tls: ciphers allow bang syntax

Fixes: #49699
PR-URL: #49712
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Moshe Atlow <moshe@atlow.co.il>

lib/internal/tls/secure-context.js

@@ -101,17 +101,21 @@ function processCiphers(ciphers, name) {
       ArrayPrototypeFilter(
         ciphers,
         (cipher) => {
-          return cipher.length > 0 &&
-            !StringPrototypeStartsWith(cipher, 'TLS_');
+          if (cipher.length === 0) return false;
+          if (StringPrototypeStartsWith(cipher, 'TLS_')) return false;
+          if (StringPrototypeStartsWith(cipher, '!TLS_')) return false;
+          return true;
         }), ':');
 
   const cipherSuites =
     ArrayPrototypeJoin(
       ArrayPrototypeFilter(
         ciphers,
         (cipher) => {
-          return cipher.length > 0 &&
-            StringPrototypeStartsWith(cipher, 'TLS_');
+          if (cipher.length === 0) return false;
+          if (StringPrototypeStartsWith(cipher, 'TLS_')) return true;
+          if (StringPrototypeStartsWith(cipher, '!TLS_')) return true;
+          return false;
         }), ':');
 
   // Specifying empty cipher suites for both TLS1.2 and TLS1.3 is invalid, its

test/parallel/test-tls-set-ciphers.js

@@ -1,7 +1,7 @@
 'use strict';
 const common = require('../common');
-if (!common.hasCrypto)
-  common.skip('missing crypto');
+if (!common.hasOpenSSL3)
+  common.skip('missing crypto, or OpenSSL version lower than 3');
 
 const fixtures = require('../common/fixtures');
 const { inspect } = require('util');
@@ -85,6 +85,7 @@ test('AES256-SHA', U, 'AES256-SHA');
 
 test(U, 'TLS_AES_256_GCM_SHA384', 'TLS_AES_256_GCM_SHA384');
 test('TLS_AES_256_GCM_SHA384', U, 'TLS_AES_256_GCM_SHA384');
+test('TLS_AES_256_GCM_SHA384:!TLS_CHACHA20_POLY1305_SHA256', U, 'TLS_AES_256_GCM_SHA384');
 
 // Do not have shared ciphers.
 test('TLS_AES_256_GCM_SHA384', 'TLS_CHACHA20_POLY1305_SHA256',