
Commit bf2c283

sam-github authored and BethGriggs committed
tls: add --tls-min-v1.2 CLI switch
For 11.x, the default minimum is TLSv1, so it needs a CLI switch to change the
default to the more secure minimum of TLSv1.2.

PR-URL: #26951
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com>

1 parent 7aeca27, commit bf2c283

6 files changed: +34 -0 lines changed

doc/api/cli.md

+8
@@ -475,6 +475,14 @@ added: REPLACEME
475475
Set default [`tls.DEFAULT_MIN_VERSION`][] to 'TLSv1.1'. Use for compatibility
476476
with old TLS clients or servers.
477477

478+
### `--tls-min-v1.2`
479+
<!-- YAML
480+
added: REPLACEME
481+
-->
482+
483+
Set default [`minVersion`][] to `'TLSv1.2'`. Use to disable support for TLSv1
484+
and TLSv1.1 in favour of TLSv1.2, which is more secure.
485+
478486
### `--tls-min-v1.3`
479487
<!-- YAML
480488
added: REPLACEME
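Review bot: the new `--tls-min-v1.2` entry links `[`minVersion`][]` while the neighbouring `--tls-min-v1.1` entry just above it links `[`tls.DEFAULT_MIN_VERSION`][]`; unless cli.md already defines a `minVersion` link reference, the new text renders as a literal bracketed word. Use the same `[`tls.DEFAULT_MIN_VERSION`][]` reference as the v1.1 entry (or add a `minVersion` reference definition) so the three --tls-min-* entries read and link consistently.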

doc/node.1

+4
@@ -250,6 +250,10 @@ or servers.
250250
Set default minVersion to 'TLSv1.1'. Use for compatibility with old TLS clients
251251
or servers.
252252
.
253+
.It Fl -tls-min-v1.2
254+
Set default minVersion to 'TLSv1.2'. Use to disable support for TLSv1 and
255+
TLSv1.1 in favour of TLSv1.2, which is more secure.
256+
.
253257
.It Fl -tls-min-v1.3
254258
Set default minVersion to 'TLSv1.3'. Use to disable support for TLSv1.2 in
255259
favour of TLSv1.3, which is more secure.
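Review bot: the man-page wording matches cli.md, but both say only "Set default minVersion"; a reader can miss that this is a default, not an enforced floor, and that a `minVersion` option passed to an individual `tls.createServer()` or `tls.connect()` call still overrides it. One sentence in each of the new entries saying that per-connection `minVersion` options take precedence would prevent operators from treating the switch as a hard policy.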

lib/tls.js

+2
@@ -58,6 +58,8 @@ if (getOptionValue('--tls-min-v1.0'))
5858
exports.DEFAULT_MIN_VERSION = 'TLSv1';
5959
else if (getOptionValue('--tls-min-v1.1'))
6060
exports.DEFAULT_MIN_VERSION = 'TLSv1.1';
61+
else if (getOptionValue('--tls-min-v1.2'))
62+
exports.DEFAULT_MIN_VERSION = 'TLSv1.2';
6163
else if (getOptionValue('--tls-min-v1.3'))
6264
exports.DEFAULT_MIN_VERSION = 'TLSv1.3';
6365
else
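Review bot: the if/else-if chain means the lowest-listed switch silently wins when several are present: `--tls-min-v1.0 --tls-min-v1.2` yields `'TLSv1'`, and because these options are `kAllowedInEnvironment` a `--tls-min-v1.0` left in `NODE_OPTIONS` overrides a `--tls-min-v1.2` given on the command line with no warning. Consider making conflicting --tls-min-* switches a startup error (or at least documenting the precedence in cli.md), since an operator who adds this switch to harden a deployment will otherwise get the weaker floor without noticing.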

src/node_options.cc

+4
@@ -336,6 +336,10 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() {
336336
"set default TLS minimum to TLSv1.1 (default: TLSv1)",
337337
&EnvironmentOptions::tls_min_v1_1,
338338
kAllowedInEnvironment);
339+
AddOption("--tls-min-v1.2",
340+
"set default TLS minimum to TLSv1.2 (default: TLSv1)",
341+
&EnvironmentOptions::tls_min_v1_2,
342+
kAllowedInEnvironment);
339343
AddOption("--tls-min-v1.3",
340344
"set default TLS minimum to TLSv1.3 (default: TLSv1)",
341345
&EnvironmentOptions::tls_min_v1_3,
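Review bot: nothing in this hunk rejects a floor above the ceiling: `--tls-min-v1.3 --tls-max-v1.2` (the `tls_max_v1_2` field sits next to these in node_options.h) parses cleanly and the conflict only surfaces when a handshake fails. A post-parse check that errors when the selected minimum exceeds the selected maximum would catch this at startup. Separately, the three help strings each hard-code "(default: TLSv1)"; that is correct for 11.x per the commit message, but they will all go stale together when the `else` fallback in lib/tls.js changes on another release line.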

src/node_options.h

+1
@@ -138,6 +138,7 @@ class EnvironmentOptions : public Options {
138138

139139
bool tls_min_v1_0 = false;
140140
bool tls_min_v1_1 = false;
141+
bool tls_min_v1_2 = false;
141142
bool tls_min_v1_3 = false;
142143
bool tls_max_v1_2 = false;
143144
bool tls_max_v1_3 = false;
@@ -0,0 +1,15 @@
1+
// Flags: --tls-min-v1.2
2+
'use strict';
3+
const common = require('../common');
4+
if (!common.hasCrypto) common.skip('missing crypto');
5+
6+
// Check that node `--tls-min-v1.2` is supported.
7+
8+
const assert = require('assert');
9+
const tls = require('tls');
10+
11+
assert.strictEqual(tls.DEFAULT_MAX_VERSION, 'TLSv1.2');
12+
assert.strictEqual(tls.DEFAULT_MIN_VERSION, 'TLSv1.2');
13+
14+
// Check the min-max version protocol versions against these CLI settings.
15+
require('./test-tls-min-max-version.js');
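Review bot: the `assert.strictEqual(tls.DEFAULT_MAX_VERSION, 'TLSv1.2')` assertion is unrelated to the switch under test and pins the 11.x default maximum, so on a line where the default maximum moves to TLSv1.3 this test fails for a reason that has nothing to do with `--tls-min-v1.2`. Either drop that assertion or replace it with a check that the default maximum is not below the new minimum, which is the property the switch actually depends on; the `DEFAULT_MIN_VERSION` assertion and the delegation to test-tls-min-max-version.js already cover the switch itself.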
