From f5204c5d3158fb141ee8e8dd77e20f179954a4ba Mon Sep 17 00:00:00 2001 From: Kumar Rishav Date: Sat, 14 Oct 2023 14:42:00 -0700 Subject: [PATCH] tls: fix order of setting cipher before setting cert and key Set the cipher list and cipher suite before anything else because @SECLEVEL= changes the security level and that affects subsequent operations. Fixes: https://github.com/nodejs/node/issues/36655 https://github.com/nodejs/node/issues/49549 Refs: https://github.com/orgs/nodejs/discussions/49634 https://github.com/orgs/nodejs/discussions/46545 --- lib/internal/tls/secure-context.js | 47 ++++++++++++++++-------------- 1 file changed, 25 insertions(+), 22 deletions(-) diff --git a/lib/internal/tls/secure-context.js b/lib/internal/tls/secure-context.js index 0fa3098ffa10208..40d995f9890d53a 100644 --- a/lib/internal/tls/secure-context.js +++ b/lib/internal/tls/secure-context.js @@ -148,6 +148,31 @@ function configSecureContext(context, options = kEmptyObject, name = 'options') ticketKeys, } = options; + // Set the cipher list and cipher suite before anything else because + // @SECLEVEL= changes the security level and that affects subsequent + // operations. + if (ciphers !== undefined && ciphers !== null) + validateString(ciphers, `${name}.ciphers`); + + // Work around an OpenSSL API quirk. cipherList is for TLSv1.2 and below, + // cipherSuites is for TLSv1.3 (and presumably any later versions). TLSv1.3 + // cipher suites all have a standard name format beginning with TLS_, so split + // the ciphers and pass them to the appropriate API. + const { + cipherList, + cipherSuites, + } = processCiphers(ciphers, `${name}.ciphers`); + + if (cipherSuites !== '') + context.setCipherSuites(cipherSuites); + context.setCiphers(cipherList); + + if (cipherList === '' && + context.getMinProto() < TLS1_3_VERSION && + context.getMaxProto() > TLS1_2_VERSION) { + context.setMinProto(TLS1_3_VERSION); + } + // Add CA before the cert to be able to load cert's issuer in C++ code. // NOTE(@jasnell): ca, cert, and key are permitted to be falsy, so do not // change the checks to !== undefined checks. @@ -218,28 +243,6 @@ function configSecureContext(context, options = kEmptyObject, name = 'options') } } - if (ciphers !== undefined && ciphers !== null) - validateString(ciphers, `${name}.ciphers`); - - // Work around an OpenSSL API quirk. cipherList is for TLSv1.2 and below, - // cipherSuites is for TLSv1.3 (and presumably any later versions). TLSv1.3 - // cipher suites all have a standard name format beginning with TLS_, so split - // the ciphers and pass them to the appropriate API. - const { - cipherList, - cipherSuites, - } = processCiphers(ciphers, `${name}.ciphers`); - - if (cipherSuites !== '') - context.setCipherSuites(cipherSuites); - context.setCiphers(cipherList); - - if (cipherList === '' && - context.getMinProto() < TLS1_3_VERSION && - context.getMaxProto() > TLS1_2_VERSION) { - context.setMinProto(TLS1_3_VERSION); - } - validateString(ecdhCurve, `${name}.ecdhCurve`); context.setECDHCurve(ecdhCurve);