Externalise tls.DEFAULT_CIPHERS please! #46462
Comments
andreas-ibm
added
the
feature request
|
When you say "externalise" you mean "document"? PR welcome, I suppose.
Wouldn't you need to do that anyway as good engineering practice? |
|
I'll see if I can find the right place to chance for a PR :-) I just wanted to check it wouldn't cause problems, like "no, don't do that, if people start using that variable it'll cause them to do this other Bad Thing". Yes, we review approximately every 3 months which is more often than we (currently) rebuild node.js, though this may change. I'd also like to be able to handle the case where the customer provides the node.js instance so being able to handle it from within the JS would be nice! Right, I'll look at that PR then, cheers. |
The DEFAULT_CIPHERS already exists, this change shows how to use it. Fixes: nodejs#46462
What is the problem this feature will solve?
We would like to modify the default ciphers on startup, unless the user has overridden with
--tls-cipher-list. So for example on startup, we'll comparetls.DEFAULT_CIPHERSagainstcrypto.constants.defaultCoreCipherListand if they're the same (the user hasn't overridden on command line) then we might want toto remove some older / weaker ciphers.
This also means we can customise the modification to remove more things, but still get the benefit of any new, stronger ciphers added.
What is the feature you are proposing to solve the problem?
We can do it today using the above method, but because
tls.DEFAULT_CIPHERSisn't documented it's implied that you may remove it in the future, I'm asking for it to be documented.What alternatives have you considered?
We could build and set
crypto.constants.defaultCoreCipherListourselves, but when we then upgrade we would need to re-review the cipher list to add in any new ciphers to our "blessed" list. Using the above method is more dynamic and easier to change (i.e. we don't need to rebuild).The text was updated successfully, but these errors were encountered: