diff --git a/test/parallel/test-tls-min-max-version.js b/test/parallel/test-tls-min-max-version.js index 94468e47e23f75..521bc5ce9f193e 100644 --- a/test/parallel/test-tls-min-max-version.js +++ b/test/parallel/test-tls-min-max-version.js @@ -8,11 +8,13 @@ const { assert, connect, keys, tls } = require(fixtures.path('tls-connect')); const DEFAULT_MIN_VERSION = tls.DEFAULT_MIN_VERSION; +const DEFAULT_MAX_VERSION = tls.DEFAULT_MAX_VERSION; // For v11.x, the default is fixed and cannot be changed via CLI. assert.strictEqual(DEFAULT_MIN_VERSION, 'TLSv1'); -function test(cmin, cmax, cprot, smin, smax, sprot, expect) { +function test(cmin, cmax, cprot, smin, smax, sprot, proto, cerr, serr) { + assert(proto || cerr || serr, 'test missing any expectations'); connect({ client: { checkServerIdentity: (servername, cert) => { }, @@ -29,23 +31,52 @@ function test(cmin, cmax, cprot, smin, smax, sprot, expect) { secureProtocol: sprot, }, }, common.mustCall((err, pair, cleanup) => { - if (expect && !expect.match(/^TLS/)) { - assert(err.message.match(expect)); + function u(_) { return _ === undefined ? 'U' : _; } + console.log('test:', u(cmin), u(cmax), u(cprot), u(smin), u(smax), u(sprot), + 'expect', u(proto), u(cerr), u(serr)); + if (!proto) { + console.log('client', pair.client.err ? pair.client.err.code : undefined); + console.log('server', pair.server.err ? pair.server.err.code : undefined); + // 11.x doesn't have https://github.com/nodejs/node/pull/24729 + if (cerr === 'ERR_TLS_INVALID_PROTOCOL_METHOD' && + pair.client.err && + pair.client.err.message.includes('methods disabled')) + pair.client.err.code = 'ERR_TLS_INVALID_PROTOCOL_METHOD'; + if (serr === 'ERR_TLS_INVALID_PROTOCOL_METHOD' && + pair.server.err && + pair.server.err.message.includes('methods disabled')) + pair.server.err.code = 'ERR_TLS_INVALID_PROTOCOL_METHOD'; + if (cerr === 'ERR_TLS_INVALID_PROTOCOL_METHOD' && + pair.client.err && + pair.client.err.message.includes('Unknown method')) + pair.client.err.code = 'ERR_TLS_INVALID_PROTOCOL_METHOD'; + if (serr === 'ERR_TLS_INVALID_PROTOCOL_METHOD' && + pair.server.err && + pair.server.err.message.includes('Unknown method')) + pair.server.err.code = 'ERR_TLS_INVALID_PROTOCOL_METHOD'; + if (cerr) { + assert(pair.client.err); + // Accept these codes as aliases, the one reported depends on the + // OpenSSL version. + if (cerr === 'ERR_SSL_UNSUPPORTED_PROTOCOL' && + pair.client.err.code === 'ERR_SSL_VERSION_TOO_LOW') + cerr = 'ERR_SSL_VERSION_TOO_LOW'; + assert.strictEqual(pair.client.err.code, cerr); + } + if (serr) { + assert(pair.server.err); + assert.strictEqual(pair.server.err.code, serr); + } return cleanup(); } - if (expect) { - assert.ifError(pair.server.err); - assert.ifError(pair.client.err); - assert(pair.server.conn); - assert(pair.client.conn); - assert.strictEqual(pair.client.conn.getProtocol(), expect); - assert.strictEqual(pair.server.conn.getProtocol(), expect); - return cleanup(); - } - - assert(pair.server.err); - assert(pair.client.err); + assert.ifError(err); + assert.ifError(pair.server.err); + assert.ifError(pair.client.err); + assert(pair.server.conn); + assert(pair.client.conn); + assert.strictEqual(pair.client.conn.getProtocol(), proto); + assert.strictEqual(pair.server.conn.getProtocol(), proto); return cleanup(); })); } @@ -56,18 +87,28 @@ const U = undefined; test(U, U, U, U, U, U, 'TLSv1.2'); // Insecure or invalid protocols cannot be enabled. -test(U, U, U, U, U, 'SSLv2_method', 'SSLv2 methods disabled'); -test(U, U, U, U, U, 'SSLv3_method', 'SSLv3 methods disabled'); -test(U, U, 'SSLv2_method', U, U, U, 'SSLv2 methods disabled'); -test(U, U, 'SSLv3_method', U, U, U, 'SSLv3 methods disabled'); -test(U, U, 'hokey-pokey', U, U, U, 'Unknown method'); -test(U, U, U, U, U, 'hokey-pokey', 'Unknown method'); +test(U, U, U, U, U, 'SSLv2_method', + U, U, 'ERR_TLS_INVALID_PROTOCOL_METHOD'); +test(U, U, U, U, U, 'SSLv3_method', + U, U, 'ERR_TLS_INVALID_PROTOCOL_METHOD'); +test(U, U, 'SSLv2_method', U, U, U, + U, 'ERR_TLS_INVALID_PROTOCOL_METHOD'); +test(U, U, 'SSLv3_method', U, U, U, + U, 'ERR_TLS_INVALID_PROTOCOL_METHOD'); +test(U, U, 'hokey-pokey', U, U, U, + U, 'ERR_TLS_INVALID_PROTOCOL_METHOD'); +test(U, U, U, U, U, 'hokey-pokey', + U, U, 'ERR_TLS_INVALID_PROTOCOL_METHOD'); // Cannot use secureProtocol and min/max versions simultaneously. -test(U, U, U, U, 'TLSv1.2', 'TLS1_2_method', 'conflicts with secureProtocol'); -test(U, U, U, 'TLSv1.2', U, 'TLS1_2_method', 'conflicts with secureProtocol'); -test(U, 'TLSv1.2', 'TLS1_2_method', U, U, U, 'conflicts with secureProtocol'); -test('TLSv1.2', U, 'TLS1_2_method', U, U, U, 'conflicts with secureProtocol'); +test(U, U, U, U, 'TLSv1.2', 'TLS1_2_method', + U, U, 'ERR_TLS_PROTOCOL_VERSION_CONFLICT'); +test(U, U, U, 'TLSv1.2', U, 'TLS1_2_method', + U, U, 'ERR_TLS_PROTOCOL_VERSION_CONFLICT'); +test(U, 'TLSv1.2', 'TLS1_2_method', U, U, U, + U, 'ERR_TLS_PROTOCOL_VERSION_CONFLICT'); +test('TLSv1.2', U, 'TLS1_2_method', U, U, U, + U, 'ERR_TLS_PROTOCOL_VERSION_CONFLICT'); // TLS_method means "any supported protocol". test(U, U, 'TLSv1_2_method', U, U, 'TLS_method', 'TLSv1.2'); @@ -82,17 +123,23 @@ test(U, U, 'TLS_method', U, U, 'TLSv1_method', 'TLSv1'); test(U, U, 'TLSv1_2_method', U, U, 'SSLv23_method', 'TLSv1.2'); if (DEFAULT_MIN_VERSION === 'TLSv1.2') { - test(U, U, 'TLSv1_1_method', U, U, 'SSLv23_method', null); - test(U, U, 'TLSv1_method', U, U, 'SSLv23_method', null); - test(U, U, 'SSLv23_method', U, U, 'TLSv1_1_method', null); - test(U, U, 'SSLv23_method', U, U, 'TLSv1_method', null); + test(U, U, 'TLSv1_1_method', U, U, 'SSLv23_method', + U, 'ECONNRESET', 'ERR_SSL_UNSUPPORTED_PROTOCOL'); + test(U, U, 'TLSv1_method', U, U, 'SSLv23_method', + U, 'ECONNRESET', 'ERR_SSL_UNSUPPORTED_PROTOCOL'); + test(U, U, 'SSLv23_method', U, U, 'TLSv1_1_method', + U, 'ERR_SSL_UNSUPPORTED_PROTOCOL', 'ERR_SSL_WRONG_VERSION_NUMBER'); + test(U, U, 'SSLv23_method', U, U, 'TLSv1_method', + U, 'ERR_SSL_UNSUPPORTED_PROTOCOL', 'ERR_SSL_WRONG_VERSION_NUMBER'); } if (DEFAULT_MIN_VERSION === 'TLSv1.1') { test(U, U, 'TLSv1_1_method', U, U, 'SSLv23_method', 'TLSv1.1'); - test(U, U, 'TLSv1_method', U, U, 'SSLv23_method', null); + test(U, U, 'TLSv1_method', U, U, 'SSLv23_method', + U, 'ECONNRESET', 'ERR_SSL_UNSUPPORTED_PROTOCOL'); test(U, U, 'SSLv23_method', U, U, 'TLSv1_1_method', 'TLSv1.1'); - test(U, U, 'SSLv23_method', U, U, 'TLSv1_method', null); + test(U, U, 'SSLv23_method', U, U, 'TLSv1_method', + U, 'ERR_SSL_UNSUPPORTED_PROTOCOL', 'ERR_SSL_WRONG_VERSION_NUMBER'); } if (DEFAULT_MIN_VERSION === 'TLSv1') { @@ -110,18 +157,34 @@ test(U, U, 'TLSv1_method', U, U, 'TLSv1_method', 'TLSv1'); // The default default. if (DEFAULT_MIN_VERSION === 'TLSv1.2') { - test(U, U, 'TLSv1_1_method', U, U, U, null); - test(U, U, 'TLSv1_method', U, U, U, null); - test(U, U, U, U, U, 'TLSv1_1_method', null); - test(U, U, U, U, U, 'TLSv1_method', null); + test(U, U, 'TLSv1_1_method', U, U, U, + U, 'ECONNRESET', 'ERR_SSL_UNSUPPORTED_PROTOCOL'); + test(U, U, 'TLSv1_method', U, U, U, + U, 'ECONNRESET', 'ERR_SSL_UNSUPPORTED_PROTOCOL'); + + if (DEFAULT_MAX_VERSION === 'TLSv1.2') { + test(U, U, U, U, U, 'TLSv1_1_method', + U, 'ERR_SSL_UNSUPPORTED_PROTOCOL', 'ERR_SSL_WRONG_VERSION_NUMBER'); + test(U, U, U, U, U, 'TLSv1_method', + U, 'ERR_SSL_UNSUPPORTED_PROTOCOL', 'ERR_SSL_WRONG_VERSION_NUMBER'); + } else { + assert(false, 'unreachable'); + } } // The default with --tls-v1.1. if (DEFAULT_MIN_VERSION === 'TLSv1.1') { test(U, U, 'TLSv1_1_method', U, U, U, 'TLSv1.1'); - test(U, U, 'TLSv1_method', U, U, U, null); + test(U, U, 'TLSv1_method', U, U, U, + U, 'ECONNRESET', 'ERR_SSL_UNSUPPORTED_PROTOCOL'); test(U, U, U, U, U, 'TLSv1_1_method', 'TLSv1.1'); - test(U, U, U, U, U, 'TLSv1_method', null); + + if (DEFAULT_MAX_VERSION === 'TLSv1.2') { + test(U, U, U, U, U, 'TLSv1_method', + U, 'ERR_SSL_UNSUPPORTED_PROTOCOL', 'ERR_SSL_WRONG_VERSION_NUMBER'); + } else { + assert(false, 'unreachable'); + } } // The default with --tls-v1.0.