Skip to content
This repository has been archived by the owner on Apr 22, 2023. It is now read-only.

crypto: allow forcing SSLv2/v3 via secureProtocol #8575

Closed
wants to merge 1 commit into from

Conversation

indutny
Copy link
Member

@indutny indutny commented Oct 18, 2014

Force-enable SSLv2/v3 when secureProtocol is explicitly set
to SSLv2_method or SSLv3_method.

see discussion at #8551

Force-enable SSLv2/v3 when `secureProtocol` is explicitly set
to `SSLv2_method` or `SSLv3_method`.

see discussion at nodejs#8551

if (!binding.SSL2_ENABLE)
CONTEXT_DEFAULT_OPTIONS |= constants.SSL_OP_NO_SSLv2;
}

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This isn't 100% right, the secureProtocol should also handle the undefined case, but should happen below not when we're defining the default options, it should be set when flags is undefined and when secureProtocol isn't SSLv23...

@tjfontaine
Copy link

Landed in a slightly different javascript implementation -- 1349b68

@DomT4
Copy link

DomT4 commented Oct 20, 2014

I presume the end-user gets some kind of flag to note the less-secure-than-desired connection in these rare cases?

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

4 participants