
Commit a55d146

committed
tls: ciphers allow bang syntax
Fixes: #49699
1 parent 480ab8c commit a55d146


2 files changed

+12
-5
lines changed


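--- a/lib/internal/tls/secure-context.js
+++ b/lib/internal/tls/secure-context.js
@@ -101,24 +101,27 @@ function processCiphers(ciphers, name) {
 ArrayPrototypeFilter(
 ciphers,
 (cipher) => {
-return cipher.length > 0 &&
-!StringPrototypeStartsWith(cipher, 'TLS_');
+if (cipher.length === 0) return false;
+if (StringPrototypeStartsWith(cipher, 'TLS_')) return false;
+if (StringPrototypeStartsWith(cipher, '!TLS_')) return false;
+return true;
 }), ':');
 
 const cipherSuites =
 ArrayPrototypeJoin(
 ArrayPrototypeFilter(
 ciphers,
 (cipher) => {
-return cipher.length > 0 &&
-StringPrototypeStartsWith(cipher, 'TLS_');
+if (cipher.length === 0) return false;
+if (StringPrototypeStartsWith(cipher, 'TLS_')) return true;
+if (StringPrototypeStartsWith(cipher, '!TLS_')) return true;
+return false;
 }), ':');
 
 // Specifying empty cipher suites for both TLS1.2 and TLS1.3 is invalid, its
 // not possible to handshake with no suites.
 if (cipherSuites === '' && cipherList === '')
 throw new ERR_INVALID_ARG_VALUE(name, ciphers);
-
 return { cipherList, cipherSuites };
 }
 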
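Review bot: The two filter callbacks in processCiphers now repeat the same three prefix tests with opposite results, and they must stay exact complements, since an entry matched by only one of them would land in both lists or be dropped from both without an error. A single predicate such as `const isTLS13Entry = (c) => StringPrototypeStartsWith(c, 'TLS_') || StringPrototypeStartsWith(c, '!TLS_');`, used as `cipher.length > 0 && !isTLS13Entry(cipher)` and `cipher.length > 0 && isTLS13Entry(cipher)`, removes that risk. Only the `!` prefix is recognised, so `-TLS_…` or `+TLS_…` entries still go to cipherList; a short comment saying this is intended would help. The `!TLS_…` entry is forwarded unchanged in cipherSuites and how its consumer treats the leading `!` is not visible here, so a string made up only of exclusions also passes the `cipherSuites === '' && cipherList === ''` guard. processCiphers starts above the hunk.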

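--- a/test/parallel/test-tls-set-ciphers.js
+++ b/test/parallel/test-tls-set-ciphers.js
@@ -16,6 +16,7 @@ const {
 function test(cciphers, sciphers, cipher, cerr, serr, options) {
 assert(cipher || cerr || serr, 'test missing any expectations');
 const where = inspect(new Error()).split('\n')[2].replace(/[^(]*/, '');
+const minVersion = options?.minVersion;
 
 const max_tls_ver = (ciphers, options) => {
 if (options instanceof Object && Object.hasOwn(options, 'maxVersion'))
@@ -32,12 +33,14 @@ function test(cciphers, sciphers, cipher, cerr, serr, options) {
 ca: `${keys.agent1.cert}\n${keys.agent6.ca}`,
 ciphers: cciphers,
 maxVersion: max_tls_ver(cciphers, options),
+...(minVersion && { minVersion }),
 },
 server: {
 cert: keys.agent6.cert,
 key: keys.agent6.key,
 ciphers: sciphers,
 maxVersion: max_tls_ver(sciphers, options),
+...(minVersion && { minVersion }),
 },
 }, common.mustCall((err, pair, cleanup) => {
 function u(_) { return _ === undefined ? 'U' : _; }
@@ -85,6 +88,7 @@ test('AES256-SHA', U, 'AES256-SHA');
 
 test(U, 'TLS_AES_256_GCM_SHA384', 'TLS_AES_256_GCM_SHA384');
 test('TLS_AES_256_GCM_SHA384', U, 'TLS_AES_256_GCM_SHA384');
+test('TLS_AES_256_GCM_SHA384:!TLS_CHACHA20_POLY1305_SHA256', U, 'TLS_AES_256_GCM_SHA384');
 
 // Do not have shared ciphers.
 test('TLS_AES_256_GCM_SHA384', 'TLS_CHACHA20_POLY1305_SHA256',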
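Review bot: The case added in the last hunk, `test('TLS_AES_256_GCM_SHA384:!TLS_CHACHA20_POLY1305_SHA256', U, 'TLS_AES_256_GCM_SHA384')`, would pass even if the `!` entry were ignored, because TLS_AES_256_GCM_SHA384 is the only suite the client lists positively. It shows that the string is accepted, not that the exclusion takes effect. A case that lists and negates the same suite against a server offering only that suite, e.g. `test('TLS_CHACHA20_POLY1305_SHA256:!TLS_CHACHA20_POLY1305_SHA256', 'TLS_CHACHA20_POLY1305_SHA256', U, <client error>, <server error>);` with the error codes filled in, would fail if the exclusion were silently dropped. None of the four added lines passes `minVersion`, so the new `options?.minVersion` plumbing is not exercised by anything this commit adds. test() continues outside these hunks.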
