-
-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(Server): set tls.DEFAULT_ECDH_CURVE
to 'auto'
#1531
Conversation
@nekolab on |
Codecov Report
@@ Coverage Diff @@
## master #1531 +/- ##
==========================================
+ Coverage 74.02% 74.02% +<.01%
==========================================
Files 10 10
Lines 666 670 +4
==========================================
+ Hits 493 496 +3
- Misses 173 174 +1
Continue to review full report at Codecov.
|
@evilebottnawi |
@nekolab thanks! |
tls.DEFAULT_ECDH_CURVE
to 'auto'
lib/Server.js
Outdated
// breaking connection when certificate is not signed with prime256v1 | ||
// change it to auto allows OpenSSL to select the curve automatically | ||
// See https://github.com/nodejs/node/issues/16196 for more infomation | ||
const verMatch = process.version.match(/^v(\d+).(\d+)/); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is the version check required here or could this be defaulted to 'auto'
in general? E.g was this being 'reverted' for node >= 10.0.0
for some reason? If so, why?
const verMatch = process.version.match(/^v(\d+).(\d+)/); | |
const version = process.version.match(/^v(\d+).(\d+)/); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
node
v9.0.0 is EOL
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just saw #1531 (comment) Hmm....
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@michael-ciniawsky node@8
also affected
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
const version = parseFloat(process.version.slice(1))
if (10 > version && version >= 8.6) {
...
}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@michael-ciniawsky node@10
is not affected
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for guiding, I've update the code and please take a look again.
There is another place using regex to match the version, I've changed it too
9926a44
to
81ec101
Compare
The default value of tls.DEFAULT_ECDH_CURVE is 'prime256v1', it breaks the connection when certificate is not compatible with the default curve since node 8.6.0. To fix this issue, we need set it to 'auto', makes OpenSSL select the curve automatically.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@nekolab Thx
The default value of tls.DEFAULT_ECDH_CURVE is 'prime256v1',
it breaks the connection when certificate is not compatible
with the default curve since node^8.6.0.
To fix this issue, we need set it to 'auto', makes OpenSSL
select the curve automatically.