Skip to content
This repository has been archived by the owner on Apr 22, 2023. It is now read-only.

tls, crypto: add DHE support #8272

Closed
wants to merge 2 commits into from
Closed

tls, crypto: add DHE support #8272

wants to merge 2 commits into from

Conversation

shigeki
Copy link

@shigeki shigeki commented Aug 27, 2014

Per #8264, please review this, @indutny .

This also changes the default cipher list as DHE-RSA-AES128-SHA256 is added and !EDH is explicitly written to !EDH-RSA-DES:!EDH-DSS-DES.
In case of an invalid DH parameter file, it is sliently discarded.
To use auto DH parameter in a server and DHE key length check in a client, we need to wait for the next release of OpenSSL-1.0.2.

indutny
indutny reviewed Aug 27, 2014
View reviewed changes
src/node_crypto.cc
if (!bio)
return;

DH *dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

DH* dh

@indutny
Copy link
Member

indutny commented Aug 27, 2014

@shigeki what's wrong with EDH ciphers?

Other than a few nits - LGTM.

@shigeki
Copy link
Author

shigeki commented Aug 27, 2014

@indutny Thanks for reviewing. It seems that!EDH also disables all DHE- cipher suites so I explicitly wrote them.

@indutny
Copy link
Member

indutny commented Aug 27, 2014

And why do we need to disable them?

@shigeki
Copy link
Author

shigeki commented Aug 27, 2014

I'm not sure the reason of the old commit. But it might come from prohibiting CBC by BEAST.
We should reconsider the default cipher list again in near future to add GCM and remove RC4 as described in http://tools.ietf.org/html/draft-ietf-uta-tls-bcp-02

@indutny
Copy link
Member

indutny commented Aug 27, 2014

Yeah, I already have a good cipher list for a v0.12. Let's remove !EDH anyway, and land your patch :)

shigeki pushed a commit to shigeki/node-v0.x-archive that referenced this pull request Aug 28, 2014
tls: add DHE-RSA-AES128-SHA256 to the default ciphers
ba2affe 
`!EDH` is also removed from the list in the discussion of nodejs#8272
@shigeki
Copy link
Author

shigeki commented Aug 28, 2014

@indutny The patch is revised with your comments. Also two changes are

  • add a new commit to change the default cipher for easy to track in the future.
  • 4096bit test is removed because it takes too long time to generate a key file

Please review this again.

Shigeki Ohtsu added 2 commits August 28, 2014 20:44
tls, crypto: add DHE support
916e9d9 
In case of an invalid DH parameter file, it is sliently discarded. To
use auto DH parameter in a server and DHE key length check in a
client, we need to wait for the next release of OpenSSL-1.0.2.
tls: add DHE-RSA-AES128-SHA256 to the default ciphers
db29afb 
`!EDH` is also removed from the list in the discussion of nodejs#8272
@indutny
Copy link
Member

indutny commented Aug 28, 2014

LGTM, thank you!

indutny pushed a commit that referenced this pull request Aug 28, 2014
@indutny
tls: add DHE-RSA-AES128-SHA256 to the def ciphers
f6877f3 
`!EDH` is also removed from the list in the discussion of #8272

Reviewed-By: Fedor Indutny <fedor@indutny.com>
@indutny
Copy link
Member

indutny commented Aug 28, 2014

Landed in 0dfedb7 and f6877f3, thank you!

@indutny indutny closed this Aug 28, 2014
@silverwind silverwind mentioned this pull request Feb 25, 2015
Closed
@misterdjules misterdjules mentioned this pull request Mar 12, 2015
Closed
@tniessen tniessen mentioned this pull request Feb 18, 2023
Merged
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees
No one assigned
Labels
pr v0.12
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@shigeki @indutny @Nodejs-Jenkins