--tls-cipher-list=DEFAULT@SECLEVEL=0 doesn't compatible with tls1.3 #43419

Closed
benzhuo opened this issue Jun 14, 2022 · 3 comments · Fixed by #43427
Labels
tls Issues and PRs related to the tls subsystem.

Comments

@benzhuo

benzhuo commented Jun 14, 2022

Version

v18.2.0

Platform

Microsoft Windows NT 10.0.19042.0 x64

Subsystem

No response

What steps will reproduce the bug?

I tried to set --tls-cipher-list=DEFAULT@SECLEVEL=0, which can connect with TLS 1.0, but cannot connect with TLS 1.3.
But if I use OpenSSL 3.0 and set SECLEVEL=0, it works well connecting with both 1.0 and 1.3.

How often does it reproduce? Is there a required condition?

No response

What is the expected behavior?

How do I set the option so that it works the same as OpenSSL, connecting with both 1.0 and 1.3? I know 1.0 and 1.1 have been deprecated.

openssl 3.0.3 connect snip
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_128_GCM_SHA256
Session-ID: 539B67CDF41CD89F10161EA93683556D9D300B46280FAB64A8EC819467EC914F
Session-ID-ctx:
Resumption PSK: 603B795602CA3D5EAD2882C86BAE29663B3955FD667D6EA1F83CD6DE3C704EAE

What do you see instead?

error:0A0000B5:SSL routines:ssl_cipher_list_to_bytes:no ciphers available:c:\ws\deps\openssl\openssl\ssl\statem\statem_clnt.c:3749:No ciphers enabled for max supported SSL/TLS version

Additional information

No response

@F3n67u F3n67u added the tls Issues and PRs related to the tls subsystem. label Jun 14, 2022
@AdamMajer
Contributor

Another test case is using crypto-policies ciphers:

node --tls-min-v1.3 --tls-cipher-list='PROFILE=SYSTEM' -e "https.get('https://google.com/', (res) => {console.log('statusCode:', res.statusCode, res.client.getCipher()); }).on('error', (e) => console.error(e));"

The root cause is we seem to assume that there are no default cipher suites.

AdamMajer added a commit to AdamMajer/node that referenced this issue Jun 14, 2022
In the manual page, there is a statement that ciphersuites contain
explicit default settings - all TLS 1.3 ciphersuites are available.
In node, we assume that an empty setting means no ciphersuites and
we disable TLS 1.3. A correct approach to disabling TLS 1.3 is to
disable TLS 1.3, not to override the default ciphersuites
with an empty string.

So, only override OpenSSL's TLS 1.3 ciphersuites with an explicit
list of ciphers. If none are acceptable, the correct approach is
to disable TLS 1.3 instead elsewhere.

Fixes: nodejs#43419
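The behaviour the commit describes, as an added model that is not Node's or OpenSSL's code: a combined cipher string is split on the `TLS_` name prefix into TLS 1.3 ciphersuites and TLS 1.2 ciphers, and an empty ciphersuite string handed to OpenSSL wipes its TLS 1.3 defaults. The split rule, the OpenSSL 1.1.1/3.0 default suite list and the simulated error text are assumptions of the model.

```javascript
// Model of the cipher-string handling behind this issue (added example,
// not Node's or OpenSSL's code). Assumed: the combined list is split on ':'
// into TLS 1.3 suites (names starting with "TLS_") and TLS 1.2 ciphers, and
// an empty string passed to the ciphersuite setter disables every TLS 1.3 suite.
const OPENSSL_DEFAULT_TLS13_SUITES = [
  'TLS_AES_256_GCM_SHA384',
  'TLS_CHACHA20_POLY1305_SHA256',
  'TLS_AES_128_GCM_SHA256',
];

// Split the user-supplied list into the two OpenSSL configuration channels.
function splitCipherString(ciphers) {
  const parts = ciphers.split(':').filter((c) => c.length > 0);
  return {
    cipherList: parts.filter((c) => !c.startsWith('TLS_')),  // SSL_CTX_set_cipher_list
    cipherSuites: parts.filter((c) => c.startsWith('TLS_')), // SSL_CTX_set_ciphersuites
  };
}

// Simulated context creation. overrideEmptySuites=true reproduces the reported
// behaviour (an empty suite list still overrides OpenSSL's defaults);
// false models the fix (only an explicit list overrides them).
function buildContext(ciphers, { overrideEmptySuites = false, maxVersion = 'TLSv1.3' } = {}) {
  const { cipherList, cipherSuites } = splitCipherString(ciphers);
  let suites = OPENSSL_DEFAULT_TLS13_SUITES;
  if (cipherSuites.length > 0 || overrideEmptySuites) suites = cipherSuites;
  return { cipherList, suites, maxVersion };
}

// What client-side cipher selection reports for this context: with TLS 1.3 as
// the maximum version and no suites left, the handshake cannot even start.
function checkClientHello(ctx) {
  if (ctx.maxVersion === 'TLSv1.3' && ctx.suites.length === 0) {
    return 'no ciphers available: No ciphers enabled for max supported SSL/TLS version';
  }
  return 'ok';
}

// Reported case: DEFAULT@SECLEVEL=0 contains no TLS_ names at all.
const buggy = buildContext('DEFAULT@SECLEVEL=0', { overrideEmptySuites: true });
const fixed = buildContext('DEFAULT@SECLEVEL=0');
console.log(checkClientHello(buggy)); // error: the TLS 1.3 suites were wiped
console.log(checkClientHello(fixed)); // ok: OpenSSL's defaults are retained
```

The same model shows the commit's other point: capping `maxVersion` at `TLSv1.2` is the way to drop TLS 1.3, and a string such as `TLS_AES_128_GCM_SHA256:HIGH` is the only input that legitimately replaces the default suites.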
@benzhuo benzhuo changed the title --tls-cipher-list=DEFAULT@SECLEVEL=0 doesn't compatible with tsl1.3 --tls-cipher-list=DEFAULT@SECLEVEL=0 doesn't compatible with tls1.3 Jun 15, 2022
@benzhuo
Author

benzhuo commented Jun 15, 2022

@AdamMajer Thanks very much. When will the fix be released?
Now I am using a workaround that sets --openssl-config=openssl.cnf.

AdamMajer added a commit to AdamMajer/node that referenced this issue Jun 20, 2022
In the manual page, there is a statement that ciphersuites contain
explicit default settings - all TLS 1.3 ciphersuites enabled.
In node, we assume that an empty setting means no ciphersuites and
we disable TLS 1.3. A correct approach to disabling TLS 1.3 is to
disable TLS 1.3, not to override the default ciphersuites
with an empty string.

So, only override OpenSSL's TLS 1.3 ciphersuites with an explicit
list of ciphers. If none are acceptable, the correct approach is
to disable TLS 1.3 instead elsewhere.

Fixes: nodejs#43419
AdamMajer added a commit to AdamMajer/node that referenced this issue Jun 20, 2022
@AdamMajer
Contributor

This will have to be merged first and then released in 18.x. It will appear in the changes and also in the pull request when it gets merged for the next 18.x release, or possibly backported to older versions. I guess a week or two at least before 18.x.

AdamMajer added a commit to AdamMajer/node that referenced this issue Jun 20, 2022
nodejs-github-bot pushed a commit that referenced this issue Jun 27, 2022
In the manual page, there is a statement that ciphersuites contain
explicit default settings - all TLS 1.3 ciphersuites enabled.
In node, we assume that an empty setting means no ciphersuites and
we disable TLS 1.3. A correct approach to disabling TLS 1.3 is to
disable TLS 1.3, not to override the default ciphersuites
with an empty string.

So, only override OpenSSL's TLS 1.3 ciphersuites with an explicit
list of ciphers. If none are acceptable, the correct approach is
to disable TLS 1.3 instead elsewhere.

Fixes: #43419

PR-URL: #43427
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Paolo Insogna <paolo@cowtech.it>
Reviewed-By: James M Snell <jasnell@gmail.com>
targos pushed a commit that referenced this issue Jul 12, 2022
targos pushed a commit that referenced this issue Jul 20, 2022
targos pushed a commit that referenced this issue Jul 31, 2022
guangwong pushed a commit to noslate-project/node that referenced this issue Oct 10, 2022