tls: ciphers allow bang syntax

Fixes: #49699
nodejs · Sep 21, 2023 · a55d146 · a55d146
1 parent 480ab8c
commit a55d146
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 5 deletions.
diff --git a/lib/internal/tls/secure-context.js b/lib/internal/tls/secure-context.js
@@ -101,24 +101,27 @@ function processCiphers(ciphers, name) {
       ArrayPrototypeFilter(
         ciphers,
         (cipher) => {
-          return cipher.length > 0 &&
-            !StringPrototypeStartsWith(cipher, 'TLS_');
+          if (cipher.length === 0) return false;
+          if (StringPrototypeStartsWith(cipher, 'TLS_')) return false;
+          if (StringPrototypeStartsWith(cipher, '!TLS_')) return false;
+          return true;
         }), ':');
 
   const cipherSuites =
     ArrayPrototypeJoin(
       ArrayPrototypeFilter(
         ciphers,
         (cipher) => {
-          return cipher.length > 0 &&
-            StringPrototypeStartsWith(cipher, 'TLS_');
+          if (cipher.length === 0) return false;
+          if (StringPrototypeStartsWith(cipher, 'TLS_')) return true;
+          if (StringPrototypeStartsWith(cipher, '!TLS_')) return true;
+          return false;
         }), ':');
 
   // Specifying empty cipher suites for both TLS1.2 and TLS1.3 is invalid, its
   // not possible to handshake with no suites.
   if (cipherSuites === '' && cipherList === '')
     throw new ERR_INVALID_ARG_VALUE(name, ciphers);
-
   return { cipherList, cipherSuites };
 }
 

diff --git a/test/parallel/test-tls-set-ciphers.js b/test/parallel/test-tls-set-ciphers.js
@@ -16,6 +16,7 @@ const {
 function test(cciphers, sciphers, cipher, cerr, serr, options) {
   assert(cipher || cerr || serr, 'test missing any expectations');
   const where = inspect(new Error()).split('\n')[2].replace(/[^(]*/, '');
+  const minVersion = options?.minVersion;
 
   const max_tls_ver = (ciphers, options) => {
     if (options instanceof Object && Object.hasOwn(options, 'maxVersion'))
@@ -32,12 +33,14 @@ function test(cciphers, sciphers, cipher, cerr, serr, options) {
       ca: `${keys.agent1.cert}\n${keys.agent6.ca}`,
       ciphers: cciphers,
       maxVersion: max_tls_ver(cciphers, options),
+      ...(minVersion && { minVersion }),
     },
     server: {
       cert: keys.agent6.cert,
       key: keys.agent6.key,
       ciphers: sciphers,
       maxVersion: max_tls_ver(sciphers, options),
+      ...(minVersion && { minVersion }),
     },
   }, common.mustCall((err, pair, cleanup) => {
     function u(_) { return _ === undefined ? 'U' : _; }
@@ -85,6 +88,7 @@ test('AES256-SHA', U, 'AES256-SHA');
 
 test(U, 'TLS_AES_256_GCM_SHA384', 'TLS_AES_256_GCM_SHA384');
 test('TLS_AES_256_GCM_SHA384', U, 'TLS_AES_256_GCM_SHA384');
+test('TLS_AES_256_GCM_SHA384:!TLS_CHACHA20_POLY1305_SHA256', U, 'TLS_AES_256_GCM_SHA384');
 
 // Do not have shared ciphers.
 test('TLS_AES_256_GCM_SHA384', 'TLS_CHACHA20_POLY1305_SHA256',