From 84a1b182321f497f6c08bb151cccc11683d21a04 Mon Sep 17 00:00:00 2001 From: Sam Roberts Date: Tue, 20 Nov 2018 15:30:34 -0800 Subject: [PATCH 1/2] tls: add code for ERR_TLS_INVALID_PROTOCOL_METHOD Add an error code property to invalid `secureProtocol` method exceptions. PR-URL: https://github.com/nodejs/node/pull/24729 Reviewed-By: Joyee Cheung Reviewed-By: James M Snell --- doc/api/errors.md | 6 ++++++ src/node_crypto.cc | 23 ++++++++++++++++------- src/node_errors.h | 1 + 3 files changed, 23 insertions(+), 7 deletions(-) diff --git a/doc/api/errors.md b/doc/api/errors.md index 986c8e7e7e8d71..ee5421c0ec7d18 100644 --- a/doc/api/errors.md +++ b/doc/api/errors.md @@ -1724,6 +1724,12 @@ recommended to use 2048 bits or larger for stronger security. A TLS/SSL handshake timed out. In this case, the server must also abort the connection. + +### ERR_TLS_INVALID_PROTOCOL_METHOD + +The specified `secureProtocol` method is invalid. It is either unknown, or +disabled because it is insecure. + ### ERR_TLS_INVALID_PROTOCOL_VERSION diff --git a/src/node_crypto.cc b/src/node_crypto.cc index 68af2f58b5cfee..69acc90e752da8 100644 --- a/src/node_crypto.cc +++ b/src/node_crypto.cc @@ -54,6 +54,8 @@ static const int X509_NAME_FLAGS = ASN1_STRFLGS_ESC_CTRL namespace node { namespace crypto { +using node::THROW_ERR_TLS_INVALID_PROTOCOL_METHOD; + using v8::Array; using v8::ArrayBufferView; using v8::Boolean; 
@@ -413,17 +415,23 @@ void SecureContext::Init(const FunctionCallbackInfo& args) { // protocols are supported unless explicitly disabled (which we do below // for SSLv2 and SSLv3.) if (strcmp(*sslmethod, "SSLv2_method") == 0) { - return env->ThrowError("SSLv2 methods disabled"); + THROW_ERR_TLS_INVALID_PROTOCOL_METHOD(env, "SSLv2 methods disabled"); + return; } else if (strcmp(*sslmethod, "SSLv2_server_method") == 0) { - return env->ThrowError("SSLv2 methods disabled"); + THROW_ERR_TLS_INVALID_PROTOCOL_METHOD(env, "SSLv2 methods disabled"); + return; } else if (strcmp(*sslmethod, "SSLv2_client_method") == 0) { - return env->ThrowError("SSLv2 methods disabled"); + THROW_ERR_TLS_INVALID_PROTOCOL_METHOD(env, "SSLv2 methods disabled"); + return; } else if (strcmp(*sslmethod, "SSLv3_method") == 0) { - return env->ThrowError("SSLv3 methods disabled"); + THROW_ERR_TLS_INVALID_PROTOCOL_METHOD(env, "SSLv3 methods disabled"); + return; } else if (strcmp(*sslmethod, "SSLv3_server_method") == 0) { - return env->ThrowError("SSLv3 methods disabled"); + THROW_ERR_TLS_INVALID_PROTOCOL_METHOD(env, "SSLv3 methods disabled"); + return; } else if (strcmp(*sslmethod, "SSLv3_client_method") == 0) { - return env->ThrowError("SSLv3 methods disabled"); + THROW_ERR_TLS_INVALID_PROTOCOL_METHOD(env, "SSLv3 methods disabled"); + return; } else if (strcmp(*sslmethod, "SSLv23_method") == 0) { // noop } else if (strcmp(*sslmethod, "SSLv23_server_method") == 0) { @@ -467,7 +475,8 @@ void SecureContext::Init(const FunctionCallbackInfo& args) { max_version = TLS1_2_VERSION; method = TLS_client_method(); } else { - return env->ThrowError("Unknown method"); + THROW_ERR_TLS_INVALID_PROTOCOL_METHOD(env, "Unknown method"); + return; } } diff --git a/src/node_errors.h b/src/node_errors.h index 2e9fd761a8319d..835794b17820cc 100644 --- a/src/node_errors.h +++ b/src/node_errors.h 
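Review bot: The six SSLv2/SSLv3 branches each repeat the same throw and now each depend on their own trailing `return;`, which the old `return env->ThrowError(...)` form provided in a single statement. The added `return;` lines suggest the helper does not return from the caller, so a branch added later without one would presumably fall through with an exception pending and carry on setting up the context. Folding the three names per protocol into one condition, e.g. `if (strcmp(*sslmethod, "SSLv2_method") == 0 || strcmp(*sslmethod, "SSLv2_server_method") == 0 || strcmp(*sslmethod, "SSLv2_client_method") == 0) {`, leaves one throw-and-return per disabled protocol. `SecureContext::Init` starts and ends outside this hunk.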
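Review bot: No test in this patch asserts the new `code` on the `Unknown method` branch or on the disabled SSLv2/SSLv3 branches; the diffstat lists only `doc/api/errors.md`, `src/node_crypto.cc` and `src/node_errors.h`. A regression test that calls `tls.createSecureContext()` once with a disabled `secureProtocol` and once with an unrecognised one, checking `err.code === 'ERR_TLS_INVALID_PROTOCOL_METHOD'` in both cases, would pin the behaviour that callers are now expected to match on. The `Unknown method` message also omits the rejected name, so appending `*sslmethod` would make a misconfigured `secureProtocol` easier to diagnose, if the throw helper's signature allows it.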
@@ -55,6 +55,7 @@ void FatalException(v8::Isolate* isolate, V(ERR_SCRIPT_EXECUTION_INTERRUPTED, Error) \ V(ERR_SCRIPT_EXECUTION_TIMEOUT, Error) \ V(ERR_STRING_TOO_LONG, Error) \ + V(ERR_TLS_INVALID_PROTOCOL_METHOD, TypeError) \ V(ERR_TRANSFERRING_EXTERNALIZED_SHAREDARRAYBUFFER, TypeError) \ #define V(code, type) \ From 71ca71a88dd94626d3fe7813c47eed3975b3bf91 Mon Sep 17 00:00:00 2001 From: Sam Roberts Date: Wed, 27 Mar 2019 18:26:34 -0700 Subject: [PATCH 2/2] tls: revert change to invalid protocol error type In https://github.com/nodejs/node/pull/24729, the error was changed to be a TypeError, which is the standard type for this kind of error. However, it was Error in 11.x and earlier, so revert that single aspect, so the backport can be semver-minor. --- src/node_errors.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/node_errors.h b/src/node_errors.h index 835794b17820cc..60abddf9f279a2 100644 --- a/src/node_errors.h +++ b/src/node_errors.h @@ -55,7 +55,7 @@ void FatalException(v8::Isolate* isolate, V(ERR_SCRIPT_EXECUTION_INTERRUPTED, Error) \ V(ERR_SCRIPT_EXECUTION_TIMEOUT, Error) \ V(ERR_STRING_TOO_LONG, Error) \ - V(ERR_TLS_INVALID_PROTOCOL_METHOD, TypeError) \ + V(ERR_TLS_INVALID_PROTOCOL_METHOD, Error) \ V(ERR_TRANSFERRING_EXTERNALIZED_SHAREDARRAYBUFFER, TypeError) \ #define V(code, type) \
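Review bot: Nothing next to `V(ERR_TLS_INVALID_PROTOCOL_METHOD, Error)` in the second patch records that `Error` is deliberate; the reason (it was `Error` in 11.x and earlier, and the backport must stay semver-minor) lives only in the commit message. A later cleanup on this branch could easily "correct" it back to `TypeError` and change what `instanceof` checks in calling code see. I would add a short block comment above the list, e.g. `// ERR_TLS_INVALID_PROTOCOL_METHOD stays Error on this release line for compatibility with 11.x; do not change to TypeError here.` The `V(...)` list starts and ends outside the hunk, so placing the comment above it is a guess about the surrounding macro.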