Comments (11)
nodejs/node#1831 was only applied to 5.0, so this affects all of 4.2.x, 0.12 and 0.10.
Correction. nodejs/node#1831 was client side:
- Server side is affected in 0.12 and 0.10 [EDIT: the TLS server of v0.10 does not support DHE]
- Client side is affected in 4.2.x, 0.12 and 0.10.
I think we have two options for LTS. Any idea?
- Limit DH key size with code but disabled by default and introduce a new command line option.
- Leave it.
Another option is to force it through as semver-minor or semver-patch, we did say that we may use that as an option.
In this case I think I'm in favour of just leaving it as is. In the majority of situations we should end up with secure enough defaults when negotiating with the majority of the clients that are in use right now (I think that's correct anyway).
@shigeki I think the earlier discussion was that it does not apply to 0.10.X because it did not support DHE, so it would only be 0.12.X and 4.X. Did I misunderstand?
As one data point, the IBM security teams believe we must make it secure by default, which includes this change on the server side. To make it secure by default it would need to be on by default, but with an option to turn it off.
@mhdawson I mistakenly thought that the TLS server of 0.10 was affected, but the TLS client of 0.10 can support DHE, as shown below. I fixed the list above. Thanks.
$ ./node ~/tls_client.js
process.version: v0.10.38
clearText.getCipher(): { name: 'DHE-RSA-AES128-SHA256', version: 'TLSv1/SSLv3' }
> As one data point the IBM security teams believe we must make it secure by default which includes this change on the server side.

I'm glad if we can make security-hardening changes to default behaviors even in LTS, and we must notify users that the new option will be deprecated in 5.x.
I think the client side was covered by updating the OpenSSL version, which we did for 0.10.X and 0.12.X; I don't think we need to do anything else for this on the client side.
So I think for LTS we only need to address the server side. The change is already in 4.X and 0.10.X is not affected, so that just leaves 0.12.X. I'll put together a PR to backport to 0.12.X with a command line option to revert.
From this https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/ the change on the client side in OpenSSL was to disallow DH parameters smaller than 768, so I believe it's appropriate to have the same limit on the server side for the 0.12.X release, as opposed to the 1024 used in later releases. (1024 is fine for later releases, but for 0.12.X we need to limit the potential impact to users. Given we match the same limit, and current clients don't accept anything smaller than 768, then unless all of the clients accessing an application are old, a key of 768 on the server side should already have been found/fixed.)
Created a PR to cover this for 0.12.X: nodejs/node#3890
@jasnell @shigeki can you both chime in on whether we can get this into an upcoming 0.12.X LTS release.
From what I understand, this would technically be a semver-major.
It prevents a security misconfiguration, and that is the only thing that it breaks. That should be enough reason for making it not a semver-major.
I believe this is done; I think it should be closed.