Diffstat (limited to 'src/node_crypto.cc')
-rw-r--r-- | src/node_crypto.cc | 20 |
1 files changed, 19 insertions, 1 deletions
diff --git a/src/node_crypto.cc b/src/node_crypto.cc
index 3ff9548487..01593914a1 100644
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -946,8 +946,26 @@ void SecureContext::SetCiphers(const FunctionCallbackInfo<Value>& args) {
 THROW_AND_RETURN_IF_NOT_STRING(env, args[0], "Ciphers");
+ // Note: set_ciphersuites() is for TLSv1.3 and was introduced in openssl
+ // 1.1.1, set_cipher_list() is for TLSv1.2 and earlier.
+ //
+ // In openssl 1.1.0, set_cipher_list() would error if it resulted in no
+ // TLSv1.2 (and earlier) cipher suites, and there is no TLSv1.3 support.
+ //
+ // In openssl 1.1.1, set_cipher_list() will not error if it results in no
+ // TLSv1.2 cipher suites if there are any TLSv1.3 cipher suites, which there
+ // are by default. There will be an error later, during the handshake, but
+ // that results in an async error event, rather than a sync error thrown,
+ // which is a semver-major change for the tls API.
+ //
+ // Since we don't currently support TLSv1.3, work around this by removing the
+ // TLSv1.3 cipher suites, so we get backwards compatible synchronous errors.
 const node::Utf8Value ciphers(args.GetIsolate(), args[0]);
- if (!SSL_CTX_set_cipher_list(sc->ctx_.get(), *ciphers)) {
+ if (
+#ifdef TLS1_3_VERSION
+ !SSL_CTX_set_ciphersuites(sc->ctx_.get(), "") ||
+#endif
+ !SSL_CTX_set_cipher_list(sc->ctx_.get(), *ciphers)) {
 unsigned long err = ERR_get_error(); // NOLINT(runtime/int)
 if (!err) {
 return env->ThrowError("Failed to set ciphers"); |