Fix support for TLSv1 via ignoreHostHttpsErrors on modern Node

Previously we'd assumed that the OpenSSL v3 upgrade in modern node made this unavailable without command line flags. In fact, it is possible to set the security level on a per-context basis, so we can still use this to access old TLS servers compatibly! This changes adds that, and completely removes the test's compatibility check & skip for this feature.
httptoolkit · May 13, 2024 · 3504da0 · 3504da0
1 parent 82e570d
commit 3504da0
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 7 deletions.
diff --git a/src/rules/passthrough-handling.ts b/src/rules/passthrough-handling.ts
@@ -73,7 +73,14 @@ export const getUpstreamTlsOptions = (strictChecks: boolean): tls.SecureContextO
         'AES128-GCM-SHA256',
         'AES256-GCM-SHA384',
         'AES128-SHA',
-        'AES256-SHA'
+        'AES256-SHA',
+
+        // This magic cipher is the very obtuse way that OpenSSL downgrades the overall
+        // security level to allow various legacy settings, protocols & ciphers:
+        ...(!strictChecks
+            ? ['@SECLEVEL=0']
+            : []
+        )
     ].join(':'),
     secureOptions: strictChecks
         ? SSL_OP_TLSEXT_PADDING | SSL_OP_NO_ENCRYPT_THEN_MAC

diff --git a/test/integration/proxying/https-proxying.spec.ts b/test/integration/proxying/https-proxying.spec.ts
@@ -16,7 +16,6 @@ import {
     makeDestroyable,
     DestroyableServer,
     H2_TLS_ON_TLS_SUPPORTED,
-    OLD_TLS_SUPPORTED,
     ignoreNetworkError,
     SOCKET_RESET_SUPPORTED
 } from "../../test-utils";
@@ -252,10 +251,6 @@ nodeOnly(() => {
 
             describe("given a TLSv1 upstream server", () => {
 
-                before(function () {
-                    if (!semver.satisfies(process.version, OLD_TLS_SUPPORTED)) this.skip();
-                });
-
                 let oldServerPort: number;
                 let oldServer: DestroyableServer<https.Server>;
 
@@ -270,6 +265,7 @@ nodeOnly(() => {
                         ...cert,
                         minVersion: 'TLSv1',
                         maxVersion: 'TLSv1',
+                        ciphers: 'DEFAULT@SECLEVEL=0'
                     }, (_req, res) => {
                         res.writeHead(200);
                         res.end('OK');

diff --git a/test/test-utils.ts b/test/test-utils.ts
@@ -257,7 +257,6 @@ export async function startDnsServer(callback: (question: dns2.DnsQuestion) => s
 
 export const H2_TLS_ON_TLS_SUPPORTED = ">=12.17";
 export const HTTP_ABORTSIGNAL_SUPPORTED = ">=14.17";
-export const OLD_TLS_SUPPORTED = "<17"; // In 17+ TLS < v1.2 is only available with legacy OpenSSL flag
 export const NATIVE_FETCH_SUPPORTED = ">=18";
 export const SOCKET_RESET_SUPPORTED = "^16.17 || >=18.3";
 export const BROKEN_H1_OVER_H2_TUNNELLING = "^18.8";