Test: an SSLv3 client started with --enable-ssl3 (and secureProtocol 'SSLv3_method') connecting to a server process that was started without that command-line option and sets no explicit SSL protocol, only secureOptions: 0
var tls = require('tls');
var fs = require('fs');
var path = require('path');
var fork = require('child_process').fork;
var assert = require('assert');
var constants = require('constants');
var common = require('../common');
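// Regression test: a client that enables SSLv3 with --enable-ssl3 and asks
// for SSLv3_method must be able to negotiate SSLv3 with a server that sets
// no secureProtocol and passes secureOptions: 0. After the accompanying
// patch, 0 is an explicit "clear every SSL_OP_* flag on the context" (which
// drops SSL_OP_NO_SSLv3) instead of being discarded as a falsy value, so it
// must survive tls.js and crypto.js untouched.
//
// The process forks itself: the child (argv[2] === 'child') is the SSLv3
// client, the parent is the server.
if (process.argv[2] === 'child') {
  // --- child: SSLv3 client, started with --enable-ssl3 by the parent ---
  process.on('message', function(msg) {
    if (msg !== 'go') return;

    var con = tls.connect(common.PORT, {
      // The fixture certificate is self-signed; this test exercises the
      // negotiated protocol version, not certificate validation.
      rejectUnauthorized: false,
      secureProtocol: 'SSLv3_method'
    }, function() {
      assert.equal(con.getVersion(), 'SSLv3');
      con.end();
      process.send('done');
    });

    con.on('error', function(err) {
      // assert.ok(false, ...) throws, so nothing after it runs; the parent
      // watches the child's exit instead of waiting for a 'done' that never
      // comes.
      assert.ok(false,
                "Client using SSLv3_method and enabling SSLv3 with " +
                "--enable-ssl3 must be able to connect to any SSL " +
                "server but failed with error: " + err);
    });
  });
} else {
  // --- parent: server with no explicit protocol and secureOptions: 0 ---
  var keyPath = path.join(common.fixturesDir, 'agent.key');
  var certPath = path.join(common.fixturesDir, 'agent.crt');
  var key = fs.readFileSync(keyPath).toString();
  var cert = fs.readFileSync(certPath).toString();

  // fork() throws when it cannot spawn; it never returns a falsy value, so
  // there is nothing to branch on here.
  var child = fork(process.argv[1], ['child'], { execArgv: ['--enable-ssl3'] });

  var server = tls.Server({
    key: key,
    cert: cert,
    ca: [],
    // 0 is meaningful: it must reach SecureContext::SetOptions and clear
    // SSL_OP_NO_SSLv3. Do not "simplify" this to a truthiness default.
    secureOptions: 0
  });

  // Set once the child reports success; lets the exit handler distinguish
  // a child we killed ourselves from one that died with an assertion.
  var gotDone = false;

  server.listen(common.PORT, function() {
    child.on('message', function onChildMsg(msg) {
      if (msg === 'done') {
        gotDone = true;
        server.close();
        child.kill();
      }
    });
    child.send('go');
  });

  // If the child dies before reporting 'done' (its assert.equal or
  // assert.ok fired, or it crashed), fail loudly instead of leaving the
  // server listening forever and the test hanging.
  child.on('exit', function(code, signal) {
    if (!gotDone) {
      server.close();
      assert.ok(false,
                'child exited before reporting done (code=' + code +
                ', signal=' + signal + ')');
    }
  });
}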
diff --git a/lib/crypto.js b/lib/crypto.js
index d1c9eb5..c33cd6d 100644
--- a/lib/crypto.js
+++ b/lib/crypto.js
@@ -78,7 +78,9 @@ function Credentials(secureProtocol, flags, context) {
}
}
- if (flags) this.context.setOptions(flags);
+ if (flags != null) {
+ this.context.setOptions(flags);
+ }
}
exports.Credentials = Credentials;
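Review bot: With `flags != null` a caller's `0` now reaches `setOptions(0)`, which in this same patch's node_crypto.cc change clears every option on the context rather than being a no-op, so `secureOptions: 0` changes meaning from "nothing extra" to "reset all SSL_OP_* flags". That deserves a comment here so the next maintainer does not revert the test to truthiness: `// 0 is meaningful: setOptions(0) clears all SSL_OP_* flags on the context (see SecureContext::SetOptions).` The Credentials constructor starts above the hunk.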
diff --git a/lib/tls.js b/lib/tls.js
index 392f7ad..7e4bd9d 100644
--- a/lib/tls.js
+++ b/lib/tls.js
@@ -616,7 +616,7 @@ CryptoStream.prototype.isSessionReused = function() {
return null;
};
-CryptoStream.prototype.getCipher = function(err) {
+CryptoStream.prototype.getCipher = function() {
if (this.pair.ssl) {
return this.pair.ssl.getCurrentCipher();
} else {
@@ -624,6 +624,14 @@ CryptoStream.prototype.getCipher = function(err) {
}
};
+CryptoStream.prototype.getVersion = function() {
+ if (this.pair.ssl) {
+ return this.pair.ssl.getCurrentVersion();
+ } else {
+ return null;
+ }
+}
+
CryptoStream.prototype.end = function(chunk, encoding) {
if (this === this.pair.cleartext) {
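Review bot: The new `CryptoStream.prototype.getVersion` closes with a bare `}` while the neighbouring `getCipher` and the other prototype assignments in this file end with `};`; make it `};` for consistency and so the assignment does not rely on ASI. The accessor is also undocumented; a one-line header such as `// Protocol version negotiated by the underlying SSL object (e.g. 'SSLv3', as the gist's test asserts), or null when there is no SSL object.` would make the null branch's meaning explicit for callers.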
@@ -1239,11 +1247,10 @@ Server.prototype.setOptions = function(options) {
if (options.secureProtocol) this.secureProtocol = options.secureProtocol;
if (options.crl) this.crl = options.crl;
if (options.ciphers) this.ciphers = options.ciphers;
- var secureOptions = options.secureOptions || 0;
if (options.honorCipherOrder) {
secureOptions |= constants.SSL_OP_CIPHER_SERVER_PREFERENCE;
}
- if (secureOptions) this.secureOptions = secureOptions;
+ this.secureOptions = options.secureOptions;
if (options.NPNProtocols) convertNPNProtocols(options.NPNProtocols, this);
if (options.SNICallback) {
this.SNICallback = options.SNICallback;
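Review bot: Removing the `var secureOptions` declaration leaves `secureOptions |= constants.SSL_OP_CIPHER_SERVER_PREFERENCE` on the honorCipherOrder branch writing to an undeclared name — a ReferenceError in strict mode, an implicit global otherwise — and its result is never read, because the line below stores `options.secureOptions` unchanged, so `honorCipherOrder: true` no longer sets the server-preference flag on the context. The unconditional `this.secureOptions = options.secureOptions` also clobbers any previously set value with undefined when the option is absent. Keep `0` distinguishable from "unset" by testing for null rather than falsiness, and fold the cipher-order flag into the value that is actually stored. Server.prototype.setOptions continues past the hunk.
```javascript
  // 0 is a meaningful value ("clear every SSL_OP_* flag"), so test for
  // absence with != null rather than with truthiness.
  var secureOptions = options.secureOptions;
  if (options.honorCipherOrder) {
    secureOptions = (secureOptions || 0) | constants.SSL_OP_CIPHER_SERVER_PREFERENCE;
  }
  if (secureOptions != null) this.secureOptions = secureOptions;
  // … unchanged: NPNProtocols / SNICallback handling …
```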
diff --git a/src/node_crypto.cc b/src/node_crypto.cc
index fbcdf86..36e3ac2 100644
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -705,11 +705,15 @@ Handle<Value> SecureContext::SetOptions(const Arguments& args) {
SecureContext *sc = ObjectWrap::Unwrap<SecureContext>(args.Holder());
- if (args.Length() != 1 || !args[0]->IntegerValue()) {
+ if (args.Length() != 1 || !args[0]->IsInt32()) {
return ThrowException(Exception::TypeError(String::New("Bad parameter")));
}
- SSL_CTX_set_options(sc->ctx_, args[0]->IntegerValue());
+ if (args[0]->IntegerValue() == 0) {
+ SSL_CTX_clear_options(sc->ctx_, SSL_CTX_get_options(sc->ctx_));;
+ } else {
+ SSL_CTX_set_options(sc->ctx_, args[0]->IntegerValue());
+ }
return True();
}
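Review bot: Passing 0 now calls `SSL_CTX_clear_options(sc->ctx_, SSL_CTX_get_options(sc->ctx_))`, which wipes every option on the context, not only the protocol-version flags — including whatever SecureContext::Init or OpenSSL itself set by default (presumably SSL_OP_NO_SSLv2 and the bug-workaround bits; confirm against Init). A caller writing `secureOptions: 0` to mean "no extra options" therefore silently loses that hardening; if the intent is only to re-enable SSLv3, clearing a named mask such as `SSL_CTX_clear_options(sc->ctx_, SSL_OP_NO_SSLv3)` or exposing a separate clearOptions binding is safer, and either way the reset semantics should be stated in a comment above the branch. The tightened `!args[0]->IsInt32()` check also rejects any option value with bit 31 set — in OpenSSL 1.0.x `SSL_OP_ALL` is 0x80000BFF — which the previous `IntegerValue()` test accepted; `if (args.Length() != 1 || !(args[0]->IsInt32() || args[0]->IsUint32()))` keeps those working. Drop the doubled `;;` on the clear_options line; SetOptions's signature is above the hunk.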
@@ -1122,6 +1126,7 @@ void Connection::Initialize(Handle<Object> target) {
NODE_SET_PROTOTYPE_METHOD(t, "isInitFinished", Connection::IsInitFinished);
NODE_SET_PROTOTYPE_METHOD(t, "verifyError", Connection::VerifyError);
NODE_SET_PROTOTYPE_METHOD(t, "getCurrentCipher", Connection::GetCurrentCipher);
+ NODE_SET_PROTOTYPE_METHOD(t, "getCurrentVersion", Connection::GetCurrentVersion);
NODE_SET_PROTOTYPE_METHOD(t, "start", Connection::Start);
NODE_SET_PROTOTYPE_METHOD(t, "shutdown", Connection::Shutdown);
NODE_SET_PROTOTYPE_METHOD(t, "close", Connection::Close);
@@ -2043,6 +2048,14 @@ Handle<Value> Connection::GetCurrentCipher(const Arguments& args) {
return scope.Close(info);
}
+Handle<Value> Connection::GetCurrentVersion(const Arguments& args) {
+ HandleScope scope;
+
+ Connection *ss = Connection::Unwrap(args);
+ Local<String> version = String::New(SSL_get_version(ss->ssl_));
+ return scope.Close(version);
+}
+
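Review bot: `SSL_get_version(ss->ssl_)` is called without checking `ss->ssl_` for NULL, so calling getVersion() on a connection whose SSL object has already been freed (Connection::Close presumably nulls `ssl_`, and the sibling GetCurrentCipher appears to guard for this — confirm) dereferences a null pointer in native code, which no JS-level try/catch can contain. Add `if (ss->ssl_ == NULL) return Undefined();` before the `String::New` call, mirroring the neighbouring accessor, and a short header such as `// Protocol version negotiated on this connection ("SSLv3", "TLSv1", ...); undefined once the SSL object has been freed.`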
Handle<Value> Connection::Close(const Arguments& args) {
HandleScope scope;
diff --git a/src/node_crypto.h b/src/node_crypto.h
index 54b9b88..7467dc7 100644
--- a/src/node_crypto.h
+++ b/src/node_crypto.h
@@ -199,6 +199,7 @@ class Connection : ObjectWrap {
static v8::Handle<v8::Value> IsInitFinished(const v8::Arguments& args);
static v8::Handle<v8::Value> VerifyError(const v8::Arguments& args);
static v8::Handle<v8::Value> GetCurrentCipher(const v8::Arguments& args);
+ static v8::Handle<v8::Value> GetCurrentVersion(const v8::Arguments& args);
static v8::Handle<v8::Value> Shutdown(const v8::Arguments& args);
static v8::Handle<v8::Value> Start(const v8::Arguments& args);
static v8::Handle<v8::Value> Close(const v8::Arguments& args);