From 787303a9ec7fafc5f4a6867a7691bf461c5e44f7 Mon Sep 17 00:00:00 2001
From: Zuzana Svetlikova <zsvetlik@redhat.com>
Date: Wed, 19 Feb 2020 09:45:19 +0000
Subject: [PATCH] Revert new options using unsupported OpenSSL features

Signed-off-by: rpm-build <rpm-build>
---
 doc/api/crypto.md                             |  24 ---
 doc/api/errors.md                             |   5 -
 doc/api/https.md                              |  25 ---
 doc/api/tls.md                                | 117 +------------
 doc/node.1                                    |   5 -
 lib/_http_agent.js                            |  24 +--
 lib/_tls_common.js                            |  13 --
 lib/_tls_wrap.js                              | 141 +--------------
 lib/internal/crypto/cipher.js                 |  10 +-
 lib/internal/crypto/sig.js                    |  37 +---
 src/env.h                                     |   3 -
 src/node_crypto.cc                            | 161 ++----------------
 src/node_crypto.h                             |  26 +--
 src/node_crypto_common.cc                     |  12 +-
 src/node_errors.h                             |   2 -
 src/node_options.cc                           |   4 -
 src/node_options.h                            |   1 -
 src/tls_wrap.cc                               | 134 ---------------
 src/tls_wrap.h                                |  17 --
 test/fixtures/rsa-oaep-test-vectors.js        |  30 ----
 .../test-tls-enable-keylog-cli.js             |   0
 test/parallel/test-crypto-rsa-dsa.js          |  65 ++++---
 test/parallel/test-crypto-sign-verify.js      |  67 ++++----
 test/parallel/test-https-agent-keylog.js      |  44 -----
 test/parallel/test-tls-getcipher.js           |   4 -
 test/parallel/test-tls-keylog-tlsv13.js       |  10 +-
 test/parallel/test-tls-multi-key.js           |   2 -
 test/parallel/test-tls-multi-pfx.js           |   2 -
 test/parallel/test-tls-psk-circuit.js         |  72 --------
 test/parallel/test-tls-psk-errors.js          |  32 ----
 test/parallel/test-tls-set-sigalgs.js         |  74 --------
 31 files changed, 126 insertions(+), 1037 deletions(-)
 delete mode 100644 test/fixtures/rsa-oaep-test-vectors.js
 rename test/{parallel => known_issues}/test-tls-enable-keylog-cli.js (100%)
 delete mode 100644 test/parallel/test-https-agent-keylog.js
 delete mode 100644 test/parallel/test-tls-psk-circuit.js
 delete mode 100644 test/parallel/test-tls-psk-errors.js
 delete mode 100644 test/parallel/test-tls-set-sigalgs.js

diff --git a/doc/api/crypto.md b/doc/api/crypto.md
index 6d6d75e..2dd32d1 100644
--- a/doc/api/crypto.md
+++ b/doc/api/crypto.md
@@ -1410,7 +1410,6 @@ changes:
 -->
 
 * `privateKey` {Object | string | Buffer | KeyObject}
-  * `dsaEncoding` {string}
   * `padding` {integer}
   * `saltLength` {integer}
 * `outputEncoding` {string} The [encoding][] of the return value.
@@ -1423,10 +1422,6 @@ If `privateKey` is not a [`KeyObject`][], this function behaves as if
 `privateKey` had been passed to [`crypto.createPrivateKey()`][]. If it is an
 object, the following additional properties can be passed:
 
-* `dsaEncoding` {string} For DSA and ECDSA, this option specifies the
-  format of the generated signature. It can be one of the following:
-  * `'der'` (default): DER-encoded ASN.1 signature structure encoding `(r, s)`.
-  * `'ieee-p1363'`: Signature format `r || s` as proposed in IEEE-P1363.
 * `padding` {integer} Optional padding value for RSA, one of the following:
   * `crypto.constants.RSA_PKCS1_PADDING` (default)
   * `crypto.constants.RSA_PKCS1_PSS_PADDING`
@@ -1523,7 +1518,6 @@ changes:
 -->
 
 * `object` {Object | string | Buffer | KeyObject}
-  * `dsaEncoding` {string}
   * `padding` {integer}
   * `saltLength` {integer}
 * `signature` {string | Buffer | TypedArray | DataView}
@@ -1537,10 +1531,6 @@ If `object` is not a [`KeyObject`][], this function behaves as if
 `object` had been passed to [`crypto.createPublicKey()`][]. If it is an
 object, the following additional properties can be passed:
 
-* `dsaEncoding` {string} For DSA and ECDSA, this option specifies the
-  format of the generated signature. It can be one of the following:
-  * `'der'` (default): DER-encoded ASN.1 signature structure encoding `(r, s)`.
-  * `'ieee-p1363'`: Signature format `r || s` as proposed in IEEE-P1363.
 * `padding` {integer} Optional padding value for RSA, one of the following:
   * `crypto.constants.RSA_PKCS1_PADDING` (default)
   * `crypto.constants.RSA_PKCS1_PSS_PADDING`
@@ -2464,9 +2454,6 @@ An array of supported digest functions can be retrieved using
 <!-- YAML
 added: v0.11.14
 changes:
-  - version: v12.11.0
-    pr-url: https://github.com/nodejs/node/pull/29489
-    description: The `oaepLabel` option was added.
   - version: v12.9.0
     pr-url: https://github.com/nodejs/node/pull/28335
     description: The `oaepHash` option was added.
@@ -2553,9 +2540,6 @@ be passed instead of a public key.
 <!-- YAML
 added: v0.11.14
 changes:
-  - version: v12.11.0
-    pr-url: https://github.com/nodejs/node/pull/29489
-    description: The `oaepLabel` option was added.
   - version: v12.9.0
     pr-url: https://github.com/nodejs/node/pull/28335
     description: The `oaepHash` option was added.
@@ -2941,10 +2925,6 @@ If `key` is not a [`KeyObject`][], this function behaves as if `key` had been
 passed to [`crypto.createPrivateKey()`][]. If it is an object, the following
 additional properties can be passed:
 
-* `dsaEncoding` {string} For DSA and ECDSA, this option specifies the
-  format of the generated signature. It can be one of the following:
-  * `'der'` (default): DER-encoded ASN.1 signature structure encoding `(r, s)`.
-  * `'ieee-p1363'`: Signature format `r || s` as proposed in IEEE-P1363.
 * `padding` {integer} Optional padding value for RSA, one of the following:
   * `crypto.constants.RSA_PKCS1_PADDING` (default)
   * `crypto.constants.RSA_PKCS1_PSS_PADDING`
@@ -2998,10 +2978,6 @@ If `key` is not a [`KeyObject`][], this function behaves as if `key` had been
 passed to [`crypto.createPublicKey()`][]. If it is an object, the following
 additional properties can be passed:
 
-* `dsaEncoding` {string} For DSA and ECDSA, this option specifies the
-  format of the generated signature. It can be one of the following:
-  * `'der'` (default): DER-encoded ASN.1 signature structure encoding `(r, s)`.
-  * `'ieee-p1363'`: Signature format `r || s` as proposed in IEEE-P1363.
 * `padding` {integer} Optional padding value for RSA, one of the following:
   * `crypto.constants.RSA_PKCS1_PADDING` (default)
   * `crypto.constants.RSA_PKCS1_PSS_PADDING`
diff --git a/doc/api/errors.md b/doc/api/errors.md
index 51239ab..26e076d 100644
--- a/doc/api/errors.md
+++ b/doc/api/errors.md
@@ -1923,11 +1923,6 @@ vector for denial-of-service attacks.
 An attempt was made to issue Server Name Indication from a TLS server-side
 socket, which is only valid from a client.
 
-<a id="ERR_TLS_PSK_SET_IDENTIY_HINT_FAILED"></a>
-### ERR_TLS_PSK_SET_IDENTIY_HINT_FAILED
-
-Failed to set PSK identity hint. Hint may be too long.
-
 <a id="ERR_TRACE_EVENTS_CATEGORY_REQUIRED"></a>
 ### `ERR_TRACE_EVENTS_CATEGORY_REQUIRED`
 
diff --git a/doc/api/https.md b/doc/api/https.md
index c685b3f..3cb142d 100644
--- a/doc/api/https.md
+++ b/doc/api/https.md
@@ -45,31 +45,6 @@ changes:
 
     See [`Session Resumption`][] for information about TLS session reuse.
 
-#### Event: `'keylog'`
-<!-- YAML
-added: v12.16.0
--->
-
-* `line` {Buffer} Line of ASCII text, in NSS `SSLKEYLOGFILE` format.
-* `tlsSocket` {tls.TLSSocket} The `tls.TLSSocket` instance on which it was
-  generated.
-
-The `keylog` event is emitted when key material is generated or received by a
-connection managed by this agent (typically before handshake has completed, but
-not necessarily). This keying material can be stored for debugging, as it
-allows captured TLS traffic to be decrypted. It may be emitted multiple times
-for each socket.
-
-A typical use case is to append received lines to a common text file, which is
-later used by software (such as Wireshark) to decrypt the traffic:
-
-```js
-// ...
-https.globalAgent.on('keylog', (line, tlsSocket) => {
-  fs.appendFileSync('/tmp/ssl-keys.log', line, { mode: 0o600 });
-});
-```
-
 ## Class: `https.Server`
 <!-- YAML
 added: v0.3.4
diff --git a/doc/api/tls.md b/doc/api/tls.md
index 04f5e23..34d6851 100644
--- a/doc/api/tls.md
+++ b/doc/api/tls.md
@@ -118,40 +118,6 @@ SNI (Server Name Indication) are TLS handshake extensions:
 * SNI: Allows the use of one TLS server for multiple hostnames with different
   SSL certificates.
 
-### Pre-shared keys
-
-<!-- type=misc -->
-
-TLS-PSK support is available as an alternative to normal certificate-based
-authentication. It uses a pre-shared key instead of certificates to
-authenticate a TLS connection, providing mutual authentication.
-TLS-PSK and public key infrastructure are not mutually exclusive. Clients and
-servers can accommodate both, choosing either of them during the normal cipher
-negotiation step.
-
-TLS-PSK is only a good choice where means exist to securely share a
-key with every connecting machine, so it does not replace PKI
-(Public Key Infrastructure) for the majority of TLS uses.
-The TLS-PSK implementation in OpenSSL has seen many security flaws in
-recent years, mostly because it is used only by a minority of applications.
-Please consider all alternative solutions before switching to PSK ciphers.
-Upon generating PSK it is of critical importance to use sufficient entropy as
-discussed in [RFC 4086][]. Deriving a shared secret from a password or other
-low-entropy sources is not secure.
-
-PSK ciphers are disabled by default, and using TLS-PSK thus requires explicitly
-specifying a cipher suite with the `ciphers` option. The list of available
-ciphers can be retrieved via `openssl ciphers -v 'PSK'`. All TLS 1.3
-ciphers are eligible for PSK but currently only those that use SHA256 digest are
-supported they can be retrieved via `openssl ciphers -v -s -tls1_3 -psk`.
-
-According to the [RFC 4279][], PSK identities up to 128 bytes in length and
-PSKs up to 64 bytes in length must be supported. As of OpenSSL 1.1.0
-maximum identity size is 128 bytes, and maximum PSK length is 256 bytes.
-
-The current implementation doesn't support asynchronous PSK callbacks due to the
-limitations of the underlying OpenSSL API.
-
 ### Client-initiated renegotiation attack mitigation
 
 <!-- type=misc -->
@@ -861,27 +827,16 @@ changes:
     pr-url: https://github.com/nodejs/node/pull/26625
     description: Return the minimum cipher version, instead of a fixed string
       (`'TLSv1/SSLv3'`).
-  - version: v12.16.0
-    pr-url: https://github.com/nodejs/node/pull/30637
-    description: Return the IETF cipher name as `standardName`.
 -->
 
 * Returns: {Object}
-  * `name` {string} OpenSSL name for the cipher suite.
-  * `standardName` {string} IETF name for the cipher suite.
+  * `name` {string} The name of the cipher suite.
   * `version` {string} The minimum TLS protocol version supported by this cipher
     suite.
 
 Returns an object containing information on the negotiated cipher suite.
 
-For example:
-```json
-{
-    "name": "AES128-SHA256",
-    "standardName": "TLS_RSA_WITH_AES_128_CBC_SHA256",
-    "version": "TLSv1.2"
-}
-```
+For example: `{ name: 'AES256-SHA', version: 'TLSv1.2' }`.
 
 See
 [SSL_CIPHER_get_name](https://www.openssl.org/docs/man1.1.1/man3/SSL_CIPHER_get_name.html)
@@ -1082,18 +1037,6 @@ See [Session Resumption][] for more information.
 Note: `getSession()` works only for TLSv1.2 and below. For TLSv1.3, applications
 must use the [`'session'`][] event (it also works for TLSv1.2 and below).
 
-### `tlsSocket.getSharedSigalgs()`
-<!-- YAML
-added: v12.11.0
--->
-
-* Returns: {Array} List of signature algorithms shared between the server and
-the client in the order of decreasing preference.
-
-See
-[SSL_get_shared_sigalgs](https://www.openssl.org/docs/man1.1.1/man3/SSL_get_shared_sigalgs.html)
-for more information.
-
 ### `tlsSocket.exportKeyingMaterial(length, label[, context])`
 <!-- YAML
 added: v12.17.0
@@ -1274,9 +1217,6 @@ being issued by trusted CA (`options.ca`).
 <!-- YAML
 added: v0.11.3
 changes:
-  - version: v12.16.0
-    pr-url: https://github.com/nodejs/node/pull/23188
-    description: The `pskCallback` option is now supported.
   - version: v12.9.0
     pr-url: https://github.com/nodejs/node/pull/27836
     description: Support the `allowHalfOpen` option.
@@ -1328,23 +1268,6 @@ changes:
     verified against the list of supplied CAs. An `'error'` event is emitted if
     verification fails; `err.code` contains the OpenSSL error code. **Default:**
     `true`.
-  * `pskCallback` {Function}
-    * hint: {string} optional message sent from the server to help client
-      decide which identity to use during negotiation.
-      Always `null` if TLS 1.3 is used.
-    * Returns: {Object} in the form
-      `{ psk: <Buffer|TypedArray|DataView>, identity: <string> }`
-      or `null` to stop the negotiation process. `psk` must be
-      compatible with the selected cipher's digest.
-      `identity` must use UTF-8 encoding.
-    When negotiating TLS-PSK (pre-shared keys), this function is called
-    with optional identity `hint` provided by the server or `null`
-    in case of TLS 1.3 where `hint` was removed.
-    It will be necessary to provide a custom `tls.checkServerIdentity()`
-    for the connection as the default one will try to check host name/IP
-    of the server against the certificate but that's not applicable for PSK
-    because there won't be a certificate present.
-    More information can be found in the [RFC 4279][].
   * `ALPNProtocols`: {string[]|Buffer[]|TypedArray[]|DataView[]|Buffer|
     TypedArray|DataView}
     An array of strings, `Buffer`s or `TypedArray`s or `DataView`s, or a
@@ -1460,10 +1383,6 @@ changes:
     pr-url: https://github.com/nodejs/node/pull/28973
     description: Added `privateKeyIdentifier` and `privateKeyEngine` options
                  to get private key from an OpenSSL engine.
-  - version: v12.11.0
-    pr-url: https://github.com/nodejs/node/pull/29598
-    description: Added `sigalgs` option to override supported signature
-                 algorithms.
   - version: v12.0.0
     pr-url: https://github.com/nodejs/node/pull/26209
     description: TLSv1.3 support added.
@@ -1524,12 +1443,6 @@ changes:
     order as their private keys in `key`. If the intermediate certificates are
     not provided, the peer will not be able to validate the certificate, and the
     handshake will fail.
-  * `sigalgs` {string} Colon-separated list of supported signature algorithms.
-    The list can contain digest algorithms (`SHA256`, `MD5` etc.), public key
-    algorithms (`RSA-PSS`, `ECDSA` etc.), combination of both (e.g
-    'RSA+SHA384') or TLS v1.3 scheme names (e.g. `rsa_pss_pss_sha512`).
-    See [OpenSSL man pages](https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set1_sigalgs_list.html)
-    for more info.
   * `ciphers` {string} Cipher suite specification, replacing the default. For
     more information, see [modifying the default cipher suite][]. Permitted
     ciphers can be obtained via [`tls.getCiphers()`][]. Cipher names must be
@@ -1680,30 +1593,8 @@ changes:
     provided the default callback with high-level API will be used (see below).
   * `ticketKeys`: {Buffer} 48-bytes of cryptographically strong pseudo-random
     data. See [Session Resumption][] for more information.
-  * `pskCallback` {Function}
-    * socket: {tls.TLSSocket} the server [`tls.TLSSocket`][] instance for
-      this connection.
-    * identity: {string} identity parameter sent from the client.
-    * Returns: {Buffer|TypedArray|DataView} pre-shared key that must either be
-      a buffer or `null` to stop the negotiation process. Returned PSK must be
-      compatible with the selected cipher's digest.
-    When negotiating TLS-PSK (pre-shared keys), this function is called
-    with the identity provided by the client.
-    If the return value is `null` the negotiation process will stop and an
-    "unknown_psk_identity" alert message will be sent to the other party.
-    If the server wishes to hide the fact that the PSK identity was not known,
-    the callback must provide some random data as `psk` to make the connection
-    fail with "decrypt_error" before negotiation is finished.
-    PSK ciphers are disabled by default, and using TLS-PSK thus
-    requires explicitly specifying a cipher suite with the `ciphers` option.
-    More information can be found in the [RFC 4279][].
-  * `pskIdentityHint` {string} optional hint to send to a client to help
-    with selecting the identity during TLS-PSK negotiation. Will be ignored
-    in TLS 1.3. Upon failing to set pskIdentityHint `'tlsClientError'` will be
-    emitted with `'ERR_TLS_PSK_SET_IDENTIY_HINT_FAILED'` code.
   * ...: Any [`tls.createSecureContext()`][] option can be provided. For
-    servers, the identity options (`pfx`, `key`/`cert` or `pskCallback`)
-    are usually required.
+    servers, the identity options (`pfx` or `key`/`cert`) are usually required.
   * ...: Any [`net.createServer()`][] option can be provided.
 * `secureConnectionListener` {Function}
 * Returns: {tls.Server}
@@ -1980,5 +1871,3 @@ where `secureSocket` has the same API as `pair.cleartext`.
 [cipher list format]: https://www.openssl.org/docs/man1.1.1/man1/ciphers.html#CIPHER-LIST-FORMAT
 [modifying the default cipher suite]: #tls_modifying_the_default_tls_cipher_suite
 [specific attacks affecting larger AES key sizes]: https://www.schneier.com/blog/archives/2009/07/another_new_aes.html
-[RFC 4279]: https://tools.ietf.org/html/rfc4279
-[RFC 4086]: https://tools.ietf.org/html/rfc4086
diff --git a/doc/node.1 b/doc/node.1
index be92e73..cfaa4d4 100644
--- a/doc/node.1
+++ b/doc/node.1
@@ -345,11 +345,6 @@ Specify process.title on startup.
 Specify an alternative default TLS cipher list.
 Requires Node.js to be built with crypto support. (Default)
 .
-.It Fl -tls-keylog Ns = Ns Ar file
-Log TLS key material to a file. The key material is in NSS SSLKEYLOGFILE
-format and can be used by software (such as Wireshark) to decrypt the TLS
-traffic.
-.
 .It Fl -tls-max-v1.2
 Set default  maxVersion to 'TLSv1.2'. Use to disable support for TLSv1.3.
 .
diff --git a/lib/_http_agent.js b/lib/_http_agent.js
index 7fb4a49..084d6b1 100644
--- a/lib/_http_agent.js
+++ b/lib/_http_agent.js
@@ -32,7 +32,7 @@ const net = require('net');
 const EventEmitter = require('events');
 const debug = require('internal/util/debuglog').debuglog('http');
 const { async_id_symbol } = require('internal/async_hooks').symbols;
-const kOnKeylog = Symbol('onkeylog');
+
 // New Agent code.
 
 // The largest departure from the previous implementation is that
@@ -136,28 +136,10 @@ function Agent(options) {
       }
     }
   });
-
-  // Don't emit keylog events unless there is a listener for them.
-  this.on('newListener', maybeEnableKeylog);
 }
 ObjectSetPrototypeOf(Agent.prototype, EventEmitter.prototype);
 ObjectSetPrototypeOf(Agent, EventEmitter);
 
-function maybeEnableKeylog(eventName) {
-  if (eventName === 'keylog') {
-    this.removeListener('newListener', maybeEnableKeylog);
-    // Future sockets will listen on keylog at creation.
-    const agent = this;
-    this[kOnKeylog] = function onkeylog(keylog) {
-      agent.emit('keylog', keylog, this);
-    };
-    // Existing sockets will start listening on keylog now.
-    for (const socket of ObjectValues(this.sockets)) {
-      socket.on('keylog', this[kOnKeylog]);
-    }
-  }
-}
-
 Agent.defaultMaxSockets = Infinity;
 
 Agent.prototype.createConnection = net.createConnection;
@@ -351,10 +333,6 @@ function installListeners(agent, s, options) {
     s.removeListener('agentRemove', onRemove);
   }
   s.on('agentRemove', onRemove);
-
-  if (agent[kOnKeylog]) {
-    s.on('keylog', agent[kOnKeylog]);
-  }
 }
 
 Agent.prototype.removeSocket = function removeSocket(s, options) {
diff --git a/lib/_tls_common.js b/lib/_tls_common.js
index 32e4a77..1e36b54 100644
--- a/lib/_tls_common.js
+++ b/lib/_tls_common.js
@@ -150,19 +150,6 @@ exports.createSecureContext = function createSecureContext(options) {
     }
   }
 
-  const sigalgs = options.sigalgs;
-  if (sigalgs !== undefined) {
-    if (typeof sigalgs !== 'string') {
-      throw new ERR_INVALID_ARG_TYPE('options.sigalgs', 'string', sigalgs);
-    }
-
-    if (sigalgs === '') {
-      throw new ERR_INVALID_OPT_VALUE('sigalgs', sigalgs);
-    }
-
-    c.context.setSigalgs(sigalgs);
-  }
-
   const { privateKeyIdentifier, privateKeyEngine } = options;
   if (privateKeyIdentifier !== undefined) {
     if (privateKeyEngine === undefined) {
diff --git a/lib/_tls_wrap.js b/lib/_tls_wrap.js
index ff3deac..2ca8e6e 100644
--- a/lib/_tls_wrap.js
+++ b/lib/_tls_wrap.js
@@ -50,12 +50,10 @@ const { TCP, constants: TCPConstants } = internalBinding('tcp_wrap');
 const tls_wrap = internalBinding('tls_wrap');
 const { Pipe, constants: PipeConstants } = internalBinding('pipe_wrap');
 const { owner_symbol } = require('internal/async_hooks').symbols;
-const { isArrayBufferView } = require('internal/util/types');
 const { SecureContext: NativeSecureContext } = internalBinding('crypto');
 const { connResetException, codes } = require('internal/errors');
 const {
   ERR_INVALID_ARG_TYPE,
-  ERR_INVALID_ARG_VALUE,
   ERR_INVALID_CALLBACK,
   ERR_MULTIPLE_CALLBACK,
   ERR_SOCKET_CLOSED,
@@ -68,19 +66,15 @@ const {
   ERR_TLS_SNI_FROM_SERVER,
   ERR_TLS_INVALID_STATE
 } = codes;
-const { onpskexchange: kOnPskExchange } = internalBinding('symbols');
 const {
   getOptionValue,
   getAllowUnauthorized,
 } = require('internal/options');
 const {
   validateString,
-  validateBuffer,
   validateUint32
 } = require('internal/validators');
 const traceTls = getOptionValue('--trace-tls');
-const tlsKeylog = getOptionValue('--tls-keylog');
-const { appendFile } = require('fs');
 const kConnectOptions = Symbol('connect-options');
 const kDisableRenegotiation = Symbol('disable-renegotiation');
 const kErrorEmitted = Symbol('error-emitted');
@@ -88,8 +82,6 @@ const kHandshakeTimeout = Symbol('handshake-timeout');
 const kRes = Symbol('res');
 const kSNICallback = Symbol('snicallback');
 const kEnableTrace = Symbol('enableTrace');
-const kPskCallback = Symbol('pskcallback');
-const kPskIdentityHint = Symbol('pskidentityhint');
 const kPendingSession = Symbol('pendingSession');
 const kIsVerified = Symbol('verified');
 
@@ -315,67 +307,6 @@ function onnewsession(sessionId, session) {
     done();
 }
 
-function onPskServerCallback(identity, maxPskLen) {
-  const owner = this[owner_symbol];
-  const ret = owner[kPskCallback](owner, identity);
-  if (ret == null)
-    return undefined;
-
-  let psk;
-  if (isArrayBufferView(ret)) {
-    psk = ret;
-  } else {
-    if (typeof ret !== 'object') {
-      throw new ERR_INVALID_ARG_TYPE(
-        'ret',
-        ['Object', 'Buffer', 'TypedArray', 'DataView'],
-        ret
-      );
-    }
-    psk = ret.psk;
-    validateBuffer(psk, 'psk');
-  }
-
-  if (psk.length > maxPskLen) {
-    throw new ERR_INVALID_ARG_VALUE(
-      'psk',
-      psk,
-      `Pre-shared key exceeds ${maxPskLen} bytes`
-    );
-  }
-
-  return psk;
-}
-
-function onPskClientCallback(hint, maxPskLen, maxIdentityLen) {
-  const owner = this[owner_symbol];
-  const ret = owner[kPskCallback](hint);
-  if (ret == null)
-    return undefined;
-
-  if (typeof ret !== 'object')
-    throw new ERR_INVALID_ARG_TYPE('ret', 'Object', ret);
-
-  validateBuffer(ret.psk, 'psk');
-  if (ret.psk.length > maxPskLen) {
-    throw new ERR_INVALID_ARG_VALUE(
-      'psk',
-      ret.psk,
-      `Pre-shared key exceeds ${maxPskLen} bytes`
-    );
-  }
-
-  validateString(ret.identity, 'identity');
-  if (Buffer.byteLength(ret.identity) > maxIdentityLen) {
-    throw new ERR_INVALID_ARG_VALUE(
-      'identity',
-      ret.identity,
-      `PSK identity exceeds ${maxIdentityLen} bytes`
-    );
-  }
-
-  return { psk: ret.psk, identity: ret.identity };
-}
 
 function onkeylog(line) {
   debug('onkeylog');
@@ -649,8 +580,6 @@ TLSSocket.prototype._destroySSL = function _destroySSL() {
 };
 
 // Constructor guts, arbitrarily factored out.
-let warnOnTlsKeylog = true;
-let warnOnTlsKeylogError = true;
 TLSSocket.prototype._init = function(socket, wrap) {
   const options = this._tlsOptions;
   const ssl = this._handle;
@@ -730,23 +659,6 @@ TLSSocket.prototype._init = function(socket, wrap) {
     }
   }
 
-  if (tlsKeylog) {
-    if (warnOnTlsKeylog) {
-      warnOnTlsKeylog = false;
-      process.emitWarning('Using --tls-keylog makes TLS connections insecure ' +
-        'by writing secret key material to file ' + tlsKeylog);
-    }
-    this.on('keylog', (line) => {
-      appendFile(tlsKeylog, line, { mode: 0o600 }, (err) => {
-        if (err && warnOnTlsKeylogError) {
-          warnOnTlsKeylogError = false;
-          process.emitWarning('Failed to write TLS keylog (this warning ' +
-            'will not be repeated): ' + err);
-        }
-      });
-    });
-  }
-
   ssl.onerror = onerror;
 
   // If custom SNICallback was given, or if
@@ -767,32 +679,6 @@ TLSSocket.prototype._init = function(socket, wrap) {
     ssl.setALPNProtocols(ssl._secureContext.alpnBuffer);
   }
 
-  if (options.pskCallback && ssl.enablePskCallback) {
-    if (typeof options.pskCallback !== 'function') {
-      throw new ERR_INVALID_ARG_TYPE('pskCallback',
-                                     'function',
-                                     options.pskCallback);
-    }
-
-    ssl[kOnPskExchange] = options.isServer ?
-      onPskServerCallback : onPskClientCallback;
-
-    this[kPskCallback] = options.pskCallback;
-    ssl.enablePskCallback();
-
-    if (options.pskIdentityHint) {
-      if (typeof options.pskIdentityHint !== 'string') {
-        throw new ERR_INVALID_ARG_TYPE(
-          'options.pskIdentityHint',
-          'string',
-          options.pskIdentityHint
-        );
-      }
-      ssl.setPskIdentityHint(options.pskIdentityHint);
-    }
-  }
-
-
   if (options.handshakeTimeout > 0)
     this.setTimeout(options.handshakeTimeout, this._handleTimeout);
 
@@ -1003,7 +889,6 @@ function makeSocketMethodProxy(name) {
 
 [
   'getCipher',
-  'getSharedSigalgs',
   'getEphemeralKeyInfo',
   'getFinished',
   'getPeerFinished',
@@ -1016,7 +901,7 @@ function makeSocketMethodProxy(name) {
   TLSSocket.prototype[method] = makeSocketMethodProxy(method);
 });
 
-// TODO: support anonymous (nocert)
+// TODO: support anonymous (nocert) and PSK
 
 
 function onServerSocketSecure() {
@@ -1077,8 +962,6 @@ function tlsConnectionListener(rawSocket) {
     SNICallback: this[kSNICallback] || SNICallback,
     enableTrace: this[kEnableTrace],
     pauseOnConnect: this.pauseOnConnect,
-    pskCallback: this[kPskCallback],
-    pskIdentityHint: this[kPskIdentityHint],
   });
 
   socket.on('secure', onServerSocketSecure);
@@ -1186,8 +1069,6 @@ function Server(options, listener) {
 
   this[kHandshakeTimeout] = options.handshakeTimeout || (120 * 1000);
   this[kSNICallback] = options.SNICallback;
-  this[kPskCallback] = options.pskCallback;
-  this[kPskIdentityHint] = options.pskIdentityHint;
 
   if (typeof this[kHandshakeTimeout] !== 'number') {
     throw new ERR_INVALID_ARG_TYPE(
@@ -1199,18 +1080,6 @@ function Server(options, listener) {
       'options.SNICallback', 'function', options.SNICallback);
   }
 
-  if (this[kPskCallback] && typeof this[kPskCallback] !== 'function') {
-    throw new ERR_INVALID_ARG_TYPE(
-      'options.pskCallback', 'function', options.pskCallback);
-  }
-  if (this[kPskIdentityHint] && typeof this[kPskIdentityHint] !== 'string') {
-    throw new ERR_INVALID_ARG_TYPE(
-      'options.pskIdentityHint',
-      'string',
-      options.pskIdentityHint
-    );
-  }
-
   // constructor call
   net.Server.call(this, options, tlsConnectionListener);
 
@@ -1283,8 +1152,6 @@ Server.prototype.setSecureContext = function(options) {
   else
     this.crl = undefined;
 
-  this.sigalgs = options.sigalgs;
-
   if (options.ciphers)
     this.ciphers = options.ciphers;
   else
@@ -1326,7 +1193,6 @@ Server.prototype.setSecureContext = function(options) {
     clientCertEngine: this.clientCertEngine,
     ca: this.ca,
     ciphers: this.ciphers,
-    sigalgs: this.sigalgs,
     ecdhCurve: this.ecdhCurve,
     dhparam: this.dhparam,
     minVersion: this.minVersion,
@@ -1407,8 +1273,6 @@ Server.prototype.setOptions = deprecate(function(options) {
                                   .digest('hex')
                                   .slice(0, 32);
   }
-  if (options.pskCallback) this[kPskCallback] = options.pskCallback;
-  if (options.pskIdentityHint) this[kPskIdentityHint] = options.pskIdentityHint;
 }, 'Server.prototype.setOptions() is deprecated', 'DEP0122');
 
 // SNI Contexts High-Level API
@@ -1592,8 +1456,7 @@ exports.connect = function connect(...args) {
     session: options.session,
     ALPNProtocols: options.ALPNProtocols,
     requestOCSP: options.requestOCSP,
-    enableTrace: options.enableTrace,
-    pskCallback: options.pskCallback,
+    enableTrace: options.enableTrace
   });
 
   tlssock[kConnectOptions] = options;
diff --git a/lib/internal/crypto/cipher.js b/lib/internal/crypto/cipher.js
index ee1422d..941ebe0 100644
--- a/lib/internal/crypto/cipher.js
+++ b/lib/internal/crypto/cipher.js
@@ -52,16 +52,10 @@ function rsaFunctionFor(method, defaultPadding, keyType) {
         preparePrivateKey(options) :
         preparePublicOrPrivateKey(options);
     const padding = options.padding || defaultPadding;
-    const { oaepHash, oaepLabel } = options;
+    const { oaepHash } = options;
     if (oaepHash !== undefined && typeof oaepHash !== 'string')
       throw new ERR_INVALID_ARG_TYPE('options.oaepHash', 'string', oaepHash);
-    if (oaepLabel !== undefined && !isArrayBufferView(oaepLabel)) {
-      throw new ERR_INVALID_ARG_TYPE('options.oaepLabel',
-                                     ['Buffer', 'TypedArray', 'DataView'],
-                                     oaepLabel);
-    }
-    return method(data, format, type, passphrase, buffer, padding, oaepHash,
-                  oaepLabel);
+    return method(data, format, type, passphrase, buffer, padding, oaepHash);
   };
 }
 
diff --git a/lib/internal/crypto/sig.js b/lib/internal/crypto/sig.js
index 27930ce..1fd99f9 100644
--- a/lib/internal/crypto/sig.js
+++ b/lib/internal/crypto/sig.js
@@ -13,8 +13,6 @@ const { validateString } = require('internal/validators');
 const {
   Sign: _Sign,
   Verify: _Verify,
-  kSigEncDER,
-  kSigEncP1363,
   signOneShot: _signOneShot,
   verifyOneShot: _verifyOneShot
 } = internalBinding('crypto');
@@ -63,20 +61,6 @@ function getSaltLength(options) {
   return getIntOption('saltLength', options);
 }
 
-function getDSASignatureEncoding(options) {
-  if (typeof options === 'object') {
-    const { dsaEncoding = 'der' } = options;
-    if (dsaEncoding === 'der')
-      return kSigEncDER;
-    else if (dsaEncoding === 'ieee-p1363')
-      return kSigEncP1363;
-    else
-      throw new ERR_INVALID_OPT_VALUE('dsaEncoding', dsaEncoding);
-  }
-
-  return kSigEncDER;
-}
-
 function getIntOption(name, options) {
   const value = options[name];
   if (value !== undefined) {
@@ -99,11 +83,8 @@ Sign.prototype.sign = function sign(options, encoding) {
   const rsaPadding = getPadding(options);
   const pssSaltLength = getSaltLength(options);
 
-  // Options specific to (EC)DSA
-  const dsaSigEnc = getDSASignatureEncoding(options);
-
   const ret = this[kHandle].sign(data, format, type, passphrase, rsaPadding,
-                                 pssSaltLength, dsaSigEnc);
+                                 pssSaltLength);
 
   encoding = encoding || getDefaultEncoding();
   if (encoding && encoding !== 'buffer')
@@ -138,11 +119,8 @@ function signOneShot(algorithm, data, key) {
   const rsaPadding = getPadding(key);
   const pssSaltLength = getSaltLength(key);
 
-  // Options specific to (EC)DSA
-  const dsaSigEnc = getDSASignatureEncoding(key);
-
   return _signOneShot(keyData, keyFormat, keyType, keyPassphrase, data,
-                      algorithm, rsaPadding, pssSaltLength, dsaSigEnc);
+                      algorithm, rsaPadding, pssSaltLength);
 }
 
 function Verify(algorithm, options) {
@@ -173,15 +151,13 @@ Verify.prototype.verify = function verify(options, signature, sigEncoding) {
 
   // Options specific to RSA
   const rsaPadding = getPadding(options);
-  const pssSaltLength = getSaltLength(options);
 
-  // Options specific to (EC)DSA
-  const dsaSigEnc = getDSASignatureEncoding(options);
+  const pssSaltLength = getSaltLength(options);
 
   signature = getArrayBufferView(signature, 'signature', sigEncoding);
 
   return this[kHandle].verify(data, format, type, passphrase, signature,
-                              rsaPadding, pssSaltLength, dsaSigEnc);
+                              rsaPadding, pssSaltLength);
 };
 
 function verifyOneShot(algorithm, data, key, signature) {
@@ -207,9 +183,6 @@ function verifyOneShot(algorithm, data, key, signature) {
   const rsaPadding = getPadding(key);
   const pssSaltLength = getSaltLength(key);
 
-  // Options specific to (EC)DSA
-  const dsaSigEnc = getDSASignatureEncoding(key);
-
   if (!isArrayBufferView(signature)) {
     throw new ERR_INVALID_ARG_TYPE(
       'signature',
@@ -219,7 +192,7 @@ function verifyOneShot(algorithm, data, key, signature) {
   }
 
   return _verifyOneShot(keyData, keyFormat, keyType, keyPassphrase, signature,
-                        data, algorithm, rsaPadding, pssSaltLength, dsaSigEnc);
+                        data, algorithm, rsaPadding, pssSaltLength);
 }
 
 module.exports = {
diff --git a/src/env.h b/src/env.h
index 5731afe..e28292d 100644
--- a/src/env.h
+++ b/src/env.h
@@ -168,7 +168,6 @@ constexpr size_t kFsStatsBufferLength =
   V(no_message_symbol, "no_message_symbol")                                    \
   V(oninit_symbol, "oninit")                                                   \
   V(owner_symbol, "owner_symbol")                                              \
-  V(onpskexchange_symbol, "onpskexchange")                                     \
   V(resource_symbol, "resource_symbol")                                        \
   V(trigger_async_id_symbol, "trigger_async_id_symbol")                        \
 
@@ -330,7 +329,6 @@ constexpr size_t kFsStatsBufferLength =
   V(priority_string, "priority")                                               \
   V(process_string, "process")                                                 \
   V(promise_string, "promise")                                                 \
-  V(psk_string, "psk")                                                         \
   V(pubkey_string, "pubkey")                                                   \
   V(query_string, "query")                                                     \
   V(raw_string, "raw")                                                         \
@@ -358,7 +356,6 @@ constexpr size_t kFsStatsBufferLength =
   V(sni_context_string, "sni_context")                                         \
   V(source_string, "source")                                                   \
   V(stack_string, "stack")                                                     \
-  V(standard_name_string, "standardName")                                      \
   V(start_time_string, "startTime")                                            \
   V(status_string, "status")                                                   \
   V(stdio_string, "stdio")                                                     \
diff --git a/src/node_crypto.cc b/src/node_crypto.cc
index 34fb29d..8d09305 100644
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -686,7 +686,6 @@ void SecureContext::Initialize(Environment* env, Local<Object> target) {
   env->SetProtoMethod(t, "addRootCerts", AddRootCerts);
   env->SetProtoMethod(t, "setCipherSuites", SetCipherSuites);
   env->SetProtoMethod(t, "setCiphers", SetCiphers);
-  env->SetProtoMethod(t, "setSigalgs", SetSigalgs);
   env->SetProtoMethod(t, "setECDHCurve", SetECDHCurve);
   env->SetProtoMethod(t, "setDHParam", SetDHParam);
   env->SetProtoMethod(t, "setMaxProto", SetMaxProto);
@@ -983,23 +982,6 @@ void SecureContext::SetKey(const FunctionCallbackInfo<Value>& args) {
   }
 }
 
-void SecureContext::SetSigalgs(const FunctionCallbackInfo<Value>& args) {
-  SecureContext* sc;
-  ASSIGN_OR_RETURN_UNWRAP(&sc, args.Holder());
-  Environment* env = sc->env();
-  ClearErrorOnReturn clear_error_on_return;
-
-  CHECK_EQ(args.Length(), 1);
-  CHECK(args[0]->IsString());
-
-  const node::Utf8Value sigalgs(env->isolate(), args[0]);
-
-  int rv = SSL_CTX_set1_sigalgs_list(sc->ctx_.get(), *sigalgs);
-
-  if (rv == 0) {
-    return ThrowCryptoError(env, ERR_get_error());
-  }
-}
 
 #ifndef OPENSSL_NO_ENGINE
 // Helpers for the smart pointer.
@@ -2005,7 +1987,9 @@ void SSLWrap<Base>::AddMethods(Environment* env, Local<FunctionTemplate> t) {
   env->SetProtoMethodNoSideEffect(t, "isSessionReused", IsSessionReused);
   env->SetProtoMethodNoSideEffect(t, "verifyError", VerifyError);
   env->SetProtoMethodNoSideEffect(t, "getCipher", GetCipher);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
   env->SetProtoMethodNoSideEffect(t, "getSharedSigalgs", GetSharedSigalgs);
+#endif
   env->SetProtoMethodNoSideEffect(
       t, "exportKeyingMaterial", ExportKeyingMaterial);
   env->SetProtoMethod(t, "endParser", EndParser);
@@ -2447,6 +2431,7 @@ void SSLWrap<Base>::GetCipher(const FunctionCallbackInfo<Value>& args) {
 }
 
 
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
 template <class Base>
 void SSLWrap<Base>::GetSharedSigalgs(const FunctionCallbackInfo<Value>& args) {
   Base* w;
@@ -2526,6 +2511,7 @@ void SSLWrap<Base>::GetSharedSigalgs(const FunctionCallbackInfo<Value>& args) {
   args.GetReturnValue().Set(
                  Array::New(env->isolate(), ret_arr.out(), ret_arr.length()));
 }
+#endif // OPENSSL_VERSION_NUMBER >= 0x10100000L
 
 template <class Base>
 void SSLWrap<Base>::ExportKeyingMaterial(
@@ -4735,9 +4721,6 @@ void CheckThrow(Environment* env, SignBase::Error error) {
     case SignBase::Error::kSignNotInitialised:
       return env->ThrowError("Not initialised");
 
-    case SignBase::Error::kSignMalformedSignature:
-      return env->ThrowError("Malformed signature");
-
     case SignBase::Error::kSignInit:
     case SignBase::Error::kSignUpdate:
     case SignBase::Error::kSignPrivateKey:
@@ -4852,85 +4835,6 @@ static int GetDefaultSignPadding([[maybe_unused]] const ManagedEVPPKey& key) {
 #endif // OPENSSL_VERSION_NUMBER < 0x10100000L
 }
 
-static const unsigned int kNoDsaSignature = static_cast<unsigned int>(-1);
-
-// Returns the maximum size of each of the integers (r, s) of the DSA signature.
-static unsigned int GetBytesOfRS(const ManagedEVPPKey& pkey) {
-  int bits, base_id = EVP_PKEY_base_id(pkey.get());
-
-  if (base_id == EVP_PKEY_DSA) {
-    DSA* dsa_key = EVP_PKEY_get0_DSA(pkey.get());
-    // Both r and s are computed mod q, so their width is limited by that of q.
-    bits = BN_num_bits(DSA_get0_q(dsa_key));
-  } else if (base_id == EVP_PKEY_EC) {
-    EC_KEY* ec_key = EVP_PKEY_get0_EC_KEY(pkey.get());
-    const EC_GROUP* ec_group = EC_KEY_get0_group(ec_key);
-    bits = EC_GROUP_order_bits(ec_group);
-  } else {
-    return kNoDsaSignature;
-  }
-
-  return (bits + 7) / 8;
-}
-
-static AllocatedBuffer ConvertSignatureToP1363(Environment* env,
-                                               const ManagedEVPPKey& pkey,
-                                               AllocatedBuffer&& signature) {
-  unsigned int n = GetBytesOfRS(pkey);
-  if (n == kNoDsaSignature)
-    return std::move(signature);
-
-  const unsigned char* sig_data =
-      reinterpret_cast<unsigned char*>(signature.data());
-
-  ECDSASigPointer asn1_sig(d2i_ECDSA_SIG(nullptr, &sig_data, signature.size()));
-  if (!asn1_sig)
-    return AllocatedBuffer();
-
-  AllocatedBuffer buf = env->AllocateManaged(2 * n);
-  unsigned char* data = reinterpret_cast<unsigned char*>(buf.data());
-
-  const BIGNUM* r = ECDSA_SIG_get0_r(asn1_sig.get());
-  const BIGNUM* s = ECDSA_SIG_get0_s(asn1_sig.get());
-  CHECK_EQ(n, static_cast<unsigned int>(BN_bn2binpad(r, data, n)));
-  CHECK_EQ(n, static_cast<unsigned int>(BN_bn2binpad(s, data + n, n)));
-
-  return buf;
-}
-
-static ByteSource ConvertSignatureToDER(
-      const ManagedEVPPKey& pkey,
-      const ArrayBufferViewContents<char>& signature) {
-  unsigned int n = GetBytesOfRS(pkey);
-  if (n == kNoDsaSignature)
-    return ByteSource::Foreign(signature.data(), signature.length());
-
-  const unsigned char* sig_data =
-      reinterpret_cast<const  unsigned char*>(signature.data());
-
-  if (signature.length() != 2 * n)
-    return ByteSource();
-
-  ECDSASigPointer asn1_sig(ECDSA_SIG_new());
-  CHECK(asn1_sig);
-  BIGNUM* r = BN_new();
-  CHECK_NOT_NULL(r);
-  BIGNUM* s = BN_new();
-  CHECK_NOT_NULL(s);
-  CHECK_EQ(r, BN_bin2bn(sig_data, n, r));
-  CHECK_EQ(s, BN_bin2bn(sig_data + n, n, s));
-  CHECK_EQ(1, ECDSA_SIG_set0(asn1_sig.get(), r, s));
-
-  unsigned char* data = nullptr;
-  int len = i2d_ECDSA_SIG(asn1_sig.get(), &data);
-
-  if (len <= 0)
-    return ByteSource();
-
-  CHECK_NOT_NULL(data);
-
-  return ByteSource::Allocated(reinterpret_cast<char*>(data), len);
-}
 
 static AllocatedBuffer Node_SignFinal(Environment* env,
                                       EVPMDPointer&& mdctx,
@@ -4991,8 +4895,7 @@ static inline bool ValidateDSAParameters(EVP_PKEY* key) {
 Sign::SignResult Sign::SignFinal(
     const ManagedEVPPKey& pkey,
     int padding,
-    const Maybe<int>& salt_len,
-    DSASigEnc dsa_sig_enc) {
+    const Maybe<int>& salt_len) {
   if (!mdctx_)
     return SignResult(kSignNotInitialised);
 
@@ -5004,10 +4907,6 @@ Sign::SignResult Sign::SignFinal(
   AllocatedBuffer buffer =
       Node_SignFinal(env(), std::move(mdctx), pkey, padding, salt_len);
   Error error = buffer.data() == nullptr ? kSignPrivateKey : kSignOk;
-  if (error == kSignOk && dsa_sig_enc == kSigEncP1363) {
-    buffer = ConvertSignatureToP1363(env(), pkey, std::move(buffer));
-    CHECK_NOT_NULL(buffer.data());
-  }
   return SignResult(error, std::move(buffer));
 }
 
@@ -5035,15 +4934,10 @@ void Sign::SignFinal(const FunctionCallbackInfo<Value>& args) {
     salt_len = Just<int>(args[offset + 1].As<Int32>()->Value());
   }
 
-  CHECK(args[offset + 2]->IsInt32());
-  DSASigEnc dsa_sig_enc =
-      static_cast<DSASigEnc>(args[offset + 2].As<Int32>()->Value());
-
   SignResult ret = sign->SignFinal(
       key,
       padding,
-      salt_len,
-      dsa_sig_enc);
+      salt_len);
 
   if (ret.error != kSignOk)
     return sign->CheckThrow(ret.error);
@@ -5087,10 +4981,6 @@ void SignOneShot(const FunctionCallbackInfo<Value>& args) {
     rsa_salt_len = Just<int>(args[offset + 3].As<Int32>()->Value());
   }
 
-  CHECK(args[offset + 4]->IsInt32());
-  DSASigEnc dsa_sig_enc =
-      static_cast<DSASigEnc>(args[offset + 4].As<Int32>()->Value());
-
   EVP_PKEY_CTX* pkctx = nullptr;
   EVPMDPointer mdctx(EVP_MD_CTX_new());
   if (!mdctx ||
@@ -5118,10 +5008,6 @@ void SignOneShot(const FunctionCallbackInfo<Value>& args) {
 
   signature.Resize(sig_len);
 
-  if (dsa_sig_enc == kSigEncP1363) {
-    signature = ConvertSignatureToP1363(env, key, std::move(signature));
-  }
-
   args.GetReturnValue().Set(signature.ToBuffer().ToLocalChecked());
 }
 
@@ -5229,6 +5115,7 @@ void Verify::VerifyFinal(const FunctionCallbackInfo<Value>& args) {
     salt_len = Just<int>(args[offset + 2].As<Int32>()->Value());
   }
 
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
   CHECK(args[offset + 3]->IsInt32());
   DSASigEnc dsa_sig_enc =
       static_cast<DSASigEnc>(args[offset + 3].As<Int32>()->Value());
@@ -5286,10 +5173,6 @@ void VerifyOneShot(const FunctionCallbackInfo<Value>& args) {
     rsa_salt_len = Just<int>(args[offset + 4].As<Int32>()->Value());
   }
 
-  CHECK(args[offset + 5]->IsInt32());
-  DSASigEnc dsa_sig_enc =
-      static_cast<DSASigEnc>(args[offset + 5].As<Int32>()->Value());
-
   EVP_PKEY_CTX* pkctx = nullptr;
   EVPMDPointer mdctx(EVP_MD_CTX_new());
   if (!mdctx ||
@@ -5300,18 +5183,11 @@ void VerifyOneShot(const FunctionCallbackInfo<Value>& args) {
   if (!ApplyRSAOptions(key, pkctx, rsa_padding, rsa_salt_len))
     return CheckThrow(env, SignBase::Error::kSignPublicKey);
 
-  ByteSource sig_bytes = ByteSource::Foreign(sig.data(), sig.length());
-  if (dsa_sig_enc == kSigEncP1363) {
-    sig_bytes = ConvertSignatureToDER(key, sig);
-    if (!sig_bytes)
-      return CheckThrow(env, SignBase::Error::kSignMalformedSignature);
-  }
-
   bool verify_result;
   const int r = EVP_DigestVerify(
     mdctx.get(),
-    reinterpret_cast<const unsigned char*>(sig_bytes.get()),
-    sig_bytes.size(),
+    reinterpret_cast<const unsigned char*>(sig.data()),
+    sig.length(),
     reinterpret_cast<const unsigned char*>(data.data()),
     data.length());
   switch (r) {
@@ -5335,8 +5211,6 @@ bool PublicKeyCipher::Cipher(Environment* env,
                              const ManagedEVPPKey& pkey,
                              int padding,
                              const EVP_MD* digest,
-                             const void* oaep_label,
-                             size_t oaep_label_len,
                              const unsigned char* data,
                              int len,
                              AllocatedBuffer* out) {
@@ -5353,17 +5227,6 @@ bool PublicKeyCipher::Cipher(Environment* env,
       return false;
   }
 
-  if (oaep_label_len != 0) {
-    // OpenSSL takes ownership of the label, so we need to create a copy.
-    void* label = OPENSSL_memdup(oaep_label, oaep_label_len);
-    CHECK_NOT_NULL(label);
-    if (0 >= EVP_PKEY_CTX_set0_rsa_oaep_label(ctx.get(),
-                reinterpret_cast<unsigned char*>(label),
-                                      oaep_label_len)) {
-      OPENSSL_free(label);
-      return false;
-    }
-  }
 
   size_t out_len = 0;
   if (EVP_PKEY_cipher(ctx.get(), nullptr, &out_len, data, len) <= 0)
@@ -5411,11 +5274,13 @@ void PublicKeyCipher::Cipher(const FunctionCallbackInfo<Value>& args) {
       return THROW_ERR_OSSL_EVP_INVALID_DIGEST(env);
   }
 
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
   ArrayBufferViewContents<unsigned char> oaep_label;
   if (!args[offset + 3]->IsUndefined()) {
     CHECK(args[offset + 3]->IsArrayBufferView());
     oaep_label.Read(args[offset + 3].As<ArrayBufferView>());
   }
+#endif // OPENSSL_VERSION_NUMBER >= 0x10100000L
 
   AllocatedBuffer out;
 
@@ -5424,8 +5289,6 @@ void PublicKeyCipher::Cipher(const FunctionCallbackInfo<Value>& args) {
       pkey,
       padding,
       digest,
-      oaep_label.data(),
-      oaep_label.length(),
       buf.data(),
       buf.length(),
       &out);
@@ -7363,8 +7226,10 @@ void Initialize(Local<Object> target,
   NODE_DEFINE_CONSTANT(target, kKeyTypeSecret);
   NODE_DEFINE_CONSTANT(target, kKeyTypePublic);
   NODE_DEFINE_CONSTANT(target, kKeyTypePrivate);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
   NODE_DEFINE_CONSTANT(target, kSigEncDER);
   NODE_DEFINE_CONSTANT(target, kSigEncP1363);
+#endif // OPENSSL_VERSION_NUMBER >= 0x10100000L
   env->SetMethodNoSideEffect(target, "statelessDH", StatelessDiffieHellman);
   env->SetMethod(target, "randomBytes", RandomBytes);
   env->SetMethod(target, "signOneShot", SignOneShot);
diff --git a/src/node_crypto.h b/src/node_crypto.h
index f61ad3d..54abc0b 100644
--- a/src/node_crypto.h
+++ b/src/node_crypto.h
@@ -201,7 +201,6 @@ class SecureContext final : public BaseObject {
   static void AddRootCerts(const v8::FunctionCallbackInfo<v8::Value>& args);
   static void SetCipherSuites(const v8::FunctionCallbackInfo<v8::Value>& args);
   static void SetCiphers(const v8::FunctionCallbackInfo<v8::Value>& args);
-  static void SetSigalgs(const v8::FunctionCallbackInfo<v8::Value>& args);
   static void SetECDHCurve(const v8::FunctionCallbackInfo<v8::Value>& args);
   static void SetDHParam(const v8::FunctionCallbackInfo<v8::Value>& args);
   static void SetOptions(const v8::FunctionCallbackInfo<v8::Value>& args);
@@ -324,7 +323,9 @@ class SSLWrap {
   static void IsSessionReused(const v8::FunctionCallbackInfo<v8::Value>& args);
   static void VerifyError(const v8::FunctionCallbackInfo<v8::Value>& args);
   static void GetCipher(const v8::FunctionCallbackInfo<v8::Value>& args);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
   static void GetSharedSigalgs(const v8::FunctionCallbackInfo<v8::Value>& args);
+#endif
   static void ExportKeyingMaterial(
       const v8::FunctionCallbackInfo<v8::Value>& args);
   static void EndParser(const v8::FunctionCallbackInfo<v8::Value>& args);
@@ -396,13 +397,6 @@ class ByteSource {
   const char* get() const;
   size_t size() const;
 
-  inline operator bool() const {
-    return data_ != nullptr;
-  }
-
-  static ByteSource Allocated(char* data, size_t size);
-  static ByteSource Foreign(const char* data, size_t size);
-
   static ByteSource FromStringOrBuffer(Environment* env,
                                        v8::Local<v8::Value> value);
 
@@ -427,6 +421,7 @@ class ByteSource {
   size_t size_ = 0;
 
   ByteSource(const char* data, char* allocated_data, size_t size);
+
 public:
   static ByteSource Allocated(char* data, size_t size);
   static ByteSource Foreign(const char* data, size_t size);
@@ -675,8 +670,10 @@ class SignBase : public BaseObject {
     kSignNotInitialised,
     kSignUpdate,
     kSignPrivateKey,
-    kSignPublicKey,
-    kSignMalformedSignature
+    kSignPublicKey
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+    , kSignMalformedSignature
+#endif
   } Error;
 
   SignBase(Environment* env, v8::Local<v8::Object> wrap);
@@ -695,10 +692,6 @@ class SignBase : public BaseObject {
   EVPMDPointer mdctx_;
 };
 
-enum DSASigEnc {
-  kSigEncDER, kSigEncP1363
-};
-
 class Sign : public SignBase {
  public:
   static void Initialize(Environment* env, v8::Local<v8::Object> target);
@@ -716,8 +709,7 @@ class Sign : public SignBase {
   SignResult SignFinal(
       const ManagedEVPPKey& pkey,
       int padding,
-      const v8::Maybe<int>& saltlen,
-      DSASigEnc dsa_sig_enc);
+      const v8::Maybe<int>& saltlen);
 
  protected:
   static void New(const v8::FunctionCallbackInfo<v8::Value>& args);
@@ -766,8 +758,6 @@ class PublicKeyCipher {
                      const ManagedEVPPKey& pkey,
                      int padding,
                      const EVP_MD* digest,
-                     const void* oaep_label,
-                     size_t oaep_label_size,
                      const unsigned char* data,
                      int len,
                      AllocatedBuffer* out);
diff --git a/src/node_crypto_common.cc b/src/node_crypto_common.cc
index e33e52e..a1b8a20 100644
--- a/src/node_crypto_common.cc
+++ b/src/node_crypto_common.cc
@@ -216,6 +216,7 @@ long VerifyPeerCertificate(  // NOLINT(runtime/int)
   if (X509* peer_cert = SSL_get_peer_certificate(ssl.get())) {
     X509_free(peer_cert);
     err = SSL_get_verify_result(ssl.get());
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
   } else {
     const SSL_CIPHER* curr_cipher = SSL_get_current_cipher(ssl.get());
     const SSL_SESSION* sess = SSL_get_session(ssl.get());
@@ -227,6 +228,7 @@ long VerifyPeerCertificate(  // NOLINT(runtime/int)
          SSL_session_reused(ssl.get()))) {
       return X509_V_OK;
     }
+#endif // OPENSSL_VERSION_NUMBER >= 0x10100000L
   }
   return err;
 }
@@ -407,12 +409,16 @@ MaybeLocal<Value> GetCipherName(
 }
 
 MaybeLocal<Value> GetCipherStandardName(
-    Environment* env,
-    const SSL_CIPHER* cipher) {
+    [[maybe_unused]] Environment* env,
+    [[maybe_unused]] const SSL_CIPHER* cipher) {
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
   if (cipher == nullptr)
     return Undefined(env->isolate());
 
   return OneByteString(env->isolate(), SSL_CIPHER_standard_name(cipher));
+#else // OPENSSL_VERSION_NUMBER >= 0x10100000L
+  return Undefined(env->isolate());
+#endif // OPENSSL_VERSION_NUMBER >= 0x10100000L
 }
 
 MaybeLocal<Value> GetCipherVersion(
@@ -832,10 +838,12 @@ MaybeLocal<Object> GetCipherInfo(Environment* env, const SSLPointer& ssl) {
                   info,
                   env->name_string(),
                   GetCipherName(env, ssl)) ||
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
       !Set<Value>(env->context(),
                   info,
                   env->standard_name_string(),
                   GetCipherStandardName(env, ssl)) ||
+#endif // OPENSSL_VERSION_NUMBER >= 0x10100000L
       !Set<Value>(env->context(),
                   info,
                   env->version_string(),
diff --git a/src/node_errors.h b/src/node_errors.h
index ad8c272..0afd537 100644
--- a/src/node_errors.h
+++ b/src/node_errors.h
@@ -52,7 +52,6 @@ void OnFatalError(const char* location, const char* message);
   V(ERR_STRING_TOO_LONG, Error)                                                \
   V(ERR_TLS_INVALID_PROTOCOL_METHOD, TypeError)                                \
   V(ERR_TRANSFERRING_EXTERNALIZED_SHAREDARRAYBUFFER, TypeError)                \
-  V(ERR_TLS_PSK_SET_IDENTIY_HINT_FAILED, Error)                                \
   V(ERR_VM_MODULE_CACHED_DATA_REJECTED, Error)                                 \
   V(ERR_WASI_NOT_STARTED, Error)                                               \
   V(ERR_WORKER_INIT_FAILED, Error)                                             \
@@ -104,7 +103,6 @@ void OnFatalError(const char* location, const char* message);
     "Script execution was interrupted by `SIGINT`")                            \
   V(ERR_TRANSFERRING_EXTERNALIZED_SHAREDARRAYBUFFER,                           \
     "Cannot serialize externalized SharedArrayBuffer")                         \
-  V(ERR_TLS_PSK_SET_IDENTIY_HINT_FAILED, "Failed to set PSK identity hint")    \
   V(ERR_WASI_NOT_STARTED, "wasi.start() has not been called")                  \
   V(ERR_WORKER_INIT_FAILED, "Worker initialization failure")                   \
   V(ERR_PROTO_ACCESS,                                                          \
diff --git a/src/node_options.cc b/src/node_options.cc
index 17a7e34..821502a 100644
--- a/src/node_options.cc
+++ b/src/node_options.cc
@@ -508,10 +508,6 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() {
 
   AddOption("--napi-modules", "", NoOp{}, kAllowedInEnvironment);
 
-  AddOption("--tls-keylog",
-            "log TLS decryption keys to named file for traffic analysis",
-            &EnvironmentOptions::tls_keylog, kAllowedInEnvironment);
-
   AddOption("--tls-min-v1.0",
             "set default TLS minimum to TLSv1.0 (default: TLSv1.2)",
             &EnvironmentOptions::tls_min_v1_0,
diff --git a/src/node_options.h b/src/node_options.h
index be57770..dee7e82 100644
--- a/src/node_options.h
+++ b/src/node_options.h
@@ -165,7 +165,6 @@ class EnvironmentOptions : public Options {
   bool tls_min_v1_3 = false;
   bool tls_max_v1_2 = false;
   bool tls_max_v1_3 = false;
-  std::string tls_keylog;
 
   std::vector<std::string> preload_modules;
 
diff --git a/src/tls_wrap.cc b/src/tls_wrap.cc
index 8fda8b9..7d2e43d 100644
--- a/src/tls_wrap.cc
+++ b/src/tls_wrap.cc
@@ -28,7 +28,6 @@
 #include "node_crypto_bio.h"  // NodeBIO
 // ClientHelloParser
 #include "node_crypto_clienthello-inl.h"
-#include "node_errors.h"
 #include "stream_base-inl.h"
 #include "util-inl.h"
 
@@ -43,11 +42,8 @@ using v8::Exception;
 using v8::Function;
 using v8::FunctionCallbackInfo;
 using v8::FunctionTemplate;
-using v8::Integer;
 using v8::Isolate;
 using v8::Local;
-using v8::Maybe;
-using v8::MaybeLocal;
 using v8::Object;
 using v8::ReadOnly;
 using v8::Signature;
@@ -1104,131 +1100,6 @@ int TLSWrap::SelectSNIContextCallback(SSL* s, int* ad, void* arg) {
   return SSL_TLSEXT_ERR_OK;
 }
 
-#ifndef OPENSSL_NO_PSK
-
-void TLSWrap::SetPskIdentityHint(const FunctionCallbackInfo<Value>& args) {
-  TLSWrap* p;
-  ASSIGN_OR_RETURN_UNWRAP(&p, args.Holder());
-  CHECK_NOT_NULL(p->ssl_);
-
-  Environment* env = p->env();
-  Isolate* isolate = env->isolate();
-
-  CHECK(args[0]->IsString());
-  node::Utf8Value hint(isolate, args[0].As<String>());
-
-  if (!SSL_use_psk_identity_hint(p->ssl_.get(), *hint)) {
-    Local<Value> err = node::ERR_TLS_PSK_SET_IDENTIY_HINT_FAILED(isolate);
-    p->MakeCallback(env->onerror_string(), 1, &err);
-  }
-}
-
-void TLSWrap::EnablePskCallback(const FunctionCallbackInfo<Value>& args) {
-  TLSWrap* wrap;
-  ASSIGN_OR_RETURN_UNWRAP(&wrap, args.Holder());
-  CHECK_NOT_NULL(wrap->ssl_);
-
-  SSL_set_psk_server_callback(wrap->ssl_.get(), PskServerCallback);
-  SSL_set_psk_client_callback(wrap->ssl_.get(), PskClientCallback);
-}
-
-unsigned int TLSWrap::PskServerCallback(SSL* s,
-                                        const char* identity,
-                                        unsigned char* psk,
-                                        unsigned int max_psk_len) {
-  TLSWrap* p = static_cast<TLSWrap*>(SSL_get_app_data(s));
-
-  Environment* env = p->env();
-  Isolate* isolate = env->isolate();
-  HandleScope scope(isolate);
-
-  MaybeLocal<String> maybe_identity_str =
-      v8::String::NewFromUtf8(isolate, identity, v8::NewStringType::kNormal);
-
-  v8::Local<v8::String> identity_str;
-  if (!maybe_identity_str.ToLocal(&identity_str)) return 0;
-
-  // Make sure there are no utf8 replacement symbols.
-  v8::String::Utf8Value identity_utf8(isolate, identity_str);
-  if (strcmp(*identity_utf8, identity) != 0) return 0;
-
-  Local<Value> argv[] = {identity_str,
-                         Integer::NewFromUnsigned(isolate, max_psk_len)};
-
-  MaybeLocal<Value> maybe_psk_val =
-      p->MakeCallback(env->onpskexchange_symbol(), arraysize(argv), argv);
-  Local<Value> psk_val;
-  if (!maybe_psk_val.ToLocal(&psk_val) || !psk_val->IsArrayBufferView())
-    return 0;
-
-  char* psk_buf = Buffer::Data(psk_val);
-  size_t psk_buflen = Buffer::Length(psk_val);
-
-  if (psk_buflen > max_psk_len) return 0;
-
-  memcpy(psk, psk_buf, psk_buflen);
-  return psk_buflen;
-}
-
-unsigned int TLSWrap::PskClientCallback(SSL* s,
-                                        const char* hint,
-                                        char* identity,
-                                        unsigned int max_identity_len,
-                                        unsigned char* psk,
-                                        unsigned int max_psk_len) {
-  TLSWrap* p = static_cast<TLSWrap*>(SSL_get_app_data(s));
-
-  Environment* env = p->env();
-  Isolate* isolate = env->isolate();
-  HandleScope scope(isolate);
-
-  Local<Value> argv[] = {Null(isolate),
-                         Integer::NewFromUnsigned(isolate, max_psk_len),
-                         Integer::NewFromUnsigned(isolate, max_identity_len)};
-  if (hint != nullptr) {
-    MaybeLocal<String> maybe_hint = String::NewFromUtf8(isolate, hint);
-
-    Local<String> local_hint;
-    if (!maybe_hint.ToLocal(&local_hint)) return 0;
-
-    argv[0] = local_hint;
-  }
-  MaybeLocal<Value> maybe_ret =
-      p->MakeCallback(env->onpskexchange_symbol(), arraysize(argv), argv);
-  Local<Value> ret;
-  if (!maybe_ret.ToLocal(&ret) || !ret->IsObject()) return 0;
-  Local<Object> obj = ret.As<Object>();
-
-  MaybeLocal<Value> maybe_psk_val = obj->Get(env->context(), env->psk_string());
-
-  Local<Value> psk_val;
-  if (!maybe_psk_val.ToLocal(&psk_val) || !psk_val->IsArrayBufferView())
-    return 0;
-
-  char* psk_buf = Buffer::Data(psk_val);
-  size_t psk_buflen = Buffer::Length(psk_val);
-
-  if (psk_buflen > max_psk_len) return 0;
-
-  MaybeLocal<Value> maybe_identity_val =
-      obj->Get(env->context(), env->identity_string());
-  Local<Value> identity_val;
-  if (!maybe_identity_val.ToLocal(&identity_val) || !identity_val->IsString())
-    return 0;
-  Local<String> identity_str = identity_val.As<String>();
-
-  String::Utf8Value identity_buf(isolate, identity_str);
-  size_t identity_len = identity_buf.length();
-
-  if (identity_len > max_identity_len) return 0;
-
-  memcpy(identity, *identity_buf, identity_len);
-  memcpy(psk, psk_buf, psk_buflen);
-
-  return psk_buflen;
-}
-
-#endif
 
 void TLSWrap::GetWriteQueueSize(const FunctionCallbackInfo<Value>& info) {
   TLSWrap* wrap;
@@ -1294,11 +1165,6 @@ void TLSWrap::Initialize(Local<Object> target,
   env->SetProtoMethod(t, "destroySSL", DestroySSL);
   env->SetProtoMethod(t, "enableCertCb", EnableCertCb);
 
-#ifndef OPENSSL_NO_PSK
-  env->SetProtoMethod(t, "setPskIdentityHint", SetPskIdentityHint);
-  env->SetProtoMethod(t, "enablePskCallback", EnablePskCallback);
-#endif
-
   StreamBase::AddMethods(env, t);
   SSLWrap<TLSWrap>::AddMethods(env, t);
 
diff --git a/src/tls_wrap.h b/src/tls_wrap.h
index 7bb33b4..14b7327 100644
--- a/src/tls_wrap.h
+++ b/src/tls_wrap.h
@@ -169,23 +169,6 @@ class TLSWrap : public AsyncWrap,
   static void SetServername(const v8::FunctionCallbackInfo<v8::Value>& args);
   static int SelectSNIContextCallback(SSL* s, int* ad, void* arg);
 
-#ifndef OPENSSL_NO_PSK
-  static void SetPskIdentityHint(
-      const v8::FunctionCallbackInfo<v8::Value>& args);
-  static void EnablePskCallback(
-      const v8::FunctionCallbackInfo<v8::Value>& args);
-  static unsigned int PskServerCallback(SSL* s,
-                                        const char* identity,
-                                        unsigned char* psk,
-                                        unsigned int max_psk_len);
-  static unsigned int PskClientCallback(SSL* s,
-                                        const char* hint,
-                                        char* identity,
-                                        unsigned int max_identity_len,
-                                        unsigned char* psk,
-                                        unsigned int max_psk_len);
-#endif
-
   crypto::SecureContext* sc_;
   // BIO buffers hold encrypted data.
   BIO* enc_in_ = nullptr;   // StreamListener fills this for SSL_read().
diff --git a/test/fixtures/rsa-oaep-test-vectors.js b/test/fixtures/rsa-oaep-test-vectors.js
deleted file mode 100644
index 47e681f..0000000
--- a/test/fixtures/rsa-oaep-test-vectors.js
+++ /dev/null
@@ -1,30 +0,0 @@
-{
-  "comment": "RSA-OAEP test vectors for test-crypto-rsa-dsa.js",
-  "decryptionTests": [
-    {
-      "ct": "16ece59cf985a8cf1a3434e4b9707c922c20638fdf9abf7e5dc7943f4136899348c54116d15b2c17563b9c7143f9d5b85b45615ad0598ea6d21c900f3957b65400612306a9bebae441f005646f7a7c97129a103ab54e777168ef966514adb17786b968ea0ff430a524904c4a11c683764b7c8dbb60df0952768381cdba4d665e5006034393a10d56d33e75b2714db824a18da46441ef7f94a34a7058c0bbad0394083a038558bcc6dd370f8e518e1bd8d73b296fc51d77da44799e4ee774926ded7910e8768f92db76f63107338d33354b735d3ad094240dbd7ffdfda27ef0255306dcf4a6462849492abd1a97fdd37743ff87c4d2ec89866c5cdbb696bd2b30"
-    },
-    {
-      "ct": "16ece59cf985a8cf1a3434e4b9707c922c20638fdf9abf7e5dc7943f4136899348c54116d15b2c17563b9c7143f9d5b85b45615ad0598ea6d21c900f3957b65400612306a9bebae441f005646f7a7c97129a103ab54e777168ef966514adb17786b968ea0ff430a524904c4a11c683764b7c8dbb60df0952768381cdba4d665e5006034393a10d56d33e75b2714db824a18da46441ef7f94a34a7058c0bbad0394083a038558bcc6dd370f8e518e1bd8d73b296fc51d77da44799e4ee774926ded7910e8768f92db76f63107338d33354b735d3ad094240dbd7ffdfda27ef0255306dcf4a6462849492abd1a97fdd37743ff87c4d2ec89866c5cdbb696bd2b30",
-      "oaepHash": "sha1"
-    },
-    {
-      "ct": "16ccf09afe5eb0130182b9fc1ca4af61a38e772047cac42146bfa0fa5879aa9639203e4d01442d212ff95bddfbe4661222215a2e91908c37ab926edea7cfc53f83357bc27f86af0f5f2818ae141f4e9e934d4e66189aff30f062c9c3f6eb9bc495a59082cb978f99b56ce5fa530a8469e46129258e5c42897cb194b6805e936e5cbbeaa535bad6b1d3cdfc92119b7dd325a2e6d2979e316bdacc9f80e29c7bbdf6846d738e380deadcb48df8c1e8aabf7a9dd2f8c71d6681dbec7dcadc01887c51288674268796bc77fdf8f1c94c9ca50b1cc7cddbaf4e56cb151d23e2c699d2844c0104ee2e7e9dcdb907cfab43339120a40c59ca54f32b8d21b48a29656c77",
-      "oaepHash": "sha256"
-    },
-    {
-      "ct": "831b72e8dd91841729ecbddf2647d6f19dc0094734f8803d8c651b5655a12ae6156b74d9b594bcc0eacd002728380b94f46e8657f130f354e03b6e7815ee257eda78dba296d67d24410c31c48e5875cc79e4bde594b412be5f357f57a7ac1f1d18b718e408df162d1795508e6a0616192b647ad942ea068a44fb2b323d35a3a61b926feb105d6c0b2a8fc8050222d1cf4a9e44da1f95bbc677fd643749c6c89ac551d072f04cd9320c97a8d94755c8a804954c082bed7fa59199a00aca154c14a7b584b63c538daf9b9c7c90abfca19387d2131f9d9b9ecfc8672249c33144d1be3bfc41558a13f994663661a3af24fd0a97619d508db36f5fc131af86fc68cf",
-      "oaepHash": "sha512"
-    },
-    {
-      "ct": "04a25a3dbe0a44b10b7dde19632ce0963e7a7e9876905cd4a4f68ba8e0bda593a738847235df4494f9c28927b165511d22006ef6fae0eb7fe01883e4ae495643328d21e13dad65e71e45f885c7e1e2fe77c39fa84b8bbd2d7d3ed72fea2bf3c87a5c864bdc41b45caa3d668ca3f35297f43dc97950fa959ee88031c8385da7628d03923dfd26a7e0568c95a2f38ec5760335b00fa30935abdd9ab5b3581fc319ff787c59930319707caa24fe9e5d0ce6c48eff4ee6e124fd6c595353acc29a194863dbf7b74d08edf7129ca52eb5f4ccf3888311e97602fcd37b476c41749b260efad4e0760064082f7c9ea0f8704134936b2e38fd0f82886486b5f7e5fb9696",
-      "oaepHash": "sha384",
-      "oaepLabel": "01020304"
-    },
-    {
-      "ct": "678f9ff724e0f48b48e6ff3cbdac5eb995d263da1c23f948d8d09411131f69f40da07f0c650e1aedc82fbaf0972a5d3b3e8f1f82cc4fa1780abfebb4e06b6827a52bf768b12388817c1e3ee1324342e05135733a4056a6cc02f5211172c338eb96e5e33c1d6f53560e3f3aab2419c13a600c4e67648088ffe8aac2cea8bce78e2ab899741cf7c9a9d5246cde6ce97aae0157f42db68eea380dec6dcd842c1e6900ae21d5275c4bf21810b5e1b0e1bc0441cbce34e00a31b9e857f6f2c791257d45997c278ea928f42e8cb6476f633f5de102fa0c4af964a9c4f4336869509e933ebc0aa94ad16b0b1db2aaa924f409a5f9f29dfbd88849c5eaa4818e1c3e335e",
-      "oaepHash": "sha1",
-      "oaepLabel": "00112233445566778899"
-    }
-  ]
-}
diff --git a/test/parallel/test-tls-enable-keylog-cli.js b/test/known_issues/test-tls-enable-keylog-cli.js
similarity index 100%
rename from test/parallel/test-tls-enable-keylog-cli.js
rename to test/known_issues/test-tls-enable-keylog-cli.js
diff --git a/test/parallel/test-crypto-rsa-dsa.js b/test/parallel/test-crypto-rsa-dsa.js
index 9b8c3f6..247da16 100644
--- a/test/parallel/test-crypto-rsa-dsa.js
+++ b/test/parallel/test-crypto-rsa-dsa.js
@@ -202,21 +202,59 @@ assert.throws(() => {
 // The following RSA-OAEP test cases were created using the WebCrypto API to
 // ensure compatibility when using non-SHA1 hash functions.
 {
-  const { decryptionTests } =
-      JSON.parse(fixtures.readSync('rsa-oaep-test-vectors.js', 'utf8'));
-
-  for (const { ct, oaepHash, oaepLabel } of decryptionTests) {
+  function testDecrypt(oaepHash, ciphertext) {
     const decrypted = crypto.privateDecrypt({
       key: rsaPkcs8KeyPem,
-      oaepHash,
-      oaepLabel: oaepLabel ? Buffer.from(oaepLabel, 'hex') : undefined
-    }, Buffer.from(ct, 'hex'));
+      oaepHash
+    }, Buffer.from(ciphertext, 'hex'));
 
     assert.strictEqual(decrypted.toString('utf8'), 'Hello Node.js');
   }
+
+  testDecrypt(undefined, '16ece59cf985a8cf1a3434e4b9707c922c20638fdf9abf7e5dc' +
+                         '7943f4136899348c54116d15b2c17563b9c7143f9d5b85b4561' +
+                         '5ad0598ea6d21c900f3957b65400612306a9bebae441f005646' +
+                         'f7a7c97129a103ab54e777168ef966514adb17786b968ea0ff4' +
+                         '30a524904c4a11c683764b7c8dbb60df0952768381cdba4d665' +
+                         'e5006034393a10d56d33e75b2714db824a18da46441ef7f94a3' +
+                         '4a7058c0bbad0394083a038558bcc6dd370f8e518e1bd8d73b2' +
+                         '96fc51d77da44799e4ee774926ded7910e8768f92db76f63107' +
+                         '338d33354b735d3ad094240dbd7ffdfda27ef0255306dcf4a64' +
+                         '62849492abd1a97fdd37743ff87c4d2ec89866c5cdbb696bd2b' +
+                         '30');
+  testDecrypt('sha1', '16ece59cf985a8cf1a3434e4b9707c922c20638fdf9abf7e5dc794' +
+                      '3f4136899348c54116d15b2c17563b9c7143f9d5b85b45615ad059' +
+                      '8ea6d21c900f3957b65400612306a9bebae441f005646f7a7c9712' +
+                      '9a103ab54e777168ef966514adb17786b968ea0ff430a524904c4a' +
+                      '11c683764b7c8dbb60df0952768381cdba4d665e5006034393a10d' +
+                      '56d33e75b2714db824a18da46441ef7f94a34a7058c0bbad039408' +
+                      '3a038558bcc6dd370f8e518e1bd8d73b296fc51d77da44799e4ee7' +
+                      '74926ded7910e8768f92db76f63107338d33354b735d3ad094240d' +
+                      'bd7ffdfda27ef0255306dcf4a6462849492abd1a97fdd37743ff87' +
+                      'c4d2ec89866c5cdbb696bd2b30');
+  testDecrypt('sha256', '16ccf09afe5eb0130182b9fc1ca4af61a38e772047cac42146bf' +
+                        'a0fa5879aa9639203e4d01442d212ff95bddfbe4661222215a2e' +
+                        '91908c37ab926edea7cfc53f83357bc27f86af0f5f2818ae141f' +
+                        '4e9e934d4e66189aff30f062c9c3f6eb9bc495a59082cb978f99' +
+                        'b56ce5fa530a8469e46129258e5c42897cb194b6805e936e5cbb' +
+                        'eaa535bad6b1d3cdfc92119b7dd325a2e6d2979e316bdacc9f80' +
+                        'e29c7bbdf6846d738e380deadcb48df8c1e8aabf7a9dd2f8c71d' +
+                        '6681dbec7dcadc01887c51288674268796bc77fdf8f1c94c9ca5' +
+                        '0b1cc7cddbaf4e56cb151d23e2c699d2844c0104ee2e7e9dcdb9' +
+                        '07cfab43339120a40c59ca54f32b8d21b48a29656c77');
+  testDecrypt('sha512', '831b72e8dd91841729ecbddf2647d6f19dc0094734f8803d8c65' +
+                        '1b5655a12ae6156b74d9b594bcc0eacd002728380b94f46e8657' +
+                        'f130f354e03b6e7815ee257eda78dba296d67d24410c31c48e58' +
+                        '75cc79e4bde594b412be5f357f57a7ac1f1d18b718e408df162d' +
+                        '1795508e6a0616192b647ad942ea068a44fb2b323d35a3a61b92' +
+                        '6feb105d6c0b2a8fc8050222d1cf4a9e44da1f95bbc677fd6437' +
+                        '49c6c89ac551d072f04cd9320c97a8d94755c8a804954c082bed' +
+                        '7fa59199a00aca154c14a7b584b63c538daf9b9c7c90abfca193' +
+                        '87d2131f9d9b9ecfc8672249c33144d1be3bfc41558a13f99466' +
+                        '3661a3af24fd0a97619d508db36f5fc131af86fc68cf');
 }
 
-// Test invalid oaepHash and oaepLabel options.
+// Test invalid oaepHash options.
 for (const fn of [crypto.publicEncrypt, crypto.privateDecrypt]) {
   assert.throws(() => {
     fn({
@@ -237,17 +275,6 @@ for (const fn of [crypto.publicEncrypt, crypto.privateDecrypt]) {
       code: 'ERR_INVALID_ARG_TYPE'
     });
   }
-
-  for (const oaepLabel of [0, false, null, Symbol(), () => {}, {}, 'foo']) {
-    assert.throws(() => {
-      fn({
-        key: rsaPubPem,
-        oaepLabel
-      }, Buffer.alloc(10));
-    }, {
-      code: 'ERR_INVALID_ARG_TYPE'
-    });
-  }
 }
 
 // Test RSA key signing/verification
diff --git a/test/parallel/test-crypto-sign-verify.js b/test/parallel/test-crypto-sign-verify.js
index b70bfcc..d5eac77 100644
--- a/test/parallel/test-crypto-sign-verify.js
+++ b/test/parallel/test-crypto-sign-verify.js
@@ -501,45 +501,44 @@ assert.throws(
 });
 
 {
+  const privKey = fixtures.readKey('ec-key.pem');
+  const length = 64;
   const data = Buffer.from('Hello world');
   const keys = [['ec-key.pem', 64], ['dsa_private_1025.pem', 40]];
 
-  for (const [file, length] of keys) {
-    const privKey = fixtures.readKey(file);
-    [
-      crypto.createSign('sha1').update(data).sign(privKey),
-      crypto.sign('sha1', data, privKey),
-      crypto.sign('sha1', data, { key: privKey, dsaEncoding: 'der' })
-    ].forEach((sig) => {
-      // Signature length variability due to DER encoding
-      assert(sig.length >= length + 4 && sig.length <= length + 8);
-
-      assert.strictEqual(
-        crypto.createVerify('sha1').update(data).verify(privKey, sig),
-        true
-      );
-      assert.strictEqual(crypto.verify('sha1', data, privKey, sig), true);
-    });
+  [
+    crypto.createSign('sha1').update(data).sign(privKey),
+    crypto.sign('sha1', data, privKey),
+    crypto.sign('sha1', data, { key: privKey, dsaEncoding: 'der' })
+  ].forEach((sig) => {
+    // Signature length variability due to DER encoding
+    assert(sig.length >= length + 4 && sig.length <= length + 8);
 
-    // Test (EC)DSA signature conversion.
-    const opts = { key: privKey, dsaEncoding: 'ieee-p1363' };
-    let sig = crypto.sign('sha1', data, opts);
-    // Unlike DER signatures, IEEE P1363 signatures have a predictable length.
-    assert.strictEqual(sig.length, length);
-    assert.strictEqual(crypto.verify('sha1', data, opts, sig), true);
-    assert.strictEqual(crypto.createVerify('sha1')
-                             .update(data)
-                             .verify(opts, sig), true);
+    assert.strictEqual(
+      crypto.createVerify('sha1').update(data).verify(privKey, sig),
+      true
+    );
+    assert.strictEqual(crypto.verify('sha1', data, privKey, sig), true);
+  });
 
-    // Test invalid signature lengths.
-    for (const i of [-2, -1, 1, 2, 4, 8]) {
-      sig = crypto.randomBytes(length + i);
-      assert.throws(() => {
-        crypto.verify('sha1', data, opts, sig);
-      }, {
-        message: 'Malformed signature'
-      });
-    }
+  // Test (EC)DSA signature conversion.
+  const opts = { key: privKey, dsaEncoding: 'ieee-p1363' };
+  let sig = crypto.sign('sha1', data, opts);
+  // Unlike DER signatures, IEEE P1363 signatures have a predictable length.
+  assert.strictEqual(sig.length, length);
+  assert.strictEqual(crypto.verify('sha1', data, opts, sig), true);
+  assert.strictEqual(crypto.createVerify('sha1')
+    .update(data)
+    .verify(opts, sig), true);
+
+  // Test invalid signature lengths.
+  for (const i of [-2, -1, 1, 2, 4, 8]) {
+    sig = crypto.randomBytes(length + i);
+    assert.throws(() => {
+      crypto.verify('sha1', data, opts, sig);
+    }, {
+      message: 'Malformed signature'
+    });
   }
 
   // Test verifying externally signed messages.
diff --git a/test/parallel/test-https-agent-keylog.js b/test/parallel/test-https-agent-keylog.js
deleted file mode 100644
index 2fc13cb..0000000
--- a/test/parallel/test-https-agent-keylog.js
+++ /dev/null
@@ -1,44 +0,0 @@
-'use strict';
-
-const common = require('../common');
-if (!common.hasCrypto)
-  common.skip('missing crypto');
-
-const assert = require('assert');
-const https = require('https');
-const fixtures = require('../common/fixtures');
-
-const server = https.createServer({
-  key: fixtures.readKey('agent2-key.pem'),
-  cert: fixtures.readKey('agent2-cert.pem'),
-  // Amount of keylog events depends on negotiated protocol
-  // version, so force a specific one:
-  minVersion: 'TLSv1.3',
-  maxVersion: 'TLSv1.3',
-}, (req, res) => {
-  res.end('bye');
-}).listen(() => {
-  https.get({
-    port: server.address().port,
-    rejectUnauthorized: false,
-  }, (res) => {
-    res.resume();
-    res.on('end', () => {
-      // Trigger TLS connection reuse
-      https.get({
-        port: server.address().port,
-        rejectUnauthorized: false,
-      }, (res) => {
-        server.close();
-        res.resume();
-      });
-    });
-  });
-});
-
-const verifyKeylog = (line, tlsSocket) => {
-  assert(Buffer.isBuffer(line));
-  assert.strictEqual(tlsSocket.encrypted, true);
-};
-server.on('keylog', common.mustCall(verifyKeylog, 10));
-https.globalAgent.on('keylog', common.mustCall(verifyKeylog, 10));
diff --git a/test/parallel/test-tls-getcipher.js b/test/parallel/test-tls-getcipher.js
index 744276a..624f8ef 100644
--- a/test/parallel/test-tls-getcipher.js
+++ b/test/parallel/test-tls-getcipher.js
@@ -52,7 +52,6 @@ server.listen(0, '127.0.0.1', common.mustCall(function() {
   }, common.mustCall(function() {
     const cipher = this.getCipher();
     assert.strictEqual(cipher.name, 'AES128-SHA256');
-    assert.strictEqual(cipher.standardName, 'TLS_RSA_WITH_AES_128_CBC_SHA256');
     assert.strictEqual(cipher.version, 'TLSv1.2');
     this.end();
   }));
@@ -66,8 +65,6 @@ server.listen(0, '127.0.0.1', common.mustCall(function() {
   }, common.mustCall(function() {
     const cipher = this.getCipher();
     assert.strictEqual(cipher.name, 'ECDHE-RSA-AES128-GCM-SHA256');
-    assert.strictEqual(cipher.standardName,
-                       'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256');
     assert.strictEqual(cipher.version, 'TLSv1.2');
     this.end();
   }));
@@ -89,7 +86,6 @@ tls.createServer({
   }, common.mustCall(() => {
     const cipher = client.getCipher();
     assert.strictEqual(cipher.name, 'TLS_AES_128_CCM_8_SHA256');
-    assert.strictEqual(cipher.standardName, cipher.name);
     assert.strictEqual(cipher.version, 'TLSv1.3');
     client.end();
   }));
diff --git a/test/parallel/test-tls-keylog-tlsv13.js b/test/parallel/test-tls-keylog-tlsv13.js
index f26dece..0f65564 100644
--- a/test/parallel/test-tls-keylog-tlsv13.js
+++ b/test/parallel/test-tls-keylog-tlsv13.js
@@ -21,13 +21,9 @@ const server = tls.createServer({
     rejectUnauthorized: false,
   });
 
-  server.on('keylog', common.mustCall((line, tlsSocket) => {
-    assert(Buffer.isBuffer(line));
-    assert.strictEqual(tlsSocket.encrypted, true);
-  }, 5));
-  client.on('keylog', common.mustCall((line) => {
-    assert(Buffer.isBuffer(line));
-  }, 5));
+  const verifyBuffer = (line) => assert(Buffer.isBuffer(line));
+  server.on('keylog', common.mustCall(verifyBuffer, 5));
+  client.on('keylog', common.mustCall(verifyBuffer, 5));
 
   client.once('secureConnect', () => {
     server.close();
diff --git a/test/parallel/test-tls-multi-key.js b/test/parallel/test-tls-multi-key.js
index b9eaa05..c5e66f3 100644
--- a/test/parallel/test-tls-multi-key.js
+++ b/test/parallel/test-tls-multi-key.js
@@ -157,7 +157,6 @@ function test(options) {
     }, common.mustCall(function() {
       assert.deepStrictEqual(ecdsa.getCipher(), {
         name: 'ECDHE-ECDSA-AES256-GCM-SHA384',
-        standardName: 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
         version: 'TLSv1.2'
       });
       assert.strictEqual(ecdsa.getPeerCertificate().subject.CN, eccCN);
@@ -176,7 +175,6 @@ function test(options) {
     }, common.mustCall(function() {
       assert.deepStrictEqual(rsa.getCipher(), {
         name: 'ECDHE-RSA-AES256-GCM-SHA384',
-        standardName: 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
         version: 'TLSv1.2'
       });
       assert.strictEqual(rsa.getPeerCertificate().subject.CN, rsaCN);
diff --git a/test/parallel/test-tls-multi-pfx.js b/test/parallel/test-tls-multi-pfx.js
index c20376a..3b0c059 100644
--- a/test/parallel/test-tls-multi-pfx.js
+++ b/test/parallel/test-tls-multi-pfx.js
@@ -42,11 +42,9 @@ const server = tls.createServer(options, function(conn) {
 process.on('exit', function() {
   assert.deepStrictEqual(ciphers, [{
     name: 'ECDHE-ECDSA-AES256-GCM-SHA384',
-    standardName: 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
     version: 'TLSv1.2'
   }, {
     name: 'ECDHE-RSA-AES256-GCM-SHA384',
-    standardName: 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
     version: 'TLSv1.2'
   }]);
 });
diff --git a/test/parallel/test-tls-psk-circuit.js b/test/parallel/test-tls-psk-circuit.js
deleted file mode 100644
index 4bcdf36..0000000
--- a/test/parallel/test-tls-psk-circuit.js
+++ /dev/null
@@ -1,72 +0,0 @@
-'use strict';
-const common = require('../common');
-
-if (!common.hasCrypto)
-  common.skip('missing crypto');
-
-const assert = require('assert');
-const tls = require('tls');
-
-const CIPHERS = 'PSK+HIGH:TLS_AES_128_GCM_SHA256';
-const USERS = {
-  UserA: Buffer.allocUnsafe(128),
-  UserB: Buffer.from('82072606b502b0f4025e90eb75fe137d', 'hex'),
-};
-const TEST_DATA = 'x';
-
-const serverOptions = {
-  ciphers: CIPHERS,
-  pskCallback(socket, id) {
-    assert.ok(socket instanceof tls.TLSSocket);
-    assert.ok(typeof id === 'string');
-    return USERS[id];
-  },
-};
-
-function test(secret, opts, error) {
-  const cb = !error ?
-    common.mustCall((c) => { c.pipe(c); }) :
-    common.mustNotCall();
-  const server = tls.createServer(serverOptions, cb);
-  server.listen(0, common.mustCall(() => {
-    const options = {
-      port: server.address().port,
-      ciphers: CIPHERS,
-      checkServerIdentity: () => {},
-      pskCallback: common.mustCall(() => secret),
-      ...opts,
-    };
-
-    if (!error) {
-      const client = tls.connect(options, common.mustCall(() => {
-        client.end(TEST_DATA);
-
-        client.on('data', common.mustCall((data) => {
-          assert.strictEqual(data.toString(), TEST_DATA);
-        }));
-        client.on('close', common.mustCall(() => server.close()));
-      }));
-    } else {
-      const client = tls.connect(options, common.mustNotCall());
-      client.on('error', common.mustCall((err) => {
-        assert.strictEqual(err.message, error);
-        server.close();
-      }));
-    }
-  }));
-}
-
-const DISCONNECT_MESSAGE =
-  'Client network socket disconnected before ' +
-  'secure TLS connection was established';
-
-test({ psk: USERS.UserA, identity: 'UserA' });
-test({ psk: USERS.UserA, identity: 'UserA' }, { maxVersion: 'TLSv1.2' });
-test({ psk: USERS.UserA, identity: 'UserA' }, { minVersion: 'TLSv1.3' });
-test({ psk: USERS.UserB, identity: 'UserB' });
-test({ psk: USERS.UserB, identity: 'UserB' }, { minVersion: 'TLSv1.3' });
-// Unrecognized user should fail handshake
-test({ psk: USERS.UserB, identity: 'UserC' }, {}, DISCONNECT_MESSAGE);
-// Recognized user but incorrect secret should fail handshake
-test({ psk: USERS.UserA, identity: 'UserB' }, {}, DISCONNECT_MESSAGE);
-test({ psk: USERS.UserB, identity: 'UserB' });
diff --git a/test/parallel/test-tls-psk-errors.js b/test/parallel/test-tls-psk-errors.js
deleted file mode 100644
index 4864a66..0000000
--- a/test/parallel/test-tls-psk-errors.js
+++ /dev/null
@@ -1,32 +0,0 @@
-'use strict';
-const common = require('../common');
-
-if (!common.hasCrypto)
-  common.skip('missing crypto');
-
-const assert = require('assert');
-const tls = require('tls');
-
-{
-  // Check tlsClientError on invalid pskIdentityHint.
-
-  const server = tls.createServer({
-    ciphers: 'PSK+HIGH',
-    pskCallback: () => {},
-    pskIdentityHint: 'a'.repeat(512), // Too long identity hint.
-  });
-  server.on('tlsClientError', (err) => {
-    assert.ok(err instanceof Error);
-    assert.strictEqual(err.code, 'ERR_TLS_PSK_SET_IDENTIY_HINT_FAILED');
-    server.close();
-  });
-  server.listen(0, () => {
-    const client = tls.connect({
-      port: server.address().port,
-      ciphers: 'PSK+HIGH',
-      checkServerIdentity: () => {},
-      pskCallback: () => {},
-    }, () => {});
-    client.on('error', common.expectsError({ code: 'ECONNRESET' }));
-  });
-}
diff --git a/test/parallel/test-tls-set-sigalgs.js b/test/parallel/test-tls-set-sigalgs.js
deleted file mode 100644
index 59dc2ca..0000000
--- a/test/parallel/test-tls-set-sigalgs.js
+++ /dev/null
@@ -1,74 +0,0 @@
-'use strict';
-const common = require('../common');
-if (!common.hasCrypto) common.skip('missing crypto');
-const fixtures = require('../common/fixtures');
-
-// Test sigalgs: option for TLS.
-
-const {
-  assert, connect, keys
-} = require(fixtures.path('tls-connect'));
-
-function assert_arrays_equal(left, right) {
-  assert.strictEqual(left.length, right.length);
-  for (let i = 0; i < left.length; i++) {
-    assert.strictEqual(left[i], right[i]);
-  }
-}
-
-function test(csigalgs, ssigalgs, shared_sigalgs, cerr, serr) {
-  assert(shared_sigalgs || serr || cerr, 'test missing any expectations');
-  connect({
-    client: {
-      checkServerIdentity: (servername, cert) => { },
-      ca: `${keys.agent1.cert}\n${keys.agent6.ca}`,
-      cert: keys.agent2.cert,
-      key: keys.agent2.key,
-      sigalgs: csigalgs
-    },
-    server: {
-      cert: keys.agent6.cert,
-      key: keys.agent6.key,
-      ca: keys.agent2.ca,
-      context: {
-        requestCert: true,
-        rejectUnauthorized: true
-      },
-      sigalgs: ssigalgs
-    },
-  }, common.mustCall((err, pair, cleanup) => {
-    if (shared_sigalgs) {
-      assert.ifError(err);
-      assert.ifError(pair.server.err);
-      assert.ifError(pair.client.err);
-      assert(pair.server.conn);
-      assert(pair.client.conn);
-      assert_arrays_equal(pair.server.conn.getSharedSigalgs(), shared_sigalgs);
-    } else {
-      if (serr) {
-        assert(pair.server.err);
-        assert(pair.server.err.code, serr);
-      }
-
-      if (cerr) {
-        assert(pair.client.err);
-        assert(pair.client.err.code, cerr);
-      }
-    }
-
-    return cleanup();
-  }));
-}
-
-// Have shared sigalgs
-test('RSA-PSS+SHA384', 'RSA-PSS+SHA384', ['RSA-PSS+SHA384']);
-test('RSA-PSS+SHA256:RSA-PSS+SHA512:ECDSA+SHA256',
-     'RSA-PSS+SHA256:ECDSA+SHA256',
-     ['RSA-PSS+SHA256', 'ECDSA+SHA256']);
-
-// Do not have shared sigalgs.
-test('RSA-PSS+SHA384', 'ECDSA+SHA256',
-     undefined, 'ECONNRESET', 'ERR_SSL_NO_SHARED_SIGNATURE_ALGORITMS');
-
-test('RSA-PSS+SHA384:ECDSA+SHA256', 'ECDSA+SHA384:RSA-PSS+SHA256',
-     undefined, 'ECONNRESET', 'ERR_SSL_NO_SHARED_SIGNATURE_ALGORITMS');
-- 
2.26.2