crypto: don't disable TLS 1.3 without suites
In the manual page, there is a statement that ciphersuites contain
explicit default settings - all TLS 1.3 ciphersuites are available.
In node, we assume that an empty setting means no ciphersuites and
we disable TLS 1.3. A correct approach to disabling TLS 1.3 is to
disable TLS 1.3, and not by overriding the default ciphersuites
with an empty string.

So, only override OpenSSL's TLS 1.3 ciphersuites with an explicit
list of ciphers. If none are acceptable, the correct approach is
to disable TLS 1.3 instead elsewhere.

Fixes: #43419
AdamMajer committed Jun 14, 2022
1 parent 3d0a0b6 commit 1b1db2d
Showing 1 changed file with 2 additions and 7 deletions.
9 changes: 2 additions & 7 deletions lib/internal/tls/secure-context.js
Expand Up @@ -225,15 +225,10 @@ function configSecureContext(context, options = kEmptyObject, name = 'options')
cipherSuites,
} = processCiphers(ciphers, `${name}.ciphers`);

context.setCipherSuites(cipherSuites);
if (cipherSuites !== '')
context.setCipherSuites(cipherSuites);
context.setCiphers(cipherList);

if (cipherSuites === '' &&
context.getMaxProto() > TLS1_2_VERSION &&
context.getMinProto() < TLS1_3_VERSION) {
context.setMaxProto(TLS1_2_VERSION);
}

if (cipherList === '' &&
context.getMinProto() < TLS1_3_VERSION &&
context.getMaxProto() > TLS1_2_VERSION) {
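Review bot: the removed `setMaxProto(TLS1_2_VERSION)` block was a user-visible behaviour change and nothing in this diff documents or tests it (the header shows only `lib/internal/tls/secure-context.js` touched): a caller whose `ciphers` string contains no `TLS_` suites previously ended up pinned to TLS 1.2 and now silently negotiates TLS 1.3 with OpenSSL's default suites. Suggest a note in the `tls` docs for the `ciphers` and `maxVersion` options stating that TLS 1.3 is disabled via `maxVersion: 'TLSv1.2'`, and a test asserting that a legacy-only cipher list no longer lowers the maximum protocol. Minor style point: the new `if (cipherSuites !== '')` omits braces while the adjacent `if (cipherList === '' && ...)` block uses them; brace the single-line body for consistency.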