diff --git a/lib/_tls_common.js b/lib/_tls_common.js index 618f40e7562b05..a0970571be3383 100644 --- a/lib/_tls_common.js +++ b/lib/_tls_common.js @@ -47,7 +47,7 @@ function toV(which, v, def) { if (v === 'TLSv1') return TLS1_VERSION; if (v === 'TLSv1.1') return TLS1_1_VERSION; if (v === 'TLSv1.2') return TLS1_2_VERSION; - if (v === 'TLSv1.3') return TLS1_3_VERSION; + if (v === 'TLSv1.3' && TLS1_3_VERSION) return TLS1_3_VERSION; throw new ERR_TLS_INVALID_PROTOCOL_VERSION(v, which); } diff --git a/src/node_constants.cc b/src/node_constants.cc index f08bcbcb25b6d8..4593760b2f3d94 100644 --- a/src/node_constants.cc +++ b/src/node_constants.cc @@ -1245,7 +1245,9 @@ void DefineCryptoConstants(Local target) { NODE_DEFINE_CONSTANT(target, TLS1_VERSION); NODE_DEFINE_CONSTANT(target, TLS1_1_VERSION); NODE_DEFINE_CONSTANT(target, TLS1_2_VERSION); +#ifdef TLS1_3_VERSION NODE_DEFINE_CONSTANT(target, TLS1_3_VERSION); +#endif #endif NODE_DEFINE_CONSTANT(target, INT_MAX); } diff --git a/src/node_crypto.cc b/src/node_crypto.cc index 568b44cf26c25a..8cafc808800b0e 100644 --- a/src/node_crypto.cc +++ b/src/node_crypto.cc @@ -411,7 +411,12 @@ void SecureContext::New(const FunctionCallbackInfo& args) { // A maxVersion of 0 means "any", but OpenSSL may support TLS versions that // Node.js doesn't, so pin the max to what we do support. -const int MAX_SUPPORTED_VERSION = TLS1_3_VERSION; +const int MAX_SUPPORTED_VERSION = +#ifdef TLS1_3_VERSION + TLS1_3_VERSION; +#else + TLS1_2_VERSION; +#endif void SecureContext::Init(const FunctionCallbackInfo& args) { SecureContext* sc; @@ -947,7 +952,7 @@ void SecureContext::AddRootCerts(const FunctionCallbackInfo& args) { void SecureContext::SetCipherSuites(const FunctionCallbackInfo& args) { // BoringSSL doesn't allow API config of TLS1.3 cipher suites. -#ifndef OPENSSL_IS_BORINGSSL +#if defined(TLS1_3_VERSION) && !defined(OPENSSL_IS_BORINGSSL) SecureContext* sc; ASSIGN_OR_RETURN_UNWRAP(&sc, args.Holder()); Environment* env = sc->env(); diff --git a/test/parallel/test-tls-client-renegotiation-13.js b/test/parallel/test-tls-client-renegotiation-13.js index bd7ab70316dc59..cce41578ba31b2 100644 --- a/test/parallel/test-tls-client-renegotiation-13.js +++ b/test/parallel/test-tls-client-renegotiation-13.js @@ -4,6 +4,9 @@ const common = require('../common'); const fixtures = require('../common/fixtures'); +if (!require('constants').TLS1_3_VERSION) + common.skip(`openssl ${process.versions.openssl} does not support TLSv1.3`); + // Confirm that for TLSv1.3, renegotiate() is disallowed. const { diff --git a/test/parallel/test-tls-getcipher.js b/test/parallel/test-tls-getcipher.js index 03c32da03c945b..4379d74897a7dd 100644 --- a/test/parallel/test-tls-getcipher.js +++ b/test/parallel/test-tls-getcipher.js @@ -56,6 +56,9 @@ server.listen(0, '127.0.0.1', common.mustCall(function() { })); })); +if (!require('constants').TLS1_3_VERSION) + return console.log('cannot test TLSv1.3 against 1.3-incapable shared lib'); + tls.createServer({ key: fixtures.readKey('agent2-key.pem'), cert: fixtures.readKey('agent2-cert.pem'), diff --git a/test/parallel/test-tls-min-max-version.js b/test/parallel/test-tls-min-max-version.js index f30b9b3b9897c9..cd8bccca04d612 100644 --- a/test/parallel/test-tls-min-max-version.js +++ b/test/parallel/test-tls-min-max-version.js @@ -9,6 +9,13 @@ const { } = require(fixtures.path('tls-connect')); const DEFAULT_MIN_VERSION = tls.DEFAULT_MIN_VERSION; const DEFAULT_MAX_VERSION = tls.DEFAULT_MAX_VERSION; +const tls13 = !!require('constants').TLS1_3_VERSION; + +if (!tls13 && ( + DEFAULT_MAX_VERSION === 'TLSv1.3' || + DEFAULT_MIN_VERSION === 'TLSv1.3')) { + return common.skip('cannot test TLSv1.3 against 1.3-incapable shared lib'); +} function test(cmin, cmax, cprot, smin, smax, sprot, proto, cerr, serr) { assert(proto || cerr || serr, 'test missing any expectations'); @@ -16,6 +23,11 @@ function test(cmin, cmax, cprot, smin, smax, sprot, proto, cerr, serr) { // at Object. (file:line) // from the stack location, we only want the file:line part. const where = (new Error()).stack.split('\n')[2].replace(/[^(]*/, ''); + if (Array.prototype.includes.call(arguments, 'TLSv1.3')) { + console.log('test: skip because TLSv1.3 is not supported'); + console.log(' ', where); + return; + } connect({ client: { checkServerIdentity: (servername, cert) => { }, diff --git a/test/parallel/test-tls-set-ciphers-error.js b/test/parallel/test-tls-set-ciphers-error.js index f963b414f44630..a09c12b321cba0 100644 --- a/test/parallel/test-tls-set-ciphers-error.js +++ b/test/parallel/test-tls-set-ciphers-error.js @@ -4,6 +4,9 @@ const common = require('../common'); if (!common.hasCrypto) common.skip('missing crypto'); +if (!require('constants').TLS1_3_VERSION) + return common.skip('openssl before TLS1.3 does not check for failure'); + const assert = require('assert'); const tls = require('tls'); const fixtures = require('../common/fixtures'); diff --git a/test/parallel/test-tls-set-ciphers.js b/test/parallel/test-tls-set-ciphers.js index ecf9176c4020a6..254cc52ad4ef37 100644 --- a/test/parallel/test-tls-set-ciphers.js +++ b/test/parallel/test-tls-set-ciphers.js @@ -15,6 +15,10 @@ if (tls13) tls.DEFAULT_MAX_VERSION = 'TLSv1.3'; function test(cciphers, sciphers, cipher, cerr, serr) { + if (!tls13 && (/TLS_/.test(cciphers) || /TLS_/.test(sciphers))) { + // Test relies on TLS1.3, skip it. + return; + } assert(cipher || cerr || serr, 'test missing any expectations'); const where = (new Error()).stack.split('\n')[2].replace(/[^(]*/, ''); connect({