Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

tls: disallow conflicting TLS protocol options #27521

Closed
wants to merge 1 commit into from

Conversation

sam-github
Copy link
Contributor

@sam-github sam-github commented May 1, 2019

Do not allow the minimum protocol level to be set higher than the max protocol level.

See: #26951, 109c097

Checklist
  • make -j4 test (UNIX), or vcbuild test (Windows) passes
  • tests and/or benchmarks are included
  • commit message follows commit guidelines

@nodejs-github-bot
Copy link
Collaborator

@nodejs-github-bot nodejs-github-bot added the test Issues and PRs related to the tests. label May 1, 2019
@sam-github
Copy link
Contributor Author

@nodejs/crypto

@bnoordhuis
Copy link
Member

Shouldn't --tls-min-v1.3 --tls-max-v1.2 be an error? It doesn't result in a usable configuration so why go on?

@sam-github sam-github force-pushed the cli-tls-impossible branch 2 times, most recently from 927ad79 to c6533c3 Compare May 2, 2019 18:19
Do not allow the minimum protocol level to be set higher than the max
protocol level.

See: nodejs#26951, 109c097
@sam-github sam-github force-pushed the cli-tls-impossible branch from c6533c3 to 918c0ed Compare May 2, 2019 18:19
@sam-github sam-github changed the title test: check TLS config that breaks the defaults tls: disallow conflicting TLS protocol options May 2, 2019
@nodejs-github-bot
Copy link
Collaborator

@sam-github
Copy link
Contributor Author

Reworked this to disallow the option combination, PTAL @bnoordhuis @cjihrig

@@ -148,6 +148,11 @@ void EnvironmentOptions::CheckOptions(std::vector<std::string>* errors) {
errors->push_back("invalid value for --unhandled-rejections");
}

if (tls_min_v1_3 && tls_max_v1_2) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

node --tls-min-v1.3 --tls-max-v1.2 --tls-max-v1.3 currently does the right thing (sets min and max to 1.3) but this change makes it an error.

I'm okay with that, just pointing it out in case it's something we want to preserve. Changing the logic to tls_min_v1_3 && tls_max_v1_2 && !tls_max_v1_3 would do that.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would keep the check as it is. Having multiple flags that partially contradict each other could confuse people.

@@ -148,6 +148,11 @@ void EnvironmentOptions::CheckOptions(std::vector<std::string>* errors) {
errors->push_back("invalid value for --unhandled-rejections");
}

if (tls_min_v1_3 && tls_max_v1_2) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would keep the check as it is. Having multiple flags that partially contradict each other could confuse people.

@cjihrig
Copy link
Contributor

cjihrig commented May 2, 2019

Still LGTM

Copy link
Member

@Trott Trott left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. (Theoretically, throwing an error where there wasn't one before is generally semver-major but I don't think that logic applies here.)

@sam-github
Copy link
Contributor Author

Landed in cb848b4

@sam-github sam-github closed this May 3, 2019
@sam-github sam-github deleted the cli-tls-impossible branch May 3, 2019 23:12
sam-github added a commit that referenced this pull request May 3, 2019
Do not allow the minimum protocol level to be set higher than the max
protocol level.

See: #26951, 109c097

PR-URL: #27521
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Rich Trott <rtrott@gmail.com>
targos pushed a commit that referenced this pull request May 4, 2019
Do not allow the minimum protocol level to be set higher than the max
protocol level.

See: #26951, 109c097

PR-URL: #27521
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Rich Trott <rtrott@gmail.com>
@targos targos mentioned this pull request May 6, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
test Issues and PRs related to the tests.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants