squash! add --tls-v1.0 and --tls-v1.1 flags

doc/api/cli.md

@@ -323,6 +323,22 @@ added: v4.0.0
 Specify an alternative default TLS cipher list. Requires Node.js to be built
 with crypto support (default).
 
+### `--tls-v1.0`
+<!-- YAML
+added: REPLACEME
+-->
+
+Enable TLSv1.0. This should only be used for compatibility with old TLS
+clients or servers.
+
+### `--tls-v1.1`
+<!-- YAML
+added: REPLACEME
+-->
+
+Enable TLSv1.1. This should only be used for compatibility with old TLS
+clients or servers.
+
 ### `--trace-deprecation`
 <!-- YAML
 added: v0.8.0

doc/node.1

@@ -183,6 +183,14 @@ Specify process.title on startup.
 Specify an alternative default TLS cipher list.
 Requires Node.js to be built with crypto support. (Default)
 .
+.It Fl -tls-v1.0
+Enable TLSv1.0. This should only be used for compatibility with old TLS
+clients or servers.
+.
+.It Fl -tls-v1.1
+Enable TLSv1.1. This should only be used for compatibility with old TLS
+clients or servers.
+.
 .It Fl -trace-deprecation
 Print stack traces for deprecations.
 .

src/node_crypto.cc

@@ -400,6 +400,9 @@ void SecureContext::Init(const FunctionCallbackInfo<Value>& args) {
   int max_version = 0;
   const SSL_METHOD* method = TLS_method();
 
+  if (env->options()->tls_v1_1) min_version = TLS1_1_VERSION;
+  if (env->options()->tls_v1_0) min_version = TLS1_VERSION;
+
   if (args.Length() == 1 && args[0]->IsString()) {
     const node::Utf8Value sslmethod(env->isolate(), args[0]);
 

src/node_options.cc

@@ -189,6 +189,17 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() {
 
   AddOption("--napi-modules", "", NoOp{}, kAllowedInEnvironment);
 
+#if HAVE_OPENSSL
+  AddOption("--tls-v1.0",
+            "enable TLSv1.0",
+            &EnvironmentOptions::tls_v1_0,
+            kAllowedInEnvironment);
+  AddOption("--tls-v1.1",
+            "enable TLSv1.1",
+            &EnvironmentOptions::tls_v1_1,
+            kAllowedInEnvironment);
+#endif
+
   Insert(&DebugOptionsParser::instance,
          &EnvironmentOptions::get_debug_options);
 }

src/node_options.h

@@ -92,6 +92,11 @@ class EnvironmentOptions : public Options {
   bool print_eval = false;
   bool force_repl = false;
 
+#if HAVE_OPENSSL
+  bool tls_v1_0 = false;
+  bool tls_v1_1 = false;
+#endif
+
   std::vector<std::string> preload_modules;
 
   std::vector<std::string> user_argv;

test/parallel/test-https-agent-additional-options.js

@@ -1,3 +1,4 @@
+// Flags: --tls-v1.1
 'use strict';
 const common = require('../common');
 if (!common.hasCrypto)
@@ -11,8 +12,7 @@ const fixtures = require('../common/fixtures');
 const options = {
   key: fixtures.readKey('agent1-key.pem'),
   cert: fixtures.readKey('agent1-cert.pem'),
-  ca: fixtures.readKey('ca1-cert.pem'),
-  secureProtocol: 'TLS_method',
+  ca: fixtures.readKey('ca1-cert.pem')
 };
 
 const server = https.Server(options, function(req, res) {
@@ -35,7 +35,7 @@ const updatedValues = new Map([
   ['ecdhCurve', 'secp384r1'],
   ['honorCipherOrder', true],
   ['secureOptions', crypto.constants.SSL_OP_CIPHER_SERVER_PREFERENCE],
-  ['secureProtocol', 'TLSv1_method'],
+  ['secureProtocol', 'TLSv1_1_method'],
   ['sessionIdContext', 'sessionIdContext'],
 ]);
 

test/parallel/test-https-agent-session-eviction.js

@@ -1,3 +1,4 @@
+// Flags: --tls-v1.0
 'use strict';
 
 const common = require('../common');
@@ -54,8 +55,7 @@ function faultyServer(port) {
 function second(server, session) {
   const req = https.request({
     port: server.address().port,
-    rejectUnauthorized: false,
-    secureProtocol: 'TLS_method',
+    rejectUnauthorized: false
   }, function(res) {
     res.resume();
   });

test/parallel/test-process-env-allowed-flags.js

@@ -51,7 +51,8 @@ require('../common');
 // assert all "canonical" flags begin with dash(es)
 {
   process.allowedNodeEnvironmentFlags.forEach((flag) => {
-    assert(/^--?[a-z8_-]+$/.test(flag), `Unexpected format for flag ${flag}`);
+    assert(/^--?[a-z0-9._-]+$/.test(flag),
+           `Unexpected format for flag ${flag}`);
   });
 }