authorSam Roberts <vieuxtech@gmail.com>2019-05-01 12:51:44 -0700
committerMichaƫl Zasso <targos@protonmail.com>2019-05-04 09:20:23 +0200
commit7bbf95109567bfbf75b655e4c81679e914c3c036 (patch)
tree8b1ad5d07d9e106eaab7112ca7fd82cf64419408
parent014a9fd46fb312816422bb56326bae81187abf15 (diff)
tls: disallow conflicting TLS protocol options
Do not allow the minimum protocol level to be set higher than the max protocol level. See: https://github.com/nodejs/node/pull/26951, 109c097797b PR-URL: https://github.com/nodejs/node/pull/27521 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de> Reviewed-By: Rich Trott <rtrott@gmail.com>
-rw-r--r--src/node_options.cc5
-rw-r--r--test/parallel/test-tls-cli-min-max-conflict.js14
2 files changed, 19 insertions, 0 deletions
diff --git a/src/node_options.cc b/src/node_options.cc
index 552997e58c..b2f14d2056 100644
--- a/src/node_options.cc
+++ b/src/node_options.cc
@@ -148,6 +148,11 @@ void EnvironmentOptions::CheckOptions(std::vector<std::string>* errors) {
errors->push_back("invalid value for --unhandled-rejections");
}
+ if (tls_min_v1_3 && tls_max_v1_2) {
+ errors->push_back("either --tls-min-v1.3 or --tls-max-v1.2 can be "
+ "used, not both");
+ }
+
#if HAVE_INSPECTOR
if (!cpu_prof) {
if (!cpu_prof_name.empty()) {
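Review bot: The new guard `if (tls_min_v1_3 && tls_max_v1_2)` rejects exactly one pair of flags. Nothing in this hunk covers other ways to end up with a minimum above the maximum, such as several `--tls-min-*` or `--tls-max-*` flags given together, or `minVersion`/`maxVersion` set at runtime. Whether those paths are validated elsewhere is not visible here and should be confirmed, since a silently resolved conflict can leave a process negotiating a protocol version the operator meant to exclude. I would also add a comment above the check, for example `// A TLS 1.3 floor with a TLS 1.2 ceiling leaves no usable version; fail at startup rather than resolve it silently.` CheckOptions begins before this hunk and continues past it.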
diff --git a/test/parallel/test-tls-cli-min-max-conflict.js b/test/parallel/test-tls-cli-min-max-conflict.js
new file mode 100644
index 0000000000..68aae4c635
--- /dev/null
+++ b/test/parallel/test-tls-cli-min-max-conflict.js
@@ -0,0 +1,14 @@
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto) common.skip('missing crypto');
+
+// Check that conflicting TLS protocol versions are not allowed
+
+const assert = require('assert');
+const child_process = require('child_process');
+
+const args = ['--tls-min-v1.3', '--tls-max-v1.2', '-p', 'process.version'];
+child_process.execFile(process.argv[0], args, (err) => {
+ assert(err);
+ assert(/not both/.test(err.message));
+});
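Review bot: The `execFile` callback is not wrapped in `common.mustCall`, so if it never runs the two assertions are skipped and the test still passes. Changing the call to `child_process.execFile(process.argv[0], args, common.mustCall((err) => {` (closing with `}));`) makes a missing callback a failure. The existing check `assert(/not both/.test(err.message))` depends on the child's stderr being folded into `err.message`. Taking the callback's `stderr` argument and matching against that would tie the assertion directly to the option-validation error text.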