Skip to content

fix(https): add option to disable TLS 1.0 cxns #189

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 4 commits into from
Mar 18, 2025
Merged

fix(https): add option to disable TLS 1.0 cxns #189

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
dd60991
fix(https): add option to disable TLS 1.0 cxns
skilbjo Mar 15, 2025
98bde8d
address review feedback
skilbjo Mar 18, 2025
aa78e8e
Tweak tlsServerOptions type & docs
pimterry Mar 18, 2025
437babb
Fix TLS options tests for old Node & browsers
pimterry Mar 18, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 12 additions & 0 deletions src/mockttp.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -723,6 +723,18 @@ export type MockttpHttpsOptions = CAOptions & {
* here for additional configuration of this behaviour.
*/
tlsInterceptOnly?: Array<{ hostname: string }>;

/**
* Set the TLS server options, used for incoming TLS connections.
*
* The only officially supported option for now is the minimum TLS version, which can
* be used to relax/tighten TLS requirements on clients. If not set, this defaults
* to your Node version's default TLS configuration. The full list of versions can be
* found at https://nodejs.org/api/tls.html#tlssocketgetprotocol.
*/
tlsServerOptions?: {
minVersion?: 'TLSv1.3' | 'TLSv1.2' | 'TLSv1.1' | 'TLSv1';
};
};

export interface MockttpOptions {
Expand Down
1 change: 1 addition & 0 deletions src/server/http-combo-server.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -184,6 +184,7 @@ export async function createComboServer(
cert: defaultCert.cert,
ca: [defaultCert.ca],
...ALPNOption,
...(options.https?.tlsServerOptions || {}),
SNICallback: (domain: string, cb: Function) => {
if (options.debug) console.log(`Generating certificate for ${domain}`);

Expand Down
83 changes: 81 additions & 2 deletions test/integration/https.spec.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@ import * as http from 'http';
import * as tls from 'tls';
import * as https from 'https';
import * as fs from 'fs/promises';
import * as semver from 'semver';

import { getLocal } from "../..";
import {
Expand All @@ -11,7 +12,8 @@ import {
delay,
openRawSocket,
openRawTlsSocket,
http2ProxyRequest
http2ProxyRequest,
DETAILED_TLS_ERROR_CODES
} from "../test-utils";
import { streamToBuffer } from '../../src/util/buffer-utils';

Expand Down Expand Up @@ -418,5 +420,82 @@ describe("When configured for HTTPS", () => {
);
});
});

describe("with TLS version restrictions", () => {
const server = getLocal({
https: {
keyPath: './test/fixtures/test-ca.key',
certPath: './test/fixtures/test-ca.pem',
tlsServerOptions: {
minVersion: 'TLSv1.2'
} as any
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Indentation has gone all funky here

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

have another look? if not happy, would you let me know how you lint the project? i was expecting to find a lint script to run npm run lint.

});

beforeEach(async () => {
await server.start();
await server.forAnyRequest().thenReply(200, "Mock response");
});

afterEach(async () => {
await server.stop();
});

it("should accept TLS 1.2 connections", async () => {
const tlsSocket = await openRawTlsSocket(server, {
rejectUnauthorized: false,
minVersion: 'TLSv1.2',
maxVersion: 'TLSv1.2'
});

expect(tlsSocket.getProtocol()).to.equal('TLSv1.2');
tlsSocket.destroy();
});

it("should reject TLS 1.0 connections", async () => {
try {
await openRawTlsSocket(server, {
rejectUnauthorized: false,
minVersion: 'TLSv1',
maxVersion: 'TLSv1'
});
throw new Error('Expected connection to fail');
} catch (e: any) {
expect(e.code).to.equal(
semver.satisfies(process.version, DETAILED_TLS_ERROR_CODES)
? 'ERR_SSL_TLSV1_ALERT_PROTOCOL_VERSION'
: 'ECONNRESET'
);
}
});

it("should reject TLS 1.1 connections", async () => {
try {
await openRawTlsSocket(server, {
rejectUnauthorized: false,
minVersion: 'TLSv1.1',
maxVersion: 'TLSv1.1'
});
throw new Error('Expected connection to fail');
} catch (e: any) {
expect(e.code).to.equal(
semver.satisfies(process.version, DETAILED_TLS_ERROR_CODES)
? 'ERR_SSL_TLSV1_ALERT_PROTOCOL_VERSION'
: 'ECONNRESET'
);
}
});

it("should accept TLS 1.3 connections when TLS 1.2 is minimum", async () => {
const tlsSocket = await openRawTlsSocket(server, {
rejectUnauthorized: false,
minVersion: 'TLSv1.3',
maxVersion: 'TLSv1.3'
});

expect(tlsSocket.getProtocol()).to.equal('TLSv1.3');
tlsSocket.destroy();
});
});
});
});
});
1 change: 1 addition & 0 deletions test/test-utils.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -257,6 +257,7 @@ export async function startDnsServer(callback: (question: dns2.DnsQuestion) => s

export const H2_TLS_ON_TLS_SUPPORTED = ">=12.17";
export const HTTP_ABORTSIGNAL_SUPPORTED = ">=14.17";
export const DETAILED_TLS_ERROR_CODES = ">=18";
export const NATIVE_FETCH_SUPPORTED = ">=18";
export const SOCKET_RESET_SUPPORTED = "^16.17 || >=18.3";
export const BROKEN_H1_OVER_H2_TUNNELLING = "^18.8";
Expand Down