From 26a3cf058d737d25eec9926d2d4a20aa3e5e8e01 Mon Sep 17 00:00:00 2001 From: Daniel Bevenius Date: Wed, 3 Jun 2020 12:56:58 +0200 Subject: [PATCH] src,build: add --openssl-default-cipher-list This commit adds a configuration option named openssl-default-cipher-list which takes a colon separated string specifying ciphers that should be used as the default ciphers instead of the ones defined in node_constants. The motivation for this is a use case where Fedora/RHEL would like to be able to specify a default cipher in the format PROFILE=SYSTEM. This would enable Fedora/RHEL to have a system wide security level for all applications. PR-URL: https://github.com/nodejs/node/pull/33708 Refs: https://docs.fedoraproject.org/en-US/packaging-guidelines/CryptoPolicies/ Reviewed-By: David Carlier Reviewed-By: Ben Noordhuis Reviewed-By: James M Snell Reviewed-By: Richard Lau --- configure.py | 10 ++++++++ doc/api/tls.md | 55 +++++++++++++++++++++++--------------------- node.gyp | 6 +++++ src/node_constants.h | 6 ++++- 4 files changed, 50 insertions(+), 27 deletions(-) diff --git a/configure.py b/configure.py index 285dfb22504dfa..87d99f75be6573 100755 --- a/configure.py +++ b/configure.py @@ -170,6 +170,11 @@ "e.g. /root/x/y.js will be referenced via require('root/x/y'). " "Can be used multiple times") +parser.add_option('--openssl-default-cipher-list', + action='store', + dest='openssl_default_cipher_list', + help='Use the specified cipher list as the default cipher list') + parser.add_option("--openssl-no-asm", action="store_true", dest="openssl_no_asm", @@ -1302,6 +1307,8 @@ def without_ssl_error(option): without_ssl_error('--openssl-no-asm') if options.openssl_fips: without_ssl_error('--openssl-fips') + if options.openssl_default_cipher_list: + without_ssl_error('--openssl-default-cipher-list') return if options.use_openssl_ca_store: @@ -1311,6 +1318,9 @@ def without_ssl_error(option): variables['node_without_node_options'] = b(options.without_node_options) if options.without_node_options: o['defines'] += ['NODE_WITHOUT_NODE_OPTIONS'] + if options.openssl_default_cipher_list: + variables['openssl_default_cipher_list'] = \ + options.openssl_default_cipher_list if not options.shared_openssl and not options.openssl_no_asm: is_x86 = 'x64' in variables['target_arch'] or 'ia32' in variables['target_arch'] diff --git a/doc/api/tls.md b/doc/api/tls.md index e1af5530963947..cff642443a45de 100644 --- a/doc/api/tls.md +++ b/doc/api/tls.md @@ -269,33 +269,36 @@ Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256 ## Modifying the Default TLS Cipher suite -Node.js is built with a default suite of enabled and disabled TLS ciphers. -Currently, the default cipher suite is: +Node.js is built with a default suite of enabled and disabled TLS ciphers. This +default cipher list can be configured when building Node.js to allow +distributions to provide their own default list. -```text -TLS_AES_256_GCM_SHA384: -TLS_CHACHA20_POLY1305_SHA256: -TLS_AES_128_GCM_SHA256: -ECDHE-RSA-AES128-GCM-SHA256: -ECDHE-ECDSA-AES128-GCM-SHA256: -ECDHE-RSA-AES256-GCM-SHA384: -ECDHE-ECDSA-AES256-GCM-SHA384: -DHE-RSA-AES128-GCM-SHA256: -ECDHE-RSA-AES128-SHA256: -DHE-RSA-AES128-SHA256: -ECDHE-RSA-AES256-SHA384: -DHE-RSA-AES256-SHA384: -ECDHE-RSA-AES256-SHA256: -DHE-RSA-AES256-SHA256: -HIGH: -!aNULL: -!eNULL: -!EXPORT: -!DES: -!RC4: -!MD5: -!PSK: -!SRP: +The following command can be used to show the default cipher suite: +```console +node -p crypto.constants.defaultCoreCipherList | tr ':' '\n' +TLS_AES_256_GCM_SHA384 +TLS_CHACHA20_POLY1305_SHA256 +TLS_AES_128_GCM_SHA256 +ECDHE-RSA-AES128-GCM-SHA256 +ECDHE-ECDSA-AES128-GCM-SHA256 +ECDHE-RSA-AES256-GCM-SHA384 +ECDHE-ECDSA-AES256-GCM-SHA384 +DHE-RSA-AES128-GCM-SHA256 +ECDHE-RSA-AES128-SHA256 +DHE-RSA-AES128-SHA256 +ECDHE-RSA-AES256-SHA384 +DHE-RSA-AES256-SHA384 +ECDHE-RSA-AES256-SHA256 +DHE-RSA-AES256-SHA256 +HIGH +!aNULL +!eNULL +!EXPORT +!DES +!RC4 +!MD5 +!PSK +!SRP !CAMELLIA ``` diff --git a/node.gyp b/node.gyp index f870104f962364..fb5109694350e0 100644 --- a/node.gyp +++ b/node.gyp @@ -746,6 +746,7 @@ 'variables': { 'openssl_system_ca_path%': '', + 'openssl_default_cipher_list%': '', }, 'defines': [ @@ -762,6 +763,11 @@ 'msvs_disabled_warnings!': [4244], 'conditions': [ + [ 'openssl_default_cipher_list!=""', { + 'defines': [ + 'NODE_OPENSSL_DEFAULT_CIPHER_LIST="<(openssl_default_cipher_list)"' + ] + }], [ 'error_on_warn=="true"', { 'cflags': ['-Werror'], 'xcode_settings': { diff --git a/src/node_constants.h b/src/node_constants.h index af5aa002eb5795..d7de705fb8ec7e 100644 --- a/src/node_constants.h +++ b/src/node_constants.h @@ -41,6 +41,9 @@ #define RSA_PSS_SALTLEN_AUTO -2 #endif +#if defined(NODE_OPENSSL_DEFAULT_CIPHER_LIST) +#define DEFAULT_CIPHER_LIST_CORE NODE_OPENSSL_DEFAULT_CIPHER_LIST +#else // TLSv1.3 suites start with TLS_, and are the OpenSSL defaults, see: // https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_ciphersuites.html #define DEFAULT_CIPHER_LIST_CORE \ @@ -68,7 +71,8 @@ "!PSK:" \ "!SRP:" \ "!CAMELLIA" -#endif +#endif // NODE_OPENSSL_DEFAULT_CIPHER_LIST +#endif // HAVE_OPENSSL namespace node {