From 38ed745edf7725660c59c9db63ad722aee126487 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= <jstanek@redhat.com>
Date: Wed, 13 Jul 2022 14:30:43 +0200
Subject: [PATCH] Disable unsupported OpenSSL features
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- Disable no-certificate PSK authentication
There is no obvious way to reimplement it using only OpenSSL 1.0 public APIs.
- Disable queries for standard cipher name
OpenSSL 1.0 does not record said names.
- Remove ClientHello getters
The disabled functions internally use
`SSL_client_hello_get0_ext`/`SSL_client_hello_get0_ciphers`,
which are not available on legacy OpenSSL.
There may be another way to get to the same data,
but nothing jumps out in the OpenSSL 1.0.2 documentation.
- Remove TLSv1.3 CLI options
- Remove usage of OPENSSL_secure_{malloc,clear_free}
Unsupported in OpenSSL 1.0.
The expected semantics is the same as using the regular versions,
so the possibility of using the secure heap was simply removed.
- Revert "src,deps,build,test: add OpenSSL config appname"
This reverts commit 8e8aef836cb9807c9fe5ca350f1e7febdb40c3a7.
Signed-off-by: Jan Staněk <jstanek@redhat.com>
Signed-off-by: rpm-build <rpm-build>
---
BUILDING.md | 14 ------
configure.py | 8 ----
doc/api/cli.md | 18 -------
doc/api/tls.md | 15 +++---
src/env.h | 11 ++++-
src/node.cc | 48 -------------------
src/node_crypto.cc | 8 +++-
src/node_crypto_common.cc | 12 +++++
src/node_crypto_common.h | 6 +++
src/node_options.cc | 10 +++-
test/fixtures/openssl_fips_disabled.cnf | 2 +-
test/fixtures/openssl_fips_enabled.cnf | 2 +-
.../test-tls-cli-max-version-1.3.js | 0
.../test-tls-cli-min-max-conflict.js | 0
.../test-tls-cli-min-version-1.3.js | 0
test/parallel/test-crypto-fips.js | 2 +-
16 files changed, 53 insertions(+), 103 deletions(-)
rename test/{parallel => known_issues}/test-tls-cli-max-version-1.3.js (100%)
rename test/{parallel => known_issues}/test-tls-cli-min-max-conflict.js (100%)
rename test/{parallel => known_issues}/test-tls-cli-min-version-1.3.js (100%)
diff --git a/BUILDING.md b/BUILDING.md
index 0ae3c09..5d2459e 100644
--- a/BUILDING.md
+++ b/BUILDING.md
@@ -52,7 +52,6 @@ file a new issue.
* [Build with a specific ICU](#build-with-a-specific-icu)
* [Unix/macOS](#unixmacos-3)
* [Windows](#windows-4)
-* [Configuring OpenSSL config appname](#configure-openssl-appname)
* [Building Node.js with FIPS-compliant OpenSSL](#building-nodejs-with-fips-compliant-openssl)
* [Building Node.js with external core modules](#building-nodejs-with-external-core-modules)
* [Unix/macOS](#unixmacos-4)
@@ -767,19 +766,6 @@ as `deps/icu` (You'll have: `deps/icu/source/...`)
> .\vcbuild full-icu
```
-### Configure OpenSSL appname
-
-Node.js can use an OpenSSL configuration file by specifying the environment
-variable `OPENSSL_CONF`, or using the command line option `--openssl-conf`, and
-if none of those are specified will default to reading the default OpenSSL
-configuration file `openssl.cnf`. Node.js will only read a section that is by
-default named `nodejs_conf`, but this name can be overridden using the following
-configure option:
-
-```console
-$ ./configure --openssl-conf-name=<some_conf_name>
-```
-
## Building Node.js with FIPS-compliant OpenSSL
The current version of Node.js does not support FIPS.
diff --git a/configure.py b/configure.py
index 892e1d4..2ea4eb6 100755
--- a/configure.py
+++ b/configure.py
@@ -176,12 +176,6 @@ parser.add_option("--link-module",
"e.g. /root/x/y.js will be referenced via require('root/x/y'). "
"Can be used multiple times")
-parser.add_option("--openssl-conf-name",
- action="store",
- dest="openssl_conf_name",
- default='nodejs_conf',
- help="The OpenSSL config appname (config section name) used by Node.js")
-
parser.add_option('--openssl-default-cipher-list',
action='store',
dest='openssl_default_cipher_list',
@@ -1343,8 +1337,6 @@ def configure_openssl(o):
if options.openssl_no_asm:
variables['openssl_no_asm'] = 1
- o['defines'] += ['NODE_OPENSSL_CONF_NAME=' + options.openssl_conf_name]
-
if options.without_ssl:
def without_ssl_error(option):
error('--without-ssl is incompatible with %s' % option)
diff --git a/doc/api/cli.md b/doc/api/cli.md
index 92cf190..a6a77ea 100644
--- a/doc/api/cli.md
+++ b/doc/api/cli.md
@@ -917,14 +917,6 @@ added:
Set [`tls.DEFAULT_MAX_VERSION`][] to 'TLSv1.2'. Use to disable support for
TLSv1.3.
-### `--tls-max-v1.3`
-<!-- YAML
-added: v12.0.0
--->
-
-Set default [`tls.DEFAULT_MAX_VERSION`][] to 'TLSv1.3'. Use to enable support
-for TLSv1.3.
-
### `--tls-min-v1.0`
<!-- YAML
added:
@@ -956,14 +948,6 @@ Set default [`tls.DEFAULT_MIN_VERSION`][] to 'TLSv1.2'. This is the default for
12.x and later, but the option is supported for compatibility with older Node.js
versions.
-### `--tls-min-v1.3`
-<!-- YAML
-added: v12.0.0
--->
-
-Set default [`tls.DEFAULT_MIN_VERSION`][] to 'TLSv1.3'. Use to disable support
-for TLSv1.2, which is not as secure as TLSv1.3.
-
### `--trace-atomics-wait`
<!-- YAML
added: v14.3.0
@@ -1407,11 +1391,9 @@ Node.js options that are allowed are:
* `--tls-cipher-list`
* `--tls-keylog`
* `--tls-max-v1.2`
-* `--tls-max-v1.3`
* `--tls-min-v1.0`
* `--tls-min-v1.1`
* `--tls-min-v1.2`
-* `--tls-min-v1.3`
* `--trace-atomics-wait`
* `--trace-deprecation`
* `--trace-event-categories`
diff --git a/doc/api/tls.md b/doc/api/tls.md
index 271dd09..0e8125f 100644
--- a/doc/api/tls.md
+++ b/doc/api/tls.md
@@ -1988,10 +1988,10 @@ added: v11.4.0
* {string} The default value of the `maxVersion` option of
[`tls.createSecureContext()`][]. It can be assigned any of the supported TLS
- protocol versions, `'TLSv1.3'`, `'TLSv1.2'`, `'TLSv1.1'`, or `'TLSv1'`.
- **Default:** `'TLSv1.3'`, unless changed using CLI options. Using
- `--tls-max-v1.2` sets the default to `'TLSv1.2'`. Using `--tls-max-v1.3` sets
- the default to `'TLSv1.3'`. If multiple of the options are provided, the
+ protocol versions, `'TLSv1.2'`, `'TLSv1.1'`, or `'TLSv1'`.
+ **Default:** `'TLSv1.2'`, unless changed using CLI options. Using
+ `--tls-max-v1.2` sets the default to `'TLSv1.2'`.
+ If multiple of the options are provided, the
highest maximum is used.
## `tls.DEFAULT_MIN_VERSION`
@@ -2001,12 +2001,11 @@ added: v11.4.0
* {string} The default value of the `minVersion` option of
[`tls.createSecureContext()`][]. It can be assigned any of the supported TLS
- protocol versions, `'TLSv1.3'`, `'TLSv1.2'`, `'TLSv1.1'`, or `'TLSv1'`.
+ protocol versions, `'TLSv1.2'`, `'TLSv1.1'`, or `'TLSv1'`.
**Default:** `'TLSv1.2'`, unless changed using CLI options. Using
`--tls-min-v1.0` sets the default to `'TLSv1'`. Using `--tls-min-v1.1` sets
- the default to `'TLSv1.1'`. Using `--tls-min-v1.3` sets the default to
- `'TLSv1.3'`. If multiple of the options are provided, the lowest minimum is
- used.
+ the default to `'TLSv1.1'`. If multiple of the options are provided,
+ the lowest minimum is used.
[CVE-2021-44531]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44531
[Chrome's 'modern cryptography' setting]: https://www.chromium.org/Home/chromium-security/education/tls#TOC-Cipher-Suites
diff --git a/src/env.h b/src/env.h
index 824202e..90b04e2 100644
--- a/src/env.h
+++ b/src/env.h
@@ -50,6 +50,8 @@
#include <unordered_set>
#include <vector>
+#include <node-ssl-shim/ssl-shim.h>
+
namespace node {
namespace contextify {
@@ -141,6 +143,13 @@ constexpr size_t kFsStatsBufferLength =
// Make sure that any macro V defined for use with the PER_ISOLATE_* macros is
// undefined again after use.
+// Some symbols/strings are not defined when using legacy OpenSSL
+#if OPENSSL_IS_LEGACY
+# define NODE_ENV_STANDARD_NAME_STRING
+#else // OPENSSL_IS_LEGACY
+# define NODE_ENV_STANDARD_NAME_STRING V(standard_name_string, "standardName")
+#endif // OPENSSL_IS_LEGACY
+
// Private symbols are per-isolate primitives but Environment proxies them
// for the sake of convenience. Strings should be ASCII-only and have a
// "node:" prefix to avoid name clashes with third-party code.
@@ -368,7 +377,7 @@ constexpr size_t kFsStatsBufferLength =
V(sni_context_string, "sni_context") \
V(source_string, "source") \
V(stack_string, "stack") \
- V(standard_name_string, "standardName") \
+ NODE_ENV_STANDARD_NAME_STRING \
V(start_time_string, "startTime") \
V(status_string, "status") \
V(stdio_string, "stdio") \
diff --git a/src/node.cc b/src/node.cc
index 9e7bf07..8a29f76 100644
--- a/src/node.cc
+++ b/src/node.cc
@@ -44,7 +44,6 @@
#if HAVE_OPENSSL
#include "allocated_buffer-inl.h" // Inlined functions needed by node_crypto.h
#include "node_crypto.h"
-#include <openssl/conf.h>
#endif
#if defined(NODE_HAVE_I18N_SUPPORT)
@@ -155,9 +154,6 @@ uint64_t node_start_time;
struct V8Platform v8_platform;
} // namespace per_process
-// The section in the OpenSSL configuration file to be loaded.
-const char* conf_section_name = STRINGIFY(NODE_OPENSSL_CONF_NAME);
-
#ifdef __POSIX__
void SignalExit(int signo, siginfo_t* info, void* ucontext) {
ResetStdio();
@@ -979,7 +975,6 @@ void Init(int* argc,
argv[i] = strdup(argv_[i].c_str());
}
-
InitializationResult InitializeOncePerProcess(int argc, char** argv) {
// Initialized the enabled list for Debug() calls with system
// environment variables.
@@ -1046,49 +1041,6 @@ InitializationResult InitializeOncePerProcess(int argc, char** argv) {
crypto::UseExtraCaCerts(extra_ca_certs);
}
- // Passing NULL as the config file will allow the default openssl.cnf file
- // to be loaded, but the default section in that file will not be used,
- // instead only the section that matches the value of conf_section_name
- // will be read from the default configuration file.
- const char* conf_file = nullptr;
- // Use OPENSSL_CONF environment variable is set.
- std::string env_openssl_conf;
- // To allow for using the previous default where the 'openssl_conf' appname
- // was used, the command line option 'openssl-shared-config' can be used to
- // force the old behavior.
- if (per_process::cli_options->openssl_shared_config) {
- conf_section_name = "openssl_conf";
- }
- credentials::SafeGetenv("OPENSSL_CONF", &env_openssl_conf);
- if (!env_openssl_conf.empty()) {
- conf_file = env_openssl_conf.c_str();
- }
- // Use --openssl-conf command line option if specified.
- if (!per_process::cli_options->openssl_config.empty()) {
- conf_file = per_process::cli_options->openssl_config.c_str();
- }
-
- OPENSSL_INIT_SETTINGS* settings = OPENSSL_INIT_new();
- OPENSSL_INIT_set_config_filename(settings, conf_file);
- OPENSSL_INIT_set_config_appname(settings, conf_section_name);
- OPENSSL_INIT_set_config_file_flags(settings,
- CONF_MFLAGS_IGNORE_MISSING_FILE);
-
- OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, settings);
- OPENSSL_INIT_free(settings);
-
- if (ERR_peek_error() != 0) {
- int ossl_error_code = ERR_GET_REASON(ERR_peek_error());
- if (ossl_error_code != EVP_R_FIPS_MODE_NOT_SUPPORTED) {
- result.exit_code = ossl_error_code;
- result.early_return = true;
- fprintf(stderr, "%s", "OpenSSL configuration error:\n");
- ERR_print_errors_fp(stderr);
- return result;
- }
- }
-
-
// In the case of FIPS builds we should make sure
// the random source is properly initialized first.
if (FIPS_mode()) {
diff --git a/src/node_crypto.cc b/src/node_crypto.cc
index 975a148..8bb34ab 100644
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -7124,11 +7124,15 @@ namespace {
// make use of secure heap, this has the same semantics as
// using OPENSSL_malloc. However, if the secure heap is
// initialized, SecureBuffer will automatically use it.
+//
+// RHEL 7 Note: secure_{malloc,clear_free} is not available in OpenSSL 1.0
+// As in this case the expected behaviour is to fall back to their
+// "regular" counterparts, the "secure" calls were replaced with them.
void SecureBuffer(const FunctionCallbackInfo<Value>& args) {
CHECK(args[0]->IsUint32());
Environment* env = Environment::GetCurrent(args);
uint32_t len = args[0].As<Uint32>()->Value();
- char* data = static_cast<char*>(OPENSSL_secure_malloc(len));
+ char* data = static_cast<char*>(OPENSSL_malloc(len));
if (data == nullptr) {
// There's no memory available for the allocation.
// Return nothing.
@@ -7140,7 +7144,7 @@ void SecureBuffer(const FunctionCallbackInfo<Value>& args) {
data,
len,
[](void* data, size_t len, void* deleter_data) {
- OPENSSL_secure_clear_free(data, len);
+ OPENSSL_clear_free(data, len);
},
data);
Local<ArrayBuffer> buffer = ArrayBuffer::New(env->isolate(), store);
diff --git a/src/node_crypto_common.cc b/src/node_crypto_common.cc
index 7d313dd..a7bde45 100644
--- a/src/node_crypto_common.cc
+++ b/src/node_crypto_common.cc
@@ -143,6 +143,7 @@ long VerifyPeerCertificate( // NOLINT(runtime/int)
if (X509* peer_cert = SSL_get_peer_certificate(ssl.get())) {
X509_free(peer_cert);
err = SSL_get_verify_result(ssl.get());
+#if !OPENSSL_IS_LEGACY
} else {
const SSL_CIPHER* curr_cipher = SSL_get_current_cipher(ssl.get());
const SSL_SESSION* sess = SSL_get_session(ssl.get());
@@ -154,6 +155,7 @@ long VerifyPeerCertificate( // NOLINT(runtime/int)
SSL_session_reused(ssl.get()))) {
return X509_V_OK;
}
+#endif // !OPENSSL_IS_LEGACY
}
return err;
}
@@ -171,6 +173,7 @@ int UseSNIContext(const SSLPointer& ssl, BaseObjectPtr<SecureContext> context) {
return err;
}
+#if !OPENSSL_IS_LEGACY
const char* GetClientHelloALPN(const SSLPointer& ssl) {
const unsigned char* buf;
size_t len;
@@ -217,6 +220,7 @@ const char* GetClientHelloServerName(const SSLPointer& ssl) {
return nullptr;
return reinterpret_cast<const char*>(buf + 5);
}
+#endif // !OPENSSL_IS_LEGACY
const char* GetServerName(SSL* ssl) {
return SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
@@ -330,11 +334,13 @@ MaybeLocal<Value> GetCipherName(Environment* env, const SSL_CIPHER* cipher) {
return GetCipherValue(env, cipher, SSL_CIPHER_get_name);
}
+#if !OPENSSL_IS_LEGACY
MaybeLocal<Value> GetCipherStandardName(
Environment* env,
const SSL_CIPHER* cipher) {
return GetCipherValue(env, cipher, SSL_CIPHER_standard_name);
}
+#endif // !OPENSSL_IS_LEGACY
MaybeLocal<Value> GetCipherVersion(Environment* env, const SSL_CIPHER* cipher) {
#if OPENSSL_IS_LEGACY
@@ -1088,16 +1094,19 @@ MaybeLocal<Value> GetCipherName(Environment* env, const SSLPointer& ssl) {
return GetCipherName(env, SSL_get_current_cipher(ssl.get()));
}
+#if !OPENSSL_IS_LEGACY
MaybeLocal<Value> GetCipherStandardName(
Environment* env,
const SSLPointer& ssl) {
return GetCipherStandardName(env, SSL_get_current_cipher(ssl.get()));
}
+#endif // !OPENSSL_IS_LEGACY
MaybeLocal<Value> GetCipherVersion(Environment* env, const SSLPointer& ssl) {
return GetCipherVersion(env, SSL_get_current_cipher(ssl.get()));
}
+#if !OPENSSL_IS_LEGACY
MaybeLocal<Array> GetClientHelloCiphers(
Environment* env,
const SSLPointer& ssl) {
@@ -1130,6 +1139,7 @@ MaybeLocal<Array> GetClientHelloCiphers(
Local<Array> ret = Array::New(env->isolate(), ciphers.out(), count);
return scope.Escape(ret);
}
+#endif // !OPENSSL_IS_LEGACY
MaybeLocal<Object> GetCipherInfo(Environment* env, const SSLPointer& ssl) {
@@ -1140,10 +1150,12 @@ MaybeLocal<Object> GetCipherInfo(Environment* env, const SSLPointer& ssl) {
info,
env->name_string(),
GetCipherName(env, ssl)) ||
+#if !OPENSSL_IS_LEGACY
!Set<Value>(env->context(),
info,
env->standard_name_string(),
GetCipherStandardName(env, ssl)) ||
+#endif // !OPENSSL_IS_LEGACY
!Set<Value>(env->context(),
info,
env->version_string(),
diff --git a/src/node_crypto_common.h b/src/node_crypto_common.h
index bf58df1..8e1ac58 100644
--- a/src/node_crypto_common.h
+++ b/src/node_crypto_common.h
@@ -67,15 +67,19 @@ long VerifyPeerCertificate( // NOLINT(runtime/int)
int UseSNIContext(const SSLPointer& ssl, BaseObjectPtr<SecureContext> context);
+#if !OPENSSL_IS_LEGACY
const char* GetClientHelloALPN(const SSLPointer& ssl);
const char* GetClientHelloServerName(const SSLPointer& ssl);
+#endif // !OPENSSL_IS_LEGACY
const char* GetServerName(SSL* ssl);
+#if !OPENSSL_IS_LEGACY
v8::MaybeLocal<v8::Array> GetClientHelloCiphers(
Environment* env,
const SSLPointer& ssl);
+#endif // !OPENSSL_IS_LEGACY
bool SetGroups(SecureContext* sc, const char* groups);
@@ -91,9 +95,11 @@ v8::MaybeLocal<v8::Value> GetCipherName(
Environment* env,
const SSLPointer& ssl);
+#if !OPENSSL_IS_LEGACY
v8::MaybeLocal<v8::Value> GetCipherStandardName(
Environment* env,
const SSLPointer& ssl);
+#endif // !OPENSSL_IS_LEGACY
v8::MaybeLocal<v8::Value> GetCipherVersion(
Environment* env,
diff --git a/src/node_options.cc b/src/node_options.cc
index 35d518b..26a891a 100644
--- a/src/node_options.cc
+++ b/src/node_options.cc
@@ -9,6 +9,8 @@
#include <sstream>
#include <cstdlib> // strtoul, errno
+#include <node-ssl-shim/features.h>
+
using v8::Boolean;
using v8::Context;
using v8::FunctionCallbackInfo;
@@ -113,10 +115,12 @@ void EnvironmentOptions::CheckOptions(std::vector<std::string>* errors) {
errors->push_back("invalid value for --unhandled-rejections");
}
+#if !OPENSSL_IS_LEGACY
if (tls_min_v1_3 && tls_max_v1_2) {
errors->push_back("either --tls-min-v1.3 or --tls-max-v1.2 can be "
"used, not both");
}
+#endif // !OPENSSL_IS_LEGACY
if (heap_snapshot_near_heap_limit < 0) {
errors->push_back("--heap-snapshot-near-heap-limit must not be negative");
@@ -563,14 +567,17 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() {
"set default TLS minimum to TLSv1.2 (default: TLSv1.2)",
&EnvironmentOptions::tls_min_v1_2,
kAllowedInEnvironment);
+#if !OPENSSL_IS_LEGACY
AddOption("--tls-min-v1.3",
"set default TLS minimum to TLSv1.3 (default: TLSv1.2)",
&EnvironmentOptions::tls_min_v1_3,
kAllowedInEnvironment);
+#endif // !OPENSSL_IS_LEGACY
AddOption("--tls-max-v1.2",
- "set default TLS maximum to TLSv1.2 (default: TLSv1.3)",
+ "set default TLS maximum to TLSv1.2 (default: TLSv1.2)",
&EnvironmentOptions::tls_max_v1_2,
kAllowedInEnvironment);
+#if !OPENSSL_IS_LEGACY
// Current plan is:
// - 11.x and below: TLS1.3 is opt-in with --tls-max-v1.3
// - 12.x: TLS1.3 is opt-out with --tls-max-v1.2
@@ -579,6 +586,7 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() {
"set default TLS maximum to TLSv1.3 (default: TLSv1.3)",
&EnvironmentOptions::tls_max_v1_3,
kAllowedInEnvironment);
+#endif // !OPENSSL_IS_LEGACY
}
PerIsolateOptionsParser::PerIsolateOptionsParser(
diff --git a/test/fixtures/openssl_fips_disabled.cnf b/test/fixtures/openssl_fips_disabled.cnf
index 253c690..8668370 100644
--- a/test/fixtures/openssl_fips_disabled.cnf
+++ b/test/fixtures/openssl_fips_disabled.cnf
@@ -1,6 +1,6 @@
# Skeleton openssl.cnf for testing with FIPS
-nodejs_conf = openssl_conf_section
+openssl_conf = openssl_conf_section
authorityKeyIdentifier=keyid:always,issuer:always
[openssl_conf_section]
diff --git a/test/fixtures/openssl_fips_enabled.cnf b/test/fixtures/openssl_fips_enabled.cnf
index 79733c6..9c1a90f 100644
--- a/test/fixtures/openssl_fips_enabled.cnf
+++ b/test/fixtures/openssl_fips_enabled.cnf
@@ -1,6 +1,6 @@
# Skeleton openssl.cnf for testing with FIPS
-nodejs_conf = openssl_conf_section
+openssl_conf = openssl_conf_section
authorityKeyIdentifier=keyid:always,issuer:always
[openssl_conf_section]
diff --git a/test/parallel/test-tls-cli-max-version-1.3.js b/test/known_issues/test-tls-cli-max-version-1.3.js
similarity index 100%
rename from test/parallel/test-tls-cli-max-version-1.3.js
rename to test/known_issues/test-tls-cli-max-version-1.3.js
diff --git a/test/parallel/test-tls-cli-min-max-conflict.js b/test/known_issues/test-tls-cli-min-max-conflict.js
similarity index 100%
rename from test/parallel/test-tls-cli-min-max-conflict.js
rename to test/known_issues/test-tls-cli-min-max-conflict.js
diff --git a/test/parallel/test-tls-cli-min-version-1.3.js b/test/known_issues/test-tls-cli-min-version-1.3.js
similarity index 100%
rename from test/parallel/test-tls-cli-min-version-1.3.js
rename to test/known_issues/test-tls-cli-min-version-1.3.js
diff --git a/test/parallel/test-crypto-fips.js b/test/parallel/test-crypto-fips.js
index bf8b3c1..a1ed645 100644
--- a/test/parallel/test-crypto-fips.js
+++ b/test/parallel/test-crypto-fips.js
@@ -64,7 +64,7 @@ testHelper(
[],
FIPS_DISABLED,
'require("crypto").getFips()',
- { ...process.env, 'OPENSSL_CONF': ' ' });
+ { ...process.env, 'OPENSSL_CONF': '' });
// --enable-fips should turn FIPS mode on
testHelper(
--
2.38.1