Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

tls: ciphers allow bang syntax #49712

Merged
merged 1 commit into from
Oct 4, 2023

Conversation

atlowChemi
Copy link
Member

Fixes: #49699

@nodejs-github-bot
Copy link
Collaborator

Review requested:

  • @nodejs/crypto
  • @nodejs/net

@nodejs-github-bot nodejs-github-bot added needs-ci PRs that need a full CI run. tls Issues and PRs related to the tls subsystem. labels Sep 19, 2023
@atlowChemi
Copy link
Member Author

Still want to add a UT, was not sure exactly what, will have a go at it later today

Copy link
Member

@bnoordhuis bnoordhuis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IMO, these exceed (by a fairly wide margin) the threshold of what's still legible. I'd break them up in separate statements.

@atlowChemi atlowChemi force-pushed the cipher-suites branch 2 times, most recently from a439f5d to a55d146 Compare September 21, 2023 06:32
@atlowChemi atlowChemi added the request-ci Add this label to start a Jenkins CI on a PR. label Sep 21, 2023
@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Sep 21, 2023
@nodejs-github-bot
Copy link
Collaborator

@atlowChemi
Copy link
Member Author

@bnoordhuis The CI failed with the following:

not ok 2966 parallel/test-tls-set-ciphers
  ---
  duration_ms: 283.21700
  severity: fail
  exitcode: 1
  stack: |-
    test: AES256-SHA 9 expect U U ERR_INVALID_ARG_TYPE
       (/home/iojs/build/workspace/node-test-commit-linux-containered/test/parallel/test-tls-set-ciphers.js:121:1)
    client undefined
    server ERR_INVALID_ARG_TYPE
    test: AES256-SHA : expect U U ERR_INVALID_ARG_VALUE
       (/home/iojs/build/workspace/node-test-commit-linux-containered/test/parallel/test-tls-set-ciphers.js:123:1)
    client undefined
    server ERR_INVALID_ARG_VALUE
    test: TLS_AES_256_GCM_SHA384:!TLS_CHACHA20_POLY1305_SHA256 U expect TLS_AES_256_GCM_SHA384 U U
       (/home/iojs/build/workspace/node-test-commit-linux-containered/test/parallel/test-tls-set-ciphers.js:88:1)
    node:assert:991
        throw newErr;
        ^
    
    AssertionError [ERR_ASSERTION]: ifError got unwanted exception: error:1426E0B9:SSL routines:ciphersuite_cb:no cipher match
        at /home/iojs/build/workspace/node-test-commit-linux-containered/test/parallel/test-tls-set-ciphers.js:63:12
        at /home/iojs/build/workspace/node-test-commit-linux-containered/test/common/index.js:474:15
        at /home/iojs/build/workspace/node-test-commit-linux-containered/test/common/index.js:474:15
        at Server.<anonymous> (/home/iojs/build/workspace/node-test-commit-linux-containered/test/fixtures/tls-connect.js:78:9)
        at configSecureContext (node:internal/tls/secure-context:234:13)
        at Object.createSecureContext (node:_tls_common:116:3)
        at Object.connect (node:_tls_wrap:1748:48)
        at Server.<anonymous> (/home/iojs/build/workspace/node-test-commit-linux-containered/test/fixtures/tls-connect.js:65:13)
        at Object.onceWrapper (node:events:628:28)
        at Server.emit (node:events:514:28)
        at emitListeningNT (node:net:1906:10)
        at process.processTicksAndRejections (node:internal/process/task_queues:81:21) {
      generatedMessage: false,
      code: 'ERR_ASSERTION',
      actual: Error: error:1426E0B9:SSL routines:ciphersuite_cb:no cipher match
          at configSecureContext (node:internal/tls/secure-context:234:13)
          at Object.createSecureContext (node:_tls_common:116:3)
          at Object.connect (node:_tls_wrap:1748:48)
          at Server.<anonymous> (/home/iojs/build/workspace/node-test-commit-linux-containered/test/fixtures/tls-connect.js:65:13)
          at Object.onceWrapper (node:events:628:28)
          at Server.emit (node:events:514:28)
          at emitListeningNT (node:net:1906:10)
          at process.processTicksAndRejections (node:internal/process/task_queues:81:21) {
        library: 'SSL routines',
        function: 'ciphersuite_cb',
        reason: 'no cipher match',
        code: 'ERR_SSL_NO_CIPHER_MATCH'
      },
      expected: null,
      operator: 'ifError'
    }
    
    Node.js v21.0.0-pre

Do you think we should skip this test-case on a specific platform etc?

@bnoordhuis
Copy link
Member

On the one hand, I'd like to better understand why the test fails with openssl 1.1.1. On the other hand, it's EOL and not worth sinking a lot of time in. I've opened nodejs/build#3496 to discuss removing the buildbots.

Aside 1: doc/api/tls.md tells you to consult https://www.openssl.org/docs/man1.1.1/man1/openssl-ciphers.html (why the 1.1.1 version?) for the cipher list syntax. We don't support the full syntax (e.g. + and -) and I don't think it's important that we do but the docs should make it clear only a subset is supported.

Aside 2: test/parallel/test-tls-set-ciphers.js has pretty much the same bug as lib/internal/tls/secure-context.js but the line length rather obscures it:

if ((typeof ciphers === 'string' || ciphers instanceof String) && ciphers.length > 0 && !ciphers.includes('TLS_'))
return 'TLSv1.2';

@mhdawson
Copy link
Member

@atlowChemi as discussed in nodejs/build#3496 would you mind adding a check against (common.hasOpenSSL3 || common.hasOpenSSL31) so that the failing test would only run only in builds that don't use 1.1.1 for now?

@atlowChemi atlowChemi added request-ci Add this label to start a Jenkins CI on a PR. and removed request-ci Add this label to start a Jenkins CI on a PR. labels Sep 30, 2023
@atlowChemi atlowChemi added the request-ci Add this label to start a Jenkins CI on a PR. label Sep 30, 2023
@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Sep 30, 2023
@nodejs-github-bot
Copy link
Collaborator

@nodejs-github-bot
Copy link
Collaborator

@nodejs-github-bot
Copy link
Collaborator

@atlowChemi atlowChemi added the commit-queue Add this label to land a pull request using GitHub Actions. label Oct 4, 2023
@nodejs-github-bot nodejs-github-bot added commit-queue-failed An error occurred while landing this pull request using GitHub Actions. and removed commit-queue Add this label to land a pull request using GitHub Actions. labels Oct 4, 2023
@nodejs-github-bot
Copy link
Collaborator

Commit Queue failed
- Loading data for nodejs/node/pull/49712
✔  Done loading data for nodejs/node/pull/49712
----------------------------------- PR info ------------------------------------
Title      tls: ciphers allow bang syntax (#49712)
Author     Chemi Atlow  (@atlowChemi)
Branch     atlowChemi:cipher-suites -> nodejs:main
Labels     tls, needs-ci
Commits    1
 - tls: ciphers allow bang syntax
Committers 1
 - atlowChemi 
PR-URL: /~https://github.com/nodejs/node/pull/49712
Fixes: /~https://github.com/nodejs/node/issues/49699
Reviewed-By: Ben Noordhuis 
------------------------------ Generated metadata ------------------------------
PR-URL: /~https://github.com/nodejs/node/pull/49712
Fixes: /~https://github.com/nodejs/node/issues/49699
Reviewed-By: Ben Noordhuis 
--------------------------------------------------------------------------------
   ⚠  Commits were pushed since the last approving review:
   ⚠  - tls: ciphers allow bang syntax
   ℹ  This PR was created on Tue, 19 Sep 2023 07:27:31 GMT
   ✔  Approvals: 1
   ✔  - Ben Noordhuis (@bnoordhuis): /~https://github.com/nodejs/node/pull/49712#pullrequestreview-1637126331
   ✔  Last GitHub CI successful
   ℹ  Last Full PR CI on 2023-10-03T22:12:16Z: https://ci.nodejs.org/job/node-test-pull-request/54509/
- Querying data for job/node-test-pull-request/54509/
   ✔  Last Jenkins CI successful
--------------------------------------------------------------------------------
   ✔  Aborted `git node land` session in /home/runner/work/node/node/.ncu
/~https://github.com/nodejs/node/actions/runs/6401257256

@atlowChemi atlowChemi added author ready PRs that have at least one approval, no pending requests for changes, and a CI started. and removed commit-queue-failed An error occurred while landing this pull request using GitHub Actions. labels Oct 4, 2023
@MoLow MoLow added the commit-queue Add this label to land a pull request using GitHub Actions. label Oct 4, 2023
@nodejs-github-bot nodejs-github-bot removed the commit-queue Add this label to land a pull request using GitHub Actions. label Oct 4, 2023
@nodejs-github-bot nodejs-github-bot merged commit fae1af0 into nodejs:main Oct 4, 2023
@nodejs-github-bot
Copy link
Collaborator

Landed in fae1af0

@atlowChemi atlowChemi deleted the cipher-suites branch October 4, 2023 08:02
alexfernandez pushed a commit to alexfernandez/node that referenced this pull request Nov 1, 2023
Fixes: nodejs#49699
PR-URL: nodejs#49712
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Moshe Atlow <moshe@atlow.co.il>
targos pushed a commit that referenced this pull request Nov 11, 2023
Fixes: #49699
PR-URL: #49712
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Moshe Atlow <moshe@atlow.co.il>
debadree25 pushed a commit to debadree25/node that referenced this pull request Apr 15, 2024
Fixes: nodejs#49699
PR-URL: nodejs#49712
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Moshe Atlow <moshe@atlow.co.il>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
author ready PRs that have at least one approval, no pending requests for changes, and a CI started. needs-ci PRs that need a full CI run. tls Issues and PRs related to the tls subsystem.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

"ERR_SSL_NO_CIPHER_MATCH" error when specifying TLS cipher suites
5 participants