@@ -8,7 +8,7 @@ if (!common.hasCrypto) {
|
8 | 8 | common.skip('missing crypto'); |
9 | 9 | } |
10 | 10 | |
11 | | -const { opensslCli } = require('../common/crypto'); |
| 11 | +const { opensslCli, hasOpenSSL } = require('../common/crypto'); |
12 | 12 | const crypto = require('crypto'); |
13 | 13 | |
14 | 14 | if (!opensslCli) { |
@@ -24,11 +24,17 @@ function loadPEM(n) {
|
24 | 24 | return fixtures.readKey(`${n}.pem`); |
25 | 25 | } |
26 | 26 | |
| 27 | +// OpenSSL 4.0 disables support for deprecated elliptic curves from RFC 8422 |
| 28 | +// (including secp256k1) by default. |
| 29 | +const ecdhCurve = hasOpenSSL(4, 0) ? |
| 30 | +'prime256v1:secp521r1' : |
| 31 | +'secp256k1:prime256v1:secp521r1'; |
| 32 | + |
27 | 33 | const options = { |
28 | 34 | key: loadPEM('agent2-key'), |
29 | 35 | cert: loadPEM('agent2-cert'), |
30 | 36 | ciphers: '-ALL:ECDHE-RSA-AES128-SHA256', |
31 | | -ecdhCurve: 'secp256k1:prime256v1:secp521r1', |
| 37 | + ecdhCurve, |
32 | 38 | maxVersion: 'TLSv1.2', |
33 | 39 | }; |
34 | 40 | |
@@ -60,6 +66,11 @@ const server = tls.createServer(options, (conn) => {
|
60 | 66 | unsupportedCurves.push('brainpoolP256r1'); |
61 | 67 | } |
62 | 68 | |
| 69 | +// Deprecated RFC 8422 curves are disabled by default in OpenSSL 4.0. |
| 70 | +if (hasOpenSSL(4, 0)) { |
| 71 | +unsupportedCurves.push('secp256k1'); |
| 72 | +} |
| 73 | + |
63 | 74 | unsupportedCurves.forEach((ecdhCurve) => { |
64 | 75 | assert.throws(() => tls.createServer({ ecdhCurve }), |
65 | 76 | /Error: Failed to set ECDH curve/); |
|