crypto: allow forcing SSLv2/v3 via secureProtocol

Force-enable SSLv2/v3 when `secureProtocol` is explicitly set to `SSLv2_method` or `SSLv3_method`. see discussion at #8551
nodejs · Oct 20, 2014 · 1349b68 · 1349b68
1 parent 6c8593d
commit 1349b68
Show file tree

Hide file tree

Showing 7 changed files with 21 additions and 251 deletions.
diff --git a/doc/api/tls.markdown b/doc/api/tls.markdown
@@ -48,15 +48,19 @@ If you wish to enable SSLv2 or SSLv3, run node with the `--enable-ssl2` or
 `--enable-ssl3` flag respectively.  In future versions of Node.js SSLv2 and
 SSLv3 will not be compiled in by default.
 
-This means that without having one or both of those flags set on the command
-line, Node.js will **throw** if you explicitly set the `secureProtocol` to
-`SSLv3_method` or similar. However the default protocol method Node.js uses is
-`SSLv23_method` which would be more accurately named `AutoNegotiate_method`.
-This method will try and negotiate from the highest level down to whatever the
-client supports.  To provide a secure default, Node.js (since v0.10.33)
-explicitly disables the use of SSLv3 and SSLv2 by setting the `secureOptions`
-to be `SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2` (again, unless you have passed
-`--enable-ssl3` or `--enable-ssl2`).
+There is a way to force node into using SSLv3 or SSLv2 only mode by explicitly
+specifying `secureProtocol` to `'SSLv3_method'` or `'SSLv2_method'`.
+
+The default protocol method Node.js uses is `SSLv23_method` which would be more
+accurately named `AutoNegotiate_method`. This method will try and negotiate
+from the highest level down to whatever the client supports.  To provide a
+secure default, Node.js (since v0.10.33) explicitly disables the use of SSLv3
+and SSLv2 by setting the `secureOptions` to be
+`SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2` (again, unless you have passed
+`--enable-ssl3`, or `--enable-ssl2`, or `SSLv3_method` as `secureProtocol`).
+
+If you have set `securityOptions` to anything, we will not override your
+options.
 
 The ramifications of this behavior change:
 

diff --git a/lib/crypto.js b/lib/crypto.js
@@ -92,8 +92,14 @@ function Credentials(secureProtocol, flags, context) {
       CONTEXT_DEFAULT_OPTIONS |= constants.SSL_OP_NO_SSLv2;
   }
 
-  if (flags === undefined)
-    flags = CONTEXT_DEFAULT_OPTIONS;
+  if (flags === undefined) {
+    if (secureProtocol === undefined ||
+        secureProtocol === 'SSLv23_method' ||
+        secureProtocol === 'SSLv23_server_method' ||
+        secureProtocol === 'SSLv23_client_method') {
+      flags |= CONTEXT_DEFAULT_OPTIONS;
+    }
+  }
 
   this.context.setOptions(flags);
 }

diff --git a/src/node_crypto.cc b/src/node_crypto.cc
@@ -238,24 +238,6 @@ Handle<Value> SecureContext::New(const Arguments& args) {
 }
 
 
-bool MaybeThrowSSL3() {
-  if (!SSL3_ENABLE) {
-    ThrowException(Exception::Error(String::New("SSLv3 is considered unsafe, see node --help")));
-    return true;
-  } else {
-    return false;
-  }
-}
-
-bool MaybeThrowSSL2() {
-  if (!SSL2_ENABLE) {
-    ThrowException(Exception::Error(String::New("SSLv2 is considered unsafe, see node --help")));
-    return true;
-  } else {
-    return false;
-  }
-}
-
 Handle<Value> SecureContext::Init(const Arguments& args) {
   HandleScope scope;
 
@@ -268,42 +250,36 @@ Handle<Value> SecureContext::Init(const Arguments& args) {
 
     if (strcmp(*sslmethod, "SSLv2_method") == 0) {
 #ifndef OPENSSL_NO_SSL2
-      if (MaybeThrowSSL2()) return Undefined();
       method = SSLv2_method();
 #else
       return ThrowException(Exception::Error(String::New("SSLv2 methods disabled")));
 #endif
     } else if (strcmp(*sslmethod, "SSLv2_server_method") == 0) {
 #ifndef OPENSSL_NO_SSL2
-      if (MaybeThrowSSL2()) return Undefined();
       method = SSLv2_server_method();
 #else
       return ThrowException(Exception::Error(String::New("SSLv2 methods disabled")));
 #endif
     } else if (strcmp(*sslmethod, "SSLv2_client_method") == 0) {
 #ifndef OPENSSL_NO_SSL2
-      if (MaybeThrowSSL2()) return Undefined();
       method = SSLv2_client_method();
 #else
       return ThrowException(Exception::Error(String::New("SSLv2 methods disabled")));
 #endif
     } else if (strcmp(*sslmethod, "SSLv3_method") == 0) {
 #ifndef OPENSSL_NO_SSL3
-      if (MaybeThrowSSL3()) return Undefined();
       method = SSLv3_method();
 #else
       return ThrowException(Exception::Error(String::New("SSLv3 methods disabled")));
 #endif
     } else if (strcmp(*sslmethod, "SSLv3_server_method") == 0) {
 #ifndef OPENSSL_NO_SSL3
-      if (MaybeThrowSSL3()) return Undefined();
       method = SSLv3_server_method();
 #else
       return ThrowException(Exception::Error(String::New("SSLv3 methods disabled")));
 #endif
     } else if (strcmp(*sslmethod, "SSLv3_client_method") == 0) {
 #ifndef OPENSSL_NO_SSL3
-      if (MaybeThrowSSL3()) return Undefined();
       method = SSLv3_client_method();
 #else
       return ThrowException(Exception::Error(String::New("SSLv3 methods disabled")));

diff --git a/test/simple/test-tls-disable-ssl2.js b/test/simple/test-tls-disable-ssl2.js
diff --git a/test/simple/test-tls-disable-ssl3.js b/test/simple/test-tls-disable-ssl3.js
diff --git a/test/simple/test-tls-enable-ssl2.js b/test/simple/test-tls-enable-ssl2.js
diff --git a/test/simple/test-tls-enable-ssl3.js b/test/simple/test-tls-enable-ssl3.js