From d989e207177f29fe277a010a1d087230aec40a8e Mon Sep 17 00:00:00 2001 From: Sam Roberts Date: Thu, 7 Mar 2019 14:51:33 -0800 Subject: [PATCH] doc: describe tls.DEFAULT_MIN_VERSION/_MAX_VERSION PR-URL: https://github.com/nodejs/node/pull/26821 Reviewed-By: Ben Noordhuis Reviewed-By: James M Snell Reviewed-By: Colin Ihrig Reviewed-By: Ruben Bridgewater --- doc/api/cli.md | 22 ++++++++++++---------- doc/api/tls.md | 42 +++++++++++++++++++++++++++++++++--------- 2 files changed, 45 insertions(+), 19 deletions(-) diff --git a/doc/api/cli.md b/doc/api/cli.md index 75804e11521aee..4c5c8fb61853cf 100644 --- a/doc/api/cli.md +++ b/doc/api/cli.md 
@@ -448,38 +448,40 @@ with crypto support (default). added: REPLACEME --> -Set default [`maxVersion`][] to `'TLSv1.2'`. Use to disable support for TLSv1.3. +Set [`tls.DEFAULT_MAX_VERSION`][] to 'TLSv1.2'. Use to disable support for +TLSv1.3. ### `--tls-max-v1.3` -Set default [`maxVersion`][] to `'TLSv1.3'`. Use to enable support for TLSv1.3. +Set default [`tls.DEFAULT_MAX_VERSION`][] to 'TLSv1.3'. Use to enable support +for TLSv1.3. ### `--tls-min-v1.0` -Set default [`minVersion`][] to `'TLSv1'`. Use for compatibility with old TLS -clients or servers. +Set default [`tls.DEFAULT_MIN_VERSION`][] to 'TLSv1'. Use for compatibility with +old TLS clients or servers. ### `--tls-min-v1.1` -Set default [`minVersion`][] to `'TLSv1.1'`. Use for compatibility with old TLS -clients or servers. +Set default [`tls.DEFAULT_MIN_VERSION`][] to 'TLSv1.1'. Use for compatibility +with old TLS clients or servers. ### `--tls-min-v1.3` -Set default [`minVersion`][] to `'TLSv1.3'`. Use to disable support for TLSv1.2 -in favour of TLSv1.3, which is more secure. +Set default [`tls.DEFAULT_MIN_VERSION`][] to 'TLSv1.3'. Use to disable support +for TLSv1.2, which is not as secure as TLSv1.3. ### `--trace-deprecation` + +* {string} The default value of the `maxVersion` option of + [`tls.createSecureContext()`][]. It can be assigned any of the supported TLS + protocol versions, `TLSv1.3`, `TLSv1.2'`, `'TLSv1.1'`, or `'TLSv1'`. + **Default:** `'TLSv1.3'`, unless changed using CLI options. Using + `--tls-max-v1.2` sets the default to `'TLSv1.2`'. Using `--tls-max-v1.3` sets + the default to `'TLSv1.3'`. If multiple of the options are provided, the + highest maximum is used. + + +## tls.DEFAULT_MIN_VERSION + + +* {string} The default value of the `minVersion` option of + [`tls.createSecureContext()`][]. It can be assigned any of the supported TLS + protocol versions, `'TLSv1.3'`, `TLSv1.2'`, `'TLSv1.1'`, or `'TLSv1'`. + **Default:** `'TLSv1.2'`, unless changed using CLI options. 
Using + `--tls-min-v1.0` sets the default to `'TLSv1'`. Using `--tls-min-v1.1` sets + the default to `'TLSv1.1'`. Using `--tls-min-v1.3` sets the default to + `'TLSv1.3'`. If multiple of the options are provided, the lowest minimum is + used. + + ## Deprecated APIs ### Class: CryptoStream @@ -1664,6 +1686,8 @@ where `secureSocket` has the same API as `pair.cleartext`. [`server.setTicketKeys()`]: #tls_server_setticketkeys_keys [`socket.setTimeout(timeout)`]: #net_socket_settimeout_timeout_callback [`tls.DEFAULT_ECDH_CURVE`]: #tls_tls_default_ecdh_curve +[`tls.DEFAULT_MAX_VERSION`]: #tls_tls_default_max_version +[`tls.DEFAULT_MIN_VERSION`]: #tls_tls_default_min_version [`tls.Server`]: #tls_class_tls_server [`tls.TLSSocket.getPeerCertificate()`]: #tls_tlssocket_getpeercertificate_detailed [`tls.TLSSocket.getSession()`]: #tls_tlssocket_getsession
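Review bot: In the doc/api/cli.md hunk, every rewritten flag description loses the code formatting on the version string: the removed lines had the quoted value in backticks, while the added lines have bare 'TLSv1.2', 'TLSv1.3', 'TLSv1' and 'TLSv1.1'. Keep the backticks so the values render as literals, as they do in the tls.md section this patch adds. The wording is also inconsistent: the `--tls-max-v1.2` entry reads "Set [`tls.DEFAULT_MAX_VERSION`][] to" while the other four read "Set default [`tls.DEFAULT_MAX_VERSION`][] to". The constant is already the default, so "Set [`tls.DEFAULT_MIN_VERSION`][] to" (without "default") would be the clearer form for all five.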
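Review bot: In the doc/api/tls.md hunk that adds `tls.DEFAULT_MAX_VERSION` and `tls.DEFAULT_MIN_VERSION`, several version literals have mismatched quotes. In the DEFAULT_MAX_VERSION list the first value has no quotes inside the backticks (TLSv1.3) and the second has only a closing quote (TLSv1.2'), the `--tls-max-v1.2` sentence puts the closing quote after the backtick ('TLSv1.2 then backtick then '), and the DEFAULT_MIN_VERSION list repeats the TLSv1.2' form. Each should be written the same way as `'TLSv1.1'` and `'TLSv1'` on the same lines. Separately, "the lowest minimum is used" means a permissive flag overrides a strict one: `--tls-min-v1.0` given together with `--tls-min-v1.3` leaves the default at `'TLSv1'`. Consider stating that consequence explicitly here and under the `--tls-min-*` entries in cli.md, and saying when an assigned value takes effect, since "It can be assigned" does not say whether already-created secure contexts are affected.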