From 379ae6e5be08f94f0a5fd1b22e84536de42a50f8 Mon Sep 17 00:00:00 2001 From: Sam Roberts Date: Mon, 26 Nov 2018 12:25:59 -0800 Subject: [PATCH] tls: make ossl 1.1.1 cipher list throw error Make OpenSSL 1.1.1 error during cipher list setting if it would have errored with OpenSSL 1.1.0. Can be dropped after our OpenSSL fixes this upstream. See: https://github.com/openssl/openssl/pull/7759 Gbp-Pq: Topic ssl Gbp-Pq: Name e5b03b82f72e6915bd24c7ef1481abd1842b84fe.patch --- src/node_crypto.cc | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/src/node_crypto.cc b/src/node_crypto.cc index a43789a9b..f7e4b5afe 100644 --- a/src/node_crypto.cc +++ b/src/node_crypto.cc @@ -913,8 +913,24 @@ void SecureContext::SetCiphers(const FunctionCallbackInfo& args) { } THROW_AND_RETURN_IF_NOT_STRING(env, args[0], "Ciphers"); - + // Note: set_ciphersuites() is for TLSv1.3 and was introduced in openssl + // 1.1.1, set_cipher_list() is for TLSv1.2 and earlier. + // + // In openssl 1.1.0, set_cipher_list() would error if it resulted in no + // TLSv1.2 (and earlier) cipher suites, and there is no TLSv1.3 support. + // + // In openssl 1.1.1, set_cipher_list() will not error if it results in no + // TLSv1.2 cipher suites if there are any TLSv1.3 cipher suites, which there + // are by default. There will be an error later, during the handshake, but + // that results in an async error event, rather than a sync error thrown, + // which is a semver-major change for the tls API. + // + // Since we don't currently support TLSv1.3, work around this by removing the + // TLSv1.3 cipher suites, so we get backwards compatible synchronous errors. const node::Utf8Value ciphers(args.GetIsolate(), args[0]); +#ifdef TLS1_3_VERSION + SSL_CTX_set_ciphersuites(sc->ctx_.get(), ""); +#endif SSL_CTX_set_cipher_list(sc->ctx_.get(), *ciphers); } -- 2.30.2