From 4b976df9e21563b7f331efb19343927ff37af2f3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tobias=20Nie=C3=9Fen?= <tniessen@tnie.de>
Date: Wed, 19 Sep 2018 19:40:44 +0200
Subject: [PATCH] tls: fix DEP0083 after upgrading to OpenSSL 1.1.0

Setting ecdhCurve to false is already unsupported, so the deprecation
should already be EOL. The test was skipped ever since we upgraded to
OpenSSL 1.1.0.

PR-URL: https://github.com/nodejs/node/pull/22953
Refs: https://github.com/nodejs/node/pull/16130
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
---
 doc/api/deprecations.md                |  9 ++--
 doc/api/tls.md                         |  6 ++-
 lib/_tls_common.js                     | 12 -----
 test/parallel/test-tls-ecdh-disable.js | 66 --------------------------
 4 files changed, 11 insertions(+), 82 deletions(-)
 delete mode 100644 test/parallel/test-tls-ecdh-disable.js

diff --git a/doc/api/deprecations.md b/doc/api/deprecations.md
index 3e880a0cc68218..01e6afeeb261cd 100644
--- a/doc/api/deprecations.md
+++ b/doc/api/deprecations.md
@@ -1628,17 +1628,20 @@ the `REPLServer` itself. Do not use this function.
 ### DEP0083: Disabling ECDH by setting ecdhCurve to false
 <!-- YAML
 changes:
+  - version: v10.0.0
+    pr-url: https://github.com/nodejs/node/pull/19794
+    description: End-of-Life.
   - version: v9.2.0
     pr-url: https://github.com/nodejs/node/pull/16130
     description: Runtime deprecation.
 -->
 
-Type: Runtime
+Type: End-of-Life.
 
 The `ecdhCurve` option to `tls.createSecureContext()` and `tls.TLSSocket` could
-be set to `false` to disable ECDH entirely on the server only. This mode is
+be set to `false` to disable ECDH entirely on the server only. This mode was
 deprecated in preparation for migrating to OpenSSL 1.1.0 and consistency with
-the client. Use the `ciphers` parameter instead.
+the client and is now unsupported. Use the `ciphers` parameter instead.
 
 <a id="DEP0084"></a>
 ### DEP0084: requiring bundled internal dependencies
diff --git a/doc/api/tls.md b/doc/api/tls.md
index 417449c097385a..05f584ab7127d8 100644
--- a/doc/api/tls.md
+++ b/doc/api/tls.md
@@ -1007,6 +1007,10 @@ argument.
 <!-- YAML
 added: v0.11.13
 changes:
+  - version: v10.0.0
+    pr-url: https://github.com/nodejs/node/pull/19794
+    description: The `ecdhCurve` cannot be set to `false` anymore due to a
+                 change in OpenSSL.
   - version: v9.3.0
     pr-url: https://github.com/nodejs/node/pull/14903
     description: The `options` parameter can now include `clientCertEngine`.
@@ -1060,7 +1064,7 @@ changes:
     discarded and DHE ciphers will not be available.
   * `ecdhCurve` {string} A string describing a named curve or a colon separated
     list of curve NIDs or names, for example `P-521:P-384:P-256`, to use for
-    ECDH key agreement, or `false` to disable ECDH. Set to `auto` to select the
+    ECDH key agreement. Set to `auto` to select the
     curve automatically. Use [`crypto.getCurves()`][] to obtain a list of
     available curve names. On recent releases, `openssl ecparam -list_curves`
     will also display the name and description of each available elliptic curve.
diff --git a/lib/_tls_common.js b/lib/_tls_common.js
index de96fa687dcc02..60995278a37857 100644
--- a/lib/_tls_common.js
+++ b/lib/_tls_common.js
@@ -69,16 +69,6 @@ function validateKeyCert(name, value) {
 exports.SecureContext = SecureContext;
 
 
-function ecdhCurveWarning() {
-  if (ecdhCurveWarning.emitted) return;
-  process.emitWarning('{ ecdhCurve: false } is deprecated.',
-                      'DeprecationWarning',
-                      'DEP0083');
-  ecdhCurveWarning.emitted = true;
-}
-ecdhCurveWarning.emitted = false;
-
-
 exports.createSecureContext = function createSecureContext(options, context) {
   if (!options) options = {};
 
@@ -154,8 +144,6 @@ exports.createSecureContext = function createSecureContext(options, context) {
     c.context.setECDHCurve(tls.DEFAULT_ECDH_CURVE);
   else if (options.ecdhCurve)
     c.context.setECDHCurve(options.ecdhCurve);
-  else
-    ecdhCurveWarning();
 
   if (options.dhparam) {
     const warning = c.context.setDHParam(options.dhparam);
diff --git a/test/parallel/test-tls-ecdh-disable.js b/test/parallel/test-tls-ecdh-disable.js
deleted file mode 100644
index f06063200c5f36..00000000000000
--- a/test/parallel/test-tls-ecdh-disable.js
+++ /dev/null
@@ -1,66 +0,0 @@
-// Copyright Joyent, Inc. and other Node contributors.
-//
-// Permission is hereby granted, free of charge, to any person obtaining a
-// copy of this software and associated documentation files (the
-// "Software"), to deal in the Software without restriction, including
-// without limitation the rights to use, copy, modify, merge, publish,
-// distribute, sublicense, and/or sell copies of the Software, and to permit
-// persons to whom the Software is furnished to do so, subject to the
-// following conditions:
-//
-// The above copyright notice and this permission notice shall be included
-// in all copies or substantial portions of the Software.
-//
-// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
-// OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
-// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
-// NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
-// DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
-// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
-// USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-// Test that the usage of elliptic curves are not permitted if disabled during
-// server initialization.
-
-'use strict';
-const common = require('../common');
-const { readKey } = require('../common/fixtures');
-if (!common.hasCrypto)
-  common.skip('missing crypto');
-
-if (!common.opensslCli)
-  common.skip('missing openssl-cli');
-
-const OPENSSL_VERSION_NUMBER =
-  require('crypto').constants.OPENSSL_VERSION_NUMBER;
-if (OPENSSL_VERSION_NUMBER >= 0x10100000)
-  common.skip('false ecdhCurve not supported in OpenSSL 1.1.0');
-
-const assert = require('assert');
-const tls = require('tls');
-const exec = require('child_process').exec;
-
-const options = {
-  key: readKey('agent2-key.pem'),
-  cert: readKey('agent2-cert.pem'),
-  ciphers: 'ECDHE-RSA-AES128-SHA',
-  ecdhCurve: false
-};
-
-common.expectWarning('DeprecationWarning',
-                     '{ ecdhCurve: false } is deprecated.',
-                     'DEP0083');
-
-const server = tls.createServer(options, common.mustNotCall());
-
-server.listen(0, '127.0.0.1', common.mustCall(function() {
-  const cmd = `"${common.opensslCli}" s_client -cipher ${
-    options.ciphers} -connect 127.0.0.1:${this.address().port}`;
-
-  exec(cmd, common.mustCall(function(err, stdout, stderr) {
-    // Old versions of openssl will still exit with 0 so we
-    // can't just check if err is not null.
-    assert(stderr.includes('handshake failure'));
-    server.close();
-  }));
-}));