Welcome to mirror list, hosted at ThFree Co, Russian Federation.

github.com/nodejs/node.git - Unnamed repository; edit this file 'description' to name the repository.
author    Sam Roberts <vieuxtech@gmail.com>    2018-05-06 07:52:34 +0300
committer Ruben Bridgewater <ruben@bridgewater.de>    2018-12-07 15:32:44 +0300
commit    acb73518b7274bacdfc133fd121e91dfd6ba460b (patch)
tree      b2529e77ed59d0299d006cfec3dc4b0205576fc6 /doc/api
parent    bfec6a4eb36ea96fd199f6949794cdff264825a9 (diff)
tls: add min/max protocol version options
The existing secureProtocol option only allows setting the allowed protocol
to a specific version, or setting it to "all supported versions". It also used
obscure strings based on OpenSSL C API functions. Directly setting the min or
max is easier to use and explain.

Backport-PR-URL: https://github.com/nodejs/node/pull/24676
PR-URL: https://github.com/nodejs/node/pull/24405
Reviewed-By: Refael Ackermann <refack@gmail.com>
Reviewed-By: Rod Vagg <rod@vagg.org>

Diffstat (limited to 'doc/api')
-rw-r--r--  doc/api/errors.md  | 11
-rw-r--r--  doc/api/tls.md     | 17
2 files changed, 25 insertions, 3 deletions
diff --git a/doc/api/errors.md b/doc/api/errors.md
index 68bc1e1c5a4..75d0f368ca7 100644
--- a/doc/api/errors.md
+++ b/doc/api/errors.md
@@ -1655,6 +1655,17 @@ recommended to use 2048 bits or larger for stronger security.
A TLS/SSL handshake timed out. In this case, the server must also abort the
connection.
+<a id="ERR_TLS_INVALID_PROTOCOL_VERSION"></a>
+### ERR_TLS_INVALID_PROTOCOL_VERSION
+
+Valid TLS protocol versions are `'TLSv1'`, `'TLSv1.1'`, or `'TLSv1.2'`.
+
+<a id="ERR_TLS_PROTOCOL_VERSION_CONFLICT"></a>
+### ERR_TLS_PROTOCOL_VERSION_CONFLICT
+
+Attempting to set a TLS protocol `minVersion` or `maxVersion` conflicts with an
+attempt to set the `secureProtocol` explicitly. Use one mechanism or the other.
+
<a id="ERR_TLS_RENEGOTIATE"></a>
### ERR_TLS_RENEGOTIATE
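Review bot: The new ERR_TLS_INVALID_PROTOCOL_VERSION entry lists the accepted strings but never says which option the error is raised for, so a reader landing on it from a stack trace cannot tell what to fix; since the tls.md hunk in this same commit introduces `minVersion` and `maxVersion`, the entry should name them, e.g. "An invalid value was given for the TLS `minVersion` or `maxVersion` option. Valid TLS protocol versions are `'TLSv1'`, `'TLSv1.1'`, or `'TLSv1.2'`." The ERR_TLS_PROTOCOL_VERSION_CONFLICT wording is clear as written.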
diff --git a/doc/api/tls.md b/doc/api/tls.md
index 40fc707435a..888b0eeb5a8 100644
--- a/doc/api/tls.md
+++ b/doc/api/tls.md
@@ -1134,6 +1134,14 @@ changes:
passphrase: <string>]}`. The object form can only occur in an array.
`object.passphrase` is optional. Encrypted keys will be decrypted with
`object.passphrase` if provided, or `options.passphrase` if it is not.
+ * `maxVersion` {string} Optionally set the maximum TLS version to allow. One
+ of `TLSv1.2'`, `'TLSv1.1'`, or `'TLSv1'`. Cannot be specified along with the
+ `secureProtocol` option, use one or the other. **Default:** `'TLSv1.2'`.
+ * `minVersion` {string} Optionally set the minimum TLS version to allow. One
+ of `TLSv1.2'`, `'TLSv1.1'`, or `'TLSv1'`. Cannot be specified along with the
+ `secureProtocol` option, use one or the other. It is not recommended to use
+ less than TLSv1.2, but it may be required for interoperability.
+ **Default:** `'TLSv1'`.
* `passphrase` {string} Shared passphrase used for a single private key and/or
a PFX.
* `pfx` {string|string[]|Buffer|Buffer[]|Object[]} PFX or PKCS12 encoded
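Review bot: The value lists on both the `maxVersion` and `minVersion` bullets are malformed: `TLSv1.2'` is missing its opening quote inside the backticks and should read `'TLSv1.2'`, matching the `'TLSv1.1'` and `'TLSv1'` entries beside it and the `**Default:**` values on the same bullets. Also "Cannot be specified along with the `secureProtocol` option, use one or the other." is a comma splice that appears verbatim on both bullets; a full stop or semicolon before "use one or the other" reads better.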
@@ -1149,9 +1157,12 @@ changes:
which is not usually necessary. This should be used carefully if at all!
Value is a numeric bitmask of the `SSL_OP_*` options from
[OpenSSL Options][].
- * `secureProtocol` {string} SSL method to use. The possible values are listed
- as [SSL_METHODS][], use the function names as strings. For example,
- `'TLSv1_2_method'` to force TLS version 1.2. **Default:** `'TLS_method'`.
+ * `secureProtocol` {string} The TLS protocol version to use. The possible
+ values are listed as [SSL_METHODS][], use the function names as strings. For
+ example, use `'TLSv1_1_method'` to force TLS version 1.1, or `'TLS_method'`
+ to allow any TLS protocol version. It is not recommended to use TLS versions
+ less than 1.2, but it may be required for interoperability. **Default:**
+ none, see `minVersion`.
* `sessionIdContext` {string} Opaque identifier used by servers to ensure
session state is not shared between applications. Unused by clients.
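Review bot: "**Default:** none, see `minVersion`." points at only one of the two options that now define the allowed version range when `secureProtocol` is not given; suggest "**Default:** none, see `minVersion` and `maxVersion`." The sentence "It is not recommended to use TLS versions less than 1.2, but it may be required for interoperability." also duplicates the one on the `minVersion` bullet in the previous hunk; keeping it in one place (or cross-referencing) avoids the two drifting apart in future edits.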