Skip to content

tls: disallow conflicting TLS protocol options#27521

Closed
sam-github wants to merge 1 commit intonodejs:masterfrom
sam-github:cli-tls-impossible
Closed

tls: disallow conflicting TLS protocol options#27521
sam-github wants to merge 1 commit intonodejs:masterfrom
sam-github:cli-tls-impossible

Conversation

@sam-github
Copy link
Contributor

@sam-github sam-github commented May 1, 2019
edited
Loading

Do not allow the minimum protocol level to be set higher than the max protocol level.

See: #26951, 109c097

Checklist
  • make -j4 test (UNIX), or vcbuild test (Windows) passes
  • tests and/or benchmarks are included
  • commit message follows commit guidelines

@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented May 1, 2019

Lite-CI: https://ci.nodejs.org/job/node-test-pull-request-lite-pipeline/3417

@nodejs-github-bot nodejs-github-bot added the test Issues and PRs related to the tests. label May 1, 2019
@sam-github
Copy link
Contributor Author

sam-github commented May 1, 2019

@nodejs/crypto

@bnoordhuis
Copy link
Member

bnoordhuis commented May 1, 2019

Shouldn't --tls-min-v1.3 --tls-max-v1.2 be an error? It doesn't result in a usable configuration so why go on?

Trott
Trott reviewed May 2, 2019
View reviewed changes
@sam-github sam-github force-pushed the cli-tls-impossible branch 2 times, most recently from 927ad79 to c6533c3 Compare May 2, 2019 18:19
@sam-github
tls: disallow conflicting TLS protocol options
918c0ed 
Do not allow the minimum protocol level to be set higher than the max
protocol level.

See: nodejs#26951, 109c097
@sam-github sam-github force-pushed the cli-tls-impossible branch from c6533c3 to 918c0ed Compare May 2, 2019 18:19
@sam-github sam-github changed the title test: check TLS config that breaks the defaults tls: disallow conflicting TLS protocol options May 2, 2019
@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented May 2, 2019

CI: https://ci.nodejs.org/job/node-test-pull-request/22893/

@sam-github
Copy link
Contributor Author

sam-github commented May 2, 2019

Reworked this to disallow the option combination, PTAL @bnoordhuis @cjihrig

bnoordhuis
bnoordhuis approved these changes May 2, 2019
View reviewed changes
src/node_options.cc
errors->push_back("invalid value for --unhandled-rejections");
}

if (tls_min_v1_3 && tls_max_v1_2) {
Copy link
Member

@bnoordhuis bnoordhuis May 2, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

node --tls-min-v1.3 --tls-max-v1.2 --tls-max-v1.3 currently does the right thing (sets min and max to 1.3) but this change makes it an error.

I'm okay with that, just pointing it out in case it's something we want to preserve. Changing the logic to tls_min_v1_3 && tls_max_v1_2 && !tls_max_v1_3 would do that.

Copy link
Member

@BridgeAR BridgeAR May 2, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would keep the check as it is. Having multiple flags that partially contradict each other could confuse people.

BridgeAR
BridgeAR approved these changes May 2, 2019
View reviewed changes
src/node_options.cc
errors->push_back("invalid value for --unhandled-rejections");
}

if (tls_min_v1_3 && tls_max_v1_2) {
Copy link
Member

@BridgeAR BridgeAR May 2, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would keep the check as it is. Having multiple flags that partially contradict each other could confuse people.

@cjihrig
Copy link
Contributor

cjihrig commented May 2, 2019

Still LGTM

Trott
Trott approved these changes May 3, 2019
View reviewed changes
Copy link
Member

@Trott Trott left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. (Theoretically, throwing an error where there wasn't one before is generally semver-major but I don't think that logic applies here.)

@sam-github
Copy link
Contributor Author

sam-github commented May 3, 2019

Landed in cb848b4

@sam-github sam-github closed this May 3, 2019
@sam-github sam-github deleted the cli-tls-impossible branch May 3, 2019 23:12
sam-github added a commit that referenced this pull request May 3, 2019
@sam-github
tls: disallow conflicting TLS protocol options
cb848b4 
Do not allow the minimum protocol level to be set higher than the max
protocol level.

See: #26951, 109c097

PR-URL: #27521
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Rich Trott <rtrott@gmail.com>
targos pushed a commit that referenced this pull request May 4, 2019
@sam-github @targos
tls: disallow conflicting TLS protocol options
7bbf951 
Do not allow the minimum protocol level to be set higher than the max
protocol level.

See: #26951, 109c097

PR-URL: #27521
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Rich Trott <rtrott@gmail.com>
@targos targos mentioned this pull request May 6, 2019
Merged
This was referenced May 7, 2019
Closed
Closed
Closed
Closed
Closed
Closed
Closed
This was referenced May 8, 2019
Closed
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bnoordhuis bnoordhuis bnoordhuis approved these changes

@Trott Trott Trott approved these changes

@cjihrig cjihrig cjihrig approved these changes

@BridgeAR BridgeAR BridgeAR approved these changes

Assignees

No one assigned

Labels

test Issues and PRs related to the tests.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@sam-github @nodejs-github-bot @bnoordhuis @cjihrig @Trott @BridgeAR