nodejs/test/parallel/test-tls-no-sslv3.js

'use strict';
const common = require('../common');
if (!common.hasCrypto) {
  common.skip('missing crypto');
}

const { opensslCli } = require('../common/crypto');

if (opensslCli === false) {
  common.skip('node compiled without OpenSSL CLI.');
}

const assert = require('assert');
const tls = require('tls');
const spawn = require('child_process').spawn;
const fixtures = require('../common/fixtures');

const cert = fixtures.readKey('rsa_cert.crt');
const key = fixtures.readKey('rsa_private.pem');
const server = tls.createServer({ cert, key }, common.mustNotCall());
const errors = [];
let stderr = '';

server.listen(0, '127.0.0.1', function() {
  const address = `${this.address().address}:${this.address().port}`;
  const args = ['s_client',
                '-ssl3',
                '-connect', address];

  const client = spawn(opensslCli, args, { stdio: 'pipe' });
  client.stdout.pipe(process.stdout);
  client.stderr.pipe(process.stderr);
  client.stderr.setEncoding('utf8');
  client.stderr.on('data', (data) => stderr += data);

  client.once('exit', common.mustCall(function(exitCode) {
    assert.strictEqual(exitCode, 1);
    server.close();
  }));
});

server.on('tlsClientError', (err) => errors.push(err));

process.on('exit', function() {
  if (/[Uu]nknown option:? -ssl3/.test(stderr)) {
    common.printSkipMessage('`openssl s_client -ssl3` not supported.');
  } else {
    assert.strictEqual(errors.length, 1);
    assert(/:version too low/.test(errors[0].message));
  }
});
test: enable linting for tests Enable linting for the test directory. A number of changes was made so all tests conform the current rules used by lib and src directories. The only exception for tests is that unreachable (dead) code is allowed. test-fs-non-number-arguments-throw had to be excluded from the changes because of a weird issue on Windows CI. PR-URL: https://github.com/nodejs/io.js/pull/1721 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> 2015-05-19 13:00:06 +02:00			`'use strict';`
test: swap var->const/let and equal->strictEqual Change instances of var with const/let. Change assert.equal to assert.strictEqual. PR-URL: https://github.com/nodejs/node/pull/9888 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> 2016-12-01 11:01:54 -05:00			`const common = require('../common');`
test: move crypto related common utilities in common/crypto Since `common/crypto` already exists, it makes sense to keep crypto-related utilities there. The only exception being common.hasCrypto which is needed up front to determine if tests should be skipped. Eliminate the redundant check in hasFipsCrypto and just use crypto.getFips() directly where needed. PR-URL: https://github.com/nodejs/node/pull/56714 Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> 2025-01-24 16:58:32 -08:00			`if (!common.hasCrypto) {`
test: abstract skip functionality to common The tap skipping output is so prevalent yet obscure in nature that we ought to move it into it's own function in test/common.js PR-URL: https://github.com/nodejs/node/pull/6697 Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: Santiago Gimeno <santiago.gimeno@gmail.com> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> 2016-05-11 15:34:52 -04:00			`common.skip('missing crypto');`
test: move crypto related common utilities in common/crypto Since `common/crypto` already exists, it makes sense to keep crypto-related utilities there. The only exception being common.hasCrypto which is needed up front to determine if tests should be skipped. Eliminate the redundant check in hasFipsCrypto and just use crypto.getFips() directly where needed. PR-URL: https://github.com/nodejs/node/pull/56714 Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> 2025-01-24 16:58:32 -08:00			`}`
test: refactor all tests that depends on crypto we had a few ways versions of looking for support before executing a test. this commit unifies them as well as add the check for all tests that previously lacked them. found by running `./configure --without-ssl && make test`. also, produce tap skip output if the test is skipped. PR-URL: https://github.com/iojs/io.js/pull/1049 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp> 2015-03-04 12:11:21 +11:00
test: move crypto related common utilities in common/crypto Since `common/crypto` already exists, it makes sense to keep crypto-related utilities there. The only exception being common.hasCrypto which is needed up front to determine if tests should be skipped. Eliminate the redundant check in hasFipsCrypto and just use crypto.getFips() directly where needed. PR-URL: https://github.com/nodejs/node/pull/56714 Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> 2025-01-24 16:58:32 -08:00			`const { opensslCli } = require('../common/crypto');`

			`if (opensslCli === false) {`
test: simplify test skipping * Make common.skip() exit. Also add common.printSkipMessage() for partial skips. * Don't make needless things before skip PR-URL: https://github.com/nodejs/node/pull/14021 Fixes: https://github.com/nodejs/node/issues/14016 Reviewed-By: Refael Ackermann <refack@gmail.com> 2017-07-01 02:29:09 +03:00			`common.skip('node compiled without OpenSSL CLI.');`
test: move crypto related common utilities in common/crypto Since `common/crypto` already exists, it makes sense to keep crypto-related utilities there. The only exception being common.hasCrypto which is needed up front to determine if tests should be skipped. Eliminate the redundant check in hasFipsCrypto and just use crypto.getFips() directly where needed. PR-URL: https://github.com/nodejs/node/pull/56714 Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> 2025-01-24 16:58:32 -08:00			`}`
test: simplify test skipping * Make common.skip() exit. Also add common.printSkipMessage() for partial skips. * Don't make needless things before skip PR-URL: https://github.com/nodejs/node/pull/14021 Fixes: https://github.com/nodejs/node/issues/14016 Reviewed-By: Refael Ackermann <refack@gmail.com> 2017-07-01 02:29:09 +03:00
			`const assert = require('assert');`
			`const tls = require('tls');`
test: swap var->const/let and equal->strictEqual Change instances of var with const/let. Change assert.equal to assert.strictEqual. PR-URL: https://github.com/nodejs/node/pull/9888 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> 2016-12-01 11:01:54 -05:00			`const spawn = require('child_process').spawn;`
test: begin normalizing fixtures use Adds a new `../common/fixtures' module to begin normalizing `test/fixtures` use. Our test code is a bit inconsistent with regards to use of the fixtures directory. Some code uses `path.join()`, some code uses string concats, some other code uses template strings, etc. In mnay cases, significant duplication of code is seen when accessing fixture files, etc. This updates many (but by no means all) of the tests in the test suite to use the new consistent API. There are still many more to update, which would make an excelent Code-n-Learn exercise. PR-URL: https://github.com/nodejs/node/pull/14332 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de> Reviewed-By: Michaël Zasso <targos@protonmail.com> 2017-07-17 15:33:46 -07:00			`const fixtures = require('../common/fixtures');`
build,src: remove sslv3 support SSLv3 is susceptible to downgrade attacks. Provide secure defaults, disable v3 protocol support entirely. PR-URL: https://github.com/iojs/io.js/pull/315 Reviewed-By: Fedor Indutny <fedor@indutny.com> Reviewed-By: Trevor Norris <trev.norris@gmail.com> 2015-01-13 00:45:31 +01:00
test: move test_[key\|ca\|cert] to fixtures/keys/ Lots of changes, but mostly just search/replace of fixtures.readSync(...) to fixtures.readKey([new key]...) Benchmarks modified to use fixtures.readKey(...): benchmark/tls/throughput.js benchmark/tls/tls-connect.js benchmark/tls/secure-pair.js Also be sure to review the change to L16 of test/parallel/test-crypto-sign-verify.js PR-URL: https://github.com/nodejs/node/pull/27962 Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Ujjwal Sharma <usharma1998@gmail.com> Reviewed-By: Rich Trott <rtrott@gmail.com> 2019-05-29 11:43:44 -07:00			`const cert = fixtures.readKey('rsa_cert.crt');`
			`const key = fixtures.readKey('rsa_private.pem');`
test: use shorthand properties PR-URL: https://github.com/nodejs/node/pull/18105 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Weijia Wang <starkwang@126.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> 2018-01-11 19:03:58 +01:00			`const server = tls.createServer({ cert, key }, common.mustNotCall());`
test: swap var->const/let and equal->strictEqual Change instances of var with const/let. Change assert.equal to assert.strictEqual. PR-URL: https://github.com/nodejs/node/pull/9888 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> 2016-12-01 11:01:54 -05:00			`const errors = [];`
			`let stderr = '';`
build,src: remove sslv3 support SSLv3 is susceptible to downgrade attacks. Provide secure defaults, disable v3 protocol support entirely. PR-URL: https://github.com/iojs/io.js/pull/315 Reviewed-By: Fedor Indutny <fedor@indutny.com> Reviewed-By: Trevor Norris <trev.norris@gmail.com> 2015-01-13 00:45:31 +01:00
test: use random ports where possible This helps to prevent issues where a failed test can keep a bound socket open long enough to cause other tests to fail with EADDRINUSE because the same port number is used. PR-URL: https://github.com/nodejs/node/pull/7045 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Rod Vagg <rod@vagg.org> 2016-05-29 03:06:56 -04:00			`server.listen(0, '127.0.0.1', function() {`
test: reduce string concatenations PR-URL: https://github.com/nodejs/node/pull/12735 Refs: https://github.com/nodejs/node/pull/12455 Reviewed-By: Refael Ackermann <refack@gmail.com> Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com> 2017-04-28 04:06:42 +03:00			const address = `${this.address().address}:${this.address().port}`;
test: swap var->const/let and equal->strictEqual Change instances of var with const/let. Change assert.equal to assert.strictEqual. PR-URL: https://github.com/nodejs/node/pull/9888 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> 2016-12-01 11:01:54 -05:00			`const args = ['s_client',`
benchmark,lib,test: adjust for linting Formatting changes for upcoming linter update. PR-URL: https://github.com/nodejs/node/pull/10561 Reviewed-By: Teddy Katz <teddy.katz@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> 2016-12-31 21:39:57 -08:00			`'-ssl3',`
			`'-connect', address];`
test: add -no_rand_screen to s_client opts on Win RAND_screen() causes stability issues in invoking openssl-cli s_client on win2008r2 in CI. Disable to use it by adding -no_rand_screen options to all tls tests that use common.opensslCli. Fixes: https://github.com/nodejs/io.js/issues/2150 PR-URL: https://github.com/nodejs/io.js/pull/2209 Reviewed-By: Rod Vagg <rod@vagg.org> Reviewed-By: Joao Reis <reis@janeasystems.com> Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com> 2015-07-18 11:59:55 +09:00
test: move crypto related common utilities in common/crypto Since `common/crypto` already exists, it makes sense to keep crypto-related utilities there. The only exception being common.hasCrypto which is needed up front to determine if tests should be skipped. Eliminate the redundant check in hasFipsCrypto and just use crypto.getFips() directly where needed. PR-URL: https://github.com/nodejs/node/pull/56714 Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> 2025-01-24 16:58:32 -08:00			`const client = spawn(opensslCli, args, { stdio: 'pipe' });`
test: don't assume openssl s_client supports -ssl3 Scan the child process's stderr for an 'unknown flag' error message and mark the test as skipped if found. Fixes: https://github.com/nodejs/node/issues/3927 PR-URL: https://github.com/nodejs/node/pull/4204 Reviewed-By: Rich Trott <rtrott@gmail.com> 2015-12-08 23:46:07 +01:00			`client.stdout.pipe(process.stdout);`
			`client.stderr.pipe(process.stderr);`
			`client.stderr.setEncoding('utf8');`
test: update arrow function style This commit applies new arrow function linting rules across the codebase. As it turns out, the only offenders were in the test directory. PR-URL: https://github.com/nodejs/node/pull/4813 Reviewed-By: Rod Vagg <rod@vagg.org> Reviewed-By: Stephen Belanger <admin@stephenbelanger.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com> Reviewed-By: Saúl Ibarra Corretgé <saghul@gmail.com> Reviewed-By: Michaël Zasso <mic.besace@gmail.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Evan Lucas <evanlucas@me.com> Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com> Reviewed-By: Roman Reiss <me@silverwind.io> 2016-01-28 10:21:57 -05:00			`client.stderr.on('data', (data) => stderr += data);`
test: don't assume openssl s_client supports -ssl3 Scan the child process's stderr for an 'unknown flag' error message and mark the test as skipped if found. Fixes: https://github.com/nodejs/node/issues/3927 PR-URL: https://github.com/nodejs/node/pull/4204 Reviewed-By: Rich Trott <rtrott@gmail.com> 2015-12-08 23:46:07 +01:00
build,src: remove sslv3 support SSLv3 is susceptible to downgrade attacks. Provide secure defaults, disable v3 protocol support entirely. PR-URL: https://github.com/iojs/io.js/pull/315 Reviewed-By: Fedor Indutny <fedor@indutny.com> Reviewed-By: Trevor Norris <trev.norris@gmail.com> 2015-01-13 00:45:31 +01:00			`client.once('exit', common.mustCall(function(exitCode) {`
test: swap var->const/let and equal->strictEqual Change instances of var with const/let. Change assert.equal to assert.strictEqual. PR-URL: https://github.com/nodejs/node/pull/9888 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> 2016-12-01 11:01:54 -05:00			`assert.strictEqual(exitCode, 1);`
build,src: remove sslv3 support SSLv3 is susceptible to downgrade attacks. Provide secure defaults, disable v3 protocol support entirely. PR-URL: https://github.com/iojs/io.js/pull/315 Reviewed-By: Fedor Indutny <fedor@indutny.com> Reviewed-By: Trevor Norris <trev.norris@gmail.com> 2015-01-13 00:45:31 +01:00			`server.close();`
			`}));`
			`});`

test: update arrow function style This commit applies new arrow function linting rules across the codebase. As it turns out, the only offenders were in the test directory. PR-URL: https://github.com/nodejs/node/pull/4813 Reviewed-By: Rod Vagg <rod@vagg.org> Reviewed-By: Stephen Belanger <admin@stephenbelanger.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com> Reviewed-By: Saúl Ibarra Corretgé <saghul@gmail.com> Reviewed-By: Michaël Zasso <mic.besace@gmail.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Evan Lucas <evanlucas@me.com> Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com> Reviewed-By: Roman Reiss <me@silverwind.io> 2016-01-28 10:21:57 -05:00			`server.on('tlsClientError', (err) => errors.push(err));`
test: don't assume openssl s_client supports -ssl3 Scan the child process's stderr for an 'unknown flag' error message and mark the test as skipped if found. Fixes: https://github.com/nodejs/node/issues/3927 PR-URL: https://github.com/nodejs/node/pull/4204 Reviewed-By: Rich Trott <rtrott@gmail.com> 2015-12-08 23:46:07 +01:00
			`process.on('exit', function() {`
test: fix test-tls-no-sslv3 for OpenSSL 3 OpenSSL 3 has changed the format of the error message for an unknown option to the CLI. Update the test to allow for the older and newer message formats. PR-URL: https://github.com/nodejs/node/pull/38027 Refs: https://github.com/openssl/openssl/pull/10774 Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de> 2021-04-01 16:18:28 +01:00			`if (/[Uu]nknown option:? -ssl3/.test(stderr)) {`
test: simplify test skipping * Make common.skip() exit. Also add common.printSkipMessage() for partial skips. * Don't make needless things before skip PR-URL: https://github.com/nodejs/node/pull/14021 Fixes: https://github.com/nodejs/node/issues/14016 Reviewed-By: Refael Ackermann <refack@gmail.com> 2017-07-01 02:29:09 +03:00			common.printSkipMessage('`openssl s_client -ssl3` not supported.');
test: don't assume openssl s_client supports -ssl3 Scan the child process's stderr for an 'unknown flag' error message and mark the test as skipped if found. Fixes: https://github.com/nodejs/node/issues/3927 PR-URL: https://github.com/nodejs/node/pull/4204 Reviewed-By: Rich Trott <rtrott@gmail.com> 2015-12-08 23:46:07 +01:00			`} else {`
test: swap var->const/let and equal->strictEqual Change instances of var with const/let. Change assert.equal to assert.strictEqual. PR-URL: https://github.com/nodejs/node/pull/9888 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> 2016-12-01 11:01:54 -05:00			`assert.strictEqual(errors.length, 1);`
test: remove OpenSSL 1.0.2 error message compat While upgrading from OpenSSL 1.0.2 to 1.1.1, these tests were modified to recognize error messages from both OpenSSL releases. Given that OpenSSL 1.0.2 has been unsupported for years, it is safe to remove the older message patterns. Refs: https://github.com/nodejs/node/pull/16130 PR-URL: https://github.com/nodejs/node/pull/46709 Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Filip Skokan <panva.ip@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> 2023-02-22 07:09:11 +01:00			`assert(/:version too low/.test(errors[0].message));`
test: don't assume openssl s_client supports -ssl3 Scan the child process's stderr for an 'unknown flag' error message and mark the test as skipped if found. Fixes: https://github.com/nodejs/node/issues/3927 PR-URL: https://github.com/nodejs/node/pull/4204 Reviewed-By: Rich Trott <rtrott@gmail.com> 2015-12-08 23:46:07 +01:00			`}`
			`});`