diff --git a/configure.py b/configure.py index 2947df6ace826c..463fa9292e9e5f 100755 --- a/configure.py +++ b/configure.py @@ -164,6 +164,11 @@ "e.g. /root/x/y.js will be referenced via require('root/x/y'). " "Can be used multiple times") +parser.add_option('--openssl-default-cipher-list', + action='store', + dest='openssl_default_cipher_list', + help='Use the specified cipher list as the default cipher list') + parser.add_option("--openssl-no-asm", action="store_true", dest="openssl_no_asm", @@ -1286,6 +1291,8 @@ def without_ssl_error(option): without_ssl_error('--openssl-no-asm') if options.openssl_fips: without_ssl_error('--openssl-fips') + if options.openssl_default_cipher_list: + without_ssl_error('--openssl-default-cipher-list') return if options.use_openssl_ca_store: @@ -1295,6 +1302,9 @@ def without_ssl_error(option): variables['node_without_node_options'] = b(options.without_node_options) if options.without_node_options: o['defines'] += ['NODE_WITHOUT_NODE_OPTIONS'] + if options.openssl_default_cipher_list: + variables['openssl_default_cipher_list'] = \ + options.openssl_default_cipher_list if not options.shared_openssl and not options.openssl_no_asm: is_x86 = 'x64' in variables['target_arch'] or 'ia32' in variables['target_arch'] diff --git a/doc/api/tls.md b/doc/api/tls.md index 8364ae9517f640..4cba528f3f775f 100644 --- a/doc/api/tls.md +++ b/doc/api/tls.md @@ -273,33 +273,36 @@ Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256 ## Modifying the default TLS cipher suite -Node.js is built with a default suite of enabled and disabled TLS ciphers. -Currently, the default cipher suite is: +Node.js is built with a default suite of enabled and disabled TLS ciphers. This +default cipher list can be configured when building Node.js to allow +distributions to provide their own default list. -```text -TLS_AES_256_GCM_SHA384: -TLS_CHACHA20_POLY1305_SHA256: -TLS_AES_128_GCM_SHA256: -ECDHE-RSA-AES128-GCM-SHA256: -ECDHE-ECDSA-AES128-GCM-SHA256: -ECDHE-RSA-AES256-GCM-SHA384: -ECDHE-ECDSA-AES256-GCM-SHA384: -DHE-RSA-AES128-GCM-SHA256: -ECDHE-RSA-AES128-SHA256: -DHE-RSA-AES128-SHA256: -ECDHE-RSA-AES256-SHA384: -DHE-RSA-AES256-SHA384: -ECDHE-RSA-AES256-SHA256: -DHE-RSA-AES256-SHA256: -HIGH: -!aNULL: -!eNULL: -!EXPORT: -!DES: -!RC4: -!MD5: -!PSK: -!SRP: +The following command can be used to show the default cipher suite: +```console +node -p crypto.constants.defaultCoreCipherList | tr ':' '\n' +TLS_AES_256_GCM_SHA384 +TLS_CHACHA20_POLY1305_SHA256 +TLS_AES_128_GCM_SHA256 +ECDHE-RSA-AES128-GCM-SHA256 +ECDHE-ECDSA-AES128-GCM-SHA256 +ECDHE-RSA-AES256-GCM-SHA384 +ECDHE-ECDSA-AES256-GCM-SHA384 +DHE-RSA-AES128-GCM-SHA256 +ECDHE-RSA-AES128-SHA256 +DHE-RSA-AES128-SHA256 +ECDHE-RSA-AES256-SHA384 +DHE-RSA-AES256-SHA384 +ECDHE-RSA-AES256-SHA256 +DHE-RSA-AES256-SHA256 +HIGH +!aNULL +!eNULL +!EXPORT +!DES +!RC4 +!MD5 +!PSK +!SRP !CAMELLIA ``` diff --git a/node.gyp b/node.gyp index 281a8f0176db24..68ca0f2c035353 100644 --- a/node.gyp +++ b/node.gyp @@ -736,6 +736,7 @@ 'variables': { 'openssl_system_ca_path%': '', + 'openssl_default_cipher_list%': '', }, 'defines': [ @@ -752,6 +753,11 @@ 'msvs_disabled_warnings!': [4244], 'conditions': [ + [ 'openssl_default_cipher_list!=""', { + 'defines': [ + 'NODE_OPENSSL_DEFAULT_CIPHER_LIST="<(openssl_default_cipher_list)"' + ] + }], [ 'node_builtin_modules_path!=""', { 'defines': [ 'NODE_BUILTIN_MODULES_PATH="<(node_builtin_modules_path)"' ] }], diff --git a/src/node_constants.h b/src/node_constants.h index af5aa002eb5795..d7de705fb8ec7e 100644 --- a/src/node_constants.h +++ b/src/node_constants.h @@ -41,6 +41,9 @@ #define RSA_PSS_SALTLEN_AUTO -2 #endif +#if defined(NODE_OPENSSL_DEFAULT_CIPHER_LIST) +#define DEFAULT_CIPHER_LIST_CORE NODE_OPENSSL_DEFAULT_CIPHER_LIST +#else // TLSv1.3 suites start with TLS_, and are the OpenSSL defaults, see: // https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_ciphersuites.html #define DEFAULT_CIPHER_LIST_CORE \ @@ -68,7 +71,8 @@ "!PSK:" \ "!SRP:" \ "!CAMELLIA" -#endif +#endif // NODE_OPENSSL_DEFAULT_CIPHER_LIST +#endif // HAVE_OPENSSL namespace node {