trivial tests fixes for OpenSSL32 compatibility
authorJérémy Lal <kapouer@melix.org>
Fri, 8 Nov 2024 19:05:21 +0000 (20:05 +0100)
committerJérémy Lal <kapouer@melix.org>
Fri, 8 Nov 2024 19:05:21 +0000 (20:05 +0100)
Forwarded: https://github.com/nodejs/node/issues/51152
Last-Update: 2024-11-08

Gbp-Pq: Topic build
Gbp-Pq: Name openssl-3-2-2-tests.patch

test/parallel/test-tls-getcipher.js
test/parallel/test-tls-junk-closes-server.js
test/parallel/test-tls-set-ciphers.js

index 2a234d59016c1cf05aa04809e485923e5f6a3cbd..4d5042d6e6beab3a2003cbd26b4a90bc52da7cc1 100644 (file)
@@ -47,13 +47,13 @@ server.listen(0, '127.0.0.1', common.mustCall(function() {
   tls.connect({
     host: '127.0.0.1',
     port: this.address().port,
-    ciphers: 'AES128-SHA256',
+    ciphers: 'AES256-SHA256',
     rejectUnauthorized: false,
     maxVersion: 'TLSv1.2',
   }, common.mustCall(function() {
     const cipher = this.getCipher();
-    assert.strictEqual(cipher.name, 'AES128-SHA256');
-    assert.strictEqual(cipher.standardName, 'TLS_RSA_WITH_AES_128_CBC_SHA256');
+    assert.strictEqual(cipher.name, 'AES256-SHA256');
+    assert.strictEqual(cipher.standardName, 'TLS_RSA_WITH_AES_256_CBC_SHA256');
     assert.strictEqual(cipher.version, 'TLSv1.2');
     this.end();
   }));
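Review bot: Nothing in the test itself records why AES128-SHA256 was swapped for AES256-SHA256; the only rationale is the commit title, and the comment added in test-tls-set-ciphers.js attributes it to OpenSSL 3.2's default security level. If that is indeed the reason, a one-line comment above the `ciphers:` option would spare the next reader from re-deriving it, e.g. `// AES-128 suites are not negotiable under OpenSSL 3.2's default security level; use an AES-256 suite so the test passes on either build.` The same applies to the ECDHE-RSA-AES256-GCM-SHA384 and TLS_AES_256_GCM_SHA384 hunks below. The enclosing server.listen callback starts before this hunk and continues after it.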
@@ -62,14 +62,14 @@ server.listen(0, '127.0.0.1', common.mustCall(function() {
   tls.connect({
     host: '127.0.0.1',
     port: this.address().port,
-    ciphers: 'ECDHE-RSA-AES128-GCM-SHA256',
+    ciphers: 'ECDHE-RSA-AES256-GCM-SHA384',
     rejectUnauthorized: false,
     maxVersion: 'TLSv1.2',
   }, common.mustCall(function() {
     const cipher = this.getCipher();
-    assert.strictEqual(cipher.name, 'ECDHE-RSA-AES128-GCM-SHA256');
+    assert.strictEqual(cipher.name, 'ECDHE-RSA-AES256-GCM-SHA384');
     assert.strictEqual(cipher.standardName,
-                       'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256');
+                       'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384');
     assert.strictEqual(cipher.version, 'TLSv1.2');
     this.end();
   }));
@@ -78,19 +78,19 @@ server.listen(0, '127.0.0.1', common.mustCall(function() {
 tls.createServer({
   key: fixtures.readKey('agent2-key.pem'),
   cert: fixtures.readKey('agent2-cert.pem'),
-  ciphers: 'TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_CCM_8_SHA256',
+  ciphers: 'TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384',
   maxVersion: 'TLSv1.3',
 }, common.mustCall(function() {
   this.close();
 })).listen(0, common.mustCall(function() {
   const client = tls.connect({
     port: this.address().port,
-    ciphers: 'TLS_AES_128_CCM_8_SHA256',
+    ciphers: 'TLS_AES_256_GCM_SHA384',
     maxVersion: 'TLSv1.3',
     rejectUnauthorized: false
   }, common.mustCall(() => {
     const cipher = client.getCipher();
-    assert.strictEqual(cipher.name, 'TLS_AES_128_CCM_8_SHA256');
+    assert.strictEqual(cipher.name, 'TLS_AES_256_GCM_SHA384');
     assert.strictEqual(cipher.standardName, cipher.name);
     assert.strictEqual(cipher.version, 'TLSv1.3');
     client.end();
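Review bot: Replacing TLS_AES_128_CCM_8_SHA256 with TLS_AES_256_GCM_SHA384 on both server and client drops the only TLS 1.3 case here that exercised a suite which is not enabled by default (as the comment in test-tls-set-ciphers.js states), so this block now only confirms that a default suite is reported by getCipher(). If that coverage is worth keeping where the build allows it, guarding the CCM_8 variant with `if (!common.hasOpenSSL(3, 2))` as the other file does, rather than replacing it outright, would preserve it. The enclosing listen callback runs past the end of this hunk.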
index 06fa57267a9104c44a0496e199fb51bda25f4fe2..08c2d39c6844f66805ba3f1b9aaaa58c5398ebe0 100644 (file)
@@ -39,6 +39,22 @@ const server = tls.createServer(options, common.mustNotCall());
 server.listen(0, common.mustCall(function() {
   const c = net.createConnection(this.address().port);
 
+  c.on('data', function() {
+    // We must consume all data sent by the server. Otherwise the
+    // end event will not be sent and the test will hang.
+    // For example, when compiled with OpenSSL32 we see the
+    // following response '15 03 03 00 02 02 16' which
+    // decodes as a fatal (0x02) TLS error alert number 22 (0x16),
+    // which corresponds to TLS1_AD_RECORD_OVERFLOW which matches
+    // the error we see if NODE_DEBUG is turned on.
+    // Some earlier OpenSSL versions did not seem to send a response
+    // but the TLS spec seems to indicate there should be one
+    // https://datatracker.ietf.org/doc/html/rfc8446#page-85
+    // and error handling seems to have been re-written/improved
+    // in OpenSSL32. Consuming the data allows the test to pass
+    // either way.
+  });
+
   c.on('connect', common.mustCall(function() {
     c.write('blah\nblah\nblah\n');
   }));
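Review bot: An empty 'data' listener is a roundabout way to drain the socket; `c.resume()` is the stream API's documented way to consume and discard incoming data, and it states the intent without a no-op callback. The 14-line comment could then shrink to the two facts a reader needs, keeping the RFC link: the server may answer the junk with a fatal alert (the hunk notes OpenSSL 3.2 sends record_overflow, 0x16) and 'end' is only emitted once that data is consumed. Suggested replacement: `// Drain whatever the server sends (OpenSSL 3.2 answers with a fatal record_overflow alert); 'end' is not emitted until it is consumed.` followed by `c.resume();`. The enclosing listen callback continues past this hunk.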
index 313c5e238956b06db70e512a92b45d72ed2da142..f7062e73c9403c920e1a2869e34911491b9871ad 100644 (file)
@@ -79,6 +79,11 @@ function test(cciphers, sciphers, cipher, cerr, serr, options) {
 
 const U = undefined;
 
+let expectedTLSAlertError = 'ERR_SSL_SSLV3_ALERT_HANDSHAKE_FAILURE';
+if (common.hasOpenSSL(3, 2)) {
+  expectedTLSAlertError = 'ERR_SSL_SSL/TLS_ALERT_HANDSHAKE_FAILURE';
+}
+
 // Have shared ciphers.
 test(U, 'AES256-SHA', 'AES256-SHA');
 test('AES256-SHA', U, 'AES256-SHA');
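Review bot: `expectedTLSAlertError` is declared with `let` only to be reassigned under a single condition, which a `const` with a conditional expression states more directly: `const expectedTLSAlertError = common.hasOpenSSL(3, 2) ? 'ERR_SSL_SSL/TLS_ALERT_HANDSHAKE_FAILURE' : 'ERR_SSL_SSLV3_ALERT_HANDSHAKE_FAILURE';`. A short comment saying why the two strings differ (the hunk implies the alert error name changed in OpenSSL 3.2) would also help, since the '/' in the new code name reads like a typo at first glance.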
@@ -89,13 +94,13 @@ test('TLS_AES_256_GCM_SHA384:!TLS_CHACHA20_POLY1305_SHA256', U, 'TLS_AES_256_GCM
 
 // Do not have shared ciphers.
 test('TLS_AES_256_GCM_SHA384', 'TLS_CHACHA20_POLY1305_SHA256',
-     U, 'ERR_SSL_SSLV3_ALERT_HANDSHAKE_FAILURE', 'ERR_SSL_NO_SHARED_CIPHER');
+     U, expectedTLSAlertError, 'ERR_SSL_NO_SHARED_CIPHER');
 
-test('AES128-SHA', 'AES256-SHA', U, 'ERR_SSL_SSLV3_ALERT_HANDSHAKE_FAILURE',
+test('AES256-SHA', 'AES256-SHA256', U, expectedTLSAlertError,
      'ERR_SSL_NO_SHARED_CIPHER');
-test('AES128-SHA:TLS_AES_256_GCM_SHA384',
-     'TLS_CHACHA20_POLY1305_SHA256:AES256-SHA',
-     U, 'ERR_SSL_SSLV3_ALERT_HANDSHAKE_FAILURE', 'ERR_SSL_NO_SHARED_CIPHER');
+test('AES256-SHA:TLS_AES_256_GCM_SHA384',
+     'TLS_CHACHA20_POLY1305_SHA256:AES256-SHA256',
+     U, expectedTLSAlertError, 'ERR_SSL_NO_SHARED_CIPHER');
 
 // Cipher order ignored, TLS1.3 chosen before TLS1.2.
 test('AES256-SHA:TLS_AES_256_GCM_SHA384', U, 'TLS_AES_256_GCM_SHA384');
@@ -110,11 +115,15 @@ test(U, 'AES256-SHA', 'TLS_AES_256_GCM_SHA384', U, U, { maxVersion: 'TLSv1.3' })
 
 // TLS_AES_128_CCM_8_SHA256 & TLS_AES_128_CCM_SHA256 are not enabled by
 // default, but work.
-test('TLS_AES_128_CCM_8_SHA256', U,
-     U, 'ERR_SSL_SSLV3_ALERT_HANDSHAKE_FAILURE', 'ERR_SSL_NO_SHARED_CIPHER');
-
-test('TLS_AES_128_CCM_8_SHA256', 'TLS_AES_128_CCM_8_SHA256',
-     'TLS_AES_128_CCM_8_SHA256');
+// However, for OpenSSL32 AES_128 is not enabled due to the
+// default security level
+if (!common.hasOpenSSL(3, 2)) {
+  test('TLS_AES_128_CCM_8_SHA256', U,
+       U, 'ERR_SSL_SSLV3_ALERT_HANDSHAKE_FAILURE', 'ERR_SSL_NO_SHARED_CIPHER');
+
+  test('TLS_AES_128_CCM_8_SHA256', 'TLS_AES_128_CCM_8_SHA256',
+       'TLS_AES_128_CCM_8_SHA256');
+}
 
 // Invalid cipher values
 test(9, 'AES256-SHA', U, 'ERR_INVALID_ARG_TYPE', U);
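Review bot: Inside the new `if (!common.hasOpenSSL(3, 2))` block the client-side error is still the literal 'ERR_SSL_SSLV3_ALERT_HANDSHAKE_FAILURE', while the other no-shared-cipher cases in this file now use `expectedTLSAlertError`; the value is identical on that branch, but using the variable keeps a single source of truth if the condition is ever loosened. The comment `// However, for OpenSSL32 AES_128 is not enabled due to the default security level` is also broader than the two tests it guards, which only use TLS_AES_128_CCM_8_SHA256; if only that suite is affected, naming it keeps the comment accurate, e.g. `// Under OpenSSL 3.2's default security level TLS_AES_128_CCM_8_SHA256 cannot be negotiated, so skip these cases there.`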