
github.com/nodejs/node.git - Unnamed repository; edit this file 'description' to name the repository.
authorAdam Majer <amajer@suse.de>2022-06-27 11:47:13 +0300
committerMichaƫl Zasso <targos@protonmail.com>2022-07-31 10:45:01 +0300
commita3a845b8ba2f0ea4c2ca9e734520f496a13cf6de (patch)
tree92657f995c82d1b70591767c894dbd6b70593fa9 /benchmark
parent965367f5866c2f7b5e9fbf2021cb2139941e03be (diff)
crypto: don't disable TLS 1.3 without suites
In the manual page, there is a statement that ciphersuites contain explicit default settings - all TLS 1.3 ciphersuites enabled. In node, we assume that an empty setting means no ciphersuites and we disable TLS 1.3. A correct approach to disabling TLS 1.3 is to disable TLS 1.3 and not to override the default ciphersuites with an empty string. So, only override OpenSSL's TLS 1.3 ciphersuites with an explicit list of ciphers. If none are acceptable, the correct approach is to disable TLS 1.3 instead elsewhere. Fixes: https://github.com/nodejs/node/issues/43419 PR-URL: https://github.com/nodejs/node/pull/43427 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Paolo Insogna <paolo@cowtech.it> Reviewed-By: James M Snell <jasnell@gmail.com>
Diffstat (limited to 'benchmark')
-rw-r--r--benchmark/tls/secure-pair.js2
-rw-r--r--benchmark/tls/throughput-c2s.js3
-rw-r--r--benchmark/tls/throughput-s2c.js3
-rw-r--r--benchmark/tls/tls-connect.js3
4 files changed, 8 insertions, 3 deletions
diff --git a/benchmark/tls/secure-pair.js b/benchmark/tls/secure-pair.js
index 76658fc3c42..08be1f7e46f 100644
--- a/benchmark/tls/secure-pair.js
+++ b/benchmark/tls/secure-pair.js
@@ -25,6 +25,7 @@ function main({ dur, size, securing }) {
isServer: true,
requestCert: true,
rejectUnauthorized: true,
+ maxVersion: 'TLSv1.2',
};
const server = net.createServer(onRedirectConnection);
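Review bot: The added `maxVersion: 'TLSv1.2'` at the end of the server options has no comment saying why the benchmark is capped, and this hunk has no `ciphers` entry that would hint at the reason. A one-line comment above it would keep a later reader from removing the cap as a leftover, for example `// Cap at TLS 1.2: TLS 1.3 is no longer disabled implicitly, so fix the measured protocol here.` (the reason is inferred from the commit message). The same applies to the `maxVersion` lines added in throughput-c2s.js, throughput-s2c.js and tls-connect.js, and to the client-side `maxVersion: options.maxVersion` in the next hunk. The body of main() continues outside the hunk.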
@@ -38,6 +39,7 @@ function main({ dur, size, securing }) {
cert: options.cert,
isServer: false,
rejectUnauthorized: false,
+ maxVersion: options.maxVersion,
};
const network = securing === 'clear' ? net : tls;
const conn = network.connect(clientOptions, () => {
diff --git a/benchmark/tls/throughput-c2s.js b/benchmark/tls/throughput-c2s.js
index f3a96abcbc0..023b42cbeda 100644
--- a/benchmark/tls/throughput-c2s.js
+++ b/benchmark/tls/throughput-c2s.js
@@ -33,7 +33,8 @@ function main({ dur, type, size }) {
key: fixtures.readKey('rsa_private.pem'),
cert: fixtures.readKey('rsa_cert.crt'),
ca: fixtures.readKey('rsa_ca.crt'),
- ciphers: 'AES256-GCM-SHA384'
+ ciphers: 'AES256-GCM-SHA384',
+ maxVersion: 'TLSv1.2',
};
const server = tls.createServer(options, onConnection);
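Review bot: With `ciphers: 'AES256-GCM-SHA384'` and the new `maxVersion: 'TLSv1.2'` both hard-coded in the server options, this benchmark measures only a single TLS 1.2 suite, and the same pair is added in throughput-s2c.js and tls-connect.js. If the intent is to keep the numbers comparable with earlier runs, say so in a comment; otherwise consider making the protocol version a benchmark parameter so the TLS 1.3 path is measured as well. The suite name has no ECDHE/DHE prefix, so it appears to use RSA key exchange without forward secrecy. A short comment such as `// Benchmark fixture only, not a recommended server configuration.` would stop these options from being copied elsewhere. main() starts and ends outside the hunk.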
diff --git a/benchmark/tls/throughput-s2c.js b/benchmark/tls/throughput-s2c.js
index a505a719d30..d3018cf851d 100644
--- a/benchmark/tls/throughput-s2c.js
+++ b/benchmark/tls/throughput-s2c.js
@@ -40,7 +40,8 @@ function main({ dur, type, sendchunklen, recvbuflen, recvbufgenfn }) {
key: fixtures.readKey('rsa_private.pem'),
cert: fixtures.readKey('rsa_cert.crt'),
ca: fixtures.readKey('rsa_ca.crt'),
- ciphers: 'AES256-GCM-SHA384'
+ ciphers: 'AES256-GCM-SHA384',
+ maxVersion: 'TLSv1.2',
};
let socketOpts;
diff --git a/benchmark/tls/tls-connect.js b/benchmark/tls/tls-connect.js
index 3fc2ecb6149..db50306485a 100644
--- a/benchmark/tls/tls-connect.js
+++ b/benchmark/tls/tls-connect.js
@@ -21,7 +21,8 @@ function main(conf) {
key: fixtures.readKey('rsa_private.pem'),
cert: fixtures.readKey('rsa_cert.crt'),
ca: fixtures.readKey('rsa_ca.crt'),
- ciphers: 'AES256-GCM-SHA384'
+ ciphers: 'AES256-GCM-SHA384',
+ maxVersion: 'TLSv1.2',
};
const server = tls.createServer(options, onConnection);