mirror of https://github.com/nodejs/node.git
tls: use SHA1 for sessionIdContext
FIPS 140-2 disallows use of MD5, which is used to derive the default sessionIdContext for tls.createServer(). PR-URL: https://github.com/nodejs/node/pull/3866 Reviewed-By: Fedor Indutny <fedor@indutny.com> Reviewed-By: James M Snell <jasnell@gmail.com>pull/3866/merge
parent
424ae5d4ac
commit
df268f97bc
doc/api
lib
|
@ -841,9 +841,9 @@ automatically set as a listener for the [secureConnection][] event. The
|
|||
NOTE: Automatically shared between `cluster` module workers.
|
||||
|
||||
- `sessionIdContext`: A string containing an opaque identifier for session
|
||||
resumption. If `requestCert` is `true`, the default is MD5 hash value
|
||||
generated from command-line. (In FIPS mode a truncated SHA1 hash is
|
||||
used instead.) Otherwise, the default is not provided.
|
||||
resumption. If `requestCert` is `true`, the default is a 128 bit
|
||||
truncated SHA1 hash value generated from command-line. Otherwise,
|
||||
the default is not provided.
|
||||
|
||||
- `secureProtocol`: The SSL method to use, e.g. `SSLv3_method` to force
|
||||
SSL version 3. The possible values depend on your installation of
|
||||
|
|
|
@ -14,21 +14,6 @@ const Timer = process.binding('timer_wrap').Timer;
|
|||
const tls_wrap = process.binding('tls_wrap');
|
||||
const TCP = process.binding('tcp_wrap').TCP;
|
||||
const Pipe = process.binding('pipe_wrap').Pipe;
|
||||
const defaultSessionIdContext = getDefaultSessionIdContext();
|
||||
|
||||
function getDefaultSessionIdContext() {
|
||||
var defaultText = process.argv.join(' ');
|
||||
/* SSL_MAX_SID_CTX_LENGTH is 128 bits */
|
||||
if (process.config.variables.openssl_fips) {
|
||||
return crypto.createHash('sha1')
|
||||
.update(defaultText)
|
||||
.digest('hex').slice(0, 32);
|
||||
} else {
|
||||
return crypto.createHash('md5')
|
||||
.update(defaultText)
|
||||
.digest('hex');
|
||||
}
|
||||
}
|
||||
|
||||
function onhandshakestart() {
|
||||
debug('onhandshakestart');
|
||||
|
@ -908,7 +893,10 @@ Server.prototype.setOptions = function(options) {
|
|||
if (options.sessionIdContext) {
|
||||
this.sessionIdContext = options.sessionIdContext;
|
||||
} else {
|
||||
this.sessionIdContext = defaultSessionIdContext;
|
||||
this.sessionIdContext = crypto.createHash('sha1')
|
||||
.update(process.argv.join(' '))
|
||||
.digest('hex')
|
||||
.slice(0, 32);
|
||||
}
|
||||
};
|
||||
|
||||
|
|
Loading…
Reference in New Issue