Validate secureProtocol in TLS and add tests for protocol methods

2026-02-16 22:01:47 +00:00 · 2025-05-29 19:54:40 +00:00
2 changed files with 82 additions and 0 deletions
--- a/src/js/node/tls.ts
+++ b/src/js/node/tls.ts
@@ -244,6 +244,31 @@ var InternalSecureContext = class SecureContext {

      this.secureOptions = secureOptions;

+      // Validate secureProtocol if provided
+      if (options.secureProtocol !== undefined) {
+        if (typeof options.secureProtocol !== "string") {
+          throw new TypeError("secureProtocol argument must be a string");
+        }
+        
+        // List of valid protocol methods supported by OpenSSL
+        const validProtocolMethods = [
+          'TLS_method',
+          'TLSv1_method',
+          'TLSv1_1_method', 
+          'TLSv1_2_method',
+          'TLSv1_3_method',
+          'SSLv3_method',
+          'SSLv23_method',
+          'DTLS_method',
+          'DTLSv1_method',
+          'DTLSv1_2_method'
+        ];
+        
+        if (!validProtocolMethods.includes(options.secureProtocol)) {
+          throw $ERR_TLS_INVALID_PROTOCOL_METHOD(`Unknown method: ${options.secureProtocol}`);
+        }
+      }
+
      if (!$isUndefinedOrNull(options.privateKeyIdentifier)) {
        if ($isUndefinedOrNull(options.privateKeyEngine)) {
          // prettier-ignore
--- a/test/js/node/test/parallel/test-tls-no-sslv23.js
+++ b/test/js/node/test/parallel/test-tls-no-sslv23.js
@@ -0,0 +1,57 @@
+const common = require('../common');
+if (!common.hasCrypto)
+  common.skip('missing crypto');
+
+const assert = require('assert');
+const tls = require('tls');
+
+assert.throws(function() {
+  tls.createSecureContext({ secureProtocol: 'blargh' });
+}, {
+  code: 'ERR_TLS_INVALID_PROTOCOL_METHOD',
+  message: 'Unknown method: blargh',
+});
+
+const errMessageSSLv2 = /SSLv2 methods disabled/;
+
+assert.throws(function() {
+  tls.createSecureContext({ secureProtocol: 'SSLv2_method' });
+}, errMessageSSLv2);
+
+assert.throws(function() {
+  tls.createSecureContext({ secureProtocol: 'SSLv2_client_method' });
+}, errMessageSSLv2);
+
+assert.throws(function() {
+  tls.createSecureContext({ secureProtocol: 'SSLv2_server_method' });
+}, errMessageSSLv2);
+
+const errMessageSSLv3 = /SSLv3 methods disabled/;
+
+assert.throws(function() {
+  tls.createSecureContext({ secureProtocol: 'SSLv3_method' });
+}, errMessageSSLv3);
+
+assert.throws(function() {
+  tls.createSecureContext({ secureProtocol: 'SSLv3_client_method' });
+}, errMessageSSLv3);
+
+assert.throws(function() {
+  tls.createSecureContext({ secureProtocol: 'SSLv3_server_method' });
+}, errMessageSSLv3);
+
+// Note that SSLv2 and SSLv3 are disallowed but SSLv2_method and friends are
+// still accepted.  They are OpenSSL's way of saying that all known protocols
+// are supported unless explicitly disabled (which we do for SSLv2 and SSLv3.)
+tls.createSecureContext({ secureProtocol: 'SSLv23_method' });
+tls.createSecureContext({ secureProtocol: 'SSLv23_client_method' });
+tls.createSecureContext({ secureProtocol: 'SSLv23_server_method' });
+tls.createSecureContext({ secureProtocol: 'TLSv1_method' });
+tls.createSecureContext({ secureProtocol: 'TLSv1_client_method' });
+tls.createSecureContext({ secureProtocol: 'TLSv1_server_method' });
+tls.createSecureContext({ secureProtocol: 'TLSv1_1_method' });
+tls.createSecureContext({ secureProtocol: 'TLSv1_1_client_method' });
+tls.createSecureContext({ secureProtocol: 'TLSv1_1_server_method' });
+tls.createSecureContext({ secureProtocol: 'TLSv1_2_method' });
+tls.createSecureContext({ secureProtocol: 'TLSv1_2_client_method' });
+tls.createSecureContext({ secureProtocol: 'TLSv1_2_server_method' });