Commit 8a8ac8c

davidben authored and evanlucas committed
crypto: hard-code tlsSocket.getCipher().version
This aligns the documentation with reality. This API never did what Node claims it did. The SSL_CIPHER_get_version function just isn't useful. In OpenSSL 1.0.2, it always returned the string "TLSv1/SSLv3" for anything but SSLv2 ciphers, which Node does not support. Note how test-tls-multi-pfx.js claims that ECDHE-ECDSA-AES256-GCM-SHA384 was added in TLSv1/SSLv3, which is not true. That cipher is new as of TLS 1.2.

The OpenSSL 1.0.2 implementation is:

    char *SSL_CIPHER_get_version(const SSL_CIPHER *c)
    {
        int i;

        if (c == NULL)
            return ("(NONE)");
        i = (int)(c->id >> 24L);
        if (i == 3)
            return ("TLSv1/SSLv3");
        else if (i == 2)
            return ("SSLv2");
        else
            return ("unknown");
    }

In OpenSSL 1.1.0, SSL_CIPHER_get_version changed to actually behave as Node documented it, but this changes the semantics of the function and breaks tests. The cipher's minimum protocol version is not a useful notion to return to the caller here, so just hardcode the string at "TLSv1/SSLv3" and document it as legacy.

PR-URL: #16130
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Rod Vagg <rod@vagg.org>
1 parent c42935b commit 8a8ac8c
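An added example, not part of this commit or of the Node.js code base: a server-side audit helper that shows why `getCipher().version` must not be used to learn the negotiated protocol, and what a minimum-protocol check should read instead. It assumes `tlsSocket.getCipher()` returns the `{ name, version }` object documented in the diff and that `tlsSocket.getProtocol()` returns the negotiated protocol name (for example `'TLSv1.2'`, or `null` before the handshake completes); the mock socket at the bottom is constructed so the helper can run offline.

```javascript
'use strict';

// Added example (not Node.js project code). Audit a TLS socket and enforce a
// minimum protocol version using getProtocol(), never getCipher().version,
// which after this commit is the fixed legacy string 'TLSv1/SSLv3'.

// Protocol names as returned by tls.TLSSocket#getProtocol(), ascending order.
// (Assumption: these are the names Node reports for each protocol.)
const PROTOCOL_RANK = {
  SSLv3: 0,
  TLSv1: 1,
  'TLSv1.1': 2,
  'TLSv1.2': 3,
  'TLSv1.3': 4,
};

// Build a log-friendly record from a TLS socket. The cipher's `version`
// field is carried only for completeness and is labelled as legacy.
function describeTlsSocket(socket) {
  const cipher = socket.getCipher();
  const protocol = socket.getProtocol(); // null until the handshake completes
  return {
    cipherName: cipher.name,
    legacyCipherVersion: cipher.version, // always 'TLSv1/SSLv3'; not the protocol
    protocol,
  };
}

// Decide whether the connection meets the minimum protocol. Returns a result
// object instead of throwing so the caller can log the reason before closing.
function checkMinimumProtocol(socket, minimum = 'TLSv1.2') {
  const record = describeTlsSocket(socket);
  if (record.protocol === null) {
    return { ok: false, reason: 'handshake not complete', record };
  }
  const rank = PROTOCOL_RANK[record.protocol];
  if (rank === undefined) {
    return { ok: false, reason: `unknown protocol ${record.protocol}`, record };
  }
  if (rank < PROTOCOL_RANK[minimum]) {
    return { ok: false, reason: `${record.protocol} below ${minimum}`, record };
  }
  return { ok: true, reason: 'ok', record };
}

// Constructed mock mirroring what Node returns: note that `version` reads
// 'TLSv1/SSLv3' regardless of the protocol actually negotiated, so a check
// based on it could never detect a downgraded connection.
function mockSocket(cipherName, protocol) {
  return {
    getCipher: () => ({ name: cipherName, version: 'TLSv1/SSLv3' }),
    getProtocol: () => protocol,
  };
}

// Usage with a real server (hypothetical `opts` holds key/cert):
//   const server = tls.createServer(opts, (socket) => {
//     const result = checkMinimumProtocol(socket);
//     if (!result.ok) { console.warn(result.reason, result.record); socket.destroy(); }
//   });
```

The check deliberately fails closed on a `null` or unrecognised protocol name, so an incomplete handshake or an unexpected OpenSSL string is logged and rejected rather than silently accepted.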
2 files changed (+4, -5 lines)
doc/api/tls.md: 3 additions & 3 deletions
@@ -558,12 +558,12 @@ Always returns `true`. This may be used to distinguish TLS sockets from regular
558558
added: v0.11.4
559559
-->
560560

561-
Returns an object representing the cipher name and the SSL/TLS protocol version
562-
that first defined the cipher.
561+
Returns an object representing the cipher name. The `version` key is a legacy
562+
field which always contains the value `'TLSv1/SSLv3'`.
563563

564564
For example: `{ name: 'AES256-SHA', version: 'TLSv1/SSLv3' }`
565565

566-
See `SSL_CIPHER_get_name()` and `SSL_CIPHER_get_version()` in
566+
See `SSL_CIPHER_get_name()` in
567567
https://www.openssl.org/docs/man1.0.2/ssl/SSL_CIPHER_get_name.html for more
568568
information.
569569

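Review bot: the replacement text at the `+` lines labels `version` as a legacy field but does not tell readers that the value carries no information about the connection, so a reader could still use it for protocol detection; consider extending the sentence, e.g. `field which always contains the value 'TLSv1/SSLv3' and does not reflect the protocol negotiated for the connection.` Since the commit message states the value is now hard-coded rather than taken from OpenSSL, saying so here would also stop readers from assuming it varies by OpenSSL build.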
src/node_crypto.cc: 1 addition & 2 deletions
@@ -2265,9 +2265,8 @@ void SSLWrap<Base>::GetCurrentCipher(const FunctionCallbackInfo<Value>& args) {
22652265
Local<Object> info = Object::New(env->isolate());
22662266
const char* cipher_name = SSL_CIPHER_get_name(c);
22672267
info->Set(env->name_string(), OneByteString(args.GetIsolate(), cipher_name));
2268-
const char* cipher_version = SSL_CIPHER_get_version(c);
22692268
info->Set(env->version_string(),
2270-
OneByteString(args.GetIsolate(), cipher_version));
2269+
OneByteString(args.GetIsolate(), "TLSv1/SSLv3"));
22712270
args.GetReturnValue().Set(info);
22722271
}
22732272

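Review bot: the bare literal `"TLSv1/SSLv3"` at the `+` line has nothing beside it explaining why `SSL_CIPHER_get_version(c)` was dropped, which invites a later cleanup that reinstates the call and reintroduces the OpenSSL 1.1.0 semantics change the commit message describes; suggest a one-line comment above `info->Set(env->version_string(),` such as `// Legacy value; SSL_CIPHER_get_version() is not meaningful here, see PR #16130`, or a named constant that the tests can share.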