doc: describe tls.DEFAULT_MIN_VERSION/_MAX_VERSION

Backport-PR-URL: #26951
PR-URL: #26821
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>

Author: sam-github

doc/api/cli.md

@@ -448,38 +448,40 @@ with crypto support (default).
 added: REPLACEME
 -->
 
-Set default [`maxVersion`][] to `'TLSv1.2'`. Use to disable support for TLSv1.3.
+Set [`tls.DEFAULT_MAX_VERSION`][] to 'TLSv1.2'. Use to disable support for
+TLSv1.3.
 
 ### `--tls-max-v1.3`
 <!-- YAML
 added: REPLACEME
 -->
 
-Set default [`maxVersion`][] to `'TLSv1.3'`. Use to enable support for TLSv1.3.
+Set default [`tls.DEFAULT_MAX_VERSION`][] to 'TLSv1.3'. Use to enable support
+for TLSv1.3.
 
 ### `--tls-min-v1.0`
 <!-- YAML
 added: REPLACEME
 -->
 
-Set default [`minVersion`][] to `'TLSv1'`. Use for compatibility with old TLS
-clients or servers.
+Set default [`tls.DEFAULT_MIN_VERSION`][] to 'TLSv1'. Use for compatibility with
+old TLS clients or servers.
 
 ### `--tls-min-v1.1`
 <!-- YAML
 added: REPLACEME
 -->
 
-Set default [`minVersion`][] to `'TLSv1.1'`. Use for compatibility with old TLS
-clients or servers.
+Set default [`tls.DEFAULT_MIN_VERSION`][] to 'TLSv1.1'. Use for compatibility
+with old TLS clients or servers.
 
 ### `--tls-min-v1.3`
 <!-- YAML
 added: REPLACEME
 -->
 
-Set default [`minVersion`][] to `'TLSv1.3'`. Use to disable support for TLSv1.2
-in favour of TLSv1.3, which is more secure.
+Set default [`tls.DEFAULT_MIN_VERSION`][] to 'TLSv1.3'. Use to disable support
+for TLSv1.2, which is not as secure as TLSv1.3.
 
 ### `--trace-deprecation`
 <!-- YAML
@@ -918,9 +920,9 @@ greater than `4` (its current default value). For more information, see the
 [`--openssl-config`]: #cli_openssl_config_file
 [`Buffer`]: buffer.html#buffer_class_buffer
 [`SlowBuffer`]: buffer.html#buffer_class_slowbuffer
-[`maxVersion`]: tls.html#tls_tls_createsecurecontext_options
-[`minVersion`]: tls.html#tls_tls_createsecurecontext_options
 [`process.setUncaughtExceptionCaptureCallback()`]: process.html#process_process_setuncaughtexceptioncapturecallback_fn
+[`tls.DEFAULT_MAX_VERSION`]: tls.html#tls_tls_default_max_version
+[`tls.DEFAULT_MIN_VERSION`]: tls.html#tls_tls_default_min_version
 [Chrome DevTools Protocol]: https://chromedevtools.github.io/devtools-protocol/
 [REPL]: repl.html
 [ScriptCoverage]: https://chromedevtools.github.io/devtools-protocol/tot/Profiler#type-ScriptCoverage

doc/api/tls.md

@@ -1351,20 +1351,13 @@ changes:
   * `maxVersion` {string} Optionally set the maximum TLS version to allow. One
     of `TLSv1.3`, `TLSv1.2'`, `'TLSv1.1'`, or `'TLSv1'`. Cannot be specified
     along with the `secureProtocol` option, use one or the other.
-    **Default:** `'TLSv1.2'`, unless changed using CLI options. Using
-    `--tls-max-v1.2` sets the default to `'TLSv1.2`'. Using `--tls-max-v1.3`
-    sets the default to `'TLSv1.3'`. If multiple of the options are provided,
-    the highest maximum is used.
+    **Default:** [`tls.DEFAULT_MAX_VERSION`][].
   * `minVersion` {string} Optionally set the minimum TLS version to allow. One
     of `TLSv1.3`, `TLSv1.2'`, `'TLSv1.1'`, or `'TLSv1'`. Cannot be specified
     along with the `secureProtocol` option, use one or the other. It is not
     recommended to use less than TLSv1.2, but it may be required for
     interoperability.
-    **Default:** `'TLSv1'`, unless changed using CLI options. Using
-    `--tls-min-v1.0` sets the default to `'TLSv1'`. Using `--tls-min-v1.1` sets
-    the default to `'TLSv1.1'`. Using `--tls-min-v1.3` sets the default to
-    `'TLSv1.3'`. If multiple of the options are provided, the lowest minimum is
-    used.
+    **Default:** [`tls.DEFAULT_MIN_VERSION`][].
   * `passphrase` {string} Shared passphrase used for a single private key and/or
     a PFX.
   * `pfx` {string|string[]|Buffer|Buffer[]|Object[]} PFX or PKCS12 encoded
@@ -1532,6 +1525,33 @@ The default curve name to use for ECDH key agreement in a tls server. The
 default value is `'auto'`. See [`tls.createSecureContext()`] for further
 information.
 
+## tls.DEFAULT_MAX_VERSION
+<!-- YAML
+added: v11.4.0
+-->
+
+* {string} The default value of the `maxVersion` option of
+  [`tls.createSecureContext()`][]. It can be assigned any of the supported TLS
+  protocol versions, `TLSv1.3`, `TLSv1.2'`, `'TLSv1.1'`, or `'TLSv1'`.
+  **Default:** `'TLSv1.2'`, unless changed using CLI options. Using
+  `--tls-max-v1.2` sets the default to `'TLSv1.2`'.  Using `--tls-max-v1.3` sets
+  the default to `'TLSv1.3'`. If multiple of the options are provided, the
+  highest maximum is used.
+
+## tls.DEFAULT_MIN_VERSION
+<!-- YAML
+added: v11.4.0
+-->
+
+* {string} The default value of the `minVersion` option of
+  [`tls.createSecureContext()`][]. It can be assigned any of the supported TLS
+  protocol versions, `'TLSv1.3'`, `TLSv1.2'`, `'TLSv1.1'`, or `'TLSv1'`.
+  **Default:** `'TLSv1'`, unless changed using CLI options. Using
+  `--tls-min-v1.0` sets the default to `'TLSv1'`. Using `--tls-min-v1.1` sets
+  the default to `'TLSv1.1'`. Using `--tls-min-v1.3` sets the default to
+  `'TLSv1.3'`. If multiple of the options are provided, the lowest minimum is
+  used.
+
 ## Deprecated APIs
 
 ### Class: CryptoStream
@@ -1660,6 +1680,8 @@ where `secureSocket` has the same API as `pair.cleartext`.
 [`server.setTicketKeys()`]: #tls_server_setticketkeys_keys
 [`socket.setTimeout(timeout)`]: #net_socket_settimeout_timeout_callback
 [`tls.DEFAULT_ECDH_CURVE`]: #tls_tls_default_ecdh_curve
+[`tls.DEFAULT_MAX_VERSION`]: #tls_tls_default_max_version
+[`tls.DEFAULT_MIN_VERSION`]: #tls_tls_default_min_version
 [`tls.Server`]: #tls_class_tls_server
 [`tls.TLSSocket.getPeerCertificate()`]: #tls_tlssocket_getpeercertificate_detailed
 [`tls.TLSSocket.getSession()`]: #tls_tlssocket_getsession