nodejs/test/parallel/test-tls-reduced-SECLEVEL-in-cipher.js

'use strict';
const common = require('../common');

if (!common.hasCrypto)
  common.skip('missing crypto');

const assert = require('assert');
const tls = require('tls');
const fixtures = require('../common/fixtures');

{
  const options = {
    key: fixtures.readKey('agent11-key.pem'),
    cert: fixtures.readKey('agent11-cert.pem'),
    ciphers: 'DEFAULT'
  };

  // Should throw error as key is too small because openssl v3 doesn't allow it
  assert.throws(() => tls.createServer(options, common.mustNotCall()),
                /key too small/i);

  // Reducing SECLEVEL to 0 in ciphers retains compatibility with previous versions of OpenSSL like using a small key.
  // As ciphers are getting set before the cert and key get loaded.
  options.ciphers = 'DEFAULT:@SECLEVEL=0';
  assert.ok(tls.createServer(options, common.mustNotCall()));
}
tls: fix order of setting cipher before setting cert and key Set the cipher list and cipher suite before anything else because @SECLEVEL=<n> changes the security level and that affects subsequent operations. Fixes: https://github.com/nodejs/node/issues/36655 Fixes: https://github.com/nodejs/node/issues/49549 Refs: https://github.com/orgs/nodejs/discussions/49634 Refs: https://github.com/orgs/nodejs/discussions/46545 Refs: https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_security_level.html PR-URL: https://github.com/nodejs/node/pull/50186 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Paolo Insogna <paolo@cowtech.it> 2023-10-16 19:55:36 +00:00			`'use strict';`
			`const common = require('../common');`

			`if (!common.hasCrypto)`
			`common.skip('missing crypto');`

			`const assert = require('assert');`
			`const tls = require('tls');`
			`const fixtures = require('../common/fixtures');`

			`{`
			`const options = {`
			`key: fixtures.readKey('agent11-key.pem'),`
			`cert: fixtures.readKey('agent11-cert.pem'),`
			`ciphers: 'DEFAULT'`
			`};`

			`// Should throw error as key is too small because openssl v3 doesn't allow it`
			`assert.throws(() => tls.createServer(options, common.mustNotCall()),`
			`/key too small/i);`

			`// Reducing SECLEVEL to 0 in ciphers retains compatibility with previous versions of OpenSSL like using a small key.`
			`// As ciphers are getting set before the cert and key get loaded.`
			`options.ciphers = 'DEFAULT:@SECLEVEL=0';`
			`assert.ok(tls.createServer(options, common.mustNotCall()));`
			`}`