-
Notifications
You must be signed in to change notification settings - Fork 29.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
crypto,tls: remove SSLv2 support #5536
Conversation
@@ -1093,13 +1093,19 @@ | |||
'L_ENDIAN', | |||
'PURIFY', | |||
'_REENTRANT', | |||
|
|||
'OPENSSL_NO_SSL2', | |||
# Heartbeat is a TLS extension, that couldn't be turned off or | |||
# asked to be not advertised. Unfortunately this is unacceptable for | |||
# Microsoft's IIS, which seems to be ignoring whole ClientHello after | |||
# seeing this extension. | |||
'OPENSSL_NO_HEARTBEATS', |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why don't we enable this on v4+?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm up for that
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
maybe it's a 1.0.1 thing
lgtm pending CI, which I've asked for again: https://ci.nodejs.org/job/node-test-pull-request/1825/ @bnoordhuis there's a "CERTIFY_SAFE" checkbox (hoop) you have to jump through now to get it to go. |
Remove support for SSLv2 because of DROWN (CVE-2016-0800). Use of the `--enable-ssl2` flag is now an error; node will print an error message and exit. PR-URL: nodejs#5536 Reviewed-By: Rod Vagg <[email protected]>
00ff090
to
93ffe76
Compare
Remove support for SSLv2 because of DROWN (CVE-2016-0800). Use of the `--enable-ssl2` flag is now an error; node will print an error message and exit. PR-URL: #5536 Reviewed-By: Rod Vagg <[email protected]>
Remove support for SSLv2 because of DROWN (CVE-2016-0800). Use of the `--enable-ssl2` flag is now an error; node will print an error message and exit. PR-URL: nodejs/node#5536 Reviewed-By: Rod Vagg <[email protected]>
R=@rvagg and @indutny for the clienthello changes.
CI: https://ci.nodejs.org/job/node-test-pull-request/1822/