From 52b56939499f778ed717d488c2b11bee69654217 Mon Sep 17 00:00:00 2001
From: Chemi Atlow <chemi@atlow.co.il>
Date: Wed, 4 Oct 2023 10:17:35 +0300
Subject: [PATCH] tls: ciphers allow bang syntax

Fixes: https://github.com/nodejs/node/issues/49699
PR-URL: https://github.com/nodejs/node/pull/49712
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Moshe Atlow <moshe@atlow.co.il>
---
 lib/internal/tls/secure-context.js    | 12 ++++++++----
 test/parallel/test-tls-set-ciphers.js |  5 +++--
 2 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/lib/internal/tls/secure-context.js b/lib/internal/tls/secure-context.js
index 36d33e6ac8e2e3..0fa3098ffa1020 100644
--- a/lib/internal/tls/secure-context.js
+++ b/lib/internal/tls/secure-context.js
@@ -101,8 +101,10 @@ function processCiphers(ciphers, name) {
       ArrayPrototypeFilter(
         ciphers,
         (cipher) => {
-          return cipher.length > 0 &&
-            !StringPrototypeStartsWith(cipher, 'TLS_');
+          if (cipher.length === 0) return false;
+          if (StringPrototypeStartsWith(cipher, 'TLS_')) return false;
+          if (StringPrototypeStartsWith(cipher, '!TLS_')) return false;
+          return true;
         }), ':');
 
   const cipherSuites =
@@ -110,8 +112,10 @@ function processCiphers(ciphers, name) {
       ArrayPrototypeFilter(
         ciphers,
         (cipher) => {
-          return cipher.length > 0 &&
-            StringPrototypeStartsWith(cipher, 'TLS_');
+          if (cipher.length === 0) return false;
+          if (StringPrototypeStartsWith(cipher, 'TLS_')) return true;
+          if (StringPrototypeStartsWith(cipher, '!TLS_')) return true;
+          return false;
         }), ':');
 
   // Specifying empty cipher suites for both TLS1.2 and TLS1.3 is invalid, its
diff --git a/test/parallel/test-tls-set-ciphers.js b/test/parallel/test-tls-set-ciphers.js
index b66c419cf5f4d1..313c5e238956b0 100644
--- a/test/parallel/test-tls-set-ciphers.js
+++ b/test/parallel/test-tls-set-ciphers.js
@@ -1,7 +1,7 @@
 'use strict';
 const common = require('../common');
-if (!common.hasCrypto)
-  common.skip('missing crypto');
+if (!common.hasOpenSSL3)
+  common.skip('missing crypto, or OpenSSL version lower than 3');
 
 const fixtures = require('../common/fixtures');
 const { inspect } = require('util');
@@ -85,6 +85,7 @@ test('AES256-SHA', U, 'AES256-SHA');
 
 test(U, 'TLS_AES_256_GCM_SHA384', 'TLS_AES_256_GCM_SHA384');
 test('TLS_AES_256_GCM_SHA384', U, 'TLS_AES_256_GCM_SHA384');
+test('TLS_AES_256_GCM_SHA384:!TLS_CHACHA20_POLY1305_SHA256', U, 'TLS_AES_256_GCM_SHA384');
 
 // Do not have shared ciphers.
 test('TLS_AES_256_GCM_SHA384', 'TLS_CHACHA20_POLY1305_SHA256',