This release handles the recent POODLE vulnerability by disabling SSLv2/SSLv3 by default for the most predominate uses of TLS in Node.js.
It took longer than expected to get this release accomplished in a way that would provide appropriate default security settings, while minimizing the surface area for the behavior change we were introducing. It was also important that we validated that our changes were being applied in the variety of configurations we support in our APIs.
With this release, we are confident that the only behavior change is that of the default allowed protocols do not include SSLv2 or SSLv3. Though you are still able to programatically consume those protocols if necessary.
Included is the documentation that you can find at https://nodejs.org/api/tls.html#tls_protocol_support that describes how this works going forward for client and server implementations.
Node.js is compiled with SSLv2 and SSLv3 protocol support by default, but these
protocols are disabled. They are considered insecure and could be easily
compromised as was shown by CVE-2014-3566. However, in some situations, it
may cause problems with legacy clients/servers (such as Internet Explorer 6).
If you wish to enable SSLv2 or SSLv3, run node with the
--enable-ssl3 flag respectively. In future versions of Node.js SSLv2 and
SSLv3 will not be compiled in by default.
There is a way to force node into using SSLv3 or SSLv2 only mode by explicitly
The default protocol method Node.js uses is
SSLv23_method which would be more
AutoNegotiate_method. This method will try and negotiate
from the highest level down to whatever the client supports. To provide a
secure default, Node.js (since v0.10.33) explicitly disables the use of SSLv3
and SSLv2 by setting the
secureOptions to be
SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2 (again, unless you have passed
If you have set
securityOptions to anything, we will not override your
The ramifications of this behavior change:
SSLv3only will now not be able to appropriately negotiate a connection and will be refused. In this case your server will emit a
clientErrorevent. The error message will include
'wrong version number'.
errorevent. The error message will include
'wrong version number'.
2014.10.20, node.js Version 0.10.33 (Stable)
child_process: properly support optional args (cjihrig)
crypto: Disable autonegotiation for SSLv2/3 by default (Fedor Indutny, Timothy J Fontaine, Alexis Campailla)
This is a behavior change, by default we will not allow the negotiation to
SSLv2 or SSLv3. If you want this behavior, run Node.js with either
This does not change the behavior for users specifically requesting
SSLv3_method. While this behavior is not advised, it is
assumed you know what you're doing since you're specifically asking to use
2014.10.21, libuv Version 0.10.29 (Stable)
Relevant changes since version 0.10.28:
Please login to add feedback.