This repository has been archived by the owner on Apr 22, 2023. It is now read-only.

doc: additional clarification on legacy ciphers
per feedback from Julian and Michael Dawson, additional
clarifications in the documentation on the legacy ciphers
and the reversion of behavior when using the v0.10.38
cipher list.
jasnell committed Apr 22, 2015
1 parent b068eb6 commit c6e1a88
Showing 1 changed file with 17 additions and 8 deletions.
25 changes: 17 additions & 8 deletions doc/api/tls.markdown
Expand Up @@ -152,14 +152,6 @@ Currently, the values supported for the `enable-legacy-cipher-list` switch and

ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH

Note that the `--enable-legacy-cipher-list`, `NODE_LEGACY_CIPHER_LIST`,
`--cipher-list` and `NODE_CIPHER_LIST` options are mutually exclusive. Only one
should be used at a time. If multiple happen to be used, the
`NODE_LEGACY_CIPHER_LIST` environment variable will take precedence, followed
in order by the `NODE_CIPHER_LIST` environment variable, the
`--enable-legacy-cipher-list` command line option, and finally the
`--cipher-list` command line option.

These legacy cipher suites are also made available for use via the
`getLegacyCiphers()` method:

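Review bot: deleting the mutual-exclusion/precedence paragraph from directly under the v0.10.38 cipher string is acceptable only because the same text is reinstated under the new `### Cipher List Precedence` heading in the next hunk; what this spot now lacks is a pointer to that section, since a reader who copies `ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH` from here no longer sees the "only one option at a time" rule beside it. Suggest one line after the cipher string, e.g. "See *Cipher List Precedence* below for how this option interacts with `--cipher-list` and the environment variables."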
Expand All @@ -172,6 +164,23 @@ Reverting back to the defaults used by older releases can weaken the security
of your applications. The legacy cipher suites should only be used if absolutely
necessary.

NOTE: Due to an error in Node.js v0.10.38, the default cipher list only applied
to servers using TLS. The default cipher list would _not_ be used by clients.
This behavior has been changed in v0.10.39 and the default cipher list is now
used by both the server and client when using TLS. However, when using
`--enable-legacy-cipher-list=v0.10.38`, Node.js is reverted back to the
v0.10.38 behavior of only using the default cipher list on the server.

### Cipher List Precedence

Note that the `--enable-legacy-cipher-list`, `NODE_LEGACY_CIPHER_LIST`,
`--cipher-list` and `NODE_CIPHER_LIST` options are mutually exclusive. Only
_one_ should be used at a time. If multiple happen to be specified, the
`NODE_LEGACY_CIPHER_LIST` environment variable will take precedence, followed
in order by the `NODE_CIPHER_LIST` environment variable, the
`--enable-legacy-cipher-list` command line option, and finally the
`--cipher-list` command line option.

## tls.getCiphers()

Returns an array with the names of the supported SSL ciphers.
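Review bot: the new NOTE paragraph says that `--enable-legacy-cipher-list=v0.10.38` restores the v0.10.38 behavior of applying the default cipher list only on the server, but it never states which cipher list a TLS *client* uses in that mode; say so explicitly (presumably OpenSSL's built-in default, which should be confirmed before documenting) so readers understand that client connections are not constrained by Node's list when the legacy switch is set. In the same hunk, the stated precedence (`NODE_LEGACY_CIPHER_LIST`, then `NODE_CIPHER_LIST`, then the two command line options) means an environment variable silently overrides a flag passed explicitly on the command line; a sentence pointing this out would help, since an environment variable left in a deployment could re-enable the RC4-containing legacy list without anything in the process invocation showing it.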
