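'use strict';
const common = require('../common');
const fixtures = require('../common/fixtures');
const { inspect } = require('util');

// Check min/max protocol versions.

const {
  assert, connect, keys, tls
} = require(fixtures.path('tls-connect'));
const DEFAULT_MIN_VERSION = tls.DEFAULT_MIN_VERSION;
const DEFAULT_MAX_VERSION = tls.DEFAULT_MAX_VERSION;


/**
 * Perform one client/server handshake under the given protocol constraints
 * and check the outcome.
 *
 * Each side is configured either through `minVersion`/`maxVersion` or through
 * an OpenSSL `secureProtocol` method name; `undefined` leaves the option at
 * its default. When `proto` is given the handshake must succeed and both
 * sides must report that protocol; otherwise it must fail and the client
 * and/or server error code must match `cerr`/`serr`.
 *
 * @param {string|undefined} cmin client `minVersion`
 * @param {string|undefined} cmax client `maxVersion`
 * @param {string|undefined} cprot client `secureProtocol`
 * @param {string|undefined} smin server `minVersion`
 * @param {string|undefined} smax server `maxVersion`
 * @param {string|undefined} sprot server `secureProtocol`
 * @param {string|undefined} proto negotiated protocol expected on success
 * @param {string|undefined} cerr error code expected on the client
 * @param {string|undefined} serr error code expected on the server
 */
function test(cmin, cmax, cprot, smin, smax, sprot, proto, cerr, serr) {
  assert(proto || cerr || serr, 'test missing any expectations');
  // Report where test was called from. Strip leading garbage from
  //   at Object.<anonymous> (file:line)
  // from the stack location, we only want the file:line part.
  const where = inspect(new Error()).split('\n')[2].replace(/[^(]*/, '');
  connect({
    client: {
      // Returning undefined accepts any server identity, i.e. hostname
      // verification is disabled. This test only exercises protocol
      // negotiation; trust is still anchored on the `ca` bundle below.
      checkServerIdentity: (servername, cert) => { },
      ca: `${keys.agent1.cert}\n${keys.agent6.ca}`,
      minVersion: cmin,
      maxVersion: cmax,
      secureProtocol: cprot,
    },
    server: {
      cert: keys.agent6.cert,
      key: keys.agent6.key,
      minVersion: smin,
      maxVersion: smax,
      secureProtocol: sprot,
    },
  }, common.mustCall((err, pair, cleanup) => {
    // Print undefined options as 'U' so the log line matches the `U`
    // placeholders used in the calls below.
    function u(_) { return _ === undefined ? 'U' : _; }
    console.log('test:', u(cmin), u(cmax), u(cprot), u(smin), u(smax), u(sprot),
                'expect', u(proto), u(cerr), u(serr));
    console.log(' ', where);
    if (!proto) {
      console.log('client', pair.client.err ? pair.client.err.code : undefined);
      console.log('server', pair.server.err ? pair.server.err.code : undefined);
      if (cerr) {
        assert(pair.client.err);
        // Accept these codes as aliases, the one reported depends on the
        // OpenSSL version. Resolved into a local so the `cerr` parameter
        // is never reassigned.
        const expectedClientErr =
          (cerr === 'ERR_SSL_UNSUPPORTED_PROTOCOL' &&
           pair.client.err.code === 'ERR_SSL_VERSION_TOO_LOW') ?
            'ERR_SSL_VERSION_TOO_LOW' : cerr;
        assert.strictEqual(pair.client.err.code, expectedClientErr);
      }
      if (serr) {
        assert(pair.server.err);
        assert.strictEqual(pair.server.err.code, serr);
      }
      return cleanup();
    }

    // Success path: no error on either side and both ends agree on the
    // negotiated protocol.
    assert.ifError(err);
    assert.ifError(pair.server.err);
    assert.ifError(pair.client.err);
    assert(pair.server.conn);
    assert(pair.client.conn);
    assert.strictEqual(pair.client.conn.getProtocol(), proto);
    assert.strictEqual(pair.server.conn.getProtocol(), proto);
    return cleanup();
  }));
}

const U = undefined;

// Default protocol is the max version.
test(U, U, U, U, U, U, DEFAULT_MAX_VERSION);

// Insecure or invalid protocols cannot be enabled.
test(U, U, U, U, U, 'SSLv2_method',
     U, U, 'ERR_TLS_INVALID_PROTOCOL_METHOD');
test(U, U, U, U, U, 'SSLv3_method',
     U, U, 'ERR_TLS_INVALID_PROTOCOL_METHOD');
test(U, U, 'SSLv2_method', U, U, U,
     U, 'ERR_TLS_INVALID_PROTOCOL_METHOD');
test(U, U, 'SSLv3_method', U, U, U,
     U, 'ERR_TLS_INVALID_PROTOCOL_METHOD');
test(U, U, 'hokey-pokey', U, U, U,
     U, 'ERR_TLS_INVALID_PROTOCOL_METHOD');
test(U, U, U, U, U, 'hokey-pokey',
     U, U, 'ERR_TLS_INVALID_PROTOCOL_METHOD');

// Cannot use secureProtocol and min/max versions simultaneously.
test(U, U, U, U, 'TLSv1.2', 'TLS1_2_method',
     U, U, 'ERR_TLS_PROTOCOL_VERSION_CONFLICT');
test(U, U, U, 'TLSv1.2', U, 'TLS1_2_method',
     U, U, 'ERR_TLS_PROTOCOL_VERSION_CONFLICT');
test(U, 'TLSv1.2', 'TLS1_2_method', U, U, U,
     U, 'ERR_TLS_PROTOCOL_VERSION_CONFLICT');
test('TLSv1.2', U, 'TLS1_2_method', U, U, U,
     U, 'ERR_TLS_PROTOCOL_VERSION_CONFLICT');

// TLS_method means "any supported protocol".
test(U, U, 'TLSv1_2_method', U, U, 'TLS_method', 'TLSv1.2');
test(U, U, 'TLSv1_1_method', U, U, 'TLS_method', 'TLSv1.1');
test(U, U, 'TLSv1_method', U, U, 'TLS_method', 'TLSv1');
test(U, U, 'TLS_method', U, U, 'TLSv1_2_method', 'TLSv1.2');
test(U, U, 'TLS_method', U, U, 'TLSv1_1_method', 'TLSv1.1');
test(U, U, 'TLS_method', U, U, 'TLSv1_method', 'TLSv1');

// SSLv23 also means "any supported protocol" greater than the default
// minimum (which is configurable via command line).
if (DEFAULT_MIN_VERSION === 'TLSv1.3') {
  test(U, U, 'TLSv1_2_method', U, U, 'SSLv23_method',
       U, 'ECONNRESET', 'ERR_SSL_INTERNAL_ERROR');
} else {
  test(U, U, 'TLSv1_2_method', U, U, 'SSLv23_method', 'TLSv1.2');
}

if (DEFAULT_MIN_VERSION === 'TLSv1.3') {
  test(U, U, 'TLSv1_1_method', U, U, 'SSLv23_method',
       U, 'ECONNRESET', 'ERR_SSL_INTERNAL_ERROR');
  test(U, U, 'TLSv1_method', U, U, 'SSLv23_method',
       U, 'ECONNRESET', 'ERR_SSL_INTERNAL_ERROR');
  test(U, U, 'SSLv23_method', U, U, 'TLSv1_1_method',
       U, 'ERR_SSL_NO_PROTOCOLS_AVAILABLE', 'ERR_SSL_UNEXPECTED_MESSAGE');
  test(U, U, 'SSLv23_method', U, U, 'TLSv1_method',
       U, 'ERR_SSL_NO_PROTOCOLS_AVAILABLE', 'ERR_SSL_UNEXPECTED_MESSAGE');
}

if (DEFAULT_MIN_VERSION === 'TLSv1.2') {
  test(U, U, 'TLSv1_1_method', U, U, 'SSLv23_method',
       U, 'ECONNRESET', 'ERR_SSL_UNSUPPORTED_PROTOCOL');
  test(U, U, 'TLSv1_method', U, U, 'SSLv23_method',
       U, 'ECONNRESET', 'ERR_SSL_UNSUPPORTED_PROTOCOL');
  test(U, U, 'SSLv23_method', U, U, 'TLSv1_1_method',
       U, 'ERR_SSL_UNSUPPORTED_PROTOCOL', 'ERR_SSL_WRONG_VERSION_NUMBER');
  test(U, U, 'SSLv23_method', U, U, 'TLSv1_method',
       U, 'ERR_SSL_UNSUPPORTED_PROTOCOL', 'ERR_SSL_WRONG_VERSION_NUMBER');
}

if (DEFAULT_MIN_VERSION === 'TLSv1.1') {
  test(U, U, 'TLSv1_1_method', U, U, 'SSLv23_method', 'TLSv1.1');
  test(U, U, 'TLSv1_method', U, U, 'SSLv23_method',
       U, 'ECONNRESET', 'ERR_SSL_UNSUPPORTED_PROTOCOL');
  test(U, U, 'SSLv23_method', U, U, 'TLSv1_1_method', 'TLSv1.1');
  test(U, U, 'SSLv23_method', U, U, 'TLSv1_method',
       U, 'ERR_SSL_UNSUPPORTED_PROTOCOL', 'ERR_SSL_WRONG_VERSION_NUMBER');
}

if (DEFAULT_MIN_VERSION === 'TLSv1') {
  test(U, U, 'TLSv1_1_method', U, U, 'SSLv23_method', 'TLSv1.1');
  test(U, U, 'TLSv1_method', U, U, 'SSLv23_method', 'TLSv1');
  test(U, U, 'SSLv23_method', U, U, 'TLSv1_1_method', 'TLSv1.1');
  test(U, U, 'SSLv23_method', U, U, 'TLSv1_method', 'TLSv1');
}

// TLSv1 thru TLSv1.2 are only supported with explicit configuration with API or
// CLI (--tls-v1.0 and --tls-v1.1).
test(U, U, 'TLSv1_2_method', U, U, 'TLSv1_2_method', 'TLSv1.2');
test(U, U, 'TLSv1_1_method', U, U, 'TLSv1_1_method', 'TLSv1.1');
test(U, U, 'TLSv1_method', U, U, 'TLSv1_method', 'TLSv1');

// The default default (no --tls-v1.x flag on the command line).
if (DEFAULT_MIN_VERSION === 'TLSv1.2') {
  test(U, U, 'TLSv1_1_method', U, U, U,
       U, 'ECONNRESET', 'ERR_SSL_UNSUPPORTED_PROTOCOL');
  test(U, U, 'TLSv1_method', U, U, U,
       U, 'ECONNRESET', 'ERR_SSL_UNSUPPORTED_PROTOCOL');

  if (DEFAULT_MAX_VERSION === 'TLSv1.2') {
    test(U, U, U, U, U, 'TLSv1_1_method',
         U, 'ERR_SSL_UNSUPPORTED_PROTOCOL', 'ERR_SSL_WRONG_VERSION_NUMBER');
    test(U, U, U, U, U, 'TLSv1_method',
         U, 'ERR_SSL_UNSUPPORTED_PROTOCOL', 'ERR_SSL_WRONG_VERSION_NUMBER');
  } else {
    // TLS1.3 client hellos are not understood by TLS1.1 or below.
    test(U, U, U, U, U, 'TLSv1_1_method',
         U, 'ECONNRESET', 'ERR_SSL_UNSUPPORTED_PROTOCOL');
    test(U, U, U, U, U, 'TLSv1_method',
         U, 'ECONNRESET', 'ERR_SSL_UNSUPPORTED_PROTOCOL');
  }
}

// The default with --tls-v1.1.
if (DEFAULT_MIN_VERSION === 'TLSv1.1') {
  test(U, U, 'TLSv1_1_method', U, U, U, 'TLSv1.1');
  test(U, U, 'TLSv1_method', U, U, U,
       U, 'ECONNRESET', 'ERR_SSL_UNSUPPORTED_PROTOCOL');
  test(U, U, U, U, U, 'TLSv1_1_method', 'TLSv1.1');

  if (DEFAULT_MAX_VERSION === 'TLSv1.2') {
    test(U, U, U, U, U, 'TLSv1_method',
         U, 'ERR_SSL_UNSUPPORTED_PROTOCOL', 'ERR_SSL_WRONG_VERSION_NUMBER');
  } else {
    // TLS1.3 client hellos are not understood by TLS1.1 or below.
    test(U, U, U, U, U, 'TLSv1_method',
         U, 'ECONNRESET', 'ERR_SSL_UNSUPPORTED_PROTOCOL');
  }
}

// The default with --tls-v1.0.
if (DEFAULT_MIN_VERSION === 'TLSv1') {
  test(U, U, 'TLSv1_1_method', U, U, U, 'TLSv1.1');
  test(U, U, 'TLSv1_method', U, U, U, 'TLSv1');
  test(U, U, U, U, U, 'TLSv1_1_method', 'TLSv1.1');
  test(U, U, U, U, U, 'TLSv1_method', 'TLSv1');
}

// TLS min/max are respected when set with no secureProtocol.
test('TLSv1', 'TLSv1.2', U, U, U, 'TLSv1_method', 'TLSv1');
test('TLSv1', 'TLSv1.2', U, U, U, 'TLSv1_1_method', 'TLSv1.1');
test('TLSv1', 'TLSv1.2', U, U, U, 'TLSv1_2_method', 'TLSv1.2');
test('TLSv1', 'TLSv1.2', U, U, U, 'TLS_method', 'TLSv1.2');

test(U, U, 'TLSv1_method', 'TLSv1', 'TLSv1.2', U, 'TLSv1');
test(U, U, 'TLSv1_1_method', 'TLSv1', 'TLSv1.2', U, 'TLSv1.1');
test(U, U, 'TLSv1_2_method', 'TLSv1', 'TLSv1.2', U, 'TLSv1.2');

// Overlapping ranges negotiate the highest version both sides allow.
test('TLSv1', 'TLSv1.1', U, 'TLSv1', 'TLSv1.3', U, 'TLSv1.1');
test('TLSv1', 'TLSv1.1', U, 'TLSv1', 'TLSv1.2', U, 'TLSv1.1');
test('TLSv1', 'TLSv1.2', U, 'TLSv1', 'TLSv1.1', U, 'TLSv1.1');
test('TLSv1', 'TLSv1.3', U, 'TLSv1', 'TLSv1.1', U, 'TLSv1.1');
test('TLSv1', 'TLSv1', U, 'TLSv1', 'TLSv1.1', U, 'TLSv1');
test('TLSv1', 'TLSv1.2', U, 'TLSv1', 'TLSv1', U, 'TLSv1');
test('TLSv1', 'TLSv1.3', U, 'TLSv1', 'TLSv1', U, 'TLSv1');
test('TLSv1.1', 'TLSv1.1', U, 'TLSv1', 'TLSv1.2', U, 'TLSv1.1');
test('TLSv1', 'TLSv1.2', U, 'TLSv1.1', 'TLSv1.1', U, 'TLSv1.1');
test('TLSv1', 'TLSv1.2', U, 'TLSv1', 'TLSv1.3', U, 'TLSv1.2');

// v-any client can connect to v-specific server
test('TLSv1', 'TLSv1.3', U, 'TLSv1.3', 'TLSv1.3', U, 'TLSv1.3');
test('TLSv1', 'TLSv1.3', U, 'TLSv1.2', 'TLSv1.3', U, 'TLSv1.3');
test('TLSv1', 'TLSv1.3', U, 'TLSv1.2', 'TLSv1.2', U, 'TLSv1.2');
test('TLSv1', 'TLSv1.3', U, 'TLSv1.1', 'TLSv1.1', U, 'TLSv1.1');
test('TLSv1', 'TLSv1.3', U, 'TLSv1', 'TLSv1', U, 'TLSv1');

// v-specific client can connect to v-any server
test('TLSv1.3', 'TLSv1.3', U, 'TLSv1', 'TLSv1.3', U, 'TLSv1.3');
test('TLSv1.2', 'TLSv1.2', U, 'TLSv1', 'TLSv1.3', U, 'TLSv1.2');
test('TLSv1.1', 'TLSv1.1', U, 'TLSv1', 'TLSv1.3', U, 'TLSv1.1');
test('TLSv1', 'TLSv1', U, 'TLSv1', 'TLSv1.3', U, 'TLSv1');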