diff --git a/deps/openssl/config/opensslconf.h b/deps/openssl/config/opensslconf.h
index 508b1b2da71850..5e5765d5b3ff47 100644
--- a/deps/openssl/config/opensslconf.h
+++ b/deps/openssl/config/opensslconf.h
@@ -44,6 +44,9 @@
 # ifndef OPENSSL_NO_STORE
 # define OPENSSL_NO_STORE
 # endif
+# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+# define OPENSSL_NO_WEAK_SSL_CIPHERS
+# endif
 #endif /* OPENSSL_DOING_MAKEDEPEND */
 #ifndef OPENSSL_THREADS
@@ -112,6 +115,9 @@
 # if defined(OPENSSL_NO_MDC2) && !defined(NO_MDC2)
 # define NO_MDC2
 # endif
+# if defined(OPENSSL_NO_WEAK_SSL_CIPHERS) && !defined(NO_WEAK_SSL_CIPHERS)
+# define NO_WEAK_SSL_CIPHERS
+# endif
 #endif
 /* crypto/opensslconf.h.in */
diff --git a/test/simple/test-tls-honorcipherorder-secureOptions.js b/test/simple/test-tls-honorcipherorder-secureOptions.js
index e70cfb1ef4a43f..932ffe25b494a6 100644
--- a/test/simple/test-tls-honorcipherorder-secureOptions.js
+++ b/test/simple/test-tls-honorcipherorder-secureOptions.js
@@ -49,7 +49,7 @@ function test(honorCipherOrder, clientCipher, expectedCipher, secureOptions, cb)
 secureProtocol: SSL_Method,
 key: fs.readFileSync(common.fixturesDir + '/keys/agent2-key.pem'),
 cert: fs.readFileSync(common.fixturesDir + '/keys/agent2-cert.pem'),
- ciphers: 'AES256-SHA:RC4-SHA:DES-CBC-SHA',
+ ciphers: 'AES256-SHA:RC4-SHA:ECDHE-RSA-AES256-SHA',
 secureOptions: secureOptions,
 honorCipherOrder: !!honorCipherOrder
 };
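Review bot: The new server list on the `ciphers:` line of the `@@ -49,7` hunk in test-tls-honorcipherorder-secureOptions.js keeps RC4-SHA, and the later hunks lean on it harder: test1, test5 and test6 in `@@ -95,37` now expect RC4-SHA to be negotiated, and test-tls-honorcipherorder.js puts it first in the server list (`@@ -38,7`) and expects it in test2 (`@@ -75,31`). RC4 is itself prohibited for TLS by RFC 7465, so these tests will presumably need rewriting again the next time the bundled OpenSSL drops a cipher class. Replacing DES-CBC-SHA with a suite that is not deprecated, for example `ciphers: 'AES256-SHA:AES128-SHA:ECDHE-RSA-AES256-SHA',` with the client strings adjusted to match, would keep the ordering checks without pinning a weak cipher. The enclosing `test()` function starts and ends outside this hunk.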
@@ -95,37 +95,37 @@ test1();
 function test1() {
 // Client has the preference of cipher suites by default
- test(false, 'DES-CBC-SHA:RC4-SHA:AES256-SHA','DES-CBC-SHA', 0, test2);
+ test(false, 'RC4-SHA:AES256-SHA:ECDHE-RSA-AES256-SHA','RC4-SHA', 0, test2);
 }
 function test2() {
 // Server has the preference of cipher suites where AES256-SHA is in
 // the first.
- test(true, 'DES-CBC-SHA:RC4-SHA:AES256-SHA', 'AES256-SHA', 0, test3);
+ test(true, 'RC4-SHA:AES256-SHA:ECDHE-RSA-AES256-SHA', 'AES256-SHA', 0, test3);
 }
 function test3() {
- // Server has the preference of cipher suites. RC4-SHA is given
- // higher priority over DES-CBC-SHA among client cipher suites.
- test(true, 'DES-CBC-SHA:RC4-SHA', 'RC4-SHA', 0, test4);
+ // Server has the preference of cipher suites. AES256-SHA is given
+ // higher priority over RC4-SHA among client cipher suites.
+ test(true, 'RC4-SHA:AES256-SHA', 'AES256-SHA', 0, test4);
 }
 function test4() {
 // As client has only one cipher, server has no choice in regardless
 // of honorCipherOrder.
- test(true, 'DES-CBC-SHA', 'DES-CBC-SHA', 0, test5);
+ test(true, 'ECDHE-RSA-AES256-SHA', 'ECDHE-RSA-AES256-SHA', 0, test5);
 }
 function test5() {
 test(false,
- 'DES-CBC-SHA',
- 'DES-CBC-SHA',
+ 'RC4-SHA',
+ 'RC4-SHA',
 process.binding('constants').SSL_OP_SINGLE_DH_USE, test6);
 }
 function test6() {
 test(true,
- 'DES-CBC-SHA',
- 'DES-CBC-SHA',
+ 'RC4-SHA',
+ 'RC4-SHA',
 process.binding('constants').SSL_OP_SINGLE_DH_USE);
 }
diff --git a/test/simple/test-tls-honorcipherorder.js b/test/simple/test-tls-honorcipherorder.js
index 6b24d75146e20a..e0e1e70d380438 100644
--- a/test/simple/test-tls-honorcipherorder.js
+++ b/test/simple/test-tls-honorcipherorder.js
@@ -30,7 +30,7 @@ var SSL_Method = 'TLSv1_method';
 var localhost = '127.0.0.1';
 process.on('exit', function() {
- assert.equal(nconns, 6);
+ assert.equal(nconns, 5);
 });
 function test(honorCipherOrder, clientCipher, expectedCipher, cb) {
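Review bot: test5 and test6 in the `@@ -95,37` hunk of test-tls-honorcipherorder-secureOptions.js have no comment saying what they verify, unlike test1 to test4 above them. From the arguments they appear to check that passing a non-zero `secureOptions` does not disturb cipher selection with honorCipherOrder off and then on; a line such as `// A non-zero secureOptions must not change the negotiated cipher.` above each call would record that. Since the only offered suite, RC4-SHA, uses RSA key exchange, SSL_OP_SINGLE_DH_USE is presumably just a stand-in flag here, which is worth stating in the same comment.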
@@ -38,7 +38,7 @@ function test(honorCipherOrder, clientCipher, expectedCipher, cb) {
 secureProtocol: SSL_Method,
 key: fs.readFileSync(common.fixturesDir + '/keys/agent2-key.pem'),
 cert: fs.readFileSync(common.fixturesDir + '/keys/agent2-cert.pem'),
- ciphers: 'DES-CBC-SHA:AES256-SHA:RC4-SHA:ECDHE-RSA-AES256-SHA',
+ ciphers: 'RC4-SHA:AES256-SHA:ECDHE-RSA-AES256-SHA',
 honorCipherOrder: !!honorCipherOrder
 };
@@ -75,31 +75,24 @@ function test1() {
 }
 function test2() {
- // Server has the preference of cipher suites where DES-CBC-SHA is in
+ // Server has the preference of cipher suites where RC4-SHA is in
 // the first.
- test(true, 'AES256-SHA:DES-CBC-SHA:RC4-SHA', 'DES-CBC-SHA', test3);
+ test(true, 'AES256-SHA:RC4-SHA', 'RC4-SHA', test3);
 }
 function test3() {
- // Server has the preference of cipher suites. RC4-SHA is given
- // higher priority over DES-CBC-SHA among client cipher suites.
- test(true, 'RC4-SHA:AES256-SHA', 'AES256-SHA', test4);
+ // Server has the preference of cipher suites. AES256-SHA is given
+ // higher priority over ECDHE-RSA-AES256-SHA among client cipher suites.
+ test(true, 'ECDHE-RSA-AES256-SHA:AES256-SHA', 'AES256-SHA', test4);
 }
 function test4() {
 // As client has only one cipher, server has no choice in regardless
 // of honorCipherOrder.
- test(true, 'RC4-SHA', 'RC4-SHA', test5);
+ test(true, 'ECDHE-RSA-AES256-SHA', 'ECDHE-RSA-AES256-SHA', test5);
 }
 function test5() {
- // Client did not explicitly set ciphers. Ensure that client defaults to
- // sane ciphers. Even though server gives top priority to DES-CBC-SHA
- // it should not be negotiated because it's not in default client ciphers.
- test(true, null, 'AES256-SHA', test6);
-}
-
-function test6() {
 // Ensure that `tls.DEFAULT_CIPHERS` is used
 SSL_Method = 'TLSv1_2_method';
 tls.DEFAULT_CIPHERS = 'ECDHE-RSA-AES256-SHA';
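Review bot: Deleting the old test5 in the `@@ -75,31` hunk drops the only case visible here in which the client connects with no explicit cipher string against the built-in defaults (`test(true, null, 'AES256-SHA', test6)`); the surviving test5 overrides `tls.DEFAULT_CIPHERS` before it runs. That leaves no assertion that a default client refuses a weak suite the server ranks first, which is the property most worth keeping in a commit that disables weak ciphers. If the case went away only because DES-CBC-SHA can no longer be configured, consider keeping it with a server-preferred suite that the default client list excludes, if one is still available in this build, and restoring the `nconns` count to 6 in the `@@ -30,7` hunk. The new test3 comment is also easy to misread, because the client string lists ECDHE-RSA-AES256-SHA first; `// Server order wins: AES256-SHA outranks ECDHE-RSA-AES256-SHA although the client lists ECDHE first.` says it directly. test5's body continues past the end of the hunk.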