Skip to content
Permalink
Browse files

doc: describe secureProtocol and CLI interaction

Cross-reference the secureProtocol docs and the CLI docs for --tls-v1.0
and --tls-v1.1 and describe relationship. Make clear that --tls-v1.0
enables TLSv1.0 and TLSv1.1.

PR-URL: #24386
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Ujjwal Sharma <usharma1998@gmail.com>
  • Loading branch information...
sam-github committed Nov 15, 2018
1 parent 54b4beb commit 43273262e5f07a80cecf2cef6ac89ca1719821fb
Showing with 20 additions and 14 deletions.
  1. +5 −4 doc/api/cli.md
  2. +9 −4 doc/api/tls.md
  3. +4 −4 doc/node.1
  4. +2 −2 src/node_options.cc
@@ -347,16 +347,16 @@ with crypto support (default).
added: REPLACEME
-->

Enable TLSv1.0. This should only be used for compatibility with old TLS
clients or servers.
Enable TLSv1.0 and greater in default [secureProtocol][]. Use for compatibility
with old TLS clients or servers.

### `--tls-v1.1`
<!-- YAML
added: REPLACEME
-->

Enable TLSv1.1. This should only be used for compatibility with old TLS
clients or servers.
Enable TLSv1.1 and greater in default [secureProtocol][]. Use for compatibility
with old TLS clients or servers.

### `--trace-deprecation`
<!-- YAML
@@ -787,3 +787,4 @@ greater than `4` (its current default value). For more information, see the
[experimental ECMAScript Module]: esm.html#esm_loader_hooks
[libuv threadpool documentation]: http://docs.libuv.org/en/latest/threadpool.html
[remote code execution]: https://www.owasp.org/index.php/Code_Injection
[secureProtocol]: tls.html#tls_tls_createsecurecontext_options
@@ -1118,10 +1118,15 @@ changes:
which is not usually necessary. This should be used carefully if at all!
Value is a numeric bitmask of the `SSL_OP_*` options from
[OpenSSL Options][].
* `secureProtocol` {string} SSL method to use. The possible values are listed
as [SSL_METHODS][], use the function names as strings. For example,
`'TLSv1_2_method'` to force TLS version 1.2.
**Default:** `'TLSv1_2_method'`.
* `secureProtocol` {string} The TLS protocol version to use. The possible
values are listed as [SSL_METHODS][], use the function names as strings. For
example, use `'TLSv1_1_method'` to force TLS version 1.1, or `'TLS_method'`
to allow any TLS protocol version. It is not recommended to use TLS versions
less than 1.2, but it may be required for interoperability. **Default:**
`'TLSv1_2_method'`, unless changed using CLI options. Using the `--tlsv1.0`
CLI option is like `'TLS_method'` except protocols earlier than TLSv1.0 are
not allowed, and using the `--tlsv1.1` CLI option is like `'TLS_method'`
except that protocols earlier than TLSv1.1 are not allowed.
* `sessionIdContext` {string} Opaque identifier used by servers to ensure
session state is not shared between applications. Unused by clients.

@@ -184,12 +184,12 @@ Specify an alternative default TLS cipher list.
Requires Node.js to be built with crypto support. (Default)
.
.It Fl -tls-v1.0
Enable TLSv1.0. This should only be used for compatibility with old TLS
clients or servers.
Enable TLSv1.0 and greater in default secureProtocol. Use for compatibility
with old TLS clients or servers.
.
.It Fl -tls-v1.1
Enable TLSv1.1. This should only be used for compatibility with old TLS
clients or servers.
Enable TLSv1.1 and greater in default secureProtocol. Use for compatibility
with old TLS clients or servers.
.
.It Fl -trace-deprecation
Print stack traces for deprecations.
@@ -191,11 +191,11 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() {

#if HAVE_OPENSSL
AddOption("--tls-v1.0",
"enable TLSv1.0",
"enable TLSv1.0 and greater by default",
&EnvironmentOptions::tls_v1_0,
kAllowedInEnvironment);
AddOption("--tls-v1.1",
"enable TLSv1.1",
"enable TLSv1.1 and greater by default",
&EnvironmentOptions::tls_v1_1,
kAllowedInEnvironment);
#endif

0 comments on commit 4327326

Please sign in to comment.
You can’t perform that action at this time.