Merge pull request #140 from azerum/fix-new-curves-supported

pimterry · web-flow · commit 51bb2c1fc9ea · 2023-04-28T18:43:08.000+02:00
fix #139
diff --git a/src/rules/passthrough-handling.ts b/src/rules/passthrough-handling.ts
@@ -7,6 +7,7 @@ import { CompletedBody, Headers } from '../types';
 import { byteLength } from '../util/util';
 import { asBuffer } from '../util/buffer-utils';
 import { isMockttpBody, encodeBodyBuffer } from '../util/request-utils';
+import { areFFDHECurvesSupported } from '../util/openssl-compat';
 
 import {
     CallbackRequestResult,
@@ -15,7 +16,7 @@ import {
 
 // TLS settings for proxied connections, intended to avoid TLS fingerprint blocking
 // issues so far as possible, by closely emulating a Firefox Client Hello:
-const NEW_CURVES_SUPPORTED = Number(process.versions.node.split('.')[0]) >= 17;
+const NEW_CURVES_SUPPORTED = areFFDHECurvesSupported(process.versions.openssl);
 
 const SSL_OP_TLSEXT_PADDING = 1 << 4;
 const SSL_OP_NO_ENCRYPT_THEN_MAC = 1 << 19;
diff --git a/src/util/openssl-compat.ts b/src/util/openssl-compat.ts
@@ -0,0 +1,26 @@
+import * as semver from 'semver';
+
+export function areFFDHECurvesSupported(opensslVersion: string | undefined) {
+    // FFDHE curves (ffdhe2048, ffdhe3072) are only avaliable from
+    // OpenSSL 3+
+
+    // Before 3.0.0, OpenSSL has followed non-semver version
+    // format (see https://wiki.openssl.org/index.php/Versioning).
+    // For example, there was a version `1.1.1t`. `semver` package, however
+    // can parse such versions with `loose: true` option
+
+    // If not version is available, assume that the curves are not supported
+    if (!opensslVersion) {
+        return false;
+    }
+
+    try {
+        const m = semver.major(opensslVersion, true);
+        return m >= 3;
+    }
+    catch {
+        // For any weirdly formed version where even the major part cannot be found,
+        // we assume that the curves are not supported for safety
+        return false;
+    }
+}
diff --git a/test/openssl-compat.spec.ts b/test/openssl-compat.spec.ts
@@ -0,0 +1,24 @@
+import { expect } from 'chai';
+import { areFFDHECurvesSupported } from '../src/util/openssl-compat';
+
+describe('areFFDHECurvesSupported', () => {
+    it('True only for 3+ versions', () => {
+        expect(areFFDHECurvesSupported('1.0.0')).to.be.false;
+        expect(areFFDHECurvesSupported('3.0.0')).to.be.true;
+        expect(areFFDHECurvesSupported('4.2.1')).to.be.true;
+    });
+
+    it('Copes with older OpenSSL versions format', () => {
+        expect(areFFDHECurvesSupported('1.0.1a')).to.be.false;
+        expect(areFFDHECurvesSupported('1.1.1t')).to.be.false;
+    });
+
+    it('Assumes false for weird versions', () => {
+        // Just in case
+        expect(areFFDHECurvesSupported('-1.0.0')).to.be.false;
+    });
+
+    it('Assumes false when version is uknown', () => {
+        expect(areFFDHECurvesSupported(undefined)).to.be.false;
+    });
+});
