[v11.x backport] TLS1.3 #26951

Closed
wants to merge 13 commits into from

10 participants
@sam-github
Member

commented Mar 27, 2019

PRs included in this backport:

  • Update openssl1.1.1b: #26327, backported because openssl updates don't merge well, and always need backporting
  • TLS1.3 support: #26209 (WIP), had to do some minor fixups to cherry-pick
  • tls: revert default max to TLSv1.2: this is new, it reverts the semver-major change introduced in the previous commit
  • tls: add debugging to native TLS code: #26843, cherry-picked clean on top of TLS1.3 support
  • doc: describe tls.DEFAULT_MIN_VERSION/_MAX_VERSION : #26821, had to fix a minor conflict caused by tls: revert default max to TLSv1.2, which changed the default min/max from the values on master
  • tls: support shared openssl 1.1.0: this is new, it adds back support for openssl 1.1.0
  • tls: add --tls-min-v1.2 CLI switch: this is new, it adds a CLI switch to change the min protocol to v1.2
Checklist
  • make -j4 test (UNIX), or vcbuild test (Windows) passes
  • tests and/or benchmarks are included
  • documentation is changed or added
  • commit message follows commit guidelines

@sam-github sam-github changed the base branch from master to v11.x-staging Mar 28, 2019

@sam-github

Member Author

commented Mar 28, 2019

@targos, do you have any suggestions as to how to backport a set of dependent PRs to 11.x?

TLS1.3 depends on openssl1.1.1b, as well as the #25093 and #24729, see #24729 (comment)

Can I just pick them all onto this branch as I find necessary, or will that make things hard for you?

I could also do the backports in series, but that is made difficult unless they are pretty promptly cherry-picked onto v11.x-staging, because I have to float the commits in a stand-alone PR-branch, but I also need them in this PR-branch so I can keep working.

I'm not sure what the normal way of doing this is.

Btw, the openssl1.1.1b part of this PR could be cherry-picked to #26949 right now, I believe. Should I PR that immediately? It's only a backport because we don't merge openssl updates back, we re-do the source commit and the config regeneration step from scratch.

@sam-github sam-github force-pushed the sam-github:tls1.3-v11.x branch from 0787ad9 to 0f96e57 Mar 28, 2019

@rvagg

Member

commented Mar 28, 2019

@sam-github is this just "Drafting" because it doesn't have those dependent pieces? Other than that it's a straight backport of 1.3?

@sam-github

Member Author

commented Mar 28, 2019

Remaining work (that I know about!):

  1. Fix the test failures, I'm working through them. 7 of the tests are because of the missing .code property, it looks like, thus the dependent backports. Still need to look at the other 3.
  2. Once the tests pass, I need to push one more commit, to change the TLS default max back to TLS1.2, and then make sure the tests still pass.
@sam-github

Member Author

commented Mar 28, 2019

@rvagg And I forgot to answer

Other than that it's a straight backport of 1.3?

So far, yes. Some conflict resolution during cherry pick, but nothing remarkable. The change to the default TLS max is the only thing I expect to be different, and I hope it won't affect the test suite too much.

@sam-github sam-github force-pushed the sam-github:tls1.3-v11.x branch from 0f96e57 to ed004eb Mar 28, 2019

@sam-github sam-github marked this pull request as ready for review Mar 28, 2019

@sam-github

Member Author

commented Mar 28, 2019

Passes locally, both with TLS1.3 as the default max, and with TLS1.2 as the default max. Let's see what CI thinks.

Depends on:

  • #26953
  • #26953
    which are in this branch. They can be rebased away once the above 2 backports land.

@sam-github sam-github force-pushed the sam-github:tls1.3-v11.x branch from 96bc258 to 5e20f91 Mar 28, 2019

@targos

Member

commented Mar 28, 2019

@sam-github

@targos, do you have any suggestions as to how to backport a set of dependent PRs to 11.x?

Whatever is easier for you. I like when multiple backports are bundled in the same PR, so from my PoV you could close the other backport PRs and we land everything when this is ready.

@targos targos referenced this pull request Mar 28, 2019

Closed

doc: describe tls.DEFAULT_MIN_VERSION/_MAX_VERSION #26821

0 of 4 tasks complete

@targos targos referenced this pull request Mar 28, 2019

Closed

tls: add debugging to native TLS code #26843

2 of 2 tasks complete

@sam-github sam-github force-pushed the sam-github:tls1.3-v11.x branch from 5e20f91 to f9c38a6 Mar 28, 2019

@mscdex

Contributor

commented Mar 29, 2019

Does this mean v11.x will no longer build against shared OpenSSL 1.1.0?

@sam-github

Member Author

commented Mar 29, 2019

@mscdex ATM it does, but I suspect losing support for shared openssl 1.1.0 is not acceptable as semver-minor, would you agree?

I'm going to try to fix that, I assume it will take only a few ifdefs in c++, and then a whole lot more checks in the test suites for TLS1.3 support.

Actually attempting to use 1.1.1 features when node.js is built against 1.1.0 will not go well, which is expected (I guess) and we don't document what features are 1.1.1 specific. Is there any way to give a heads up to distributors? Or (@refack?) is there a way at ./configure time to warn that the --shared-openssl options are being used, but the shared openssl version is < openssl 1.1.1b, just so people know that the build will not be fully functional?

I'm not sure why it is that we ever allowed building against a shared library that is not the same version as the currently included openssl version. I'd speculate that 1.1.0 and 1.0.2 were so similar it didn't matter much, though even there I'd think that 1.1.0 would have had something that a node API user would have noticed.

@sam-github sam-github force-pushed the sam-github:tls1.3-v11.x branch from 7ab7bb3 to 8bb255b Mar 29, 2019

@targos targos force-pushed the nodejs:v11.x-staging branch from 908fc8e to c2500d4 Mar 29, 2019

@targos targos force-pushed the nodejs:v11.x-staging branch from c2500d4 to db9e439 Mar 30, 2019

@refack refack referenced this pull request Apr 15, 2019

Closed

doc: update LICENSE file #27132

2 of 2 tasks complete
@refack

Member

commented Apr 15, 2019

If anyone is interested https://gist.github.com/refack/1ec020607baa346e9265554646274de5 is a pre-push hook to block git from creating or deleting branches on a /nodejs/ repo.

@sam-github sam-github deleted the sam-github:tls1.3-v11.x branch Apr 15, 2019

codebytere added a commit that referenced this pull request Apr 19, 2019

2019-04-23, Version 11.15.0 (Current)
* deps: add s390 asm rules for OpenSSL-1.1.1 (Shigeki Ohtsu) [#19794](#19794)
* src: add .code and SSL specific error properties (Sam Roberts) [#25093](#25093)
* tls:
  * add --tls-min-v1.2 CLI switch (Sam Roberts) [#26951](#26951)
  * supported shared openssl 1.1.0 (Sam Roberts) [#26951](#26951)
  * revert default max to TLSv1.2 (Sam Roberts) [#26951](#26951)
  * revert change to invalid protocol error type (Sam Roberts) [#26951](#26951)
  * support TLSv1.3 (Sam Roberts) [#26209](#26209)
  * add code for ERR_TLS_INVALID_PROTOCOL_METHOD (Sam Roberts) [#24729](#24729)

@codebytere codebytere referenced this pull request Apr 19, 2019

Merged

v11.15.0 proposal #27314

codebytere added a commit that referenced this pull request Apr 19, 2019

2019-04-23, Version 11.15.0 (Current)
Notable changes:

* deps: add s390 asm rules for OpenSSL-1.1.1 (Shigeki Ohtsu) [#19794](#19794)
* src: add .code and SSL specific error properties (Sam Roberts) [#25093](#25093)
* tls:
  * add --tls-min-v1.2 CLI switch (Sam Roberts) [#26951](#26951)
  * supported shared openssl 1.1.0 (Sam Roberts) [#26951](#26951)
  * revert default max to TLSv1.2 (Sam Roberts) [#26951](#26951)
  * revert change to invalid protocol error type (Sam Roberts) [#26951](#26951)
  * support TLSv1.3 (Sam Roberts) [#26209](#26209)
  * add code for ERR_TLS_INVALID_PROTOCOL_METHOD (Sam Roberts) [#24729](#24729)

@sam-github sam-github referenced this pull request Apr 25, 2019

Closed

[v10.x backport]: Update OpenSSL 1.1.1b #27419

0 of 4 tasks complete

@sam-github sam-github restored the sam-github:tls1.3-v11.x branch Apr 26, 2019

@sam-github

Member Author

commented Apr 26, 2019

WIP backport: #27432

@sam-github sam-github deleted the sam-github:tls1.3-v11.x branch Apr 26, 2019

codebytere added a commit that referenced this pull request Apr 29, 2019

2019-04-23, Version 11.15.0 (Current)
Notable changes:

* deps: add s390 asm rules for OpenSSL-1.1.1 (Shigeki Ohtsu) [#19794](#19794)
* src: add .code and SSL specific error properties (Sam Roberts) [#25093](#25093)
* tls:
  * add --tls-min-v1.2 CLI switch (Sam Roberts) [#26951](#26951)
  * supported shared openssl 1.1.0 (Sam Roberts) [#26951](#26951)
  * revert default max to TLSv1.2 (Sam Roberts) [#26951](#26951)
  * revert change to invalid protocol error type (Sam Roberts) [#26951](#26951)
  * support TLSv1.3 (Sam Roberts) [#26209](#26209)
  * add code for ERR_TLS_INVALID_PROTOCOL_METHOD (Sam Roberts) [#24729](#24729)

codebytere added a commit to codebytere/node that referenced this pull request Apr 29, 2019

2019-04-30, Version 11.15.0 (Current)
Notable changes:

* deps: add s390 asm rules for OpenSSL-1.1.1 (Shigeki Ohtsu) [nodejs#19794](nodejs#19794)
* src: add .code and SSL specific error properties (Sam Roberts) [nodejs#25093](nodejs#25093)
* tls:
  * add --tls-min-v1.2 CLI switch (Sam Roberts) [nodejs#26951](nodejs#26951)
  * supported shared openssl 1.1.0 (Sam Roberts) [nodejs#26951](nodejs#26951)
  * revert default max to TLSv1.2 (Sam Roberts) [nodejs#26951](nodejs#26951)
  * revert change to invalid protocol error type (Sam Roberts) [nodejs#26951](nodejs#26951)
  * support TLSv1.3 (Sam Roberts) [nodejs#26209](nodejs#26209)
  * add code for ERR_TLS_INVALID_PROTOCOL_METHOD (Sam Roberts) [nodejs#24729](nodejs#24729)

codebytere added a commit that referenced this pull request Apr 30, 2019

2019-04-30, Version 11.15.0 (Current)
Notable changes:

* deps: add s390 asm rules for OpenSSL-1.1.1 (Shigeki Ohtsu) [#19794](#19794)
* src: add .code and SSL specific error properties (Sam Roberts) [#25093](#25093)
* tls:
  * add --tls-min-v1.2 CLI switch (Sam Roberts) [#26951](#26951)
  * supported shared openssl 1.1.0 (Sam Roberts) [#26951](#26951)
  * revert default max to TLSv1.2 (Sam Roberts) [#26951](#26951)
  * revert change to invalid protocol error type (Sam Roberts) [#26951](#26951)
  * support TLSv1.3 (Sam Roberts) [#26209](#26209)
  * add code for ERR_TLS_INVALID_PROTOCOL_METHOD (Sam Roberts) [#24729](#24729)

PR-URL: #27314

sam-github added a commit to sam-github/node that referenced this pull request May 1, 2019

tls: add --tls-min-v1.2 CLI switch
Switch added in v11.x, add it to master/12.x for consistency and
compatibility.

See: nodejs#26951

sam-github added a commit to sam-github/node that referenced this pull request May 1, 2019

tls: add --tls-min-v1.2 CLI switch
Switch added in v11.x, add it to master/12.x for consistency and
compatibility.

See: nodejs#26951, commit bf2c283

@sam-github sam-github referenced this pull request May 1, 2019

Closed

tls: add --tls-min-v1.2 CLI switch #27520

0 of 4 tasks complete

sam-github added a commit to sam-github/node that referenced this pull request May 1, 2019

test: check TLS config that breaks the defaults
Check that setting the maximum TLS protocol lower than the minimum TLS
protocol makes connections impossible, with a reasonable error code, and
that it doesn't break any attempts to connect with non-default protocol
settings.

See: nodejs#26951, 109c097

@sam-github sam-github referenced this pull request May 1, 2019

Closed

tls: disallow conflicting TLS protocol options #27521

3 of 3 tasks complete

sam-github added a commit to sam-github/node that referenced this pull request May 2, 2019

test: check TLS config that breaks the defaults
Do not allow the minimum protocol level to be set higher than the max
protocol level.

See: nodejs#26951, 109c097

sam-github added a commit to sam-github/node that referenced this pull request May 2, 2019

tls: disallow conflicting TLS protocol options
Do not allow the minimum protocol level to be set higher than the max
protocol level.

See: nodejs#26951, 109c097

sam-github added a commit to sam-github/node that referenced this pull request May 3, 2019

tls: add --tls-min-v1.2 CLI switch
Switch added in v11.x, add it to master/12.x for consistency and
compatibility.

See: nodejs#26951, commit bf2c283

sam-github added a commit that referenced this pull request May 3, 2019

tls: disallow conflicting TLS protocol options
Do not allow the minimum protocol level to be set higher than the max
protocol level.

See: #26951, 109c097

PR-URL: #27521
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Rich Trott <rtrott@gmail.com>

targos added a commit that referenced this pull request May 4, 2019

tls: disallow conflicting TLS protocol options
Do not allow the minimum protocol level to be set higher than the max
protocol level.

See: #26951, 109c097

PR-URL: #27521
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Rich Trott <rtrott@gmail.com>

Trott added a commit to Trott/io.js that referenced this pull request May 5, 2019

tls: add --tls-min-v1.2 CLI switch
Switch added in v11.x, add it to master/12.x for consistency and
compatibility.

See: nodejs#26951, commit bf2c283

PR-URL: nodejs#27520
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>

targos added a commit that referenced this pull request May 6, 2019

tls: add --tls-min-v1.2 CLI switch
Switch added in v11.x, add it to master/12.x for consistency and
compatibility.

See: #26951, commit bf2c283

PR-URL: #27520
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>