Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

tls: disallow conflicting TLS protocol options #27521

Closed
wants to merge 1 commit into from
Closed

tls: disallow conflicting TLS protocol options #27521

wants to merge 1 commit into from

Conversation

sam-github
Copy link
Contributor

@sam-github sam-github commented May 1, 2019
edited
Loading

Do not allow the minimum protocol level to be set higher than the max protocol level.

See: #26951, 109c097

Checklist
  • make -j4 test (UNIX), or vcbuild test (Windows) passes
  • tests and/or benchmarks are included
  • commit message follows commit guidelines

@nodejs-github-bot
Copy link
Collaborator

Lite-CI: https://ci.nodejs.org/job/node-test-pull-request-lite-pipeline/3417

@nodejs-github-bot nodejs-github-bot added the test Issues and PRs related to the tests. label May 1, 2019
@sam-github
Copy link
Contributor Author

@nodejs/crypto

@bnoordhuis
Copy link
Member

Shouldn't --tls-min-v1.3 --tls-max-v1.2 be an error? It doesn't result in a usable configuration so why go on?

@sam-github sam-github force-pushed the cli-tls-impossible branch 2 times, most recently from 927ad79 to c6533c3 Compare May 2, 2019 18:19
@sam-github
tls: disallow conflicting TLS protocol options
918c0ed 
Do not allow the minimum protocol level to be set higher than the max
protocol level.

See: nodejs#26951, 109c097
@sam-github sam-github changed the title test: check TLS config that breaks the defaults tls: disallow conflicting TLS protocol options May 2, 2019
@nodejs-github-bot
Copy link
Collaborator

CI: https://ci.nodejs.org/job/node-test-pull-request/22893/

@sam-github
Copy link
Contributor Author

Reworked this to disallow the option combination, PTAL @bnoordhuis @cjihrig

bnoordhuis
bnoordhuis approved these changes May 2, 2019
View reviewed changes
src/node_options.cc
@@ -148,6 +148,11 @@ void EnvironmentOptions::CheckOptions(std::vector<std::string>* errors) {
errors->push_back("invalid value for --unhandled-rejections");
}

if (tls_min_v1_3 && tls_max_v1_2) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

node --tls-min-v1.3 --tls-max-v1.2 --tls-max-v1.3 currently does the right thing (sets min and max to 1.3) but this change makes it an error.

I'm okay with that, just pointing it out in case it's something we want to preserve. Changing the logic to tls_min_v1_3 && tls_max_v1_2 && !tls_max_v1_3 would do that.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would keep the check as it is. Having multiple flags that partially contradict each other could confuse people.

BridgeAR
BridgeAR approved these changes May 2, 2019
View reviewed changes
src/node_options.cc
@@ -148,6 +148,11 @@ void EnvironmentOptions::CheckOptions(std::vector<std::string>* errors) {
errors->push_back("invalid value for --unhandled-rejections");
}

if (tls_min_v1_3 && tls_max_v1_2) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would keep the check as it is. Having multiple flags that partially contradict each other could confuse people.

@cjihrig
Copy link
Contributor

cjihrig commented May 2, 2019

Still LGTM

Trott
Trott approved these changes May 3, 2019
View reviewed changes
Copy link
Member

@Trott Trott left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. (Theoretically, throwing an error where there wasn't one before is generally semver-major but I don't think that logic applies here.)

@sam-github
Copy link
Contributor Author

Landed in cb848b4

@sam-github sam-github closed this May 3, 2019
@sam-github sam-github deleted the cli-tls-impossible branch May 3, 2019 23:12
sam-github added a commit that referenced this pull request May 3, 2019
@sam-github
tls: disallow conflicting TLS protocol options
cb848b4 
Do not allow the minimum protocol level to be set higher than the max
protocol level.

See: #26951, 109c097

PR-URL: #27521
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Rich Trott <rtrott@gmail.com>
targos pushed a commit that referenced this pull request May 4, 2019
@sam-github @targos
tls: disallow conflicting TLS protocol options
7bbf951 
Do not allow the minimum protocol level to be set higher than the max
protocol level.

See: #26951, 109c097

PR-URL: #27521
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Rich Trott <rtrott@gmail.com>
@targos targos mentioned this pull request May 6, 2019
Merged
This was referenced May 7, 2019
Closed
Closed
Closed
Closed
Closed
Closed
Closed
This was referenced May 8, 2019
Closed
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@BridgeAR BridgeAR BridgeAR approved these changes

@cjihrig cjihrig cjihrig approved these changes

@Trott Trott Trott approved these changes

@bnoordhuis bnoordhuis bnoordhuis approved these changes

Assignees
No one assigned
Labels
test Issues and PRs related to the tests.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@sam-github @nodejs-github-bot @bnoordhuis @cjihrig @Trott @BridgeAR