diff --git a/test/fixtures/keys/Makefile b/test/fixtures/keys/Makefile index cea10a6ab3ba15..3339f4b912dc92 100644 --- a/test/fixtures/keys/Makefile +++ b/test/fixtures/keys/Makefile @@ -24,6 +24,7 @@ all: \ dh512.pem \ dh1024.pem \ dh2048.pem \ + dh3072.pem \ dherror.pem \ dh_private.pem \ dh_public.pem \ @@ -596,6 +597,9 @@ dh1024.pem: dh2048.pem: openssl dhparam -out dh2048.pem 2048 +dh3072.pem: + openssl dhparam -out dh3072.pem 3072 + dherror.pem: dh1024.pem sed 's/^[^-].*/AAAAAAAAAA/g' dh1024.pem > dherror.pem diff --git a/test/fixtures/keys/dh3072.pem b/test/fixtures/keys/dh3072.pem new file mode 100644 index 00000000000000..50e0533d891b8c --- /dev/null +++ b/test/fixtures/keys/dh3072.pem @@ -0,0 +1,11 @@ +-----BEGIN DH PARAMETERS----- +MIIBiAKCAYEAmV6aZ8ADnmRQoF9aGlV1AmajCkoc2eEltua1KpGFrxM0cr99gcS9 +/zxTDo8ixwPoHBOOBD+9MN6KbSJ+61xvu9yQ2qt8HfNcUI7QZxdVQ4ZHCQM3Jw8h +BPHFgjpx8w/pteZ3+L42felUxbd8/qfDv+gKsfuxrm6Ht7zzKLfbX9oNdJwpxX7N +yGP3nNadYDM/ZmvmEY8xh2dwLHSMaAP1gxuWiitdYXX60Yg6EFgIotznqbdW075D +KccGTTseFx9gNbxYkW33qX/p5IAf3wRFmptiRWCol88NHTDqtQRs0nhVQ1R28tiL +rQhSJLHLSa4esF+whfC64oXECr2AtarcKWG+LX1dEWI4SXqurnBPiBoyqfVWHS4b +PVgR90LlBJoXqblhsVrd+CkJI7ULDJmSA/cpgCqXH6vSvhb40yr5rpU4vZz+zhHY +CTXVpH95JD35PiZOfQYhfDA4LGvfICPLIH7E8YL5v2F6Xxsf8trI5KiAs1S3TN8b +lsLV6og5VoPXAgEC +-----END DH PARAMETERS----- diff --git a/test/parallel/test-tls-client-mindhsize.js b/test/parallel/test-tls-client-mindhsize.js index 585632d37a20c8..15c086842e1e4a 100644 --- a/test/parallel/test-tls-client-mindhsize.js +++ b/test/parallel/test-tls-client-mindhsize.js @@ -35,11 +35,12 @@ function test(size, err, next) { }); server.listen(0, function() { - // Client set minimum DH parameter size to 2048 bits so that - // it fails when it make a connection to the tls server where - // dhparams is 1024 bits + // Client set minimum DH parameter size to 2048 or 3072 bits + // so that it fails when it makes a connection to the tls + // server where is too small + const minDHSize = common.hasOpenSSL(3, 2) ? 3072 : 2048; const client = tls.connect({ - minDHSize: 2048, + minDHSize: minDHSize, port: this.address().port, rejectUnauthorized: false, maxVersion: 'TLSv1.2', @@ -60,16 +61,27 @@ function test(size, err, next) { // A client connection fails with an error when a client has an // 2048 bits minDHSize option and a server has 1024 bits dhparam function testDHE1024() { - test(1024, true, testDHE2048); + test(1024, true, testDHE2048(false, null)); +} + +// Test a client connection when a client has an +// 2048 bits minDHSize option +function testDHE2048(expect_to_fail, next) { + test(2048, expect_to_fail, next); } // A client connection successes when a client has an -// 2048 bits minDHSize option and a server has 2048 bits dhparam -function testDHE2048() { - test(2048, false, null); +// 3072 bits minDHSize option and a server has 3072 bits dhparam +function testDHE3072() { + test(3072, false, null); } -testDHE1024(); +if (common.hasOpenSSL(3, 2)) { + // Minimum size for OpenSSL 3.2 is 2048 by default + testDHE2048(true, testDHE3072); +} else { + testDHE1024(); +} assert.throws(() => test(512, true, common.mustNotCall()), /DH parameter is less than 1024 bits/);