From 109c097797b82efb2eb081a1e87284000c094871 Mon Sep 17 00:00:00 2001 From: Sam Roberts Date: Thu, 28 Mar 2019 11:28:22 -0700 Subject: [PATCH] tls: revert default max to TLSv1.2 TLSv1.3 is still supported when explicitly configured, but it is not the default. PR-URL: https://github.com/nodejs/node/pull/26951 Reviewed-By: Rod Vagg Reviewed-By: Beth Griggs --- doc/api/tls.md | 4 ++-- lib/tls.js | 4 +--- src/node_options.cc | 4 ++-- test/parallel/test-tls-cli-min-version-1.0.js | 2 +- test/parallel/test-tls-cli-min-version-1.1.js | 2 +- test/parallel/test-tls-cli-min-version-1.3.js | 2 +- test/parallel/test-tls-client-renegotiation-13.js | 1 + test/parallel/test-tls-min-max-version.js | 9 +++++++-- test/parallel/test-tls-set-ciphers.js | 6 +++++- 9 files changed, 21 insertions(+), 13 deletions(-) diff --git a/doc/api/tls.md b/doc/api/tls.md index 17972574e3e8ad..0c00adf188f0a4 100644 --- a/doc/api/tls.md +++ b/doc/api/tls.md @@ -1351,7 +1351,7 @@ changes: * `maxVersion` {string} Optionally set the maximum TLS version to allow. One of `TLSv1.3`, `TLSv1.2'`, `'TLSv1.1'`, or `'TLSv1'`. Cannot be specified along with the `secureProtocol` option, use one or the other. - **Default:** `'TLSv1.3'`, unless changed using CLI options. Using + **Default:** `'TLSv1.2'`, unless changed using CLI options. Using `--tls-max-v1.2` sets the default to `'TLSv1.2`'. Using `--tls-max-v1.3` sets the default to `'TLSv1.3'`. If multiple of the options are provided, the highest maximum is used. @@ -1360,7 +1360,7 @@ changes: along with the `secureProtocol` option, use one or the other. It is not recommended to use less than TLSv1.2, but it may be required for interoperability. - **Default:** `'TLSv1.2'`, unless changed using CLI options. Using + **Default:** `'TLSv1'`, unless changed using CLI options. Using `--tls-min-v1.0` sets the default to `'TLSv1'`. Using `--tls-min-v1.1` sets the default to `'TLSv1.1'`. Using `--tls-min-v1.3` sets the default to `'TLSv1.3'`. If multiple of the options are provided, the lowest minimum is diff --git a/lib/tls.js b/lib/tls.js index f920e4d8c625bd..e4dadaa284e6de 100644 --- a/lib/tls.js +++ b/lib/tls.js @@ -54,8 +54,6 @@ exports.DEFAULT_CIPHERS = exports.DEFAULT_ECDH_CURVE = 'auto'; -exports.DEFAULT_MAX_VERSION = 'TLSv1.3'; - if (getOptionValue('--tls-min-v1.0')) exports.DEFAULT_MIN_VERSION = 'TLSv1'; else if (getOptionValue('--tls-min-v1.1')) @@ -70,7 +68,7 @@ if (getOptionValue('--tls-max-v1.3')) else if (getOptionValue('--tls-max-v1.2')) exports.DEFAULT_MAX_VERSION = 'TLSv1.2'; else - exports.DEFAULT_MAX_VERSION = 'TLSv1.3'; // Will depend on node version. + exports.DEFAULT_MAX_VERSION = 'TLSv1.2'; // Will depend on node version. exports.getCiphers = internalUtil.cachedResult( diff --git a/src/node_options.cc b/src/node_options.cc index 0febe4b4d742e3..46ee2b9f6ad9ee 100644 --- a/src/node_options.cc +++ b/src/node_options.cc @@ -341,7 +341,7 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() { &EnvironmentOptions::tls_min_v1_3, kAllowedInEnvironment); AddOption("--tls-max-v1.2", - "set default TLS maximum to TLSv1.2 (default: TLSv1.3)", + "set default TLS maximum to TLSv1.2 (default: TLSv1.2)", &EnvironmentOptions::tls_max_v1_2, kAllowedInEnvironment); // Current plan is: @@ -349,7 +349,7 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() { // - 12.x: TLS1.3 is opt-out with --tls-max-v1.2 // In either case, support both options they are uniformly available. AddOption("--tls-max-v1.3", - "set default TLS maximum to TLSv1.3 (default: TLSv1.3)", + "set default TLS maximum to TLSv1.3 (default: TLSv1.2)", &EnvironmentOptions::tls_max_v1_3, kAllowedInEnvironment); } diff --git a/test/parallel/test-tls-cli-min-version-1.0.js b/test/parallel/test-tls-cli-min-version-1.0.js index 577562782eceee..0a227c0b949556 100644 --- a/test/parallel/test-tls-cli-min-version-1.0.js +++ b/test/parallel/test-tls-cli-min-version-1.0.js @@ -8,7 +8,7 @@ if (!common.hasCrypto) common.skip('missing crypto'); const assert = require('assert'); const tls = require('tls'); -assert.strictEqual(tls.DEFAULT_MAX_VERSION, 'TLSv1.3'); +assert.strictEqual(tls.DEFAULT_MAX_VERSION, 'TLSv1.2'); assert.strictEqual(tls.DEFAULT_MIN_VERSION, 'TLSv1'); // Check the min-max version protocol versions against these CLI settings. diff --git a/test/parallel/test-tls-cli-min-version-1.1.js b/test/parallel/test-tls-cli-min-version-1.1.js index 3af2b39546c42a..1219c82030da9b 100644 --- a/test/parallel/test-tls-cli-min-version-1.1.js +++ b/test/parallel/test-tls-cli-min-version-1.1.js @@ -8,7 +8,7 @@ if (!common.hasCrypto) common.skip('missing crypto'); const assert = require('assert'); const tls = require('tls'); -assert.strictEqual(tls.DEFAULT_MAX_VERSION, 'TLSv1.3'); +assert.strictEqual(tls.DEFAULT_MAX_VERSION, 'TLSv1.2'); assert.strictEqual(tls.DEFAULT_MIN_VERSION, 'TLSv1.1'); // Check the min-max version protocol versions against these CLI settings. diff --git a/test/parallel/test-tls-cli-min-version-1.3.js b/test/parallel/test-tls-cli-min-version-1.3.js index 1bccc2f6cd331a..3ac335ecdd5bfb 100644 --- a/test/parallel/test-tls-cli-min-version-1.3.js +++ b/test/parallel/test-tls-cli-min-version-1.3.js @@ -8,7 +8,7 @@ if (!common.hasCrypto) common.skip('missing crypto'); const assert = require('assert'); const tls = require('tls'); -assert.strictEqual(tls.DEFAULT_MAX_VERSION, 'TLSv1.3'); +assert.strictEqual(tls.DEFAULT_MAX_VERSION, 'TLSv1.2'); assert.strictEqual(tls.DEFAULT_MIN_VERSION, 'TLSv1.3'); // Check the min-max version protocol versions against these CLI settings. diff --git a/test/parallel/test-tls-client-renegotiation-13.js b/test/parallel/test-tls-client-renegotiation-13.js index 8af63c4f791ddc..bd7ab70316dc59 100644 --- a/test/parallel/test-tls-client-renegotiation-13.js +++ b/test/parallel/test-tls-client-renegotiation-13.js @@ -1,3 +1,4 @@ +// Flags: --tls-max-v1.3 'use strict'; const common = require('../common'); diff --git a/test/parallel/test-tls-min-max-version.js b/test/parallel/test-tls-min-max-version.js index e2f35a5803ab24..f30b9b3b9897c9 100644 --- a/test/parallel/test-tls-min-max-version.js +++ b/test/parallel/test-tls-min-max-version.js @@ -68,8 +68,13 @@ function test(cmin, cmax, cprot, smin, smax, sprot, proto, cerr, serr) { const U = undefined; -// Default protocol is the max version. -test(U, U, U, U, U, U, DEFAULT_MAX_VERSION); +if (DEFAULT_MAX_VERSION === 'TLSv1.2' && DEFAULT_MIN_VERSION === 'TLSv1.3') { + // No connections are possible by default. + test(U, U, U, U, U, U, U, 'ERR_SSL_NO_PROTOCOLS_AVAILABLE', U); +} else { + // Default protocol is the max version. + test(U, U, U, U, U, U, DEFAULT_MAX_VERSION); +} // Insecure or invalid protocols cannot be enabled. test(U, U, U, U, U, 'SSLv2_method', diff --git a/test/parallel/test-tls-set-ciphers.js b/test/parallel/test-tls-set-ciphers.js index f21478b9251270..ecf9176c4020a6 100644 --- a/test/parallel/test-tls-set-ciphers.js +++ b/test/parallel/test-tls-set-ciphers.js @@ -6,9 +6,13 @@ const fixtures = require('../common/fixtures'); // Test cipher: option for TLS. const { - assert, connect, keys + assert, connect, keys, tls } = require(fixtures.path('tls-connect')); +const tls13 = !!require('constants').TLS1_3_VERSION; + +if (tls13) + tls.DEFAULT_MAX_VERSION = 'TLSv1.3'; function test(cciphers, sciphers, cipher, cerr, serr) { assert(cipher || cerr || serr, 'test missing any expectations');