tls: make cipher list configurable

options.ciphers existed but didn't work, the cipher list was effectively
hard-coded to RC4-SHA:AES128-SHA:AES256-SHA.

Fixes #2066.

diff --git a/lib/tls.js b/lib/tls.js
index 21bb2af..8f83ecf 100644 (file)
--- a/lib/tls.js
+++ b/lib/tls.js
@@ -849,15 +849,13 @@ function Server(/* [options], listener */) {
     passphrase: self.passphrase,
     cert: self.cert,
     ca: self.ca,
-    ciphers: self.ciphers,
+    ciphers: self.ciphers || 'RC4-SHA:AES128-SHA:AES256-SHA',
     secureProtocol: self.secureProtocol,
     secureOptions: self.secureOptions,
     crl: self.crl,
     sessionIdContext: self.sessionIdContext
   });
 
-  sharedCreds.context.setCiphers('RC4-SHA:AES128-SHA:AES256-SHA');
-
   // constructor call
   net.Server.call(this, function(socket) {
     var creds = crypto.createCredentials(null, sharedCreds.context);
@@ -1017,7 +1015,6 @@ exports.connect = function(port /* host, options, cb */) {
   var socket = new net.Stream();
 
   var sslcontext = crypto.createCredentials(options);
-  //sslcontext.context.setCiphers('RC4-SHA:AES128-SHA:AES256-SHA');
 
   convertNPNProtocols(options.NPNProtocols, this);
   var pair = new SecurePair(sslcontext, false, true, false,

diff --git a/test/simple/test-tls-set-ciphers.js b/test/simple/test-tls-set-ciphers.js
new file mode 100644 (file)
index 0000000..ba5c868
--- /dev/null
+++ b/test/simple/test-tls-set-ciphers.js
@@ -0,0 +1,61 @@
+// Copyright Joyent, Inc. and other Node contributors.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a
+// copy of this software and associated documentation files (the
+// "Software"), to deal in the Software without restriction, including
+// without limitation the rights to use, copy, modify, merge, publish,
+// distribute, sublicense, and/or sell copies of the Software, and to permit
+// persons to whom the Software is furnished to do so, subject to the
+// following conditions:
+//
+// The above copyright notice and this permission notice shall be included
+// in all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+// OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
+// NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
+// DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
+// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
+// USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+var common = require('../common');
+var assert = require('assert');
+var exec = require('child_process').exec;
+var tls = require('tls');
+var fs = require('fs');
+
+if (process.platform === 'win32') {
+  console.log("Skipping test, you probably don't have openssl installed.");
+  process.exit();
+}
+
+var options = {
+  key: fs.readFileSync(common.fixturesDir + '/keys/agent2-key.pem'),
+  cert: fs.readFileSync(common.fixturesDir + '/keys/agent2-cert.pem'),
+  ciphers: 'NULL-MD5' // it's ultra-fast!
+};
+
+var reply = 'I AM THE WALRUS'; // something recognizable
+var nconns = 0;
+var response = '';
+
+process.on('exit', function() {
+  assert.equal(nconns, 1);
+  assert.notEqual(response.indexOf(reply), -1);
+});
+
+var server = tls.createServer(options, function(conn) {
+  conn.end(reply);
+  nconns++;
+});
+
+server.listen(common.PORT, '127.0.0.1', function() {
+  var cmd = 'openssl s_client -cipher NULL-MD5 -connect 127.0.0.1:' + common.PORT;
+
+  exec(cmd, function(err, stdout, stderr) {
+    if (err) throw err;
+    response = stdout;
+    server.close();
+  });
+});