crypto: don't disable TLS 1.3 without suites

In the manual page, there is a stement that ciphersuites contain explicit default settings - all TLS 1.3 ciphersuites are available. In node, we assume that an empty setting mean no ciphersuites and we disable TLS 1.3. A correct approach to disabling TLS 1.3 is to disable TLS 1.3 and by not override the default ciphersuits with an empty string. So, only override OpenSSL's TLS 1.3 ciphersuites with an explicit list of ciphers. If none are acceptible, the correct approach is to disable TLS 1.3 instead elsewhere. Fixes: #43419
nodejs · Jun 14, 2022 · 1b1db2d · 1b1db2d
1 parent 3d0a0b6
commit 1b1db2d
Showing 1 changed file with 2 additions and 7 deletions.
diff --git a/lib/internal/tls/secure-context.js b/lib/internal/tls/secure-context.js
@@ -225,15 +225,10 @@ function configSecureContext(context, options = kEmptyObject, name = 'options')
     cipherSuites,
   } = processCiphers(ciphers, `${name}.ciphers`);
 
-  context.setCipherSuites(cipherSuites);
+  if (cipherSuites !== '')
+    context.setCipherSuites(cipherSuites);
   context.setCiphers(cipherList);
 
-  if (cipherSuites === '' &&
-      context.getMaxProto() > TLS1_2_VERSION &&
-      context.getMinProto() < TLS1_3_VERSION) {
-    context.setMaxProto(TLS1_2_VERSION);
-  }
-
   if (cipherList === '' &&
       context.getMinProto() < TLS1_3_VERSION &&
       context.getMaxProto() > TLS1_2_VERSION) {