From 4ba04fcbfd74f9b214c6dd25d82dad5a87cf8465 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= <jstanek@redhat.com>
Date: Wed, 13 Jul 2022 14:30:43 +0200
Subject: [PATCH] Disable unsupported OpenSSL features
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Disable no-certificate PSK authentication

  There is no obvious way to reimplement it using only OpenSSL 1.0 public APIs.

- Disable queries for standard cipher name

  OpenSSL 1.0 does not record said names.

- Remove ClientHello getters

  The disabled functions internally use
  `SSL_client_hello_get0_ext`/`SSL_client_hello_get0_ciphers`,
  which are not available on legacy OpenSSL.
  There may be another way to get to the same data,
  but nothing jumps out in the OpenSSL 1.0.2 documentation.

- Remove TLSv1.3 CLI options

- Remove usage of OPENSSL_secure_{malloc,clear_free}

  Unsupported in OpenSSL 1.0.

  The expected semantics is the same as using the regular versions,
  so the possibility of using the secure heap was simply removed.

- Revert "src,deps,build,test: add OpenSSL config appname"

  This reverts commit 8e8aef836cb9807c9fe5ca350f1e7febdb40c3a7.

Signed-off-by: Jan Staněk <jstanek@redhat.com>
---
 BUILDING.md                                   | 14 ------
 configure.py                                  |  8 ----
 doc/api/cli.md                                | 18 --------
 doc/api/tls.md                                | 15 +++----
 src/env.h                                     | 11 ++++-
 src/node.cc                                   | 43 -------------------
 src/node_crypto.cc                            |  8 +++-
 src/node_crypto_common.cc                     | 12 ++++++
 src/node_crypto_common.h                      |  6 +++
 src/node_options.cc                           | 10 ++++-
 test/fixtures/openssl_fips_disabled.cnf       |  2 +-
 test/fixtures/openssl_fips_enabled.cnf        |  2 +-
 .../test-tls-cli-max-version-1.3.js           |  0
 .../test-tls-cli-min-max-conflict.js          |  0
 .../test-tls-cli-min-version-1.3.js           |  0
 test/parallel/test-crypto-fips.js             |  2 +-
 16 files changed, 53 insertions(+), 98 deletions(-)
 rename test/{parallel => known_issues}/test-tls-cli-max-version-1.3.js (100%)
 rename test/{parallel => known_issues}/test-tls-cli-min-max-conflict.js (100%)
 rename test/{parallel => known_issues}/test-tls-cli-min-version-1.3.js (100%)

diff --git a/BUILDING.md b/BUILDING.md
index 0ae3c09d99..5d2459eb76 100644
--- a/BUILDING.md
+++ b/BUILDING.md
@@ -52,7 +52,6 @@ file a new issue.
   * [Build with a specific ICU](#build-with-a-specific-icu)
     * [Unix/macOS](#unixmacos-3)
     * [Windows](#windows-4)
-* [Configuring OpenSSL config appname](#configure-openssl-appname)
 * [Building Node.js with FIPS-compliant OpenSSL](#building-nodejs-with-fips-compliant-openssl)
 * [Building Node.js with external core modules](#building-nodejs-with-external-core-modules)
   * [Unix/macOS](#unixmacos-4)
@@ -767,19 +766,6 @@ as `deps/icu` (You'll have: `deps/icu/source/...`)
 > .\vcbuild full-icu
 ```
 
-### Configure OpenSSL appname
-
-Node.js can use an OpenSSL configuration file by specifying the environment
-variable `OPENSSL_CONF`, or using the command line option `--openssl-conf`, and
-if none of those are specified will default to reading the default OpenSSL
-configuration file `openssl.cnf`. Node.js will only read a section that is by
-default named `nodejs_conf`, but this name can be overridden using the following
-configure option:
-
-```console
-$ ./configure --openssl-conf-name=<some_conf_name>
-```
-
 ## Building Node.js with FIPS-compliant OpenSSL
 
 The current version of Node.js does not support FIPS.
diff --git a/configure.py b/configure.py
index 892e1d4202..2ea4eb69f5 100755
--- a/configure.py
+++ b/configure.py
@@ -176,12 +176,6 @@ parser.add_option("--link-module",
          "e.g. /root/x/y.js will be referenced via require('root/x/y'). "
          "Can be used multiple times")
 
-parser.add_option("--openssl-conf-name",
-    action="store",
-    dest="openssl_conf_name",
-    default='nodejs_conf',
-    help="The OpenSSL config appname (config section name) used by Node.js")
-
 parser.add_option('--openssl-default-cipher-list',
     action='store',
     dest='openssl_default_cipher_list',
@@ -1343,8 +1337,6 @@ def configure_openssl(o):
   if options.openssl_no_asm:
     variables['openssl_no_asm'] = 1
 
-  o['defines'] += ['NODE_OPENSSL_CONF_NAME=' + options.openssl_conf_name]
-
   if options.without_ssl:
     def without_ssl_error(option):
       error('--without-ssl is incompatible with %s' % option)
diff --git a/doc/api/cli.md b/doc/api/cli.md
index ff5dff244e..61bac086bf 100644
--- a/doc/api/cli.md
+++ b/doc/api/cli.md
@@ -902,14 +902,6 @@ added:
 Set [`tls.DEFAULT_MAX_VERSION`][] to 'TLSv1.2'. Use to disable support for
 TLSv1.3.
 
-### `--tls-max-v1.3`
-<!-- YAML
-added: v12.0.0
--->
-
-Set default [`tls.DEFAULT_MAX_VERSION`][] to 'TLSv1.3'. Use to enable support
-for TLSv1.3.
-
 ### `--tls-min-v1.0`
 <!-- YAML
 added:
@@ -941,14 +933,6 @@ Set default [`tls.DEFAULT_MIN_VERSION`][] to 'TLSv1.2'. This is the default for
 12.x and later, but the option is supported for compatibility with older Node.js
 versions.
 
-### `--tls-min-v1.3`
-<!-- YAML
-added: v12.0.0
--->
-
-Set default [`tls.DEFAULT_MIN_VERSION`][] to 'TLSv1.3'. Use to disable support
-for TLSv1.2, which is not as secure as TLSv1.3.
-
 ### `--trace-atomics-wait`
 <!-- YAML
 added: v14.3.0
@@ -1391,11 +1375,9 @@ Node.js options that are allowed are:
 * `--tls-cipher-list`
 * `--tls-keylog`
 * `--tls-max-v1.2`
-* `--tls-max-v1.3`
 * `--tls-min-v1.0`
 * `--tls-min-v1.1`
 * `--tls-min-v1.2`
-* `--tls-min-v1.3`
 * `--trace-atomics-wait`
 * `--trace-deprecation`
 * `--trace-event-categories`
diff --git a/doc/api/tls.md b/doc/api/tls.md
index 271dd095fb..0e8125fffd 100644
--- a/doc/api/tls.md
+++ b/doc/api/tls.md
@@ -1988,10 +1988,10 @@ added: v11.4.0
 
 * {string} The default value of the `maxVersion` option of
   [`tls.createSecureContext()`][]. It can be assigned any of the supported TLS
-  protocol versions, `'TLSv1.3'`, `'TLSv1.2'`, `'TLSv1.1'`, or `'TLSv1'`.
-  **Default:** `'TLSv1.3'`, unless changed using CLI options. Using
-  `--tls-max-v1.2` sets the default to `'TLSv1.2'`. Using `--tls-max-v1.3` sets
-  the default to `'TLSv1.3'`. If multiple of the options are provided, the
+  protocol versions, `'TLSv1.2'`, `'TLSv1.1'`, or `'TLSv1'`.
+  **Default:** `'TLSv1.2'`, unless changed using CLI options. Using
+  `--tls-max-v1.2` sets the default to `'TLSv1.2'`.
+  If multiple of the options are provided, the
   highest maximum is used.
 
 ## `tls.DEFAULT_MIN_VERSION`
@@ -2001,12 +2001,11 @@ added: v11.4.0
 
 * {string} The default value of the `minVersion` option of
   [`tls.createSecureContext()`][]. It can be assigned any of the supported TLS
-  protocol versions, `'TLSv1.3'`, `'TLSv1.2'`, `'TLSv1.1'`, or `'TLSv1'`.
+  protocol versions, `'TLSv1.2'`, `'TLSv1.1'`, or `'TLSv1'`.
   **Default:** `'TLSv1.2'`, unless changed using CLI options. Using
   `--tls-min-v1.0` sets the default to `'TLSv1'`. Using `--tls-min-v1.1` sets
-  the default to `'TLSv1.1'`. Using `--tls-min-v1.3` sets the default to
-  `'TLSv1.3'`. If multiple of the options are provided, the lowest minimum is
-  used.
+  the default to `'TLSv1.1'`. If multiple of the options are provided,
+  the lowest minimum is used.
 
 [CVE-2021-44531]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44531
 [Chrome's 'modern cryptography' setting]: https://www.chromium.org/Home/chromium-security/education/tls#TOC-Cipher-Suites
diff --git a/src/env.h b/src/env.h
index 824202ef52..90b04e2b1f 100644
--- a/src/env.h
+++ b/src/env.h
@@ -50,6 +50,8 @@
 #include <unordered_set>
 #include <vector>
 
+#include <node-ssl-shim/ssl-shim.h>
+
 namespace node {
 
 namespace contextify {
@@ -141,6 +143,13 @@ constexpr size_t kFsStatsBufferLength =
 // Make sure that any macro V defined for use with the PER_ISOLATE_* macros is
 // undefined again after use.
 
+// Some symbols/strings are not defined when using legacy OpenSSL
+#if OPENSSL_IS_LEGACY
+#   define NODE_ENV_STANDARD_NAME_STRING
+#else // OPENSSL_IS_LEGACY
+#   define NODE_ENV_STANDARD_NAME_STRING V(standard_name_string, "standardName")
+#endif // OPENSSL_IS_LEGACY
+
 // Private symbols are per-isolate primitives but Environment proxies them
 // for the sake of convenience.  Strings should be ASCII-only and have a
 // "node:" prefix to avoid name clashes with third-party code.
@@ -368,7 +377,7 @@ constexpr size_t kFsStatsBufferLength =
   V(sni_context_string, "sni_context")                                         \
   V(source_string, "source")                                                   \
   V(stack_string, "stack")                                                     \
-  V(standard_name_string, "standardName")                                      \
+  NODE_ENV_STANDARD_NAME_STRING                                                \
   V(start_time_string, "startTime")                                            \
   V(status_string, "status")                                                   \
   V(stdio_string, "stdio")                                                     \
diff --git a/src/node.cc b/src/node.cc
index d3b884aa66..683e36c1a5 100644
--- a/src/node.cc
+++ b/src/node.cc
@@ -44,7 +44,6 @@
 #if HAVE_OPENSSL
 #include "allocated_buffer-inl.h"  // Inlined functions needed by node_crypto.h
 #include "node_crypto.h"
-#include <openssl/conf.h>
 #endif
 
 #if defined(NODE_HAVE_I18N_SUPPORT)
@@ -155,9 +154,6 @@ uint64_t node_start_time;
 struct V8Platform v8_platform;
 }  // namespace per_process
 
-// The section in the OpenSSL configuration file to be loaded.
-const char* conf_section_name = STRINGIFY(NODE_OPENSSL_CONF_NAME);
-
 #ifdef __POSIX__
 void SignalExit(int signo, siginfo_t* info, void* ucontext) {
   ResetStdio();
@@ -979,7 +975,6 @@ void Init(int* argc,
     argv[i] = strdup(argv_[i].c_str());
 }
 
-
 InitializationResult InitializeOncePerProcess(int argc, char** argv) {
   // Initialized the enabled list for Debug() calls with system
   // environment variables.
@@ -1045,44 +1040,6 @@ InitializationResult InitializeOncePerProcess(int argc, char** argv) {
     if (credentials::SafeGetenv("NODE_EXTRA_CA_CERTS", &extra_ca_certs))
       crypto::UseExtraCaCerts(extra_ca_certs);
   }
-
-  // Passing NULL as the config file will allow the default openssl.cnf file
-  // to be loaded, but the default section in that file will not be used,
-  // instead only the section that matches the value of conf_section_name
-  // will be read from the default configuration file.
-  const char* conf_file = nullptr;
-  // Use OPENSSL_CONF environment variable is set.
-  std::string env_openssl_conf;
-  credentials::SafeGetenv("OPENSSL_CONF", &env_openssl_conf);
-  if (!env_openssl_conf.empty()) {
-    conf_file = env_openssl_conf.c_str();
-  }
-  // Use --openssl-conf command line option if specified.
-  if (!per_process::cli_options->openssl_config.empty()) {
-    conf_file = per_process::cli_options->openssl_config.c_str();
-  }
-
-  OPENSSL_INIT_SETTINGS* settings = OPENSSL_INIT_new();
-  OPENSSL_INIT_set_config_filename(settings, conf_file);
-  OPENSSL_INIT_set_config_appname(settings, conf_section_name);
-  OPENSSL_INIT_set_config_file_flags(settings,
-                                     CONF_MFLAGS_IGNORE_MISSING_FILE);
-
-  OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, settings);
-  OPENSSL_INIT_free(settings);
-
-  if (ERR_peek_error() != 0) {
-    int ossl_error_code = ERR_GET_REASON(ERR_peek_error());
-    if (ossl_error_code != EVP_R_FIPS_MODE_NOT_SUPPORTED) {
-      result.exit_code = ossl_error_code;
-      result.early_return = true;
-      fprintf(stderr, "%s", "OpenSSL configuration error:\n");
-      ERR_print_errors_fp(stderr);
-      return result;
-    }
-  }
-
-
   // In the case of FIPS builds we should make sure
   // the random source is properly initialized first.
   if (FIPS_mode()) {
diff --git a/src/node_crypto.cc b/src/node_crypto.cc
index 975a148fc8..8bb34ab620 100644
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -7124,11 +7124,15 @@ namespace {
 // make use of secure heap, this has the same semantics as
 // using OPENSSL_malloc. However, if the secure heap is
 // initialized, SecureBuffer will automatically use it.
+//
+// RHEL 7 Note: secure_{malloc,clear_free} is not available in OpenSSL 1.0
+// As in this case the expected behaviour is to fall back to their
+// "regular" counterparts, the "secure" calls were replaced with them.
 void SecureBuffer(const FunctionCallbackInfo<Value>& args) {
   CHECK(args[0]->IsUint32());
   Environment* env = Environment::GetCurrent(args);
   uint32_t len = args[0].As<Uint32>()->Value();
-  char* data = static_cast<char*>(OPENSSL_secure_malloc(len));
+  char* data = static_cast<char*>(OPENSSL_malloc(len));
   if (data == nullptr) {
     // There's no memory available for the allocation.
     // Return nothing.
@@ -7140,7 +7144,7 @@ void SecureBuffer(const FunctionCallbackInfo<Value>& args) {
           data,
           len,
           [](void* data, size_t len, void* deleter_data) {
-            OPENSSL_secure_clear_free(data, len);
+            OPENSSL_clear_free(data, len);
           },
           data);
   Local<ArrayBuffer> buffer = ArrayBuffer::New(env->isolate(), store);
diff --git a/src/node_crypto_common.cc b/src/node_crypto_common.cc
index 7d313dd3df..a7bde45094 100644
--- a/src/node_crypto_common.cc
+++ b/src/node_crypto_common.cc
@@ -143,6 +143,7 @@ long VerifyPeerCertificate(  // NOLINT(runtime/int)
   if (X509* peer_cert = SSL_get_peer_certificate(ssl.get())) {
     X509_free(peer_cert);
     err = SSL_get_verify_result(ssl.get());
+#if !OPENSSL_IS_LEGACY
   } else {
     const SSL_CIPHER* curr_cipher = SSL_get_current_cipher(ssl.get());
     const SSL_SESSION* sess = SSL_get_session(ssl.get());
@@ -154,6 +155,7 @@ long VerifyPeerCertificate(  // NOLINT(runtime/int)
          SSL_session_reused(ssl.get()))) {
       return X509_V_OK;
     }
+#endif // !OPENSSL_IS_LEGACY
   }
   return err;
 }
@@ -171,6 +173,7 @@ int UseSNIContext(const SSLPointer& ssl, BaseObjectPtr<SecureContext> context) {
   return err;
 }
 
+#if !OPENSSL_IS_LEGACY
 const char* GetClientHelloALPN(const SSLPointer& ssl) {
   const unsigned char* buf;
   size_t len;
@@ -217,6 +220,7 @@ const char* GetClientHelloServerName(const SSLPointer& ssl) {
     return nullptr;
   return reinterpret_cast<const char*>(buf + 5);
 }
+#endif // !OPENSSL_IS_LEGACY
 
 const char* GetServerName(SSL* ssl) {
   return SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
@@ -330,11 +334,13 @@ MaybeLocal<Value> GetCipherName(Environment* env, const SSL_CIPHER* cipher) {
   return GetCipherValue(env, cipher, SSL_CIPHER_get_name);
 }
 
+#if !OPENSSL_IS_LEGACY
 MaybeLocal<Value> GetCipherStandardName(
     Environment* env,
     const SSL_CIPHER* cipher) {
   return GetCipherValue(env, cipher, SSL_CIPHER_standard_name);
 }
+#endif // !OPENSSL_IS_LEGACY
 
 MaybeLocal<Value> GetCipherVersion(Environment* env, const SSL_CIPHER* cipher) {
 #if OPENSSL_IS_LEGACY
@@ -1088,16 +1094,19 @@ MaybeLocal<Value> GetCipherName(Environment* env, const SSLPointer& ssl) {
   return GetCipherName(env, SSL_get_current_cipher(ssl.get()));
 }
 
+#if !OPENSSL_IS_LEGACY
 MaybeLocal<Value> GetCipherStandardName(
     Environment* env,
     const SSLPointer& ssl) {
   return GetCipherStandardName(env, SSL_get_current_cipher(ssl.get()));
 }
+#endif // !OPENSSL_IS_LEGACY
 
 MaybeLocal<Value> GetCipherVersion(Environment* env, const SSLPointer& ssl) {
   return GetCipherVersion(env, SSL_get_current_cipher(ssl.get()));
 }
 
+#if !OPENSSL_IS_LEGACY
 MaybeLocal<Array> GetClientHelloCiphers(
     Environment* env,
     const SSLPointer& ssl) {
@@ -1130,6 +1139,7 @@ MaybeLocal<Array> GetClientHelloCiphers(
   Local<Array> ret = Array::New(env->isolate(), ciphers.out(), count);
   return scope.Escape(ret);
 }
+#endif // !OPENSSL_IS_LEGACY
 
 
 MaybeLocal<Object> GetCipherInfo(Environment* env, const SSLPointer& ssl) {
@@ -1140,10 +1150,12 @@ MaybeLocal<Object> GetCipherInfo(Environment* env, const SSLPointer& ssl) {
                   info,
                   env->name_string(),
                   GetCipherName(env, ssl)) ||
+#if !OPENSSL_IS_LEGACY
       !Set<Value>(env->context(),
                   info,
                   env->standard_name_string(),
                   GetCipherStandardName(env, ssl)) ||
+#endif // !OPENSSL_IS_LEGACY
       !Set<Value>(env->context(),
                   info,
                   env->version_string(),
diff --git a/src/node_crypto_common.h b/src/node_crypto_common.h
index bf58df18f6..8e1ac58cd7 100644
--- a/src/node_crypto_common.h
+++ b/src/node_crypto_common.h
@@ -67,15 +67,19 @@ long VerifyPeerCertificate(  // NOLINT(runtime/int)
 
 int UseSNIContext(const SSLPointer& ssl, BaseObjectPtr<SecureContext> context);
 
+#if !OPENSSL_IS_LEGACY
 const char* GetClientHelloALPN(const SSLPointer& ssl);
 
 const char* GetClientHelloServerName(const SSLPointer& ssl);
+#endif // !OPENSSL_IS_LEGACY
 
 const char* GetServerName(SSL* ssl);
 
+#if !OPENSSL_IS_LEGACY
 v8::MaybeLocal<v8::Array> GetClientHelloCiphers(
     Environment* env,
     const SSLPointer& ssl);
+#endif // !OPENSSL_IS_LEGACY
 
 bool SetGroups(SecureContext* sc, const char* groups);
 
@@ -91,9 +95,11 @@ v8::MaybeLocal<v8::Value> GetCipherName(
     Environment* env,
     const SSLPointer& ssl);
 
+#if !OPENSSL_IS_LEGACY
 v8::MaybeLocal<v8::Value> GetCipherStandardName(
     Environment* env,
     const SSLPointer& ssl);
+#endif // !OPENSSL_IS_LEGACY
 
 v8::MaybeLocal<v8::Value> GetCipherVersion(
     Environment* env,
diff --git a/src/node_options.cc b/src/node_options.cc
index 06847ce332..66b9e4e917 100644
--- a/src/node_options.cc
+++ b/src/node_options.cc
@@ -9,6 +9,8 @@
 #include <sstream>
 #include <cstdlib>  // strtoul, errno
 
+#include <node-ssl-shim/features.h>
+
 using v8::Boolean;
 using v8::Context;
 using v8::FunctionCallbackInfo;
@@ -113,10 +115,12 @@ void EnvironmentOptions::CheckOptions(std::vector<std::string>* errors) {
     errors->push_back("invalid value for --unhandled-rejections");
   }
 
+#if !OPENSSL_IS_LEGACY
   if (tls_min_v1_3 && tls_max_v1_2) {
     errors->push_back("either --tls-min-v1.3 or --tls-max-v1.2 can be "
                       "used, not both");
   }
+#endif // !OPENSSL_IS_LEGACY
 
   if (heap_snapshot_near_heap_limit < 0) {
     errors->push_back("--heap-snapshot-near-heap-limit must not be negative");
@@ -563,14 +567,17 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() {
             "set default TLS minimum to TLSv1.2 (default: TLSv1.2)",
             &EnvironmentOptions::tls_min_v1_2,
             kAllowedInEnvironment);
+#if !OPENSSL_IS_LEGACY
   AddOption("--tls-min-v1.3",
             "set default TLS minimum to TLSv1.3 (default: TLSv1.2)",
             &EnvironmentOptions::tls_min_v1_3,
             kAllowedInEnvironment);
+#endif // !OPENSSL_IS_LEGACY
   AddOption("--tls-max-v1.2",
-            "set default TLS maximum to TLSv1.2 (default: TLSv1.3)",
+            "set default TLS maximum to TLSv1.2 (default: TLSv1.2)",
             &EnvironmentOptions::tls_max_v1_2,
             kAllowedInEnvironment);
+#if !OPENSSL_IS_LEGACY
   // Current plan is:
   // - 11.x and below: TLS1.3 is opt-in with --tls-max-v1.3
   // - 12.x: TLS1.3 is opt-out with --tls-max-v1.2
@@ -579,6 +586,7 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() {
             "set default TLS maximum to TLSv1.3 (default: TLSv1.3)",
             &EnvironmentOptions::tls_max_v1_3,
             kAllowedInEnvironment);
+#endif // !OPENSSL_IS_LEGACY
 }
 
 PerIsolateOptionsParser::PerIsolateOptionsParser(
diff --git a/test/fixtures/openssl_fips_disabled.cnf b/test/fixtures/openssl_fips_disabled.cnf
index 253c6906e3..8668370fac 100644
--- a/test/fixtures/openssl_fips_disabled.cnf
+++ b/test/fixtures/openssl_fips_disabled.cnf
@@ -1,6 +1,6 @@
 # Skeleton openssl.cnf for testing with FIPS
 
-nodejs_conf = openssl_conf_section
+openssl_conf = openssl_conf_section
 authorityKeyIdentifier=keyid:always,issuer:always
 
 [openssl_conf_section]
diff --git a/test/fixtures/openssl_fips_enabled.cnf b/test/fixtures/openssl_fips_enabled.cnf
index 79733c657a..9c1a90f508 100644
--- a/test/fixtures/openssl_fips_enabled.cnf
+++ b/test/fixtures/openssl_fips_enabled.cnf
@@ -1,6 +1,6 @@
 # Skeleton openssl.cnf for testing with FIPS
 
-nodejs_conf = openssl_conf_section
+openssl_conf = openssl_conf_section
 authorityKeyIdentifier=keyid:always,issuer:always
 
 [openssl_conf_section]
diff --git a/test/parallel/test-tls-cli-max-version-1.3.js b/test/known_issues/test-tls-cli-max-version-1.3.js
similarity index 100%
rename from test/parallel/test-tls-cli-max-version-1.3.js
rename to test/known_issues/test-tls-cli-max-version-1.3.js
diff --git a/test/parallel/test-tls-cli-min-max-conflict.js b/test/known_issues/test-tls-cli-min-max-conflict.js
similarity index 100%
rename from test/parallel/test-tls-cli-min-max-conflict.js
rename to test/known_issues/test-tls-cli-min-max-conflict.js
diff --git a/test/parallel/test-tls-cli-min-version-1.3.js b/test/known_issues/test-tls-cli-min-version-1.3.js
similarity index 100%
rename from test/parallel/test-tls-cli-min-version-1.3.js
rename to test/known_issues/test-tls-cli-min-version-1.3.js
diff --git a/test/parallel/test-crypto-fips.js b/test/parallel/test-crypto-fips.js
index bf8b3c157d..a1ed645184 100644
--- a/test/parallel/test-crypto-fips.js
+++ b/test/parallel/test-crypto-fips.js
@@ -64,7 +64,7 @@ testHelper(
   [],
   FIPS_DISABLED,
   'require("crypto").getFips()',
-  { ...process.env, 'OPENSSL_CONF': ' ' });
+  { ...process.env, 'OPENSSL_CONF': '' });
 
 // --enable-fips should turn FIPS mode on
 testHelper(
-- 
2.36.1