tls: Use SHA1 for sessionIdContext #3866

Closed
tls: Use SHA1 for sessionIdContext
FIPS 140-2 disallows use of MD5, which is used to derive the
default sessionIdContext for tls.createServer().
stefanmb committed Nov 16, 2015
commit 129cfe1b01eb4e9306dc25a109cb24d8a56ebb48
6 changes: 3 additions & 3 deletions doc/api/tls.markdown
Expand Up @@ -841,9 +841,9 @@ automatically set as a listener for the [secureConnection][] event. The
NOTE: Automatically shared between `cluster` module workers.

- `sessionIdContext`: A string containing an opaque identifier for session
resumption. If `requestCert` is `true`, the default is MD5 hash value
generated from command-line. (In FIPS mode a truncated SHA1 hash is
used instead.) Otherwise, the default is not provided.
resumption. If `requestCert` is `true`, the default is a 128 bit
truncated SHA1 hash value generated from command-line. Otherwise,
the default is not provided.

- `secureProtocol`: The SSL method to use, e.g. `SSLv3_method` to force
SSL version 3. The possible values depend on your installation of
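
Review bot: The new default in the `sessionIdContext` entry is described only as "a 128 bit truncated SHA1 hash value generated from command-line", which does not tell a reader what value to pass to reproduce it. The code in this commit takes the hex SHA1 digest of `process.argv.join(' ')` and keeps the first 32 hex characters, so wording such as "the first 128 bits (32 hex characters) of a SHA1 hash of the command line" would be more exact. It is also worth stating here that the default is now the same in FIPS and non-FIPS builds, since the removed text documented MD5 as the non-FIPS default and this entry changes that value.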
20 changes: 4 additions & 16 deletions lib/_tls_wrap.js
Expand Up @@ -14,21 +14,6 @@ const Timer = process.binding('timer_wrap').Timer;
const tls_wrap = process.binding('tls_wrap');
const TCP = process.binding('tcp_wrap').TCP;
const Pipe = process.binding('pipe_wrap').Pipe;
const defaultSessionIdContext = getDefaultSessionIdContext();

function getDefaultSessionIdContext() {
var defaultText = process.argv.join(' ');
/* SSL_MAX_SID_CTX_LENGTH is 128 bits */
if (process.config.variables.openssl_fips) {
return crypto.createHash('sha1')
.update(defaultText)
.digest('hex').slice(0, 32);
} else {
return crypto.createHash('md5')
.update(defaultText)
.digest('hex');
}
}

function onhandshakestart() {
debug('onhandshakestart');
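
Review bot: Deleting `getDefaultSessionIdContext()` also deletes the `/* SSL_MAX_SID_CTX_LENGTH is 128 bits */` comment, which was the only explanation of why the digest is cut with `.slice(0, 32)`. The inlined replacement in `Server.prototype.setOptions` keeps the slice without a comment, so the 32 becomes a magic number. Consider keeping the helper and its comment and removing only the `process.config.variables.openssl_fips` check and the MD5 branch, which would also make the diff smaller.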
Expand Down Expand Up @@ -908,7 +893,10 @@ Server.prototype.setOptions = function(options) {
if (options.sessionIdContext) {
this.sessionIdContext = options.sessionIdContext;
} else {
this.sessionIdContext = defaultSessionIdContext;
this.sessionIdContext = crypto.createHash('sha1')
.update(process.argv.join(' '))
.digest('hex')
.slice(0, 32);
}
};

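
Review bot: In the `else` branch the SHA1 hash is now computed on every `setOptions()` call that has no `options.sessionIdContext`, and it reads `process.argv` at call time, whereas the removed `defaultSessionIdContext` constant was computed once at module load. If `process.argv` is modified between two server creations, their default contexts would no longer match. Consider hoisting the expression back into a module-level constant and carrying over a comment that explains `.slice(0, 32)`.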