tls: add --tls-min-v1.2 CLI switch

For 11.x, the default minimum is TLSv1, so it needs a CLI switch to change the default to the more secure minimum of TLSv1.2. PR-URL: https://github.com/nodejs/node/pull/26951 Reviewed-By: Rod Vagg <rod@vagg.org> Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com>
2025-08-15 13:48:44 +02:00 · 2019-03-28 10:52:41 -07:00 · 2019-03-28 10:52:41 -07:00 · bf2c283555
commit bf2c283555
parent 7aeca270f6
6 changed files with 34 additions and 0 deletions
--- a/doc/api/cli.md
+++ b/doc/api/cli.md
@ -475,6 +475,14 @@ added: REPLACEME
 Set default [`tls.DEFAULT_MIN_VERSION`][] to 'TLSv1.1'. Use for compatibility
 with old TLS clients or servers.
 ### `--tls-min-v1.2`
 <!-- YAML
 added: REPLACEME
 -->
 Set default [`minVersion`][] to `'TLSv1.2'`. Use to disable support for TLSv1
 and TLSv1.1 in favour of TLSv1.2, which is more secure.
 ### `--tls-min-v1.3`
 <!-- YAML
 added: REPLACEME
--- a/doc/node.1
+++ b/doc/node.1
@ -250,6 +250,10 @@ or servers.
 Set default minVersion to 'TLSv1.1'. Use for compatibility with old TLS clients
 or servers.
 .
 .It Fl -tls-min-v1.2
 Set default minVersion to 'TLSv1.2'. Use to disable support for TLSv1 and
 TLSv1.1 in favour of TLSv1.2, which is more secure.
 .
 .It Fl -tls-min-v1.3
 Set default minVersion to 'TLSv1.3'. Use to disable support for TLSv1.2 in
 favour of TLSv1.3, which is more secure.
--- a/lib/tls.js
+++ b/lib/tls.js
@ -58,6 +58,8 @@ if (getOptionValue('--tls-min-v1.0'))
  exports.DEFAULT_MIN_VERSION = 'TLSv1';
 else if (getOptionValue('--tls-min-v1.1'))
  exports.DEFAULT_MIN_VERSION = 'TLSv1.1';
 else if (getOptionValue('--tls-min-v1.2'))
  exports.DEFAULT_MIN_VERSION = 'TLSv1.2';
 else if (getOptionValue('--tls-min-v1.3'))
  exports.DEFAULT_MIN_VERSION = 'TLSv1.3';
 else
--- a/src/node_options.cc
+++ b/src/node_options.cc
@ -336,6 +336,10 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() {
            "set default TLS minimum to TLSv1.1 (default: TLSv1)",
            &EnvironmentOptions::tls_min_v1_1,
            kAllowedInEnvironment);
  AddOption("--tls-min-v1.2",
            "set default TLS minimum to TLSv1.2 (default: TLSv1)",
            &EnvironmentOptions::tls_min_v1_2,
            kAllowedInEnvironment);
  AddOption("--tls-min-v1.3",
            "set default TLS minimum to TLSv1.3 (default: TLSv1)",
            &EnvironmentOptions::tls_min_v1_3,
--- a/src/node_options.h
+++ b/src/node_options.h
@ -138,6 +138,7 @@ class EnvironmentOptions : public Options {
  bool tls_min_v1_0 = false;
  bool tls_min_v1_1 = false;
  bool tls_min_v1_2 = false;
  bool tls_min_v1_3 = false;
  bool tls_max_v1_2 = false;
  bool tls_max_v1_3 = false;
--- a/test/parallel/test-tls-cli-min-version-1.2.js
+++ b/test/parallel/test-tls-cli-min-version-1.2.js
@ -0,0 +1,15 @@
 // Flags: --tls-min-v1.2
 'use strict';
 const common = require('../common');
 if (!common.hasCrypto) common.skip('missing crypto');
 // Check that node `--tls-min-v1.2` is supported.
 const assert = require('assert');
 const tls = require('tls');
 assert.strictEqual(tls.DEFAULT_MAX_VERSION, 'TLSv1.2');
 assert.strictEqual(tls.DEFAULT_MIN_VERSION, 'TLSv1.2');
 // Check the min-max version protocol versions against these CLI settings.
 require('./test-tls-min-max-version.js');