`"ERR_SSL_NO_CIPHER_MATCH"` error when specifying TLS cipher suites

[jloleysens]

Version

v18.17.1

Platform

Darwin 22.6.0 Darwin Kernel Version 22.6.0: Wed Jul 5 22:22:05 PDT 2023; root:xnu-8796.141.3~6/RELEASE_ARM64_T6000 arm64

Subsystem

tls

What steps will reproduce the bug?

Run

require('node:https').createServer({ minVersion: 'TLSv1.3', ciphers: 'TLS_AES_256_GCM_SHA384:!TLS_CHACHA20_POLY1305_SHA256'})

Weirdly, setting ECDHE-RSA-AES128-GCM-SHA256 at the end like 'TLS_AES_256_GCM_SHA384:!TLS_CHACHA20_POLY1305_SHA256:ECDHE-RSA-AES128-GCM-SHA256' causes it work work even though 'ECDHE-RSA-AES128-GCM-SHA256' is from TLSv1.2.

How often does it reproduce? Is there a required condition?

Always

What is the expected behavior? Why is that the expected behavior?

The call to https.createServer should succeed and use the cipher suites specified AND (bonus) disallow specifying cipher suites not supported by the current protocol.

What do you see instead?

Uncaught Error: error:0A0000B9:SSL routines::no cipher match
    at configSecureContext (node:internal/tls/secure-context:231:11)
    at Object.createSecureContext (node:_tls_common:117:3)
    at Server.setSecureContext (node:_tls_wrap:1362:27)
    at Server (node:_tls_wrap:1226:8)
    at new Server (node:https:74:3)
    at Object.createServer (node:https:112:10) {
  library: 'SSL routines',
  reason: 'no cipher match',
  code: 'ERR_SSL_NO_CIPHER_MATCH'
}

Additional information

> tls.DEFAULT_CIPHERS
'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!SRP:!CAMELLIA'

[bnoordhuis]

This is the result of node trying to make the ciphers option work for both TLSv1.2 and 1.3 because openssl has different APIs for them (SSL_CTX_set_cipher_list vs. SSL_CTX_set_ciphersuites.)

Node parses the string but it doesn't understand bang syntax and treats it as a TLSv1.2 cipher. PR welcome. Untested, but I think the fix looks something like this:

diff --git a/lib/internal/tls/secure-context.js b/lib/internal/tls/secure-context.js
index 36d33e6ac8..0fa3098ffa 100644
--- a/lib/internal/tls/secure-context.js
+++ b/lib/internal/tls/secure-context.js
@@ -99,21 +99,25 @@ function processCiphers(ciphers, name) {
   const cipherList =
     ArrayPrototypeJoin(
       ArrayPrototypeFilter(
         ciphers,
         (cipher) => {
-          return cipher.length > 0 &&
-            !StringPrototypeStartsWith(cipher, 'TLS_');
+          if (cipher.length === 0) return false;
+          if (StringPrototypeStartsWith(cipher, 'TLS_')) return false;
+          if (StringPrototypeStartsWith(cipher, '!TLS_')) return false;
+          return true;
         }), ':');
 
   const cipherSuites =
     ArrayPrototypeJoin(
       ArrayPrototypeFilter(
         ciphers,
         (cipher) => {
-          return cipher.length > 0 &&
-            StringPrototypeStartsWith(cipher, 'TLS_');
+          if (cipher.length === 0) return false;
+          if (StringPrototypeStartsWith(cipher, 'TLS_')) return true;
+          if (StringPrototypeStartsWith(cipher, '!TLS_')) return true;
+          return false;
         }), ':');
 
   // Specifying empty cipher suites for both TLS1.2 and TLS1.3 is invalid, its
   // not possible to handshake with no suites.
   if (cipherSuites === '' && cipherList === '')