From 4ba04fcbfd74f9b214c6dd25d82dad5a87cf8465 Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= <jstanek@redhat.com>

Date: Wed, 13 Jul 2022 14:30:43 +0200

Subject: [PATCH] Disable unsupported OpenSSL features

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

- Disable no-certificate PSK authentication

  There is no obvious way to reimplement it using only OpenSSL 1.0 public APIs.

- Disable queries for standard cipher name

  OpenSSL 1.0 does not record said names.

- Remove ClientHello getters

  The disabled functions internally use

  `SSL_client_hello_get0_ext`/`SSL_client_hello_get0_ciphers`,

  which are not available on legacy OpenSSL.

  There may be another way to get to the same data,

  but nothing jumps out in the OpenSSL 1.0.2 documentation.

- Remove TLSv1.3 CLI options

- Remove usage of OPENSSL_secure_{malloc,clear_free}

  Unsupported in OpenSSL 1.0.

  The expected semantics is the same as using the regular versions,

  so the possibility of using the secure heap was simply removed.

- Revert "src,deps,build,test: add OpenSSL config appname"

  This reverts commit 8e8aef836cb9807c9fe5ca350f1e7febdb40c3a7.

Signed-off-by: Jan Staněk <jstanek@redhat.com>

---

 BUILDING.md                                   | 14 ------

 configure.py                                  |  8 ----

 doc/api/cli.md                                | 18 --------

 doc/api/tls.md                                | 15 +++----

 src/env.h                                     | 11 ++++-

 src/node.cc                                   | 43 -------------------

 src/node_crypto.cc                            |  8 +++-

 src/node_crypto_common.cc                     | 12 ++++++

 src/node_crypto_common.h                      |  6 +++

 src/node_options.cc                           | 10 ++++-

 test/fixtures/openssl_fips_disabled.cnf       |  2 +-

 test/fixtures/openssl_fips_enabled.cnf        |  2 +-

 .../test-tls-cli-max-version-1.3.js           |  0

 .../test-tls-cli-min-max-conflict.js          |  0

 .../test-tls-cli-min-version-1.3.js           |  0

 test/parallel/test-crypto-fips.js             |  2 +-

 16 files changed, 53 insertions(+), 98 deletions(-)

 rename test/{parallel => known_issues}/test-tls-cli-max-version-1.3.js (100%)

 rename test/{parallel => known_issues}/test-tls-cli-min-max-conflict.js (100%)

 rename test/{parallel => known_issues}/test-tls-cli-min-version-1.3.js (100%)

diff --git a/BUILDING.md b/BUILDING.md

index 0ae3c09d99..5d2459eb76 100644

--- a/BUILDING.md

+++ b/BUILDING.md

@@ -52,7 +52,6 @@ file a new issue.

   * [Build with a specific ICU](#build-with-a-specific-icu)

     * [Unix/macOS](#unixmacos-3)

     * [Windows](#windows-4)

-* [Configuring OpenSSL config appname](#configure-openssl-appname)

 * [Building Node.js with FIPS-compliant OpenSSL](#building-nodejs-with-fips-compliant-openssl)

 * [Building Node.js with external core modules](#building-nodejs-with-external-core-modules)

   * [Unix/macOS](#unixmacos-4)

@@ -767,19 +766,6 @@ as `deps/icu` (You'll have: `deps/icu/source/...`)

 > .\vcbuild full-icu

 ```

-### Configure OpenSSL appname

-

-Node.js can use an OpenSSL configuration file by specifying the environment

-variable `OPENSSL_CONF`, or using the command line option `--openssl-conf`, and

-if none of those are specified will default to reading the default OpenSSL

-configuration file `openssl.cnf`. Node.js will only read a section that is by

-default named `nodejs_conf`, but this name can be overridden using the following

-configure option:

-

-```console

-$ ./configure --openssl-conf-name=<some_conf_name>

-```

-

 ## Building Node.js with FIPS-compliant OpenSSL

 The current version of Node.js does not support FIPS.

diff --git a/configure.py b/configure.py

index 892e1d4202..2ea4eb69f5 100755

--- a/configure.py

+++ b/configure.py

@@ -176,12 +176,6 @@ parser.add_option("--link-module",

          "e.g. /root/x/y.js will be referenced via require('root/x/y'). "

          "Can be used multiple times")

-parser.add_option("--openssl-conf-name",

-    action="store",

-    dest="openssl_conf_name",

-    default='nodejs_conf',

-    help="The OpenSSL config appname (config section name) used by Node.js")

-

 parser.add_option('--openssl-default-cipher-list',

     action='store',

     dest='openssl_default_cipher_list',

@@ -1343,8 +1337,6 @@ def configure_openssl(o):

   if options.openssl_no_asm:

     variables['openssl_no_asm'] = 1

-  o['defines'] += ['NODE_OPENSSL_CONF_NAME=' + options.openssl_conf_name]

-

   if options.without_ssl:

     def without_ssl_error(option):

       error('--without-ssl is incompatible with %s' % option)

diff --git a/doc/api/cli.md b/doc/api/cli.md

index ff5dff244e..61bac086bf 100644

--- a/doc/api/cli.md

+++ b/doc/api/cli.md

@@ -902,14 +902,6 @@ added:

 Set [`tls.DEFAULT_MAX_VERSION`][] to 'TLSv1.2'. Use to disable support for

 TLSv1.3.

-### `--tls-max-v1.3`

-

-added: v12.0.0

--->

-

-Set default [`tls.DEFAULT_MAX_VERSION`][] to 'TLSv1.3'. Use to enable support

-for TLSv1.3.

-

 ### `--tls-min-v1.0`

 added:

@@ -941,14 +933,6 @@ Set default [`tls.DEFAULT_MIN_VERSION`][] to 'TLSv1.2'. This is the default for

 12.x and later, but the option is supported for compatibility with older Node.js

 versions.

-### `--tls-min-v1.3`

-

-added: v12.0.0

--->

-

-Set default [`tls.DEFAULT_MIN_VERSION`][] to 'TLSv1.3'. Use to disable support

-for TLSv1.2, which is not as secure as TLSv1.3.

-

 ### `--trace-atomics-wait`

 added: v14.3.0

@@ -1391,11 +1375,9 @@ Node.js options that are allowed are:

 * `--tls-cipher-list`

 * `--tls-keylog`

 * `--tls-max-v1.2`

-* `--tls-max-v1.3`

 * `--tls-min-v1.0`

 * `--tls-min-v1.1`

 * `--tls-min-v1.2`

-* `--tls-min-v1.3`

 * `--trace-atomics-wait`

 * `--trace-deprecation`

 * `--trace-event-categories`

diff --git a/doc/api/tls.md b/doc/api/tls.md

index 271dd095fb..0e8125fffd 100644

--- a/doc/api/tls.md

+++ b/doc/api/tls.md

@@ -1988,10 +1988,10 @@ added: v11.4.0

 * {string} The default value of the `maxVersion` option of

   [`tls.createSecureContext()`][]. It can be assigned any of the supported TLS

-  protocol versions, `'TLSv1.3'`, `'TLSv1.2'`, `'TLSv1.1'`, or `'TLSv1'`.

-  **Default:** `'TLSv1.3'`, unless changed using CLI options. Using

-  `--tls-max-v1.2` sets the default to `'TLSv1.2'`. Using `--tls-max-v1.3` sets

-  the default to `'TLSv1.3'`. If multiple of the options are provided, the

+  protocol versions, `'TLSv1.2'`, `'TLSv1.1'`, or `'TLSv1'`.

+  **Default:** `'TLSv1.2'`, unless changed using CLI options. Using

+  `--tls-max-v1.2` sets the default to `'TLSv1.2'`.

+  If multiple of the options are provided, the

   highest maximum is used.

 ## `tls.DEFAULT_MIN_VERSION`

@@ -2001,12 +2001,11 @@ added: v11.4.0

 * {string} The default value of the `minVersion` option of

   [`tls.createSecureContext()`][]. It can be assigned any of the supported TLS

-  protocol versions, `'TLSv1.3'`, `'TLSv1.2'`, `'TLSv1.1'`, or `'TLSv1'`.

+  protocol versions, `'TLSv1.2'`, `'TLSv1.1'`, or `'TLSv1'`.

   **Default:** `'TLSv1.2'`, unless changed using CLI options. Using

   `--tls-min-v1.0` sets the default to `'TLSv1'`. Using `--tls-min-v1.1` sets

-  the default to `'TLSv1.1'`. Using `--tls-min-v1.3` sets the default to

-  `'TLSv1.3'`. If multiple of the options are provided, the lowest minimum is

-  used.

+  the default to `'TLSv1.1'`. If multiple of the options are provided,

+  the lowest minimum is used.

 [CVE-2021-44531]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44531

 [Chrome's 'modern cryptography' setting]: https://www.chromium.org/Home/chromium-security/education/tls#TOC-Cipher-Suites

diff --git a/src/env.h b/src/env.h

index 824202ef52..90b04e2b1f 100644

--- a/src/env.h

+++ b/src/env.h

@@ -50,6 +50,8 @@

 #include <unordered_set>

 #include <vector>

+#include <node-ssl-shim/ssl-shim.h>

+

 namespace node {

 namespace contextify {

@@ -141,6 +143,13 @@ constexpr size_t kFsStatsBufferLength =

 // Make sure that any macro V defined for use with the PER_ISOLATE_* macros is

 // undefined again after use.

+// Some symbols/strings are not defined when using legacy OpenSSL

+#if OPENSSL_IS_LEGACY

+#   define NODE_ENV_STANDARD_NAME_STRING

+#else // OPENSSL_IS_LEGACY

+#   define NODE_ENV_STANDARD_NAME_STRING V(standard_name_string, "standardName")

+#endif // OPENSSL_IS_LEGACY

+

 // Private symbols are per-isolate primitives but Environment proxies them

 // for the sake of convenience.  Strings should be ASCII-only and have a

 // "node:" prefix to avoid name clashes with third-party code.

@@ -368,7 +377,7 @@ constexpr size_t kFsStatsBufferLength =

   V(sni_context_string, "sni_context")                                         \

   V(source_string, "source")                                                   \

   V(stack_string, "stack")                                                     \

-  V(standard_name_string, "standardName")                                      \

+  NODE_ENV_STANDARD_NAME_STRING                                                \

   V(start_time_string, "startTime")                                            \

   V(status_string, "status")                                                   \

   V(stdio_string, "stdio")                                                     \

diff --git a/src/node.cc b/src/node.cc

index d3b884aa66..683e36c1a5 100644

--- a/src/node.cc

+++ b/src/node.cc

@@ -44,7 +44,6 @@

 #if HAVE_OPENSSL

 #include "allocated_buffer-inl.h"  // Inlined functions needed by node_crypto.h

 #include "node_crypto.h"

-#include <openssl/conf.h>

 #endif

 #if defined(NODE_HAVE_I18N_SUPPORT)

@@ -155,9 +154,6 @@ uint64_t node_start_time;

 struct V8Platform v8_platform;

 }  // namespace per_process

-// The section in the OpenSSL configuration file to be loaded.

-const char* conf_section_name = STRINGIFY(NODE_OPENSSL_CONF_NAME);

-

 #ifdef __POSIX__

 void SignalExit(int signo, siginfo_t* info, void* ucontext) {

   ResetStdio();

@@ -979,7 +975,6 @@ void Init(int* argc,

     argv[i] = strdup(argv_[i].c_str());

 }

-

 InitializationResult InitializeOncePerProcess(int argc, char** argv) {

   // Initialized the enabled list for Debug() calls with system

   // environment variables.

@@ -1045,44 +1040,6 @@ InitializationResult InitializeOncePerProcess(int argc, char** argv) {

     if (credentials::SafeGetenv("NODE_EXTRA_CA_CERTS", &extra_ca_certs))

       crypto::UseExtraCaCerts(extra_ca_certs);

   }

-

-  // Passing NULL as the config file will allow the default openssl.cnf file

-  // to be loaded, but the default section in that file will not be used,

-  // instead only the section that matches the value of conf_section_name

-  // will be read from the default configuration file.

-  const char* conf_file = nullptr;

-  // Use OPENSSL_CONF environment variable is set.

-  std::string env_openssl_conf;

-  credentials::SafeGetenv("OPENSSL_CONF", &env_openssl_conf);

-  if (!env_openssl_conf.empty()) {

-    conf_file = env_openssl_conf.c_str();

-  }

-  // Use --openssl-conf command line option if specified.

-  if (!per_process::cli_options->openssl_config.empty()) {

-    conf_file = per_process::cli_options->openssl_config.c_str();

-  }

-

-  OPENSSL_INIT_SETTINGS* settings = OPENSSL_INIT_new();

-  OPENSSL_INIT_set_config_filename(settings, conf_file);

-  OPENSSL_INIT_set_config_appname(settings, conf_section_name);

-  OPENSSL_INIT_set_config_file_flags(settings,

-                                     CONF_MFLAGS_IGNORE_MISSING_FILE);

-

-  OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, settings);

-  OPENSSL_INIT_free(settings);

-

-  if (ERR_peek_error() != 0) {

-    int ossl_error_code = ERR_GET_REASON(ERR_peek_error());

-    if (ossl_error_code != EVP_R_FIPS_MODE_NOT_SUPPORTED) {

-      result.exit_code = ossl_error_code;

-      result.early_return = true;

-      fprintf(stderr, "%s", "OpenSSL configuration error:\n");

-      ERR_print_errors_fp(stderr);

-      return result;

-    }

-  }

-

-

   // In the case of FIPS builds we should make sure

   // the random source is properly initialized first.

   if (FIPS_mode()) {

diff --git a/src/node_crypto.cc b/src/node_crypto.cc

index 975a148fc8..8bb34ab620 100644

--- a/src/node_crypto.cc

+++ b/src/node_crypto.cc

@@ -7124,11 +7124,15 @@ namespace {

 // make use of secure heap, this has the same semantics as

 // using OPENSSL_malloc. However, if the secure heap is

 // initialized, SecureBuffer will automatically use it.

+//

+// RHEL 7 Note: secure_{malloc,clear_free} is not available in OpenSSL 1.0

+// As in this case the expected behaviour is to fall back to their

+// "regular" counterparts, the "secure" calls were replaced with them.

 void SecureBuffer(const FunctionCallbackInfo<Value>& args) {

   CHECK(args[0]->IsUint32());

   Environment* env = Environment::GetCurrent(args);

   uint32_t len = args[0].As<Uint32>()->Value();

-  char* data = static_cast<char*>(OPENSSL_secure_malloc(len));

+  char* data = static_cast<char*>(OPENSSL_malloc(len));

   if (data == nullptr) {

     // There's no memory available for the allocation.

     // Return nothing.

@@ -7140,7 +7144,7 @@ void SecureBuffer(const FunctionCallbackInfo<Value>& args) {

           data,

           len,

           [](void* data, size_t len, void* deleter_data) {

-            OPENSSL_secure_clear_free(data, len);

+            OPENSSL_clear_free(data, len);

           },

           data);

   Local<ArrayBuffer> buffer = ArrayBuffer::New(env->isolate(), store);

diff --git a/src/node_crypto_common.cc b/src/node_crypto_common.cc

index 7d313dd3df..a7bde45094 100644

--- a/src/node_crypto_common.cc

+++ b/src/node_crypto_common.cc

@@ -143,6 +143,7 @@ long VerifyPeerCertificate(  // NOLINT(runtime/int)

   if (X509* peer_cert = SSL_get_peer_certificate(ssl.get())) {

     X509_free(peer_cert);

     err = SSL_get_verify_result(ssl.get());

+#if !OPENSSL_IS_LEGACY

   } else {

     const SSL_CIPHER* curr_cipher = SSL_get_current_cipher(ssl.get());

     const SSL_SESSION* sess = SSL_get_session(ssl.get());

@@ -154,6 +155,7 @@ long VerifyPeerCertificate(  // NOLINT(runtime/int)

          SSL_session_reused(ssl.get()))) {

       return X509_V_OK;

     }

+#endif // !OPENSSL_IS_LEGACY

   }

   return err;

 }

@@ -171,6 +173,7 @@ int UseSNIContext(const SSLPointer& ssl, BaseObjectPtr<SecureContext> context) {

   return err;

 }

+#if !OPENSSL_IS_LEGACY

 const char* GetClientHelloALPN(const SSLPointer& ssl) {

   const unsigned char* buf;

   size_t len;

@@ -217,6 +220,7 @@ const char* GetClientHelloServerName(const SSLPointer& ssl) {

     return nullptr;

   return reinterpret_cast<const char*>(buf + 5);

 }

+#endif // !OPENSSL_IS_LEGACY

 const char* GetServerName(SSL* ssl) {

   return SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);

@@ -330,11 +334,13 @@ MaybeLocal<Value> GetCipherName(Environment* env, const SSL_CIPHER* cipher) {

   return GetCipherValue(env, cipher, SSL_CIPHER_get_name);

 }

+#if !OPENSSL_IS_LEGACY

 MaybeLocal<Value> GetCipherStandardName(

     Environment* env,

     const SSL_CIPHER* cipher) {

   return GetCipherValue(env, cipher, SSL_CIPHER_standard_name);

 }

+#endif // !OPENSSL_IS_LEGACY

 MaybeLocal<Value> GetCipherVersion(Environment* env, const SSL_CIPHER* cipher) {

 #if OPENSSL_IS_LEGACY

@@ -1088,16 +1094,19 @@ MaybeLocal<Value> GetCipherName(Environment* env, const SSLPointer& ssl) {

   return GetCipherName(env, SSL_get_current_cipher(ssl.get()));

 }

+#if !OPENSSL_IS_LEGACY

 MaybeLocal<Value> GetCipherStandardName(

     Environment* env,

     const SSLPointer& ssl) {

   return GetCipherStandardName(env, SSL_get_current_cipher(ssl.get()));

 }

+#endif // !OPENSSL_IS_LEGACY

 MaybeLocal<Value> GetCipherVersion(Environment* env, const SSLPointer& ssl) {

   return GetCipherVersion(env, SSL_get_current_cipher(ssl.get()));

 }

+#if !OPENSSL_IS_LEGACY

 MaybeLocal<Array> GetClientHelloCiphers(

     Environment* env,

     const SSLPointer& ssl) {

@@ -1130,6 +1139,7 @@ MaybeLocal<Array> GetClientHelloCiphers(

   Local<Array> ret = Array::New(env->isolate(), ciphers.out(), count);

   return scope.Escape(ret);

 }

+#endif // !OPENSSL_IS_LEGACY

 MaybeLocal<Object> GetCipherInfo(Environment* env, const SSLPointer& ssl) {

@@ -1140,10 +1150,12 @@ MaybeLocal<Object> GetCipherInfo(Environment* env, const SSLPointer& ssl) {

                   info,

                   env->name_string(),

                   GetCipherName(env, ssl)) ||

+#if !OPENSSL_IS_LEGACY

       !Set<Value>(env->context(),

                   info,

                   env->standard_name_string(),

                   GetCipherStandardName(env, ssl)) ||

+#endif // !OPENSSL_IS_LEGACY

       !Set<Value>(env->context(),

                   info,

                   env->version_string(),

diff --git a/src/node_crypto_common.h b/src/node_crypto_common.h

index bf58df18f6..8e1ac58cd7 100644

--- a/src/node_crypto_common.h

+++ b/src/node_crypto_common.h

@@ -67,15 +67,19 @@ long VerifyPeerCertificate(  // NOLINT(runtime/int)

 int UseSNIContext(const SSLPointer& ssl, BaseObjectPtr<SecureContext> context);

+#if !OPENSSL_IS_LEGACY

 const char* GetClientHelloALPN(const SSLPointer& ssl);

 const char* GetClientHelloServerName(const SSLPointer& ssl);

+#endif // !OPENSSL_IS_LEGACY

 const char* GetServerName(SSL* ssl);

+#if !OPENSSL_IS_LEGACY

 v8::MaybeLocal<v8::Array> GetClientHelloCiphers(

     Environment* env,

     const SSLPointer& ssl);

+#endif // !OPENSSL_IS_LEGACY

 bool SetGroups(SecureContext* sc, const char* groups);

@@ -91,9 +95,11 @@ v8::MaybeLocal<v8::Value> GetCipherName(

     Environment* env,

     const SSLPointer& ssl);

+#if !OPENSSL_IS_LEGACY

 v8::MaybeLocal<v8::Value> GetCipherStandardName(

     Environment* env,

     const SSLPointer& ssl);

+#endif // !OPENSSL_IS_LEGACY

 v8::MaybeLocal<v8::Value> GetCipherVersion(

     Environment* env,

diff --git a/src/node_options.cc b/src/node_options.cc

index 06847ce332..66b9e4e917 100644

--- a/src/node_options.cc

+++ b/src/node_options.cc

@@ -9,6 +9,8 @@

 #include <sstream>

 #include <cstdlib>  // strtoul, errno

+#include <node-ssl-shim/features.h>

+

 using v8::Boolean;

 using v8::Context;

 using v8::FunctionCallbackInfo;

@@ -113,10 +115,12 @@ void EnvironmentOptions::CheckOptions(std::vector<std::string>* errors) {

     errors->push_back("invalid value for --unhandled-rejections");

   }

+#if !OPENSSL_IS_LEGACY

   if (tls_min_v1_3 && tls_max_v1_2) {

     errors->push_back("either --tls-min-v1.3 or --tls-max-v1.2 can be "

                       "used, not both");

   }

+#endif // !OPENSSL_IS_LEGACY

   if (heap_snapshot_near_heap_limit < 0) {

     errors->push_back("--heap-snapshot-near-heap-limit must not be negative");

@@ -563,14 +567,17 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() {

             "set default TLS minimum to TLSv1.2 (default: TLSv1.2)",

             &EnvironmentOptions::tls_min_v1_2,

             kAllowedInEnvironment);

+#if !OPENSSL_IS_LEGACY

   AddOption("--tls-min-v1.3",

             "set default TLS minimum to TLSv1.3 (default: TLSv1.2)",

             &EnvironmentOptions::tls_min_v1_3,

             kAllowedInEnvironment);

+#endif // !OPENSSL_IS_LEGACY

   AddOption("--tls-max-v1.2",

-            "set default TLS maximum to TLSv1.2 (default: TLSv1.3)",

+            "set default TLS maximum to TLSv1.2 (default: TLSv1.2)",

             &EnvironmentOptions::tls_max_v1_2,

             kAllowedInEnvironment);

+#if !OPENSSL_IS_LEGACY

   // Current plan is:

   // - 11.x and below: TLS1.3 is opt-in with --tls-max-v1.3

   // - 12.x: TLS1.3 is opt-out with --tls-max-v1.2

@@ -579,6 +586,7 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() {

             "set default TLS maximum to TLSv1.3 (default: TLSv1.3)",

             &EnvironmentOptions::tls_max_v1_3,

             kAllowedInEnvironment);

+#endif // !OPENSSL_IS_LEGACY

 }

 PerIsolateOptionsParser::PerIsolateOptionsParser(

diff --git a/test/fixtures/openssl_fips_disabled.cnf b/test/fixtures/openssl_fips_disabled.cnf

index 253c6906e3..8668370fac 100644

--- a/test/fixtures/openssl_fips_disabled.cnf

+++ b/test/fixtures/openssl_fips_disabled.cnf

@@ -1,6 +1,6 @@

 # Skeleton openssl.cnf for testing with FIPS

-nodejs_conf = openssl_conf_section

+openssl_conf = openssl_conf_section

 authorityKeyIdentifier=keyid:always,issuer:always

 [openssl_conf_section]

diff --git a/test/fixtures/openssl_fips_enabled.cnf b/test/fixtures/openssl_fips_enabled.cnf

index 79733c657a..9c1a90f508 100644

--- a/test/fixtures/openssl_fips_enabled.cnf

+++ b/test/fixtures/openssl_fips_enabled.cnf

@@ -1,6 +1,6 @@

 # Skeleton openssl.cnf for testing with FIPS

-nodejs_conf = openssl_conf_section

+openssl_conf = openssl_conf_section

 authorityKeyIdentifier=keyid:always,issuer:always

 [openssl_conf_section]

diff --git a/test/parallel/test-tls-cli-max-version-1.3.js b/test/known_issues/test-tls-cli-max-version-1.3.js

similarity index 100%

rename from test/parallel/test-tls-cli-max-version-1.3.js

rename to test/known_issues/test-tls-cli-max-version-1.3.js

diff --git a/test/parallel/test-tls-cli-min-max-conflict.js b/test/known_issues/test-tls-cli-min-max-conflict.js

similarity index 100%

rename from test/parallel/test-tls-cli-min-max-conflict.js

rename to test/known_issues/test-tls-cli-min-max-conflict.js

diff --git a/test/parallel/test-tls-cli-min-version-1.3.js b/test/known_issues/test-tls-cli-min-version-1.3.js

similarity index 100%

rename from test/parallel/test-tls-cli-min-version-1.3.js

rename to test/known_issues/test-tls-cli-min-version-1.3.js

diff --git a/test/parallel/test-crypto-fips.js b/test/parallel/test-crypto-fips.js

index bf8b3c157d..a1ed645184 100644

--- a/test/parallel/test-crypto-fips.js

+++ b/test/parallel/test-crypto-fips.js

@@ -64,7 +64,7 @@ testHelper(

   [],

   FIPS_DISABLED,

   'require("crypto").getFips()',

-  { ...process.env, 'OPENSSL_CONF': ' ' });

+  { ...process.env, 'OPENSSL_CONF': '' });

 // --enable-fips should turn FIPS mode on

 testHelper(

-- 

2.36.1