@@ -8,11 +8,13 @@ const {
8
8
assert, connect, keys, tls
9
9
} = require ( fixtures . path ( 'tls-connect' ) ) ;
10
10
const DEFAULT_MIN_VERSION = tls . DEFAULT_MIN_VERSION ;
11
+ const DEFAULT_MAX_VERSION = tls . DEFAULT_MAX_VERSION ;
11
12
12
13
// For v11.x, the default is fixed and cannot be changed via CLI.
13
14
assert . strictEqual ( DEFAULT_MIN_VERSION , 'TLSv1' ) ;
14
15
15
- function test ( cmin , cmax , cprot , smin , smax , sprot , expect ) {
16
+ function test ( cmin , cmax , cprot , smin , smax , sprot , proto , cerr , serr ) {
17
+ assert ( proto || cerr || serr , 'test missing any expectations' ) ;
16
18
connect ( {
17
19
client : {
18
20
checkServerIdentity : ( servername , cert ) => { } ,
@@ -29,23 +31,52 @@ function test(cmin, cmax, cprot, smin, smax, sprot, expect) {
29
31
secureProtocol : sprot ,
30
32
} ,
31
33
} , common . mustCall ( ( err , pair , cleanup ) => {
32
- if ( expect && ! expect . match ( / ^ T L S / ) ) {
33
- assert ( err . message . match ( expect ) ) ;
34
+ function u ( _ ) { return _ === undefined ? 'U' : _ ; }
35
+ console . log ( 'test:' , u ( cmin ) , u ( cmax ) , u ( cprot ) , u ( smin ) , u ( smax ) , u ( sprot ) ,
36
+ 'expect' , u ( proto ) , u ( cerr ) , u ( serr ) ) ;
37
+ if ( ! proto ) {
38
+ console . log ( 'client' , pair . client . err ? pair . client . err . code : undefined ) ;
39
+ console . log ( 'server' , pair . server . err ? pair . server . err . code : undefined ) ;
40
+ // 11.x doesn't have https://github.com/nodejs/node/pull/24729
41
+ if ( cerr === 'ERR_TLS_INVALID_PROTOCOL_METHOD' &&
42
+ pair . client . err &&
43
+ pair . client . err . message . includes ( 'methods disabled' ) )
44
+ pair . client . err . code = 'ERR_TLS_INVALID_PROTOCOL_METHOD' ;
45
+ if ( serr === 'ERR_TLS_INVALID_PROTOCOL_METHOD' &&
46
+ pair . server . err &&
47
+ pair . server . err . message . includes ( 'methods disabled' ) )
48
+ pair . server . err . code = 'ERR_TLS_INVALID_PROTOCOL_METHOD' ;
49
+ if ( cerr === 'ERR_TLS_INVALID_PROTOCOL_METHOD' &&
50
+ pair . client . err &&
51
+ pair . client . err . message . includes ( 'Unknown method' ) )
52
+ pair . client . err . code = 'ERR_TLS_INVALID_PROTOCOL_METHOD' ;
53
+ if ( serr === 'ERR_TLS_INVALID_PROTOCOL_METHOD' &&
54
+ pair . server . err &&
55
+ pair . server . err . message . includes ( 'Unknown method' ) )
56
+ pair . server . err . code = 'ERR_TLS_INVALID_PROTOCOL_METHOD' ;
57
+ if ( cerr ) {
58
+ assert ( pair . client . err ) ;
59
+ // Accept these codes as aliases, the one reported depends on the
60
+ // OpenSSL version.
61
+ if ( cerr === 'ERR_SSL_UNSUPPORTED_PROTOCOL' &&
62
+ pair . client . err . code === 'ERR_SSL_VERSION_TOO_LOW' )
63
+ cerr = 'ERR_SSL_VERSION_TOO_LOW' ;
64
+ assert . strictEqual ( pair . client . err . code , cerr ) ;
65
+ }
66
+ if ( serr ) {
67
+ assert ( pair . server . err ) ;
68
+ assert . strictEqual ( pair . server . err . code , serr ) ;
69
+ }
34
70
return cleanup ( ) ;
35
71
}
36
72
37
- if ( expect ) {
38
- assert . ifError ( pair . server . err ) ;
39
- assert . ifError ( pair . client . err ) ;
40
- assert ( pair . server . conn ) ;
41
- assert ( pair . client . conn ) ;
42
- assert . strictEqual ( pair . client . conn . getProtocol ( ) , expect ) ;
43
- assert . strictEqual ( pair . server . conn . getProtocol ( ) , expect ) ;
44
- return cleanup ( ) ;
45
- }
46
-
47
- assert ( pair . server . err ) ;
48
- assert ( pair . client . err ) ;
73
+ assert . ifError ( err ) ;
74
+ assert . ifError ( pair . server . err ) ;
75
+ assert . ifError ( pair . client . err ) ;
76
+ assert ( pair . server . conn ) ;
77
+ assert ( pair . client . conn ) ;
78
+ assert . strictEqual ( pair . client . conn . getProtocol ( ) , proto ) ;
79
+ assert . strictEqual ( pair . server . conn . getProtocol ( ) , proto ) ;
49
80
return cleanup ( ) ;
50
81
} ) ) ;
51
82
}
@@ -56,18 +87,28 @@ const U = undefined;
56
87
test ( U , U , U , U , U , U , 'TLSv1.2' ) ;
57
88
58
89
// Insecure or invalid protocols cannot be enabled.
59
- test ( U , U , U , U , U , 'SSLv2_method' , 'SSLv2 methods disabled' ) ;
60
- test ( U , U , U , U , U , 'SSLv3_method' , 'SSLv3 methods disabled' ) ;
61
- test ( U , U , 'SSLv2_method' , U , U , U , 'SSLv2 methods disabled' ) ;
62
- test ( U , U , 'SSLv3_method' , U , U , U , 'SSLv3 methods disabled' ) ;
63
- test ( U , U , 'hokey-pokey' , U , U , U , 'Unknown method' ) ;
64
- test ( U , U , U , U , U , 'hokey-pokey' , 'Unknown method' ) ;
90
+ test ( U , U , U , U , U , 'SSLv2_method' ,
91
+ U , U , 'ERR_TLS_INVALID_PROTOCOL_METHOD' ) ;
92
+ test ( U , U , U , U , U , 'SSLv3_method' ,
93
+ U , U , 'ERR_TLS_INVALID_PROTOCOL_METHOD' ) ;
94
+ test ( U , U , 'SSLv2_method' , U , U , U ,
95
+ U , 'ERR_TLS_INVALID_PROTOCOL_METHOD' ) ;
96
+ test ( U , U , 'SSLv3_method' , U , U , U ,
97
+ U , 'ERR_TLS_INVALID_PROTOCOL_METHOD' ) ;
98
+ test ( U , U , 'hokey-pokey' , U , U , U ,
99
+ U , 'ERR_TLS_INVALID_PROTOCOL_METHOD' ) ;
100
+ test ( U , U , U , U , U , 'hokey-pokey' ,
101
+ U , U , 'ERR_TLS_INVALID_PROTOCOL_METHOD' ) ;
65
102
66
103
// Cannot use secureProtocol and min/max versions simultaneously.
67
- test ( U , U , U , U , 'TLSv1.2' , 'TLS1_2_method' , 'conflicts with secureProtocol' ) ;
68
- test ( U , U , U , 'TLSv1.2' , U , 'TLS1_2_method' , 'conflicts with secureProtocol' ) ;
69
- test ( U , 'TLSv1.2' , 'TLS1_2_method' , U , U , U , 'conflicts with secureProtocol' ) ;
70
- test ( 'TLSv1.2' , U , 'TLS1_2_method' , U , U , U , 'conflicts with secureProtocol' ) ;
104
+ test ( U , U , U , U , 'TLSv1.2' , 'TLS1_2_method' ,
105
+ U , U , 'ERR_TLS_PROTOCOL_VERSION_CONFLICT' ) ;
106
+ test ( U , U , U , 'TLSv1.2' , U , 'TLS1_2_method' ,
107
+ U , U , 'ERR_TLS_PROTOCOL_VERSION_CONFLICT' ) ;
108
+ test ( U , 'TLSv1.2' , 'TLS1_2_method' , U , U , U ,
109
+ U , 'ERR_TLS_PROTOCOL_VERSION_CONFLICT' ) ;
110
+ test ( 'TLSv1.2' , U , 'TLS1_2_method' , U , U , U ,
111
+ U , 'ERR_TLS_PROTOCOL_VERSION_CONFLICT' ) ;
71
112
72
113
// TLS_method means "any supported protocol".
73
114
test ( U , U , 'TLSv1_2_method' , U , U , 'TLS_method' , 'TLSv1.2' ) ;
@@ -82,17 +123,23 @@ test(U, U, 'TLS_method', U, U, 'TLSv1_method', 'TLSv1');
82
123
test ( U , U , 'TLSv1_2_method' , U , U , 'SSLv23_method' , 'TLSv1.2' ) ;
83
124
84
125
if ( DEFAULT_MIN_VERSION === 'TLSv1.2' ) {
85
- test ( U , U , 'TLSv1_1_method' , U , U , 'SSLv23_method' , null ) ;
86
- test ( U , U , 'TLSv1_method' , U , U , 'SSLv23_method' , null ) ;
87
- test ( U , U , 'SSLv23_method' , U , U , 'TLSv1_1_method' , null ) ;
88
- test ( U , U , 'SSLv23_method' , U , U , 'TLSv1_method' , null ) ;
126
+ test ( U , U , 'TLSv1_1_method' , U , U , 'SSLv23_method' ,
127
+ U , 'ECONNRESET' , 'ERR_SSL_UNSUPPORTED_PROTOCOL' ) ;
128
+ test ( U , U , 'TLSv1_method' , U , U , 'SSLv23_method' ,
129
+ U , 'ECONNRESET' , 'ERR_SSL_UNSUPPORTED_PROTOCOL' ) ;
130
+ test ( U , U , 'SSLv23_method' , U , U , 'TLSv1_1_method' ,
131
+ U , 'ERR_SSL_UNSUPPORTED_PROTOCOL' , 'ERR_SSL_WRONG_VERSION_NUMBER' ) ;
132
+ test ( U , U , 'SSLv23_method' , U , U , 'TLSv1_method' ,
133
+ U , 'ERR_SSL_UNSUPPORTED_PROTOCOL' , 'ERR_SSL_WRONG_VERSION_NUMBER' ) ;
89
134
}
90
135
91
136
if ( DEFAULT_MIN_VERSION === 'TLSv1.1' ) {
92
137
test ( U , U , 'TLSv1_1_method' , U , U , 'SSLv23_method' , 'TLSv1.1' ) ;
93
- test ( U , U , 'TLSv1_method' , U , U , 'SSLv23_method' , null ) ;
138
+ test ( U , U , 'TLSv1_method' , U , U , 'SSLv23_method' ,
139
+ U , 'ECONNRESET' , 'ERR_SSL_UNSUPPORTED_PROTOCOL' ) ;
94
140
test ( U , U , 'SSLv23_method' , U , U , 'TLSv1_1_method' , 'TLSv1.1' ) ;
95
- test ( U , U , 'SSLv23_method' , U , U , 'TLSv1_method' , null ) ;
141
+ test ( U , U , 'SSLv23_method' , U , U , 'TLSv1_method' ,
142
+ U , 'ERR_SSL_UNSUPPORTED_PROTOCOL' , 'ERR_SSL_WRONG_VERSION_NUMBER' ) ;
96
143
}
97
144
98
145
if ( DEFAULT_MIN_VERSION === 'TLSv1' ) {
@@ -110,18 +157,34 @@ test(U, U, 'TLSv1_method', U, U, 'TLSv1_method', 'TLSv1');
110
157
111
158
// The default default.
112
159
if ( DEFAULT_MIN_VERSION === 'TLSv1.2' ) {
113
- test ( U , U , 'TLSv1_1_method' , U , U , U , null ) ;
114
- test ( U , U , 'TLSv1_method' , U , U , U , null ) ;
115
- test ( U , U , U , U , U , 'TLSv1_1_method' , null ) ;
116
- test ( U , U , U , U , U , 'TLSv1_method' , null ) ;
160
+ test ( U , U , 'TLSv1_1_method' , U , U , U ,
161
+ U , 'ECONNRESET' , 'ERR_SSL_UNSUPPORTED_PROTOCOL' ) ;
162
+ test ( U , U , 'TLSv1_method' , U , U , U ,
163
+ U , 'ECONNRESET' , 'ERR_SSL_UNSUPPORTED_PROTOCOL' ) ;
164
+
165
+ if ( DEFAULT_MAX_VERSION === 'TLSv1.2' ) {
166
+ test ( U , U , U , U , U , 'TLSv1_1_method' ,
167
+ U , 'ERR_SSL_UNSUPPORTED_PROTOCOL' , 'ERR_SSL_WRONG_VERSION_NUMBER' ) ;
168
+ test ( U , U , U , U , U , 'TLSv1_method' ,
169
+ U , 'ERR_SSL_UNSUPPORTED_PROTOCOL' , 'ERR_SSL_WRONG_VERSION_NUMBER' ) ;
170
+ } else {
171
+ assert ( false , 'unreachable' ) ;
172
+ }
117
173
}
118
174
119
175
// The default with --tls-v1.1.
120
176
if ( DEFAULT_MIN_VERSION === 'TLSv1.1' ) {
121
177
test ( U , U , 'TLSv1_1_method' , U , U , U , 'TLSv1.1' ) ;
122
- test ( U , U , 'TLSv1_method' , U , U , U , null ) ;
178
+ test ( U , U , 'TLSv1_method' , U , U , U ,
179
+ U , 'ECONNRESET' , 'ERR_SSL_UNSUPPORTED_PROTOCOL' ) ;
123
180
test ( U , U , U , U , U , 'TLSv1_1_method' , 'TLSv1.1' ) ;
124
- test ( U , U , U , U , U , 'TLSv1_method' , null ) ;
181
+
182
+ if ( DEFAULT_MAX_VERSION === 'TLSv1.2' ) {
183
+ test ( U , U , U , U , U , 'TLSv1_method' ,
184
+ U , 'ERR_SSL_UNSUPPORTED_PROTOCOL' , 'ERR_SSL_WRONG_VERSION_NUMBER' ) ;
185
+ } else {
186
+ assert ( false , 'unreachable' ) ;
187
+ }
125
188
}
126
189
127
190
// The default with --tls-v1.0.
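Review bot: In the `if (!proto)` branch (new lines 37–71) a peer for which no code was passed is never checked, whereas the removed code asserted both `pair.server.err` and `pair.client.err`; the SSLv2/SSLv3 and 'hokey-pokey' cases at new lines 90–101 therefore pass whatever the other peer reports. If the fixture leaves the unaffected peer without an error (the fixture and the `connect` options between the first two hunks are not visible here), adding `else assert.ifError(pair.client.err);` and `else assert.ifError(pair.server.err);` to the `if (cerr)` / `if (serr)` blocks would pin that down. The 11.x shim at new lines 41–56 assigns `err.code` from `includes('methods disabled')`, so the SSLv2-versus-SSLv3 wording that the removed expectations matched is no longer verified; a one-line comment saying this is intentional, or a small helper replacing the four near-identical `if` blocks, would make that clear. The guard `assert(proto || cerr || serr, ...)` also accepts `proto` together with an error code, which is then silently ignored; `assert(!(proto && (cerr || serr)), 'proto and error codes are mutually exclusive');` would reject such a call.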