diff --git a/lib/internal/tls/secure-context.js b/lib/internal/tls/secure-context.js
index 36d33e6ac8e2e3..0fa3098ffa1020 100644
--- a/lib/internal/tls/secure-context.js
+++ b/lib/internal/tls/secure-context.js
@@ -101,8 +101,10 @@ function processCiphers(ciphers, name) {
 ArrayPrototypeFilter(
 ciphers,
 (cipher) => {
- return cipher.length > 0 &&
- !StringPrototypeStartsWith(cipher, 'TLS_');
+ if (cipher.length === 0) return false;
+ if (StringPrototypeStartsWith(cipher, 'TLS_')) return false;
+ if (StringPrototypeStartsWith(cipher, '!TLS_')) return false;
+ return true;
 }), ':');
 
 const cipherSuites =
@@ -110,8 +112,10 @@ function processCiphers(ciphers, name) {
 ArrayPrototypeFilter(
 ciphers,
 (cipher) => {
- return cipher.length > 0 &&
- StringPrototypeStartsWith(cipher, 'TLS_');
+ if (cipher.length === 0) return false;
+ if (StringPrototypeStartsWith(cipher, 'TLS_')) return true;
+ if (StringPrototypeStartsWith(cipher, '!TLS_')) return true;
+ return false;
 }), ':');
 
 // Specifying empty cipher suites for both TLS1.2 and TLS1.3 is invalid, its
diff --git a/test/parallel/test-tls-set-ciphers.js b/test/parallel/test-tls-set-ciphers.js
index b66c419cf5f4d1..313c5e238956b0 100644
--- a/test/parallel/test-tls-set-ciphers.js
+++ b/test/parallel/test-tls-set-ciphers.js
@@ -1,7 +1,7 @@
 'use strict';
 const common = require('../common');
-if (!common.hasCrypto)
- common.skip('missing crypto');
+if (!common.hasOpenSSL3)
+ common.skip('missing crypto, or OpenSSL version lower than 3');
 
 const fixtures = require('../common/fixtures');
 const { inspect } = require('util');
@@ -85,6 +85,7 @@ test('AES256-SHA', U, 'AES256-SHA');
 
 test(U, 'TLS_AES_256_GCM_SHA384', 'TLS_AES_256_GCM_SHA384');
 test('TLS_AES_256_GCM_SHA384', U, 'TLS_AES_256_GCM_SHA384');
+test('TLS_AES_256_GCM_SHA384:!TLS_CHACHA20_POLY1305_SHA256', U, 'TLS_AES_256_GCM_SHA384');
 
 // Do not have shared ciphers.
 test('TLS_AES_256_GCM_SHA384', 'TLS_CHACHA20_POLY1305_SHA256',
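Review bot: A cipher string whose only TLS_-prefixed entries are negations now produces a non-empty `cipherSuites` value that names no usable suite, because the second filter in processCiphers (the `-110` hunk, mirrored by the first filter in the `-101` hunk) returns true for `!TLS_` entries. The both-empty validation announced by the trailing comment lies outside these hunks, but from what is visible it would no longer see that case as empty, and whether the TLS 1.3 suite setter treats `!` as an exclusion or merely skips the name is not shown here. I would state the intent above the predicate, for example `// '!TLS_' entries travel with the TLS 1.3 suites; exclusion depends on how the crypto library parses them`. Folding the prefix test into one shared predicate, `const isTLS13Entry = (c) => StringPrototypeStartsWith(c, 'TLS_') || StringPrototypeStartsWith(c, '!TLS_');`, would also stop the two filters from drifting apart. processCiphers starts and ends outside both hunks.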
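Review bot: Replacing the `hasCrypto` guard with `hasOpenSSL3` at the top of test-tls-set-ciphers.js skips every case in the file on builds linked against an older OpenSSL, although only the new `!TLS_` case appears to need version 3. That removes the existing cipher-selection coverage on those builds. I would keep `if (!common.hasCrypto) common.skip('missing crypto');` and gate only the new case, `if (common.hasOpenSSL3) test('TLS_AES_256_GCM_SHA384:!TLS_CHACHA20_POLY1305_SHA256', U, 'TLS_AES_256_GCM_SHA384');`. The guard also suggests the library change behaves differently below OpenSSL 3, which the secure-context.js change does not check, so a comment saying what happens there would help.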
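Review bot: The added case `test('TLS_AES_256_GCM_SHA384:!TLS_CHACHA20_POLY1305_SHA256', U, 'TLS_AES_256_GCM_SHA384')` shows that a mixed list is accepted, but it would presumably also pass if the negated entry were dropped, since the list already allows only `TLS_AES_256_GCM_SHA384` among the TLS_ suites. Nothing here exercises a list in which the negation is the only TLS_ entry, which is the input where routing `!TLS_` into the suite string changes the outcome. I would add one such case, for instance a list combining a TLS 1.2 cipher with `!TLS_CHACHA20_POLY1305_SHA256` against a peer limited to that suite, and assert the result the API is meant to guarantee. A short comment such as `// Negated TLS 1.3 suites must not break suite selection.` above the new line would record why it is there.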