Commit 3504da0

Fix support for TLSv1 via ignoreHostHttpsErrors on modern Node
Previously we'd assumed that the OpenSSL v3 upgrade in modern node made this unavailable without command line flags. In fact, it is possible to set the security level on a per-context basis, so we can still use this to access old TLS servers compatibly! This change adds that, and completely removes the test's compatibility check & skip for this feature.
1 parent 82e570d commit 3504da0

3 files changed

+9
-7
lines changed

src/rules/passthrough-handling.ts

Lines changed: 8 additions & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -73,7 +73,14 @@ export const getUpstreamTlsOptions = (strictChecks: boolean): tls.SecureContextO
7373
'AES128-GCM-SHA256',
7474
'AES256-GCM-SHA384',
7575
'AES128-SHA',
76-
'AES256-SHA'
76+
'AES256-SHA',
77+
78+
// This magic cipher is the very obtuse way that OpenSSL downgrades the overall
79+
// security level to allow various legacy settings, protocols & ciphers:
80+
...(!strictChecks
81+
? ['@SECLEVEL=0']
82+
: []
83+
)
7784
].join(':'),
7885
secureOptions: strictChecks
7986
? SSL_OP_TLSEXT_PADDING | SSL_OP_NO_ENCRYPT_THEN_MAC
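Review bot: The comment above the `@SECLEVEL=0` entry undersells its scope. OpenSSL security level 0 lifts the restrictions on weak key sizes, signature digests and MAC choices across the board, not only the gate on TLS < 1.2, so the non-strict context (the `strictChecks === false` path) will also accept upstream servers that would otherwise be rejected for short keys or SHA-1 signatures. Suggest saying so in the comment, e.g. "Security level 0 permits everything OpenSSL 3 normally refuses: TLSv1/1.1, weak keys, SHA-1 signatures". Also worth confirming that the same non-strict branch lowers `minVersion` below Node's default, since the cipher string alone does not move the protocol floor; the test server hunk sets `minVersion: 'TLSv1'` for the same reason.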

test/integration/proxying/https-proxying.spec.ts

Lines changed: 1 addition & 5 deletions
@@ -16,7 +16,6 @@ import {
1616
makeDestroyable,
1717
DestroyableServer,
1818
H2_TLS_ON_TLS_SUPPORTED,
19-
OLD_TLS_SUPPORTED,
2019
ignoreNetworkError,
2120
SOCKET_RESET_SUPPORTED
2221
} from "../../test-utils";
@@ -252,10 +251,6 @@ nodeOnly(() => {
252251

253252
describe("given a TLSv1 upstream server", () => {
254253

255-
before(function () {
256-
if (!semver.satisfies(process.version, OLD_TLS_SUPPORTED)) this.skip();
257-
});
258-
259254
let oldServerPort: number;
260255
let oldServer: DestroyableServer<https.Server>;
261256

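Review bot: With this `before()` skip gone, check whether `semver` is still referenced anywhere else in this spec; if this was its only call site the import is now dead and should be dropped in the same change rather than left for the linter.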
@@ -270,6 +265,7 @@ nodeOnly(() => {
270265
...cert,
271266
minVersion: 'TLSv1',
272267
maxVersion: 'TLSv1',
268+
ciphers: 'DEFAULT@SECLEVEL=0'
273269
}, (_req, res) => {
274270
res.writeHead(200);
275271
res.end('OK');
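Review bot: The new `ciphers: 'DEFAULT@SECLEVEL=0'` line lacks the trailing comma that the preceding `minVersion` / `maxVersion` properties use, which is a style nit. More usefully, a one-line comment explaining why the test server needs it (OpenSSL 3 will not negotiate TLSv1 at security level 1 or above, so without this the server cannot offer TLSv1 at all) would mirror the comment added in passthrough-handling.ts and spare the next reader a trip to the OpenSSL docs.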

test/test-utils.ts

Lines changed: 0 additions & 1 deletion
@@ -257,7 +257,6 @@ export async function startDnsServer(callback: (question: dns2.DnsQuestion) => s
257257

258258
export const H2_TLS_ON_TLS_SUPPORTED = ">=12.17";
259259
export const HTTP_ABORTSIGNAL_SUPPORTED = ">=14.17";
260-
export const OLD_TLS_SUPPORTED = "<17"; // In 17+ TLS < v1.2 is only available with legacy OpenSSL flag
261260
export const NATIVE_FETCH_SUPPORTED = ">=18";
262261
export const SOCKET_RESET_SUPPORTED = "^16.17 || >=18.3";
263262
export const BROKEN_H1_OVER_H2_TUNNELLING = "^18.8";
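Review bot: `OLD_TLS_SUPPORTED` was an exported constant, and this diff only shows its import being removed from https-proxying.spec.ts; confirm that no other spec under test/ still imports it, otherwise the TypeScript build for the test suite will break once this lands.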
