From bf2c283555c6b2651d55ef37816616a16c3f37f5 Mon Sep 17 00:00:00 2001
From: Sam Roberts <vieuxtech@gmail.com>
Date: Thu, 28 Mar 2019 10:52:41 -0700
Subject: [PATCH] tls: add --tls-min-v1.2 CLI switch

For 11.x, the default minimum is TLSv1, so it needs a CLI switch to
change the default to the more secure minimum of TLSv1.2.

PR-URL: https://github.com/nodejs/node/pull/26951
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com>
---
 doc/api/cli.md                                |  8 ++++++++
 doc/node.1                                    |  4 ++++
 lib/tls.js                                    |  2 ++
 src/node_options.cc                           |  4 ++++
 src/node_options.h                            |  1 +
 test/parallel/test-tls-cli-min-version-1.2.js | 15 +++++++++++++++
 6 files changed, 34 insertions(+)
 create mode 100644 test/parallel/test-tls-cli-min-version-1.2.js

diff --git a/doc/api/cli.md b/doc/api/cli.md
index 8c68db546b3742..3d4a1adb91aee2 100644
--- a/doc/api/cli.md
+++ b/doc/api/cli.md
@@ -475,6 +475,14 @@ added: REPLACEME
 Set default [`tls.DEFAULT_MIN_VERSION`][] to 'TLSv1.1'. Use for compatibility
 with old TLS clients or servers.
 
+### `--tls-min-v1.2`
+<!-- YAML
+added: REPLACEME
+-->
+
+Set default [`minVersion`][] to `'TLSv1.2'`. Use to disable support for TLSv1
+and TLSv1.1 in favour of TLSv1.2, which is more secure.
+
 ### `--tls-min-v1.3`
 <!-- YAML
 added: REPLACEME
diff --git a/doc/node.1 b/doc/node.1
index 7bcb1edc59ab5d..4a3759ad0de031 100644
--- a/doc/node.1
+++ b/doc/node.1
@@ -250,6 +250,10 @@ or servers.
 Set default minVersion to 'TLSv1.1'. Use for compatibility with old TLS clients
 or servers.
 .
+.It Fl -tls-min-v1.2
+Set default minVersion to 'TLSv1.2'. Use to disable support for TLSv1 and
+TLSv1.1 in favour of TLSv1.2, which is more secure.
+.
 .It Fl -tls-min-v1.3
 Set default minVersion to 'TLSv1.3'. Use to disable support for TLSv1.2 in
 favour of TLSv1.3, which is more secure.
diff --git a/lib/tls.js b/lib/tls.js
index e4dadaa284e6de..c951727e5589c3 100644
--- a/lib/tls.js
+++ b/lib/tls.js
@@ -58,6 +58,8 @@ if (getOptionValue('--tls-min-v1.0'))
   exports.DEFAULT_MIN_VERSION = 'TLSv1';
 else if (getOptionValue('--tls-min-v1.1'))
   exports.DEFAULT_MIN_VERSION = 'TLSv1.1';
+else if (getOptionValue('--tls-min-v1.2'))
+  exports.DEFAULT_MIN_VERSION = 'TLSv1.2';
 else if (getOptionValue('--tls-min-v1.3'))
   exports.DEFAULT_MIN_VERSION = 'TLSv1.3';
 else
diff --git a/src/node_options.cc b/src/node_options.cc
index 46ee2b9f6ad9ee..94e9f16ad218a9 100644
--- a/src/node_options.cc
+++ b/src/node_options.cc
@@ -336,6 +336,10 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() {
             "set default TLS minimum to TLSv1.1 (default: TLSv1)",
             &EnvironmentOptions::tls_min_v1_1,
             kAllowedInEnvironment);
+  AddOption("--tls-min-v1.2",
+            "set default TLS minimum to TLSv1.2 (default: TLSv1)",
+            &EnvironmentOptions::tls_min_v1_2,
+            kAllowedInEnvironment);
   AddOption("--tls-min-v1.3",
             "set default TLS minimum to TLSv1.3 (default: TLSv1)",
             &EnvironmentOptions::tls_min_v1_3,
diff --git a/src/node_options.h b/src/node_options.h
index 7c9da1c69b278a..c21e0caf407094 100644
--- a/src/node_options.h
+++ b/src/node_options.h
@@ -138,6 +138,7 @@ class EnvironmentOptions : public Options {
 
   bool tls_min_v1_0 = false;
   bool tls_min_v1_1 = false;
+  bool tls_min_v1_2 = false;
   bool tls_min_v1_3 = false;
   bool tls_max_v1_2 = false;
   bool tls_max_v1_3 = false;
diff --git a/test/parallel/test-tls-cli-min-version-1.2.js b/test/parallel/test-tls-cli-min-version-1.2.js
new file mode 100644
index 00000000000000..058dc180f6065e
--- /dev/null
+++ b/test/parallel/test-tls-cli-min-version-1.2.js
@@ -0,0 +1,15 @@
+// Flags: --tls-min-v1.2
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto) common.skip('missing crypto');
+
+// Check that node `--tls-min-v1.2` is supported.
+
+const assert = require('assert');
+const tls = require('tls');
+
+assert.strictEqual(tls.DEFAULT_MAX_VERSION, 'TLSv1.2');
+assert.strictEqual(tls.DEFAULT_MIN_VERSION, 'TLSv1.2');
+
+// Check the min-max version protocol versions against these CLI settings.
+require('./test-tls-min-max-version.js');