Skip to content

Commit

Permalink
tls: make ossl 1.1.1 cipher list throw error
Browse files Browse the repository at this point in the history
Make OpenSSL 1.1.1 error during cipher list setting if it would have
errored with OpenSSL 1.1.0.

Can be dropped after our OpenSSL fixes this upstream.

See: openssl/openssl#7759

PR-URL: #25381
Reviewed-By: Daniel Bevenius <[email protected]>
Reviewed-By: Shigeki Ohtsu <[email protected]>
Backport-PR-URL: #25688
  • Loading branch information
sam-github authored and targos committed Jan 28, 2019
1 parent d4ec110 commit c34c569
Showing 1 changed file with 19 additions and 1 deletion.
20 changes: 19 additions & 1 deletion src/node_crypto.cc
Original file line number Diff line number Diff line change
Expand Up @@ -919,8 +919,26 @@ void SecureContext::SetCiphers(const FunctionCallbackInfo<Value>& args) {

THROW_AND_RETURN_IF_NOT_STRING(env, args[0], "Ciphers");

// Note: set_ciphersuites() is for TLSv1.3 and was introduced in openssl
// 1.1.1, set_cipher_list() is for TLSv1.2 and earlier.
//
// In openssl 1.1.0, set_cipher_list() would error if it resulted in no
// TLSv1.2 (and earlier) cipher suites, and there is no TLSv1.3 support.
//
// In openssl 1.1.1, set_cipher_list() will not error if it results in no
// TLSv1.2 cipher suites if there are any TLSv1.3 cipher suites, which there
// are by default. There will be an error later, during the handshake, but
// that results in an async error event, rather than a sync error thrown,
// which is a semver-major change for the tls API.
//
// Since we don't currently support TLSv1.3, work around this by removing the
// TLSv1.3 cipher suites, so we get backwards compatible synchronous errors.
const node::Utf8Value ciphers(args.GetIsolate(), args[0]);
if (!SSL_CTX_set_cipher_list(sc->ctx_.get(), *ciphers)) {
if (
#ifdef TLS1_3_VERSION
!SSL_CTX_set_ciphersuites(sc->ctx_.get(), "") ||
#endif
!SSL_CTX_set_cipher_list(sc->ctx_.get(), *ciphers)) {
unsigned long err = ERR_get_error(); // NOLINT(runtime/int)
if (!err) {
return env->ThrowError("Failed to set ciphers");
Expand Down

0 comments on commit c34c569

Please sign in to comment.