Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

tls: support automatic DHE #46978

Merged
merged 1 commit into from
Mar 12, 2023

Conversation

tniessen
Copy link
Member

@tniessen tniessen commented Mar 6, 2023

Node.js has so far only supported user-defined DHE parameters and even recommended generating custom parameters. This change lets users set the dhparam option to 'auto' instead, in which case DHE parameters of sufficient strength are selected automatically (from a small set of well-known parameters). This has been recommended by OpenSSL for quite a while, and it makes it much easier for Node.js TLS servers to properly support DHE-based perfect forward secrecy.

This also updates the documentation to prioritize ECDHE over DHE, mostly because the former tends to be more efficient and is enabled by default.

@tniessen tniessen added tls Issues and PRs related to the tls subsystem. semver-minor PRs that contain new features and should be released in the next minor version. notable-change PRs with changes that should be highlighted in changelogs. needs-ci PRs that need a full CI run. labels Mar 6, 2023
@nodejs-github-bot nodejs-github-bot added c++ Issues and PRs that require attention from people who are familiar with C++. crypto Issues and PRs related to the crypto subsystem. labels Mar 6, 2023
@tniessen tniessen removed the crypto Issues and PRs related to the crypto subsystem. label Mar 6, 2023
doc/api/tls.md Outdated Show resolved Hide resolved
src/crypto/crypto_context.cc Outdated Show resolved Hide resolved
@lpinca lpinca added the request-ci Add this label to start a Jenkins CI on a PR. label Mar 6, 2023
@tniessen tniessen force-pushed the tls-support-dhe-auto branch from 078c0ec to 9d5abb6 Compare March 6, 2023 20:40
@tniessen tniessen added the author ready PRs that have at least one approval, no pending requests for changes, and a CI started. label Mar 6, 2023
@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Mar 6, 2023
@tniessen

This comment was marked as outdated.

src/crypto/crypto_context.cc Outdated Show resolved Hide resolved
Node.js has so far only supported user-defined DHE parameters and even
recommended generating custom parameters. This change lets users set the
dhparam option to 'auto' instead, in which case DHE parameters of
sufficient strength are selected automatically (from a small set of
well-known parameters). This has been recommended by OpenSSL for quite a
while, and it makes it much easier for Node.js TLS servers to properly
support DHE-based perfect forward secrecy.

This also updates the documentation to prioritize ECDHE over DHE, mostly
because the former tends to be more efficient and is enabled by default.
@tniessen tniessen force-pushed the tls-support-dhe-auto branch from 9d5abb6 to ee0f667 Compare March 8, 2023 19:55
@tniessen tniessen added the request-ci Add this label to start a Jenkins CI on a PR. label Mar 8, 2023
@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Mar 8, 2023
@nodejs-github-bot
Copy link
Collaborator

@tniessen
Copy link
Member Author

This needs to be re-approved due to #46978 (comment).

@tniessen tniessen added the commit-queue Add this label to land a pull request using GitHub Actions. label Mar 12, 2023
@nodejs-github-bot nodejs-github-bot removed the commit-queue Add this label to land a pull request using GitHub Actions. label Mar 12, 2023
@nodejs-github-bot nodejs-github-bot merged commit 2660a32 into nodejs:main Mar 12, 2023
@nodejs-github-bot
Copy link
Collaborator

Landed in 2660a32

@tniessen
Copy link
Member Author

Thank you @lpinca :)

targos pushed a commit that referenced this pull request Mar 13, 2023
Node.js has so far only supported user-defined DHE parameters and even
recommended generating custom parameters. This change lets users set the
dhparam option to 'auto' instead, in which case DHE parameters of
sufficient strength are selected automatically (from a small set of
well-known parameters). This has been recommended by OpenSSL for quite a
while, and it makes it much easier for Node.js TLS servers to properly
support DHE-based perfect forward secrecy.

This also updates the documentation to prioritize ECDHE over DHE, mostly
because the former tends to be more efficient and is enabled by default.

PR-URL: #46978
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
targos pushed a commit that referenced this pull request Mar 14, 2023
Node.js has so far only supported user-defined DHE parameters and even
recommended generating custom parameters. This change lets users set the
dhparam option to 'auto' instead, in which case DHE parameters of
sufficient strength are selected automatically (from a small set of
well-known parameters). This has been recommended by OpenSSL for quite a
while, and it makes it much easier for Node.js TLS servers to properly
support DHE-based perfect forward secrecy.

This also updates the documentation to prioritize ECDHE over DHE, mostly
because the former tends to be more efficient and is enabled by default.

PR-URL: #46978
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
targos added a commit that referenced this pull request Mar 14, 2023
Notable changes:

buffer:
  * (SEMVER-MINOR) add Buffer.copyBytesFrom(...) (James M Snell) #46500
doc:
  * add marco-ippolito to collaborators (Marco Ippolito) #46816
events:
  * (SEMVER-MINOR) add listener argument to listenerCount (Paolo Insogna) #46523
lib:
  * (SEMVER-MINOR) add AsyncLocalStorage.bind() and .snapshot() (flakey5) #46387
src:
  * (SEMVER-MINOR) add `fs.openAsBlob` to support File-backed Blobs (James M Snell) #45258
tls:
  * (SEMVER-MINOR) support automatic DHE (Tobias Nießen) #46978
url:
  * (SEMVER-MINOR) implement URLSearchParams size getter (James M Snell) #46308
wasi:
  * (SEMVER-MINOR) add support for version when creating WASI (Michael Dawson) #46469
worker:
  * (SEMVER-MINOR) add support for worker name in inspector and trace_events (Debadree Chatterjee) #46832

PR-URL: #47086
targos added a commit that referenced this pull request Mar 14, 2023
Notable changes:

buffer:
  * (SEMVER-MINOR) add Buffer.copyBytesFrom(...) (James M Snell) #46500
doc:
  * add marco-ippolito to collaborators (Marco Ippolito) #46816
events:
  * (SEMVER-MINOR) add listener argument to listenerCount (Paolo Insogna) #46523
lib:
  * (SEMVER-MINOR) add AsyncLocalStorage.bind() and .snapshot() (flakey5) #46387
src:
  * (SEMVER-MINOR) add `fs.openAsBlob` to support File-backed Blobs (James M Snell) #45258
tls:
  * (SEMVER-MINOR) support automatic DHE (Tobias Nießen) #46978
url:
  * (SEMVER-MINOR) implement URLSearchParams size getter (James M Snell) #46308
wasi:
  * (SEMVER-MINOR) add support for version when creating WASI (Michael Dawson) #46469
worker:
  * (SEMVER-MINOR) add support for worker name in inspector and trace_events (Debadree Chatterjee) #46832

PR-URL: #47087
targos added a commit that referenced this pull request Mar 14, 2023
Notable changes:

buffer:
  * (SEMVER-MINOR) add Buffer.copyBytesFrom(...) (James M Snell) #46500
doc:
  * add marco-ippolito to collaborators (Marco Ippolito) #46816
events:
  * (SEMVER-MINOR) add listener argument to listenerCount (Paolo Insogna) #46523
lib:
  * (SEMVER-MINOR) add AsyncLocalStorage.bind() and .snapshot() (flakey5) #46387
src:
  * (SEMVER-MINOR) add `fs.openAsBlob` to support File-backed Blobs (James M Snell) #45258
tls:
  * (SEMVER-MINOR) support automatic DHE (Tobias Nießen) #46978
url:
  * (SEMVER-MINOR) implement URLSearchParams size getter (James M Snell) #46308
wasi:
  * (SEMVER-MINOR) add support for version when creating WASI (Michael Dawson) #46469
worker:
  * (SEMVER-MINOR) add support for worker name in inspector and trace_events (Debadree Chatterjee) #46832

PR-URL: #47087
targos added a commit that referenced this pull request Mar 14, 2023
Notable changes:

buffer:
  * (SEMVER-MINOR) add Buffer.copyBytesFrom(...) (James M Snell) #46500
doc:
  * add marco-ippolito to collaborators (Marco Ippolito) #46816
events:
  * (SEMVER-MINOR) add listener argument to listenerCount (Paolo Insogna) #46523
lib:
  * (SEMVER-MINOR) add AsyncLocalStorage.bind() and .snapshot() (flakey5) #46387
src:
  * (SEMVER-MINOR) add `fs.openAsBlob` to support File-backed Blobs (James M Snell) #45258
tls:
  * (SEMVER-MINOR) support automatic DHE (Tobias Nießen) #46978
url:
  * (SEMVER-MINOR) implement URLSearchParams size getter (James M Snell) #46308
wasi:
  * (SEMVER-MINOR) add support for version when creating WASI (Michael Dawson) #46469
worker:
  * (SEMVER-MINOR) add support for worker name in inspector and trace_events (Debadree Chatterjee) #46832

PR-URL: #47087
danielleadams pushed a commit that referenced this pull request Apr 11, 2023
Node.js has so far only supported user-defined DHE parameters and even
recommended generating custom parameters. This change lets users set the
dhparam option to 'auto' instead, in which case DHE parameters of
sufficient strength are selected automatically (from a small set of
well-known parameters). This has been recommended by OpenSSL for quite a
while, and it makes it much easier for Node.js TLS servers to properly
support DHE-based perfect forward secrecy.

This also updates the documentation to prioritize ECDHE over DHE, mostly
because the former tends to be more efficient and is enabled by default.

PR-URL: #46978
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
danielleadams added a commit that referenced this pull request Apr 11, 2023
Notable changes:

* buffer:
  * (SEMVER-MINOR) add Buffer.copyBytesFrom(...) (James M Snell) #46500
* doc:
  * add marco-ippolito to collaborators (Marco Ippolito) #46816
  * add debadree25 to collaborators (Debadree Chatterjee) #46716
  * add deokjinkim to collaborators (Deokjin Kim) #46444
* events:
  * (SEMVER-MINOR) add listener argument to listenerCount (Paolo Insogna) #46523
* lib:
  * (SEMVER-MINOR) add AsyncLocalStorage.bind() and .snapshot() (flakey5) #46387
  * (SEMVER-MINOR) add aborted() utility function (Debadree Chatterjee) #46494
* src:
  * (SEMVER-MINOR) allow optional Isolate termination in node::Stop() (Shelley Vohr) #46583
  * (SEMVER-MINOR) allow embedder control of code generation policy (Shelley Vohr) #46368
* stream:
  * (SEMVER-MINOR) add abort signal for ReadableStream and WritableStream (Debadree Chatterjee) #46273
* tls:
  * (SEMVER-MINOR) support automatic DHE (Tobias Nießen) #46978
* url:
  * (SEMVER-MINOR) implement URLSearchParams size getter (James M Snell) #46308
* worker:
  * (SEMVER-MINOR) add support for worker name in inspector and trace_events (Debadree Chatterjee) #46832

PR-URL: TBD
danielleadams added a commit that referenced this pull request Apr 11, 2023
Notable changes:

* buffer:
  * (SEMVER-MINOR) add Buffer.copyBytesFrom(...) (James M Snell) #46500
* doc:
  * add marco-ippolito to collaborators (Marco Ippolito) #46816
  * add debadree25 to collaborators (Debadree Chatterjee) #46716
  * add deokjinkim to collaborators (Deokjin Kim) #46444
* events:
  * (SEMVER-MINOR) add listener argument to listenerCount (Paolo Insogna) #46523
* lib:
  * (SEMVER-MINOR) add AsyncLocalStorage.bind() and .snapshot() (flakey5) #46387
  * (SEMVER-MINOR) add aborted() utility function (Debadree Chatterjee) #46494
* src:
  * (SEMVER-MINOR) allow optional Isolate termination in node::Stop() (Shelley Vohr) #46583
  * (SEMVER-MINOR) allow embedder control of code generation policy (Shelley Vohr) #46368
* stream:
  * (SEMVER-MINOR) add abort signal for ReadableStream and WritableStream (Debadree Chatterjee) #46273
* tls:
  * (SEMVER-MINOR) support automatic DHE (Tobias Nießen) #46978
* url:
  * (SEMVER-MINOR) implement URLSearchParams size getter (James M Snell) #46308
* worker:
  * (SEMVER-MINOR) add support for worker name in inspector and trace_events (Debadree Chatterjee) #46832

PR-URL: #47502
danielleadams added a commit that referenced this pull request Apr 11, 2023
Notable changes:

* buffer:
  * (SEMVER-MINOR) add Buffer.copyBytesFrom(...) (James M Snell) #46500
* doc:
  * add marco-ippolito to collaborators (Marco Ippolito) #46816
  * add debadree25 to collaborators (Debadree Chatterjee) #46716
  * add deokjinkim to collaborators (Deokjin Kim) #46444
* events:
  * (SEMVER-MINOR) add listener argument to listenerCount (Paolo Insogna) #46523
* lib:
  * (SEMVER-MINOR) add AsyncLocalStorage.bind() and .snapshot() (flakey5) #46387
  * (SEMVER-MINOR) add aborted() utility function (Debadree Chatterjee) #46494
* src:
  * (SEMVER-MINOR) allow optional Isolate termination in node::Stop() (Shelley Vohr) #46583
  * (SEMVER-MINOR) allow embedder control of code generation policy (Shelley Vohr) #46368
  * (SEMVER-MINOR) add initial support for single executable applications (Darshan Sen) #45038
* stream:
  * (SEMVER-MINOR) add abort signal for ReadableStream and WritableStream (Debadree Chatterjee) #46273
* tls:
  * (SEMVER-MINOR) support automatic DHE (Tobias Nießen) #46978
* url:
  * (SEMVER-MINOR) implement URLSearchParams size getter (James M Snell) #46308
* worker:
  * (SEMVER-MINOR) add support for worker name in inspector and trace_events (Debadree Chatterjee) #46832

PR-URL: #47502
danielleadams added a commit that referenced this pull request Apr 12, 2023
Notable changes:

Add initial support for single executable applications

Compile a JavaScript file into a single executable application:

```console
$ echo 'console.log(`Hello, ${process.argv[2]}!`);' > hello.js

$ cp $(command -v node) hello

$ npx postject hello NODE_JS_CODE hello.js \
    --sentinel-fuse NODE_JS_FUSE_fce680ab2cc467b6e072b8b5df1996b2

$ npx postject hello NODE_JS_CODE hello.js \
    --sentinel-fuse NODE_JS_FUSE_fce680ab2cc467b6e072b8b5df1996b2 \
    --macho-segment-name NODE_JS

$ ./hello world
Hello, world!
```

Contributed by Darshan Sen in #45038

Replace url parser with Ada

Node.js gets a new URL parser called Ada that is compliant with the WHATWG
URL Specification and provides more than 100% performance improvement to
the existing implementation.

Contributed by Yagiz Nizipli in #46410

Other notable changes:

* buffer:
  * (SEMVER-MINOR) add Buffer.copyBytesFrom(...) (James M Snell) #46500
* doc:
  * add marco-ippolito to collaborators (Marco Ippolito) #46816
  * add debadree25 to collaborators (Debadree Chatterjee) #46716
  * add deokjinkim to collaborators (Deokjin Kim) #46444
* events:
  * (SEMVER-MINOR) add listener argument to listenerCount (Paolo Insogna) #46523
* lib:
  * (SEMVER-MINOR) add AsyncLocalStorage.bind() and .snapshot() (flakey5) #46387
  * (SEMVER-MINOR) add aborted() utility function (Debadree Chatterjee) #46494
* src:
  * (SEMVER-MINOR) allow optional Isolate termination in node::Stop() (Shelley Vohr) #46583
  * (SEMVER-MINOR) allow embedder control of code generation policy (Shelley Vohr) #46368
* stream:
  * (SEMVER-MINOR) add abort signal for ReadableStream and WritableStream (Debadree Chatterjee) #46273
* tls:
  * (SEMVER-MINOR) support automatic DHE (Tobias Nießen) #46978
* url:
  * (SEMVER-MINOR) implement URLSearchParams size getter (James M Snell) #46308
* worker:
  * (SEMVER-MINOR) add support for worker name in inspector and trace_events (Debadree Chatterjee) #46832

PR-URL: #47502
danielleadams added a commit that referenced this pull request Apr 13, 2023
Notable changes:

Add initial support for single executable applications

Compile a JavaScript file into a single executable application:

```console
$ echo 'console.log(`Hello, ${process.argv[2]}!`);' > hello.js

$ cp $(command -v node) hello

$ npx postject hello NODE_JS_CODE hello.js \
    --sentinel-fuse NODE_JS_FUSE_fce680ab2cc467b6e072b8b5df1996b2

$ npx postject hello NODE_JS_CODE hello.js \
    --sentinel-fuse NODE_JS_FUSE_fce680ab2cc467b6e072b8b5df1996b2 \
    --macho-segment-name NODE_JS

$ ./hello world
Hello, world!
```

Contributed by Darshan Sen in #45038

Replace url parser with Ada

Node.js gets a new URL parser called Ada that is compliant with the WHATWG
URL Specification and provides more than 100% performance improvement to
the existing implementation.

Contributed by Yagiz Nizipli in #46410

Other notable changes:

* buffer:
  * (SEMVER-MINOR) add Buffer.copyBytesFrom(...) (James M Snell) #46500
* doc:
  * add marco-ippolito to collaborators (Marco Ippolito) #46816
  * add debadree25 to collaborators (Debadree Chatterjee) #46716
  * add deokjinkim to collaborators (Deokjin Kim) #46444
* events:
  * (SEMVER-MINOR) add listener argument to listenerCount (Paolo Insogna) #46523
* lib:
  * (SEMVER-MINOR) add AsyncLocalStorage.bind() and .snapshot() (flakey5) #46387
  * (SEMVER-MINOR) add aborted() utility function (Debadree Chatterjee) #46494
* src:
  * (SEMVER-MINOR) allow optional Isolate termination in node::Stop() (Shelley Vohr) #46583
  * (SEMVER-MINOR) allow embedder control of code generation policy (Shelley Vohr) #46368
* stream:
  * (SEMVER-MINOR) add abort signal for ReadableStream and WritableStream (Debadree Chatterjee) #46273
* tls:
  * (SEMVER-MINOR) support automatic DHE (Tobias Nießen) #46978
* url:
  * (SEMVER-MINOR) implement URLSearchParams size getter (James M Snell) #46308
* worker:
  * (SEMVER-MINOR) add support for worker name in inspector and trace_events (Debadree Chatterjee) #46832

PR-URL: #47502
codebytere added a commit to electron/electron that referenced this pull request Apr 15, 2023
codebytere added a commit to electron/electron that referenced this pull request Apr 16, 2023
codebytere added a commit to electron/electron that referenced this pull request Apr 17, 2023
codebytere added a commit to electron/electron that referenced this pull request Apr 18, 2023
* chore: bump node in DEPS to v18.16.0

* build,test: add proper support for IBM i

nodejs/node#46739

* lib: enforce use of trailing commas

nodejs/node#46881

* src: add initial support for single executable applications

nodejs/node#45038

* lib: do not crash using workers with disabled shared array buffers

nodejs/node#41023

* src: remove shadowed variable in OptionsParser::Parse

nodejs/node#46672

* src: allow embedder control of code generation policy

nodejs/node#46368

* src: allow optional Isolate termination in node::Stop()

nodejs/node#46583

* lib: fix BroadcastChannel initialization location

nodejs/node#46864

* chore: fixup patch indices

* chore: sync filenames.json

* fix: add simdutf dep to src/inspector BUILD.gn

- nodejs/node#46471
- nodejs/node#46472

* deps: replace url parser with Ada

nodejs/node#46410

* tls: support automatic DHE

nodejs/node#46978

* fixup! src: add initial support for single executable applications

* http: unify header treatment

nodejs/node#46528

* fix: libc++ buffer overflow in string_view ctor

nodejs/node#46410

* test: include strace openat test

nodejs/node#46150

* fixup! fixup! src: add initial support for single executable applications

---------

Co-authored-by: electron-roller[bot] <84116207+electron-roller[bot]@users.noreply.github.com>
Co-authored-by: Shelley Vohr <shelley.vohr@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
author ready PRs that have at least one approval, no pending requests for changes, and a CI started. c++ Issues and PRs that require attention from people who are familiar with C++. needs-ci PRs that need a full CI run. notable-change PRs with changes that should be highlighted in changelogs. semver-minor PRs that contain new features and should be released in the next minor version. tls Issues and PRs related to the tls subsystem.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants