daohualiuxiang
/
node
mirror of https://github.com/nodejs/node.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

tls: use SHA1 for sessionIdContext 

FIPS 140-2 disallows use of MD5, which is used to derive the
default sessionIdContext for tls.createServer().

PR-URL: https://github.com/nodejs/node/pull/3866
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
pull/3866/merge
Stefan Budeanu 2015-11-09 18:19:11 -05:00 committed by Fedor Indutny
parent 424ae5d4ac
commit df268f97bc
2 changed files with 7 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
doc/api/tls.markdown
View File

@ -841,9 +841,9 @@ automatically set as a listener for the [secureConnection][] event. The
NOTE: Automatically shared between `cluster` module workers. NOTE: Automatically shared between `cluster` module workers.
- `sessionIdContext`: A string containing an opaque identifier for session - `sessionIdContext`: A string containing an opaque identifier for session
resumption. If `requestCert` is `true`, the default is MD5 hash value resumption. If `requestCert` is `true`, the default is a 128 bit
generated from command-line. (In FIPS mode a truncated SHA1 hash is truncated SHA1 hash value generated from command-line. Otherwise,
used instead.) Otherwise, the default is not provided. the default is not provided.
- `secureProtocol`: The SSL method to use, e.g. `SSLv3_method` to force - `secureProtocol`: The SSL method to use, e.g. `SSLv3_method` to force
SSL version 3. The possible values depend on your installation of SSL version 3. The possible values depend on your installation of

20
lib/_tls_wrap.js
View File

@ -14,21 +14,6 @@ const Timer = process.binding('timer_wrap').Timer;
const tls_wrap = process.binding('tls_wrap'); const tls_wrap = process.binding('tls_wrap');
const TCP = process.binding('tcp_wrap').TCP; const TCP = process.binding('tcp_wrap').TCP;
const Pipe = process.binding('pipe_wrap').Pipe; const Pipe = process.binding('pipe_wrap').Pipe;
const defaultSessionIdContext = getDefaultSessionIdContext();
function getDefaultSessionIdContext() {
var defaultText = process.argv.join(' ');
/* SSL_MAX_SID_CTX_LENGTH is 128 bits */
if (process.config.variables.openssl_fips) {
return crypto.createHash('sha1')
.update(defaultText)
.digest('hex').slice(0, 32);
} else {
return crypto.createHash('md5')
.update(defaultText)
.digest('hex');
}
}
function onhandshakestart() { function onhandshakestart() {
debug('onhandshakestart'); debug('onhandshakestart');
@ -908,7 +893,10 @@ Server.prototype.setOptions = function(options) {
if (options.sessionIdContext) { if (options.sessionIdContext) {
this.sessionIdContext = options.sessionIdContext; this.sessionIdContext = options.sessionIdContext;
} else { } else {
this.sessionIdContext = defaultSessionIdContext; this.sessionIdContext = crypto.createHash('sha1')
.update(process.argv.join(' '))
.digest('hex')
.slice(0, 32);
} }
}; };