Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

v11.15.0 proposal #27314

Merged
merged 15 commits into from
Apr 30, 2019
Merged

v11.15.0 proposal #27314

merged 15 commits into from
Apr 30, 2019

Commits on Apr 15, 2019

  1. tls: add code for ERR_TLS_INVALID_PROTOCOL_METHOD

    Add an error code property to invalid `secureProtocol` method
    exceptions.
    
    Backport-PR-URL: #26951
    PR-URL: #24729
    Reviewed-By: Joyee Cheung <[email protected]>
    Reviewed-By: James M Snell <[email protected]>
    sam-github authored and BethGriggs committed Apr 15, 2019
    Configuration menu
    Copy the full SHA
    00688b6 View commit details
    Browse the repository at this point in the history
  2. tls: revert change to invalid protocol error type

    In #24729, the error was changed to
    be a TypeError, which is the standard type for this kind of error.
    However, it was Error in 11.x and earlier, so revert that single aspect,
    so the backport can be semver-minor.
    
    PR-URL: #26951
    Reviewed-By: Rod Vagg <[email protected]>
    Reviewed-By: Beth Griggs <[email protected]>
    sam-github authored and BethGriggs committed Apr 15, 2019
    Configuration menu
    Copy the full SHA
    8e14859 View commit details
    Browse the repository at this point in the history
  3. src: add .code and SSL specific error properties

    SSL errors have a long structured message, but lacked the standard .code
    property which can be used for stable comparisons. Add a `code`
    property, as well as the 3 string components of an SSL error: `reason`,
    `library`, and `function`.
    
    Backport-PR-URL: #26951
    PR-URL: #25093
    Reviewed-By: James M Snell <[email protected]>
    Reviewed-By: Daniel Bevenius <[email protected]>
    sam-github authored and BethGriggs committed Apr 15, 2019
    Configuration menu
    Copy the full SHA
    8b5d350 View commit details
    Browse the repository at this point in the history
  4. deps: upgrade openssl sources to 1.1.1b

    This updates all sources in deps/openssl/openssl with openssl-1.1.1b.
    
    Backport-PR-URL: #26951
    PR-URL: #26327
    Reviewed-By: Gireesh Punathil <[email protected]>
    Reviewed-By: Michael Dawson <[email protected]>
    Reviewed-By: Ben Noordhuis <[email protected]>
    sam-github authored and BethGriggs committed Apr 15, 2019
    Configuration menu
    Copy the full SHA
    d8cc478 View commit details
    Browse the repository at this point in the history
  5. deps: add s390 asm rules for OpenSSL-1.1.1

    This is a floating patch against OpenSSL-1.1.1 to generate asm files
    with Makefile rules.
    
    Backport-PR-URL: #26951
    PR-URL: #26327
    Reviewed-By: Gireesh Punathil <[email protected]>
    Reviewed-By: Michael Dawson <[email protected]>
    Reviewed-By: Ben Noordhuis <[email protected]>
    
    Original:
    
    Fixes: #4270
    PR-URL: #19794
    Reviewed-By: James M Snell <[email protected]>
    Reviewed-By: Rod Vagg <[email protected]>
    Reviewed-By: Michael Dawson <[email protected]>
    shigeki authored and BethGriggs committed Apr 15, 2019
    Configuration menu
    Copy the full SHA
    1c98b72 View commit details
    Browse the repository at this point in the history
  6. deps: update archs files for OpenSSL-1.1.1b

    `cd deps/openssl/config; make` updates all archs dependant files.
    
    Backport-PR-URL: #26951
    PR-URL: #26327
    Reviewed-By: Gireesh Punathil <[email protected]>
    Reviewed-By: Michael Dawson <[email protected]>
    Reviewed-By: Ben Noordhuis <[email protected]>
    sam-github authored and BethGriggs committed Apr 15, 2019
    Configuration menu
    Copy the full SHA
    8db791d View commit details
    Browse the repository at this point in the history
  7. tls: support TLSv1.3

    This introduces TLS1.3 support and makes it the default max protocol,
    but also supports CLI/NODE_OPTIONS switches to disable it if necessary.
    
    TLS1.3 is a major update to the TLS protocol, with many security
    enhancements. It should be preferred over TLS1.2 whenever possible.
    
    TLS1.3 is different enough that even though the OpenSSL APIs are
    technically API/ABI compatible, that when TLS1.3 is negotiated, the
    timing of protocol records and of callbacks broke assumptions hard-coded
    into the 'tls' module.
    
    This change introduces no API incompatibilities when TLS1.2 is
    negotiated. It is the intention that it be backported to current and LTS
    release lines with the default maximum TLS protocol reset to 'TLSv1.2'.
    This will allow users of those lines to explicitly enable TLS1.3 if they
    want.
    
    API incompatibilities between TLS1.2 and TLS1.3 are:
    
    - Renegotiation is not supported by TLS1.3 protocol, attempts to call
    `.renegotiate()` will always fail.
    
    - Compiling against a system OpenSSL lower than 1.1.1 is no longer
    supported (OpenSSL-1.1.0 used to be supported with configure flags).
    
    - Variations of `conn.write('data'); conn.destroy()` have undefined
    behaviour according to the streams API. They may or may not send the
    'data', and may or may not cause a ERR_STREAM_DESTROYED error to be
    emitted. This has always been true, but conditions under which the write
    suceeds is slightly but observably different when TLS1.3 is negotiated
    vs when TLS1.2 or below is negotiated.
    
    - If TLS1.3 is negotiated, and a server calls `conn.end()` in its
    'secureConnection' listener without any data being written, the client
    will not receive session tickets (no 'session' events will be emitted,
    and `conn.getSession()` will never return a resumable session).
    
    - The return value of `conn.getSession()` API may not return a resumable
    session if called right after the handshake. The effect will be that
    clients using the legacy `getSession()` API will resume sessions if
    TLS1.2 is negotiated, but will do full handshakes if TLS1.3 is
    negotiated.  See #25831 for more
    information.
    
    Backport-PR-URL: #26951
    PR-URL: #26209
    Reviewed-By: Anna Henningsen <[email protected]>
    Reviewed-By: James M Snell <[email protected]>
    Reviewed-By: Rod Vagg <[email protected]>
    sam-github authored and BethGriggs committed Apr 15, 2019
    Configuration menu
    Copy the full SHA
    7393e37 View commit details
    Browse the repository at this point in the history
  8. tls: revert default max to TLSv1.2

    TLSv1.3 is still supported when explicitly configured, but it is not the
    default.
    
    PR-URL: #26951
    Reviewed-By: Rod Vagg <[email protected]>
    Reviewed-By: Beth Griggs <[email protected]>
    sam-github authored and BethGriggs committed Apr 15, 2019
    Configuration menu
    Copy the full SHA
    109c097 View commit details
    Browse the repository at this point in the history
  9. tls: add CHECK for impossible condition

    Backport-PR-URL: #26951
    PR-URL: #26843
    Reviewed-By: Sam Roberts <[email protected]>
    Reviewed-By: Colin Ihrig <[email protected]>
    Reviewed-By: Minwoo Jung <[email protected]>
    Reviewed-By: Ben Noordhuis <[email protected]>
    Reviewed-By: James M Snell <[email protected]>
    Reviewed-By: Tobias Nießen <[email protected]>
    Reviewed-By: Ruben Bridgewater <[email protected]>
    addaleax authored and BethGriggs committed Apr 15, 2019
    Configuration menu
    Copy the full SHA
    225417b View commit details
    Browse the repository at this point in the history
  10. tls: add debugging to native TLS code

    Backport-PR-URL: #26951
    PR-URL: #26843
    Reviewed-By: Sam Roberts <[email protected]>
    Reviewed-By: Colin Ihrig <[email protected]>
    Reviewed-By: Minwoo Jung <[email protected]>
    Reviewed-By: Ben Noordhuis <[email protected]>
    Reviewed-By: James M Snell <[email protected]>
    Reviewed-By: Tobias Nießen <[email protected]>
    Reviewed-By: Ruben Bridgewater <[email protected]>
    addaleax authored and BethGriggs committed Apr 15, 2019
    Configuration menu
    Copy the full SHA
    d2666e6 View commit details
    Browse the repository at this point in the history
  11. doc: describe tls.DEFAULT_MIN_VERSION/_MAX_VERSION

    Backport-PR-URL: #26951
    PR-URL: #26821
    Reviewed-By: Ben Noordhuis <[email protected]>
    Reviewed-By: James M Snell <[email protected]>
    Reviewed-By: Colin Ihrig <[email protected]>
    Reviewed-By: Ruben Bridgewater <[email protected]>
    sam-github authored and BethGriggs committed Apr 15, 2019
    Configuration menu
    Copy the full SHA
    fa6f0f1 View commit details
    Browse the repository at this point in the history
  12. tls: supported shared openssl 1.1.0

    PR-URL: #26951
    Reviewed-By: Rod Vagg <[email protected]>
    Reviewed-By: Beth Griggs <[email protected]>
    sam-github authored and BethGriggs committed Apr 15, 2019
    Configuration menu
    Copy the full SHA
    7aeca27 View commit details
    Browse the repository at this point in the history
  13. tls: add --tls-min-v1.2 CLI switch

    For 11.x, the default minimum is TLSv1, so it needs a CLI switch to
    change the default to the more secure minimum of TLSv1.2.
    
    PR-URL: #26951
    Reviewed-By: Rod Vagg <[email protected]>
    Reviewed-By: Beth Griggs <[email protected]>
    sam-github authored and BethGriggs committed Apr 15, 2019
    Configuration menu
    Copy the full SHA
    bf2c283 View commit details
    Browse the repository at this point in the history

Commits on Apr 29, 2019

  1. deps: V8: backport 61f4c22

    The differences to the original patch are the replacement of
    `i::IsIdentifier...()` with `unicode_cache_.IsIdentifier...()`,
    because the former is not available on Node.js v11.x, as well
    as the omitted `no_gc` argument for `GetFlatContent()`.
    
    Original commit message:
    
        Assume flat string when checking CompileFunctionInContext arguments.
    
        [email protected]
    
        Change-Id: I54c6137a3c6e14d4102188f154aa7216e7414dbc
        Reviewed-on: https://chromium-review.googlesource.com/c/1388533
        Reviewed-by: Jakob Kummerow <[email protected]>
        Commit-Queue: Yang Guo <[email protected]>
        Cr-Commit-Position: refs/heads/master@{#58562}
    
    Refs: v8/v8@61f4c22
    Fixes: #27256
    
    PR-URL: #27259
    Reviewed-By: Colin Ihrig <[email protected]>
    Reviewed-By: Joyee Cheung <[email protected]>
    Reviewed-By: Shelley Vohr <[email protected]>
    addaleax authored and codebytere committed Apr 29, 2019
    Configuration menu
    Copy the full SHA
    7da23dc View commit details
    Browse the repository at this point in the history

Commits on Apr 30, 2019

  1. 2019-04-30, Version 11.15.0 (Current)

    Notable changes:
    
    * deps: add s390 asm rules for OpenSSL-1.1.1 (Shigeki Ohtsu) [#19794](#19794)
    * src: add .code and SSL specific error properties (Sam Roberts) [#25093](#25093)
    * tls:
      * add --tls-min-v1.2 CLI switch (Sam Roberts) [#26951](#26951)
      * supported shared openssl 1.1.0 (Sam Roberts) [#26951](#26951)
      * revert default max toTLSv1.2 (Sam Roberts) [#26951](#26951)
      * revert change to invalid protocol error type (Sam Roberts) [#26951](#26951)
      * support TLSv1.3 (Sam Roberts) [#26209](#26209)
      * add code for ERR\_TLS\_INVALID\_PROTOCOL\_METHOD (Sam Roberts) [#24729](#24729)
    
    PR-URL: #27314
    codebytere committed Apr 30, 2019
    Configuration menu
    Copy the full SHA
    e65a904 View commit details
    Browse the repository at this point in the history