From 6db377b2f4c8264d608aee131726428fd86a77ea Mon Sep 17 00:00:00 2001 From: Shigeki Ohtsu Date: Thu, 3 Mar 2016 21:49:01 +0900 Subject: [PATCH] doc: remove SSLv2 descriptions Doc descriptions related to SSLv2 are no longer needed. Fixes: https://github.com/nodejs/node/pull/5529 PR-URL: https://github.com/nodejs/node/pull/5541 Reviewed-By: Ben Noordhuis --- doc/api/tls.markdown | 19 +++++++------------ doc/node.1 | 3 --- 2 files changed, 7 insertions(+), 15 deletions(-) diff --git a/doc/api/tls.markdown b/doc/api/tls.markdown index fbd97e88a650aa..576176238a8276 100644 --- a/doc/api/tls.markdown +++ b/doc/api/tls.markdown 
@@ -40,24 +40,22 @@ To create .pfx or .p12, do this: ## Protocol support -Node.js is compiled with SSLv2 and SSLv3 protocol support by default, but these +Node.js is compiled with SSLv3 protocol support by default, but these protocols are **disabled**. They are considered insecure and could be easily compromised as was shown by [CVE-2014-3566][]. However, in some situations, it may cause problems with legacy clients/servers (such as Internet Explorer 6). -If you wish to enable SSLv2 or SSLv3, run node with the `--enable-ssl2` or -`--enable-ssl3` flag respectively. In future versions of Node.js SSLv2 and -SSLv3 will not be compiled in by default. +If you wish to enable SSLv3, run node with the `--enable-ssl3` flag. In future +versions of Node.js SSLv3 will not be compiled in by default. -There is a way to force node into using SSLv3 or SSLv2 only mode by explicitly -specifying `secureProtocol` to `'SSLv3_method'` or `'SSLv2_method'`. +There is a way to force node into using SSLv3 only mode by explicitly +specifying `secureProtocol` to `'SSLv3_method'`. The default protocol method Node.js uses is `SSLv23_method` which would be more accurately named `AutoNegotiate_method`. This method will try and negotiate from the highest level down to whatever the client supports. To provide a secure default, Node.js (since v0.10.33) explicitly disables the use of SSLv3 -and SSLv2 by setting the `secureOptions` to be -`SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2` (again, unless you have passed -`--enable-ssl3`, or `--enable-ssl2`, or `SSLv3_method` as `secureProtocol`). +by setting the `secureOptions` to be `SSL_OP_NO_SSLv3` (again, unless you have +passed `--enable-ssl3`, or `SSLv3_method` as `secureProtocol`). If you have set `secureOptions` to anything, we will not override your options. 
@@ -172,9 +170,6 @@ automatically set as a listener for the [secureConnection][] event. The - `honorCipherOrder` : When choosing a cipher, use the server's preferences instead of the client preferences. - Note that if SSLv2 is used, the server will send its list of preferences - to the client, and the client chooses the cipher. - Although, this option is disabled by default, it is *recommended* that you use this option in conjunction with the `ciphers` option to mitigate BEAST attacks. diff --git a/doc/node.1 b/doc/node.1 index ab5fa73b27107d..ddeae7d71132ad 100644 --- a/doc/node.1 +++ b/doc/node.1 @@ -62,9 +62,6 @@ and servers. --max-stack-size=val set max v8 stack size (bytes) - --enable-ssl2 enable ssl2 in crypto, tls, and https - modules - --enable-ssl3 enable ssl3 in crypto, tls, and https modules
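Review bot: in the "Protocol support" hunk of doc/api/tls.markdown the first paragraph is now grammatically inconsistent after dropping SSLv2: the new line reads "Node.js is compiled with SSLv3 protocol support by default, but these" while the unchanged context continues "protocols are **disabled**. They are considered insecure". With only one protocol left, "these protocols are" and "They are" should become "this protocol is" and "It is", otherwise the paragraph still reads as if two protocols were listed. The rest of the hunk (the `--enable-ssl3` sentence, the `'SSLv3_method'` sentence and the `SSL_OP_NO_SSLv3` line) is internally consistent.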
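Review bot: the `honorCipherOrder` hunk removes the note "if SSLv2 is used, the server will send its list of preferences to the client, and the client chooses the cipher", which is the right deletion once SSLv2 is gone, since that was the only caveat describing a case where the option would not apply. Since the surrounding lines are being touched, the stray comma in the unchanged context "Although, this option is disabled by default" could be dropped in the same hunk ("Although this option is disabled by default") rather than left for a follow-up.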
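Review bot: the doc/node.1 hunk drops the `--enable-ssl2` man-page entry but this patch touches only documentation, so it assumes the flag itself was already removed from the option parser in the referenced change (Fixes: https://github.com/nodejs/node/pull/5529). Worth stating that dependency in the commit message ("SSLv2 support was removed in #5529") so that a reader of `git log` for the man page knows the flag no longer exists rather than merely being undocumented; the remaining `--enable-ssl3` entry is left intact and matches the tls.markdown text in the first hunk.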