MLE-16819 : Support TLSv1.3 via Node Client

Author: anu3990

etc/test-config.js

@@ -148,5 +148,14 @@ module.exports = {
         host:     testHost,
         port:     restPort,
         authType: 'oauth'
+    },
+    restConnectionForTls: {
+        host:     testHost,
+        port:     restPort,
+        user:     restWriterUser,
+        password: restWriterPassword,
+        authType: restAuthType,
+        ssl: true,
+        rejectUnauthorized: false
     }
 };

lib/marklogic.js

@@ -732,7 +732,7 @@ function initClient(client, inputParams) {
   'enableGzippedResponses', 'oauthToken'];
   if(isSSL) {
     keys.push('ca', 'cert', 'ciphers', 'clientCertEngine', 'crl', 'dhparam', 'ecdhCurve', 'honorCipherOrder', 'key', 'passphrase',
-        'pfx', 'rejectUnauthorized', 'secureOptions', 'secureProtocol', 'servername', 'sessionIdContext', 'highWaterMark');
+        'pfx', 'rejectUnauthorized', 'secureOptions', 'secureProtocol', 'servername', 'sessionIdContext', 'highWaterMark', 'agent');
   }
   for (var i=0; i < keys.length; i++) {
     var key = keys[i];

test-basic/ssl-min-allow-tls-test.js

@@ -0,0 +1,189 @@
+/*
+ * Copyright (c) 2025 MarkLogic Corporation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+let testconfig = require('../etc/test-config.js');
+let should = require('should');
+let marklogic = require('../');
+const { exec } = require('child_process');
+const testlib = require("../etc/test-lib");
+let db = marklogic.createDatabaseClient(testconfig.restConnectionForTls);
+let serverConfiguration = {};
+describe('ssl-min-allow-tls-test', function() {
+    this.timeout(10000);
+    before(function (done) {
+        testlib.findServerConfiguration(serverConfiguration);
+        setTimeout(() => {
+            done();
+        }, 2000);
+    });
+    describe('document write and read using min tls', function () {
+
+        before(function (done) {
+                if (serverConfiguration.serverVersion < 12) {
+                    this.skip();
+                }
+                createAndSetupTemplate("test-template", done);
+        });
+
+        after(function (done) {
+            sslReset().then(() => {
+                testconfig.restConnectionForTls.ssl = false;
+                testconfig.restConnectionForTls.agent = null;
+                db = marklogic.createDatabaseClient(testconfig.restConnectionForTls);
+                db.documents.remove('/test/write_tlsV1.3.json', '/test/write_tlsV1.2.json')
+                    .result(() => done())
+                    .catch(error => done(error));
+            });
+        });
+
+        it('should write document with minimum TLS versions 1.3', function (done) {
+            updateTlsVersion('TLSv1.3').then((result) => {
+                db.documents.write({
+                    uri: '/test/write_tlsV1.3.json',
+                    contentType: 'application/json',
+                    content: '{"key1":"With TLS 1.3"}'
+                }).result(function (response) {
+                    db.documents.read('/test/write_tlsV1.3.json')
+                        .result(function (documents) {
+                            documents[0].content.should.have.property('key1');
+                            documents[0].content.key1.should.equal('With TLS 1.3');
+
+                        }).then(() => done())
+                        .catch(error => done(error));
+                })
+            })
+        });
+
+        it('should write document with minimum TLS versions 1.2', function (done) {
+            updateTlsVersion('TLSv1.2').then((result) => {
+                db.documents.write({
+                    uri: '/test/write_tlsV1.2.json',
+                    contentType: 'application/json',
+                    content: '{"key1":"With TLS 1.2"}'
+                }).result(function (response) {
+                    db.documents.read('/test/write_tlsV1.2.json')
+                        .result(function (documents) {
+                            documents[0].content.should.have.property('key1');
+                            documents[0].content.key1.should.equal('With TLS 1.2');
+
+                        }).then(() => done())
+                        .catch(error => done(error));
+                })
+            })
+        });
+
+        it('should throw error when user sets 1.2 and server needs 1.3', function (done) {
+            const https = require('https');
+            const tlsAgent = new https.Agent({
+                keepAlive: true,
+                minVersion: 'TLSv1.2',
+                maxVersion: 'TLSv1.2'
+            });
+            testconfig.restConnectionForTls.agent = tlsAgent;
+            db = marklogic.createDatabaseClient(testconfig.restConnectionForTls);
+            updateTlsVersion('TLSv1.3').then(() => {
+                db.documents.write({
+                    uri: '/test/write_tlsV1.2.json',
+                    contentType: 'application/json',
+                    content: '{"key1":"With TLS 1.2"}'
+                }).result(() => done()).catch(error => {
+                    // TLS handshake error.
+                    error.message.should.containEql("error:0A00042E:SSL routines")
+                    done();
+                })
+            })
+        });
+    })
+
+    function updateTlsVersion(tlsVersion) {
+        return new Promise((resolve, reject) => {
+            const curlCommand = `
+                curl --anyauth --user admin:admin -X PUT -H "Content-Type: application/json" \
+    -d '{"ssl-min-allow-tls": "${tlsVersion}"}' \
+    'http://localhost:8002/manage/v2/servers/unittest-nodeapi/properties?group-id=Default'
+        `;
+            exec(curlCommand, (error, stdout, stderr) => {
+                if (error) {
+                    throw new Error(`Error executing curl: ${stderr}`);
+                }
+                resolve();
+            });
+        });
+    }
+
+    function createAndSetupTemplate(templateName, done) {
+        return new Promise((resolve, reject) => {
+            const curlCommand = `
+                curl -X POST  --anyauth -u admin:admin --header "Content-Type:application/json" \\
+                  -d '{
+                  "template-name": "${templateName}",
+                  "template-description": "My Template",
+                  "key-type": "rsa",
+                  "key-options": {
+                    "key-length": "2048"
+                  },
+                  "req": {
+                  "version": "0",
+                    "subject": {
+                      "organizationName": "MarkLogic"
+                    }
+                  }
+                }' http://localhost:8002/manage/v2/certificate-templates
+        `;
+            exec(curlCommand, (error, stdout, stderr) => {
+                if (error) {
+                    throw new Error(`Error executing curl: ${stderr}`);
+                }
+                return new Promise((resolve, reject) => {
+                    const command = `curl --anyauth --user admin:admin -X PUT -H "Content-Type: application/json" \\
+                    -d '{
+                        "ssl-certificate-template": "${templateName}",
+                        "ssl-require-client-certificate":false
+                    }' \\
+                    'http://localhost:8002/manage/v2/servers/unittest-nodeapi/properties?group-id=Default'`;
+
+                    exec(command, (error, stdout, stderr) => {
+                        if (error) {
+                            throw new Error(`Error executing curl: ${stderr}`);
+                        }
+                        done();
+                    })
+
+                });
+            });
+        })
+    }
+
+    function sslReset() {
+        return new Promise((resolve, reject) => {
+            const command = `curl --anyauth --user admin:admin -X PUT -H "Content-Type: application/json" \\
+            -d '{
+                "ssl-certificate-template": null,
+                "ssl-require-client-certificate":true,
+                "ssl-min-allow-tls": "TLSv1.2"
+            }' \\
+            'http://localhost:8002/manage/v2/servers/unittest-nodeapi/properties?group-id=Default'`;
+
+            exec(command, (error, stdout, stderr) => {
+                if (error) {
+                    throw new Error(`Error executing curl: ${stderr}`);
+                }
+                resolve();
+            })
+
+        });
+    }
+});