- Oct 23, 2014
-
-
Julien Gilli authored
Add a test that goes through the whole matrix of:

- command line options (--enable-ssl*)
- secureOptions
- secureProtocols

and makes sure that compatible test setups actually work as expected.

The test works by spawning two processes for each test case: one client and one server. The test passes if an SSL/TLS connection from the client to the server is successful and the test case was supposed to pass, or if the connection couldn't be established and the test case was supposed to fail.

The test is currently located in the directory 'test/external' because it has external dependencies.
-
Timothy J Fontaine authored
Reuse the secureProtocol and secureOptions of the server when creating the secure context for incoming clients.
-
Timothy J Fontaine authored
Specifying honorCipherOrder should not change the SSLv2/SSLv3 defaults for a TLS server. Use secureOptions logic in both lib/tls.js and lib/crypto.js
-
- Oct 21, 2014
-
-
Timothy J Fontaine authored
* openssl: Update to 1.0.1j (Addressing multiple CVEs)
* uv: Update to v0.10.29
* child_process: properly support optional args (cjihrig)
* crypto: Disable autonegotiation for SSLv2/3 by default (Fedor Indutny, Timothy J Fontaine, Alexis Campailla)

  This is a behavior change, by default we will not allow the negotiation to SSLv2 or SSLv3. If you want this behavior, run Node.js with either `--enable-ssl2` or `--enable-ssl3` respectively.

  This does not change the behavior for users specifically requesting `SSLv2_method` or `SSLv3_method`. While this behavior is not advised, it is assumed you know what you're doing since you're specifically asking to use these methods.
-
- Oct 20, 2014
-
-
Timothy J Fontaine authored
-
Fedor Indutny authored
Force-enable SSLv2/v3 when `secureProtocol` is explicitly set to `SSLv2_method` or `SSLv3_method`. see discussion at #8551
-
- Oct 17, 2014
-
-
Timothy J Fontaine authored
-
Timothy J Fontaine authored
-
Timothy J Fontaine authored
-
- Oct 16, 2014
-
-
Alexis Campailla authored
Always set ssl2/ssl3 disabled based on whether they are enabled in Node. In some corner-case scenario, node with OPENSSL_NO_SSL3 defined could be linked to openssl that has SSL3 enabled.
-
Timothy J Fontaine authored
In the case of a pipe'd input, i.e. from the CI the fd will be a PIPE and when listen() is called it will return ENOTSOCK instead of EINVAL.

Backport: cd2d3aed
-
Timothy J Fontaine authored
The order of the callbacks is non-deterministic, so don't expect the error messages to come back in the same order every time, instead just verify they are expected messages.
-
Timothy J Fontaine authored
This change disables SSLv2/SSLv3 use by default, and introduces a command line flag to opt into using SSLv2/SSLv3. SSLv2 and SSLv3 are considered unsafe, and should only be used in situations where compatibility with other components is required and they cannot be upgraded to support newer forms of TLS.
-
- Oct 15, 2014
-
-
Timothy J Fontaine authored
-
Fedor Indutny authored
Because of constant-timeness change made in openssl-1.0.1j the error is no longer returned from EVP_DecryptFinal_ex. Now it just returns 0, and thus the error message does not contain proper error code. Adapt to this change, there is not much that we could do about it.
-
Fedor Indutny authored
-
Fedor Indutny authored
PR-URL: https://github.com/joyent/node/pull/8551
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
-
Fedor Indutny authored
PR-URL: https://github.com/joyent/node/pull/8551
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
-
Swaagie authored
PR-URL: https://github.com/joyent/node/pull/8553
Reviewed-By: Fedor Indutny <fedor@indutny.com>
-
- Oct 13, 2014
-
-
Matthew Fitzsimmons authored
-
Timothy J Fontaine authored
-
Timothy J Fontaine authored
-
- Sep 26, 2014
-
-
Fedor Indutny authored
Otherwise the warning could be printed on some systems. fix #8419
-
- Sep 23, 2014
-
-
Calvin Metcalf authored
Expands the paragraph in the transform stream implementation docs about the callback that is passed to the _transform method to include details about how two arguments may be passed, error and data. A code example is also included.

Reviewed-By: Fedor Indutny <fedor@indutny.com>
-
- Sep 17, 2014
-
-
Colin Ihrig authored
Currently, a TypeError is incorrectly thrown if the second argument is an object. This commit allows the args argument to be properly omitted.

Fixes: https://github.com/joyent/node/issues/6068
Reviewed-by: Trevor Norris <trev.norris@gmail.com>
-
- Sep 16, 2014
-
-
Timothy J Fontaine authored
-
Timothy J Fontaine authored
-
Timothy J Fontaine authored
* npm: Update to 1.4.28
* v8: fix a crash introduced by previous release (Fedor Indutny)
* configure: add --openssl-no-asm flag (Fedor Indutny)
* crypto: use domains for any callback-taking method (Chris Dickinson)
* http: do not send `0\r\n\r\n` in TE HEAD responses (Fedor Indutny)
* querystring: fix unescape override (Tristan Berger)
* url: Add support for RFC 3490 separators (Mathias Bynens)
-
Timothy J Fontaine authored
-
Fedor Indutny authored
When replying to a HEAD request, do not attempt to send the trailers and EOF sequence (`0\r\n\r\n`). The HEAD request MUST not have body.

Quote from RFC:

> The presence of a message body in a response depends on both the request method to which it is responding and the response status code (Section 3.1.2). Responses to the HEAD request method (Section 4.3.2 of [RFC7231]) never include a message body because the associated response header fields (e.g., Transfer-Encoding, Content-Length, etc.), if present, indicate only what their values would have been if the request method had been GET (Section 4.3.1 of [RFC7231]).

fix #8361
Reviewed-By: Timothy J Fontaine <tjfontaine@gmail.com>
-
Chris Dickinson authored
This adds domains coverage for pbkdf2, pseudoRandomBytes, and randomBytes. All others should be covered by event emitters.

Fixes #5801.
Reviewed-By: Timothy J Fontaine <tjfontaine@gmail.com>
-
- Sep 15, 2014
-
-
Maciej Małecki authored
Fixes #6424.
Reviewed-By: Fedor Indutny <fedor@indutny.com>
-
Mathias Schreck authored
The behavior of the `node_modules` lookup algorithm was changed in #1177, but the documentation was not updated completely to describe the new behavior. The pseudocode of the lookup algorithm did not mention that `index.json` is tried to be loaded if you require a folder.

Reviewed-By: Fedor Indutny <fedor@indutny.com>
-
- Sep 03, 2014
-
-
Fedor Indutny authored
see #8062
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
-
- Sep 02, 2014
-
-
Julien Gilli authored
PR #8034 came with a test to make sure that timers expiry is based on monotonic time and not on wall-clock time. However, a bug in the implementation broke timers with non-integer delays. A fix for this issue was provided with PR #8073, but it didn't come with a test.

Because #8073 fixed a subtle issue that could reappear in the future, and because the impact of such an issue would be significant, I suggest adding this test. The test would timeout after 1 minute if the issue was reproduced. Otherwise it will run very quickly.

Reviewed-By: Fedor Indutny <fedor@indutny.com>
-
- Aug 27, 2014
-
-
Mathias Bynens authored
There is no need to split the host by hand in `url.js` – Punycode.js takes care of it anyway. This not only simplifies the code, but also adds support for RFC 3490 separators (i.e. not just U+002E, but U+3002, U+FF0E, and U+FF61 as well).

Closes #6055.
Reviewed-By: Fedor Indutny <fedor@indutny.com>
-
Tristan Berger authored
Documentation states that `querystring.unescape` may be overridden to replace unescaper during parsing. However, the function was only being used as a fallback for when the native decoder throws (on a malformed URL). This patch moves the call to the native function and the try/catch around it into querystring.unescape then has the parser always invoke it, so that an override will always be used.

Fixes #4055
Reviewed-By: Fedor Indutny <fedor@indutny.com>
-
- Aug 26, 2014
-
-
Fedor Indutny authored
Should help addons use OpenSSL functions.

Reviewed-By: Fedor Indutny <fedor@indutny.com>
-
Fedor Indutny authored
fix #8062
-
- Aug 22, 2014
-
-
Fedor Indutny authored
fd80a31e has introduced a segfault during redundant boundary check elimination (#8208).

The problem consists of two parts:

1. Absence of instruction iterator in `EliminateRedundantBoundsChecks`. It was present in recent v8, but wasn't considered important at the time of backport. However, since the function is changing instructions order in block, it is important to not rely on `i->next()` at the end of the loop.
2. Too strict ASSERT in `MoveIndexIfNecessary`. It is essentially a backport of a45c96ab from v8's upstream. See https://github.com/v8/v8/commit/a45c96ab for details.

fix #8208
-