Merge pull request #189 from skilbjo/main

Add option to disable TLS 1.0

Author: pimterry

src/mockttp.ts

@@ -723,6 +723,18 @@ export type MockttpHttpsOptions = CAOptions & {
      * here for additional configuration of this behaviour.
      */
     tlsInterceptOnly?: Array<{ hostname: string }>;
+
+    /**
+     * Set the TLS server options, used for incoming TLS connections.
+     *
+     * The only officially supported option for now is the minimum TLS version, which can
+     * be used to relax/tighten TLS requirements on clients. If not set, this defaults
+     * to your Node version's default TLS configuration. The full list of versions can be
+     * found at https://nodejs.org/api/tls.html#tlssocketgetprotocol.
+     */
+    tlsServerOptions?: {
+        minVersion?: 'TLSv1.3' | 'TLSv1.2' | 'TLSv1.1' | 'TLSv1';
+    };
 };
 
 export interface MockttpOptions {

src/server/http-combo-server.ts

@@ -184,6 +184,7 @@ export async function createComboServer(
             cert: defaultCert.cert,
             ca: [defaultCert.ca],
             ...ALPNOption,
+            ...(options.https?.tlsServerOptions || {}),
             SNICallback: (domain: string, cb: Function) => {
                 if (options.debug) console.log(`Generating certificate for ${domain}`);
 

test/integration/https.spec.ts

@@ -2,6 +2,7 @@ import * as http from 'http';
 import * as tls from 'tls';
 import * as https from 'https';
 import * as fs from 'fs/promises';
+import * as semver from 'semver';
 
 import { getLocal } from "../..";
 import {
@@ -11,7 +12,8 @@ import {
     delay,
     openRawSocket,
     openRawTlsSocket,
-    http2ProxyRequest
+    http2ProxyRequest,
+    DETAILED_TLS_ERROR_CODES
 } from "../test-utils";
 import { streamToBuffer } from '../../src/util/buffer-utils';
 
@@ -418,5 +420,82 @@ describe("When configured for HTTPS", () => {
                 );
             });
         });
+
+        describe("with TLS version restrictions", () => {
+            const server = getLocal({
+                https: {
+                    keyPath: './test/fixtures/test-ca.key',
+                    certPath: './test/fixtures/test-ca.pem',
+                    tlsServerOptions: {
+                        minVersion: 'TLSv1.2'
+                    } as any
+                }
+            });
+
+            beforeEach(async () => {
+                await server.start();
+                await server.forAnyRequest().thenReply(200, "Mock response");
+            });
+
+            afterEach(async () => {
+                await server.stop();
+            });
+
+            it("should accept TLS 1.2 connections", async () => {
+                const tlsSocket = await openRawTlsSocket(server, {
+                    rejectUnauthorized: false,
+                    minVersion: 'TLSv1.2',
+                    maxVersion: 'TLSv1.2'
+                });
+
+                expect(tlsSocket.getProtocol()).to.equal('TLSv1.2');
+                tlsSocket.destroy();
+            });
+
+            it("should reject TLS 1.0 connections", async () => {
+                try {
+                    await openRawTlsSocket(server, {
+                        rejectUnauthorized: false,
+                        minVersion: 'TLSv1',
+                        maxVersion: 'TLSv1'
+                    });
+                    throw new Error('Expected connection to fail');
+                } catch (e: any) {
+                    expect(e.code).to.equal(
+                        semver.satisfies(process.version, DETAILED_TLS_ERROR_CODES)
+                            ? 'ERR_SSL_TLSV1_ALERT_PROTOCOL_VERSION'
+                            : 'ECONNRESET'
+                    );
+                }
+            });
+
+            it("should reject TLS 1.1 connections", async () => {
+                try {
+                    await openRawTlsSocket(server, {
+                        rejectUnauthorized: false,
+                        minVersion: 'TLSv1.1',
+                        maxVersion: 'TLSv1.1'
+                    });
+                    throw new Error('Expected connection to fail');
+                } catch (e: any) {
+                    expect(e.code).to.equal(
+                        semver.satisfies(process.version, DETAILED_TLS_ERROR_CODES)
+                            ? 'ERR_SSL_TLSV1_ALERT_PROTOCOL_VERSION'
+                            : 'ECONNRESET'
+                    );
+                }
+            });
+
+            it("should accept TLS 1.3 connections when TLS 1.2 is minimum", async () => {
+                const tlsSocket = await openRawTlsSocket(server, {
+                    rejectUnauthorized: false,
+                    minVersion: 'TLSv1.3',
+                    maxVersion: 'TLSv1.3'
+                });
+
+                expect(tlsSocket.getProtocol()).to.equal('TLSv1.3');
+                tlsSocket.destroy();
+            });
+        });
     });
-});
+});

test/test-utils.ts

@@ -257,6 +257,7 @@ export async function startDnsServer(callback: (question: dns2.DnsQuestion) => s
 
 export const H2_TLS_ON_TLS_SUPPORTED = ">=12.17";
 export const HTTP_ABORTSIGNAL_SUPPORTED = ">=14.17";
+export const DETAILED_TLS_ERROR_CODES = ">=18";
 export const NATIVE_FETCH_SUPPORTED = ">=18";
 export const SOCKET_RESET_SUPPORTED = "^16.17 || >=18.3";
 export const BROKEN_H1_OVER_H2_TUNNELLING = "^18.8";