Expose a way to specify TLS version by node command line

[devanshu1111]

Is your feature request related to a problem? Please describe.
Yes, we want to be TLS1.2 compliant. Checking the whole repository to make the whole code TLS1.2 complaint. We liked the existing idea of specifying cipher suit at "node --tls-cipher-list="ECDHE-RSA-AES128-SHA" server.js". We need similar command to specify TLS version.

Describe the solution you'd like
To specify the TLS version at node commandline. Similar to "node --tls-cipher-list="ECDHE-RSA-AES128-SHA" server.js"

Describe alternatives you've considered
Please describe alternative solutions or features you have considered.

[addaleax]

The following CLI flags are available for current versions of Node:

  --tls-max-v1.2                            set default TLS maximum to TLSv1.2 (default: TLSv1.3)
  --tls-max-v1.3                            set default TLS maximum to TLSv1.3 (default: TLSv1.3)
  --tls-min-v1.0                            set default TLS minimum to TLSv1.0 (default: TLSv1.2)
  --tls-min-v1.1                            set default TLS minimum to TLSv1.1 (default: TLSv1.2)
  --tls-min-v1.3                            set default TLS minimum to TLSv1.3 (default: TLSv1.2)

Do any of these look like what you need?

[devanshu1111]

Hi Team,
Is there a plan to backport it to version 10.0x ? It would be a huge help to us.

[bnoordhuis]

It's under discussion, see #27432 (comment) (cc @sam-github)

I'll close this out as answered.

[sam-github]

Reopened to track this as a feature (rather than making another).

These are meaningful for 10.x, so I can implement them (hopefully fairly easily, I'll take a look today or tomorrow):

• --tls-min-v1.0/v1.1/v1.2
• --tls-max-v1.0/v1.1/v1.2

While TLS1.3 does not exist for 10.x, what about --tls-max-v1.3 and --tls-min-v1.3?

I can either:

1. not implement them (using them will error on unknown option)
2. implement them by:

• making TLS not have any implicit protocols for --tls-min-v1.3 (connections are only possible for apps that replace the defaults with specific config)
• having it be a no-op for --tls-max-v1.3

3. ...?

[sam-github]

@devanshu1111 ☝️ opinions as to what would be helpful to you?

[devanshu1111]

Thanks for looking into this.
We would like to have 1. not implement them (using them will error on unknown option) for TLSv-1.3.

[devanshu1111]

Thanks, please let us know the specific version under 10.x when it gets implemented.

[BethGriggs]

These options in exist in Node.js 12 (https://nodejs.org/dist/latest-v12.x/docs/api/cli.html#cli_tls_max_v1_2). The last ask in this issue was to backport to Node.js 10, which is now End-of-life.

edit: scratch that - they were shipped in v10.20.0 via #27946

[sameh1993]

whats the flag for node 14.16.0 ??