Commit fa6f0f1

sam-github authored and BethGriggs committed
doc: describe tls.DEFAULT_MIN_VERSION/_MAX_VERSION
Backport-PR-URL: #26951
PR-URL: #26821
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
1 parent d2666e6 commit fa6f0f1

2 files changed: +43 -19 lines changed

doc/api/cli.md

+12-10
@@ -448,38 +448,40 @@ with crypto support (default).
448448
added: REPLACEME
449449
-->
450450

451-
Set default [`maxVersion`][] to `'TLSv1.2'`. Use to disable support for TLSv1.3.
451+
Set [`tls.DEFAULT_MAX_VERSION`][] to 'TLSv1.2'. Use to disable support for
452+
TLSv1.3.
452453

453454
### `--tls-max-v1.3`
454455
<!-- YAML
455456
added: REPLACEME
456457
-->
457458

458-
Set default [`maxVersion`][] to `'TLSv1.3'`. Use to enable support for TLSv1.3.
459+
Set default [`tls.DEFAULT_MAX_VERSION`][] to 'TLSv1.3'. Use to enable support
460+
for TLSv1.3.
459461

460462
### `--tls-min-v1.0`
461463
<!-- YAML
462464
added: REPLACEME
463465
-->
464466

465-
Set default [`minVersion`][] to `'TLSv1'`. Use for compatibility with old TLS
466-
clients or servers.
467+
Set default [`tls.DEFAULT_MIN_VERSION`][] to 'TLSv1'. Use for compatibility with
468+
old TLS clients or servers.
467469

468470
### `--tls-min-v1.1`
469471
<!-- YAML
470472
added: REPLACEME
471473
-->
472474

473-
Set default [`minVersion`][] to `'TLSv1.1'`. Use for compatibility with old TLS
474-
clients or servers.
475+
Set default [`tls.DEFAULT_MIN_VERSION`][] to 'TLSv1.1'. Use for compatibility
476+
with old TLS clients or servers.
475477

476478
### `--tls-min-v1.3`
477479
<!-- YAML
478480
added: REPLACEME
479481
-->
480482

481-
Set default [`minVersion`][] to `'TLSv1.3'`. Use to disable support for TLSv1.2
482-
in favour of TLSv1.3, which is more secure.
483+
Set default [`tls.DEFAULT_MIN_VERSION`][] to 'TLSv1.3'. Use to disable support
484+
for TLSv1.2, which is not as secure as TLSv1.3.
483485

484486
### `--trace-deprecation`
485487
<!-- YAML
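
Review bot: The wording is inconsistent across the five flag entries: new line 451 (`--tls-max-v1.2`) says "Set [`tls.DEFAULT_MAX_VERSION`][] to 'TLSv1.2'", while the other four say "Set default [`tls.DEFAULT_…`][] to …". Since the property name already carries DEFAULT, dropping "default" in all five reads best. The version strings also lost the backticks the removed lines had ('TLSv1.2' instead of `'TLSv1.2'`), so they no longer render as code; restore them. For `--tls-min-v1.0` and `--tls-min-v1.1` it would help to say next to "Use for compatibility with old TLS clients or servers" that this lowers the process-wide minimum, because the flag description is where an operator decides whether to weaken the default.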
@@ -918,9 +920,9 @@ greater than `4` (its current default value). For more information, see the
918920
[`--openssl-config`]: #cli_openssl_config_file
919921
[`Buffer`]: buffer.html#buffer_class_buffer
920922
[`SlowBuffer`]: buffer.html#buffer_class_slowbuffer
921-
[`maxVersion`]: tls.html#tls_tls_createsecurecontext_options
922-
[`minVersion`]: tls.html#tls_tls_createsecurecontext_options
923923
[`process.setUncaughtExceptionCaptureCallback()`]: process.html#process_process_setuncaughtexceptioncapturecallback_fn
924+
[`tls.DEFAULT_MAX_VERSION`]: tls.html#tls_tls_default_max_version
925+
[`tls.DEFAULT_MIN_VERSION`]: tls.html#tls_tls_default_min_version
924926
[Chrome DevTools Protocol]: https://chromedevtools.github.io/devtools-protocol/
925927
[REPL]: repl.html
926928
[ScriptCoverage]: https://chromedevtools.github.io/devtools-protocol/tot/Profiler#type-ScriptCoverage

doc/api/tls.md

+31-9
@@ -1351,20 +1351,13 @@ changes:
13511351
* `maxVersion` {string} Optionally set the maximum TLS version to allow. One
13521352
of `TLSv1.3`, `TLSv1.2'`, `'TLSv1.1'`, or `'TLSv1'`. Cannot be specified
13531353
along with the `secureProtocol` option, use one or the other.
1354-
**Default:** `'TLSv1.2'`, unless changed using CLI options. Using
1355-
`--tls-max-v1.2` sets the default to `'TLSv1.2`'. Using `--tls-max-v1.3`
1356-
sets the default to `'TLSv1.3'`. If multiple of the options are provided,
1357-
the highest maximum is used.
1354+
**Default:** [`tls.DEFAULT_MAX_VERSION`][].
13581355
* `minVersion` {string} Optionally set the minimum TLS version to allow. One
13591356
of `TLSv1.3`, `TLSv1.2'`, `'TLSv1.1'`, or `'TLSv1'`. Cannot be specified
13601357
along with the `secureProtocol` option, use one or the other. It is not
13611358
recommended to use less than TLSv1.2, but it may be required for
13621359
interoperability.
1363-
**Default:** `'TLSv1'`, unless changed using CLI options. Using
1364-
`--tls-min-v1.0` sets the default to `'TLSv1'`. Using `--tls-min-v1.1` sets
1365-
the default to `'TLSv1.1'`. Using `--tls-min-v1.3` sets the default to
1366-
`'TLSv1.3'`. If multiple of the options are provided, the lowest minimum is
1367-
used.
1360+
**Default:** [`tls.DEFAULT_MIN_VERSION`][].
13681361
* `passphrase` {string} Shared passphrase used for a single private key and/or
13691362
a PFX.
13701363
* `pfx` {string|string[]|Buffer|Buffer[]|Object[]} PFX or PKCS12 encoded
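
Review bot: After this change the `minVersion` entry says "It is not recommended to use less than TLSv1.2" and then gives the default only as a link (new line 1360), so a reader of the option no longer sees on the spot that the default minimum is `'TLSv1'`, which is below the recommended floor. Consider keeping the literal value beside the link for both options, so the gap between the recommendation and the default stays visible where the option is documented. The unchanged context lines for both options also still carry mismatched quoting in the version list (the first entry has no quotes and the second is missing its opening quote); worth fixing while the adjacent lines are being edited.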
@@ -1532,6 +1525,33 @@ The default curve name to use for ECDH key agreement in a tls server. The
15321525
default value is `'auto'`. See [`tls.createSecureContext()`] for further
15331526
information.
15341527

1528+
## tls.DEFAULT_MAX_VERSION
1529+
<!-- YAML
1530+
added: v11.4.0
1531+
-->
1532+
1533+
* {string} The default value of the `maxVersion` option of
1534+
[`tls.createSecureContext()`][]. It can be assigned any of the supported TLS
1535+
protocol versions, `TLSv1.3`, `TLSv1.2'`, `'TLSv1.1'`, or `'TLSv1'`.
1536+
**Default:** `'TLSv1.2'`, unless changed using CLI options. Using
1537+
`--tls-max-v1.2` sets the default to `'TLSv1.2`'. Using `--tls-max-v1.3` sets
1538+
the default to `'TLSv1.3'`. If multiple of the options are provided, the
1539+
highest maximum is used.
1540+
1541+
## tls.DEFAULT_MIN_VERSION
1542+
<!-- YAML
1543+
added: v11.4.0
1544+
-->
1545+
1546+
* {string} The default value of the `minVersion` option of
1547+
[`tls.createSecureContext()`][]. It can be assigned any of the supported TLS
1548+
protocol versions, `'TLSv1.3'`, `TLSv1.2'`, `'TLSv1.1'`, or `'TLSv1'`.
1549+
**Default:** `'TLSv1'`, unless changed using CLI options. Using
1550+
`--tls-min-v1.0` sets the default to `'TLSv1'`. Using `--tls-min-v1.1` sets
1551+
the default to `'TLSv1.1'`. Using `--tls-min-v1.3` sets the default to
1552+
`'TLSv1.3'`. If multiple of the options are provided, the lowest minimum is
1553+
used.
1554+
15351555
## Deprecated APIs
15361556

15371557
### Class: CryptoStream
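
Review bot: The version lists in the two new sections copy the quoting slips from the option docs: at new line 1535 the first entry has no quotes and the second is missing its opening quote, at 1548 the second entry is again missing its opening quote, and at 1537 the closing backtick sits inside the closing quote of 'TLSv1.2'. Please normalise all of them to the quoted-and-backticked form used for `'TLSv1.1'` and `'TLSv1'`. Separately, both sections state `added: v11.4.0` while the CLI flags in doc/api/cli.md that change these defaults are marked `added: REPLACEME`; confirm the version is correct for this backport. The text says the property "can be assigned" a version but not when the assignment takes effect; one sentence on whether it applies only to contexts created afterwards would remove the ambiguity.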
@@ -1660,6 +1680,8 @@ where `secureSocket` has the same API as `pair.cleartext`.
16601680
[`server.setTicketKeys()`]: #tls_server_setticketkeys_keys
16611681
[`socket.setTimeout(timeout)`]: #net_socket_settimeout_timeout_callback
16621682
[`tls.DEFAULT_ECDH_CURVE`]: #tls_tls_default_ecdh_curve
1683+
[`tls.DEFAULT_MAX_VERSION`]: #tls_tls_default_max_version
1684+
[`tls.DEFAULT_MIN_VERSION`]: #tls_tls_default_min_version
16631685
[`tls.Server`]: #tls_class_tls_server
16641686
[`tls.TLSSocket.getPeerCertificate()`]: #tls_tlssocket_getpeercertificate_detailed
16651687
[`tls.TLSSocket.getSession()`]: #tls_tlssocket_getsession
