@ void DefineOpenSSLConstants(Local<Object NODE_DEFINE_CONSTANT(target, ENGINE_METHOD_ECDSA); # endif +# ifdef ENGINE_METHOD_EC + NODE_DEFINE_CONSTANT(target, ENGINE_METHOD_EC); +# endif + # ifdef ENGINE_METHOD_CIPHERS NODE_DEFINE_CONSTANT(target, ENGINE_METHOD_CIPHERS); # endif Index: node-v8.15.1/src/node_crypto.cc =================================================================== --- node-v8.15.1.orig/src/node_crypto.cc +++ node-v8.15.1/src/node_crypto.cc @@ -509,6 +509,8 @@ void SecureContext::Init(const FunctionC ASSIGN_OR_RETURN_UNWRAP(&sc, args.Holder()); Environment* env = sc->env(); + int min_version = 0; + int max_version = 0; const SSL_METHOD* method = TLS_method(); if (args.Length() == 1 && args[0]->IsString()) { @@ -531,29 +533,95 @@ void SecureContext::Init(const FunctionC } else if (strcmp(*sslmethod, "SSLv3_client_method") == 0) { return env->ThrowError("SSLv3 methods disabled"); } else if (strcmp(*sslmethod, "SSLv23_method") == 0) { + #if OPENSSL_VERSION_NUMBER >= 0x10100000L + method = TLS_method(); + #else method = SSLv23_method(); + #endif } else if (strcmp(*sslmethod, "SSLv23_server_method") == 0) { + #if OPENSSL_VERSION_NUMBER >= 0x10100000L + method = TLS_server_method(); + #else method = SSLv23_server_method(); + #endif } else if (strcmp(*sslmethod, "SSLv23_client_method") == 0) { + #if OPENSSL_VERSION_NUMBER >= 0x10100000L + method = TLS_client_method(); + #else method = SSLv23_client_method(); + #endif } else if (strcmp(*sslmethod, "TLSv1_method") == 0) { + #if OPENSSL_VERSION_NUMBER >= 0x10100000L + min_version = TLS1_VERSION; + max_version = TLS1_VERSION; + method = TLS_method(); + #else method = TLSv1_method(); + #endif } else if (strcmp(*sslmethod, "TLSv1_server_method") == 0) { + #if OPENSSL_VERSION_NUMBER >= 0x10100000L + min_version = TLS1_VERSION; + max_version = TLS1_VERSION; + method = TLS_server_method(); + #else method = TLSv1_server_method(); + #endif } else if (strcmp(*sslmethod, "TLSv1_client_method") == 0) { + #if OPENSSL_VERSION_NUMBER >= 0x10100000L + min_version = TLS1_VERSION; + max_version = TLS1_VERSION; + method = TLS_client_method(); + #else method = TLSv1_client_method(); + #endif } else if (strcmp(*sslmethod, "TLSv1_1_method") == 0) { + #if OPENSSL_VERSION_NUMBER >= 0x10100000L + min_version = TLS1_1_VERSION; + max_version = TLS1_1_VERSION; + method = TLS_method(); + #else method = TLSv1_1_method(); + #endif } else if (strcmp(*sslmethod, "TLSv1_1_server_method") == 0) { + #if OPENSSL_VERSION_NUMBER >= 0x10100000L + min_version = TLS1_1_VERSION; + max_version = TLS1_1_VERSION; + method = TLS_server_method(); + #else method = TLSv1_1_server_method(); + #endif } else if (strcmp(*sslmethod, "TLSv1_1_client_method") == 0) { + #if OPENSSL_VERSION_NUMBER >= 0x10100000L + min_version = TLS1_1_VERSION; + max_version = TLS1_1_VERSION; + method = TLS_client_method(); + #else method = TLSv1_1_client_method(); + #endif } else if (strcmp(*sslmethod, "TLSv1_2_method") == 0) { + #if OPENSSL_VERSION_NUMBER >= 0x10100000L + min_version = TLS1_2_VERSION; + max_version = TLS1_2_VERSION; + method = TLS_method(); + #else method = TLSv1_2_method(); + #endif } else if (strcmp(*sslmethod, "TLSv1_2_server_method") == 0) { + #if OPENSSL_VERSION_NUMBER >= 0x10100000L + min_version = TLS1_2_VERSION; + max_version = TLS1_2_VERSION; + method = TLS_server_method(); + #else method = TLSv1_2_server_method(); + #endif } else if (strcmp(*sslmethod, "TLSv1_2_client_method") == 0) { + #if OPENSSL_VERSION_NUMBER >= 0x10100000L + min_version = TLS1_2_VERSION; + max_version = TLS1_2_VERSION; + method = TLS_client_method(); + #else method = TLSv1_2_client_method(); + #endif } else { return env->ThrowError("Unknown method"); } @@ -578,6 +646,13 @@ void SecureContext::Init(const FunctionC SSL_CTX_sess_set_new_cb(sc->ctx_, SSLWrap<Connection>::NewSessionCallback); #if OPENSSL_VERSION_NUMBER >= 0x10100000L + SSL_CTX_set_min_proto_version(sc->ctx_, min_version); + if (max_version == 0) { + // Selecting some secureProtocol methods allows the TLS version to be "any + // supported", but we don't support TLSv1.3, even if OpenSSL does. + max_version = TLS1_2_VERSION; + } + SSL_CTX_set_max_proto_version(sc->ctx_, max_version); // OpenSSL 1.1.0 changed the ticket key size, but the OpenSSL 1.0.x size was // exposed in the public API. To retain compatibility, install a callback // which restores the old algorithm. Index: node-v8.15.1/src/tls_wrap.cc =================================================================== --- node-v8.15.1.orig/src/tls_wrap.cc +++ node-v8.15.1/src/tls_wrap.cc @@ -277,7 +277,10 @@ void TLSWrap::SSLInfoCallback(const SSL* } } - if (where & SSL_CB_HANDSHAKE_DONE) { + // SSL_CB_HANDSHAKE_START and SSL_CB_HANDSHAKE_DONE are called + // sending HelloRequest in OpenSSL-1.1.1. + // We need to check whether this is in a renegotiation state or not. + if (where & SSL_CB_HANDSHAKE_DONE && !SSL_renegotiate_pending(ssl)) { c->established_ = true; Local<Value> callback = object->Get(env->onhandshakedone_string()); if (callback->IsFunction()) {
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor
