doc: describe secureProtocol and CLI interaction · nodejs/node@4327326

4 files changed

Original file line number Diff line number Diff line change
@@ -347,16 +347,16 @@ with crypto support (default).
347 347 added: REPLACEME
348 348 -->
349 349
350 -Enable TLSv1.0. This should only be used for compatibility with old TLS
351 -clients or servers.
350 +Enable TLSv1.0 and greater in default [secureProtocol][]. Use for compatibility
351 +with old TLS clients or servers.
352 352
353 353 ### `--tls-v1.1`
354 354 <!-- YAML
355 355 added: REPLACEME
356 356 -->
357 357
358 -Enable TLSv1.1. This should only be used for compatibility with old TLS
359 -clients or servers.
358 +Enable TLSv1.1 and greater in default [secureProtocol][]. Use for compatibility
359 +with old TLS clients or servers.
360 360
361 361 ### `--trace-deprecation`
362 362 <!-- YAML
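Review bot: the rewrite at lines 350-351 and 358-359 softens "This should only be used for compatibility" to "Use for compatibility", which reads as a recommendation rather than a caution; since each flag lowers the minimum protocol of the default `secureProtocol` for every context that does not set one explicitly, keep the restrictive phrasing, e.g. "This should only be used for compatibility with old TLS clients or servers, as it lowers the default minimum TLS version for the whole process." It is also worth stating that the flag changes only the default, so an explicit `secureProtocol` passed to `tls.createSecureContext()` still takes precedence.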
@@ -787,3 +787,4 @@ greater than `4` (its current default value). For more information, see the
787 787 [experimental ECMAScript Module]: esm.html#esm_loader_hooks
788 788 [libuv threadpool documentation]: http://docs.libuv.org/en/latest/threadpool.html
789 789 [remote code execution]: https://www.owasp.org/index.php/Code\_Injection
790 +[secureProtocol]: tls.html#tls_tls_createsecurecontext_options
@@ -1118,10 +1118,15 @@ changes:
1118 1118 which is not usually necessary. This should be used carefully if at all!
1119 1119 Value is a numeric bitmask of the `SSL_OP_*` options from
1120 1120 [OpenSSL Options][].
1121 -* `secureProtocol` {string} SSL method to use. The possible values are listed
1122 - as [SSL_METHODS][], use the function names as strings. For example,
1123 -`'TLSv1_2_method'` to force TLS version 1.2.
1124 -**Default:** `'TLSv1_2_method'`.
1121 +* `secureProtocol` {string} The TLS protocol version to use. The possible
1122 + values are listed as [SSL_METHODS][], use the function names as strings. For
1123 + example, use `'TLSv1_1_method'` to force TLS version 1.1, or `'TLS_method'`
1124 + to allow any TLS protocol version. It is not recommended to use TLS versions
1125 + less than 1.2, but it may be required for interoperability. **Default:**
1126 +`'TLSv1_2_method'`, unless changed using CLI options. Using the `--tlsv1.0`
1127 + CLI option is like `'TLS_method'` except protocols earlier than TLSv1.0 are
1128 + not allowed, and using the `--tlsv1.1` CLI option is like `'TLS_method'`
1129 + except that protocols earlier than TLSv1.1 are not allowed.
1125 1130 * `sessionIdContext` {string} Opaque identifier used by servers to ensure
1126 1131 session state is not shared between applications. Unused by clients.
1127 1132
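Review bot: lines 1126 and 1128 name the options `--tlsv1.0` and `--tlsv1.1`, but the flags registered in node_options.cc and documented in cli.md and the man page are `--tls-v1.0` and `--tls-v1.1`; fix the names so readers can actually find the option, and consider linking them to the cli.md entries. Secondarily, continuation line 1126 (`'TLSv1_2_method'`, unless changed ...) appears to lack the two-space indent carried by the other continuation lines of this list item; worth checking that the markdown still renders as a single item.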
@@ -184,12 +184,12 @@ Specify an alternative default TLS cipher list.
184 184 Requires Node.js to be built with crypto support. (Default)
185 185 .
186 186 .It Fl -tls-v1.0
187 -Enable TLSv1.0. This should only be used for compatibility with old TLS
188 -clients or servers.
187 +Enable TLSv1.0 and greater in default secureProtocol. Use for compatibility
188 +with old TLS clients or servers.
189 189 .
190 190 .It Fl -tls-v1.1
191 -Enable TLSv1.1. This should only be used for compatibility with old TLS
192 -clients or servers.
191 +Enable TLSv1.1 and greater in default secureProtocol. Use for compatibility
192 +with old TLS clients or servers.
193 193 .
194 194 .It Fl -trace-deprecation
195 195 Print stack traces for deprecations.
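Review bot: lines 187-188 and 191-192 mention "default secureProtocol" without saying where that option lives, and unlike cli.md the man page cannot link it; spell it out, e.g. "in the default secureProtocol option of tls.createSecureContext()". The same point as for cli.md applies to the dropped "should only be used" caution: since the flag relaxes a process-wide default, the restrictive wording of the original lines is preferable.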
@@ -191,11 +191,11 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() {
191 191
192 192 #if HAVE_OPENSSL
193 193 AddOption("--tls-v1.0",
194 -"enable TLSv1.0",
194 +"enable TLSv1.0 and greater by default",
195 195 &EnvironmentOptions::tls_v1_0,
196 196 kAllowedInEnvironment);
197 197 AddOption("--tls-v1.1",
198 -"enable TLSv1.1",
198 +"enable TLSv1.1 and greater by default",
199 199 &EnvironmentOptions::tls_v1_1,
200 200 kAllowedInEnvironment);
201 201 #endif
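Review bot: the help strings at lines 194 and 198, "enable TLSv1.0 and greater by default", can be read as saying the option itself is on by default; reword to describe the effect, e.g. "allow TLSv1.0 and greater in the default secureProtocol" or "set the default TLS protocol to TLSv1.0 and greater", which also matches the wording chosen for cli.md and the man page in this change.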