tls: re-define max supported version as 1.2

Several secureProtocol strings allow any supported TLS version as the maximum, but our maximum supported protocol version is TLSv1.2 even if someone configures a build against an OpenSSL that supports TLSv1.3. Fixes: #24658
nodejs · Dec 17, 2018 · 058a96d · 058a96d
1 parent 3439c95
commit 058a96d
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/src/node_crypto.cc b/src/node_crypto.cc
@@ -518,6 +518,12 @@ void SecureContext::Init(const FunctionCallbackInfo<Value>& args) {
  SSL_SESS_CACHE_NO_AUTO_CLEAR);
 
  SSL_CTX_set_min_proto_version(sc->ctx_.get(), min_version);
+
+ if (max_version == 0) {
+ // Selecting some secureProtocol methods allows the TLS version to be "any
+ // supported", but we don't support TLSv1.3, even if OpenSSL does.
+ max_version = TLS1_2_VERSION;
+ }
  SSL_CTX_set_max_proto_version(sc->ctx_.get(), max_version);
 
  // OpenSSL 1.1.0 changed the ticket key size, but the OpenSSL 1.0.x size was