deps: update openssl config by shigeki · Pull Request #5630 · nodejs/node

shigeki · 2016-03-09T16:56:52Z

Pull Request check-list

Does make -j8 test (UNIX) or vcbuild test nosign (Windows) pass with
this change (including linting)?
Is the commit message formatted according to [CONTRIBUTING.md][0]?
[CI tests] If this change fixes a bug (or a performance problem), is a regression
test (or a benchmark) included?
Is a documentation update included (if this change modifies
existing APIs, or introduces new ones)?

Affected core subsystem(s)

deps: openssl

Description of change

deps/openssl/config were not updated in the last upgrading. Two new defines of OPENSSL_NO_SSL2 and OPENSSL_NO_WEAK_SSL_CIPHERS are defined in opensslconf.h.

This disables several ciphers included in EXPORT and LOW. They are also disabled in the default cipher list but I think that applying this to LTS should be discussed in LTS issue. I will open it.

CI is running on https://ci.nodejs.org/job/node-test-commit/2502/ but something Jenkins error was on MacOS. I will try it again.

R: @bnoordhuis

OPENSSL_NO_SSL2 and OPENSSL_NO_WEAK_SSL_CIPHERS are defined in opensslconf.h

shigeki · 2016-03-09T16:58:27Z

New CI is https://ci.nodejs.org/job/node-test-pull-request/1890/

Fishrock123 · 2016-03-09T17:12:51Z

s/udpate/update/ :)

shigeki · 2016-03-09T17:15:53Z

@Fishrock123 Oops. Fixed typo. Thanks.

shigeki · 2016-03-10T02:12:42Z

CI in https://ci.nodejs.org/job/node-test-commit/2505/ is all green.

shigeki · 2016-03-10T02:18:07Z

Strictly speaking, this fix corresponds to semver-major. As discussed in LTS on nodejs/Release#85, I would like to apply this to 5.x.

jasnell · 2016-03-11T02:51:51Z

LGTM for master... Let's add it to the lts-agenda for Monday to discuss.

shigeki · 2016-03-15T11:49:55Z

@indutny Could you review this PR?

indutny · 2016-03-15T11:57:30Z

LGTM, if CI is green

shigeki · 2016-03-15T11:59:25Z

@indutny Thanks. CI was submitted in https://ci.nodejs.org/job/node-test-pull-request/1927/.

OPENSSL_NO_SSL2 and OPENSSL_NO_WEAK_SSL_CIPHERS are defined in opensslconf.h Fixes: nodejs/Release#85 PR-URL: #5630 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Fedor Indutny <[email protected]>

shigeki · 2016-03-15T12:33:12Z

CI is all green. Landed in 668fb17. Thanks.

jasnell · 2016-03-15T15:03:48Z

@shigeki ... This was backported to v0.12 and v0.10 in #5712 correct?

Also, removed the lts-agenda label on this since it was decided via the github conversation to go ahead and land this in the lts branches.

shigeki · 2016-03-15T15:13:40Z

@jasnell #5712 was the fix for openssl-1.0.1 and it has already landed to v0.12-staging and v0.10-staging branches. This PR is the fix for openssl-1.0.2 and it need to be backported from master to 5.x and 4.x. I would like you to take care of them.

jasnell · 2016-03-15T15:19:08Z

Sounds good! :-)

OPENSSL_NO_SSL2 and OPENSSL_NO_WEAK_SSL_CIPHERS are defined in opensslconf.h Fixes: nodejs/Release#85 PR-URL: #5630 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Fedor Indutny <[email protected]>

MylesBorins · 2016-03-17T19:19:04Z

@shigeki is this pressing enough to roll into the next v4 release asap or should it have a bit of time to live on v5 first?

shigeki · 2016-03-18T00:15:09Z

@thealphanerd This fix is a kind of regular procedures in upgrading openssl and has just a small risk. So it's already enough to roll to v4.x.

OPENSSL_NO_SSL2 and OPENSSL_NO_WEAK_SSL_CIPHERS are defined in opensslconf.h Fixes: nodejs/Release#85 PR-URL: #5630 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Fedor Indutny <[email protected]>

deps: update openssl config

ca8adf0

OPENSSL_NO_SSL2 and OPENSSL_NO_WEAK_SSL_CIPHERS are defined in opensslconf.h

Fishrock123 added the openssl Issues and PRs related to the OpenSSL dependency. label Mar 9, 2016

shigeki mentioned this pull request Mar 9, 2016

Disable EXPORT and LOW SSLv3+ ciphers by default for Argon, v0.12 and v0.10 nodejs/Release#85

Closed

shigeki force-pushed the update_openssl_config branch from a12afa6 to d76834d Compare March 9, 2016 17:14

shigeki changed the title ~~deps: udpate openssl config~~ deps: update openssl config Mar 9, 2016

shigeki force-pushed the update_openssl_config branch from d76834d to ca8adf0 Compare March 10, 2016 01:18

jasnell added lts-watch-v4.x labels Mar 11, 2016

shigeki closed this Mar 15, 2016

jasnell removed the lts-agenda label Mar 15, 2016

evanlucas mentioned this pull request Mar 15, 2016

v5.9.0 proposal #5702

Merged

MylesBorins added the land-on-v4.x label Mar 21, 2016

MylesBorins removed the lts-watch-v4.x label Mar 21, 2016

Uh oh!

Conversation

shigeki commented Mar 9, 2016

Pull Request check-list

Affected core subsystem(s)

Description of change

Uh oh!

shigeki commented Mar 9, 2016

Uh oh!

Fishrock123 commented Mar 9, 2016

Uh oh!

shigeki commented Mar 9, 2016

Uh oh!

shigeki commented Mar 10, 2016

Uh oh!

shigeki commented Mar 10, 2016

Uh oh!

jasnell commented Mar 11, 2016

Uh oh!

shigeki commented Mar 15, 2016

Uh oh!

indutny commented Mar 15, 2016

Uh oh!

shigeki commented Mar 15, 2016

Uh oh!

shigeki commented Mar 15, 2016

Uh oh!

jasnell commented Mar 15, 2016

Uh oh!

shigeki commented Mar 15, 2016

Uh oh!

jasnell commented Mar 15, 2016

Uh oh!

MylesBorins commented Mar 17, 2016

Uh oh!

shigeki commented Mar 18, 2016

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants