test: skip deprecated secp256k1 on OpenSSL 4.0

panva · panva · commit e70c6b3c530a · 2026-04-18T13:15:48.000+02:00
diff --git a/test/parallel/test-tls-ecdh-multiple.js b/test/parallel/test-tls-ecdh-multiple.js
@@ -8,7 +8,7 @@ if (!common.hasCrypto) {
   common.skip('missing crypto');
 }
 
-const { opensslCli } = require('../common/crypto');
+const { opensslCli, hasOpenSSL } = require('../common/crypto');
 const crypto = require('crypto');
 
 if (!opensslCli) {
@@ -24,11 +24,17 @@ function loadPEM(n) {
   return fixtures.readKey(`${n}.pem`);
 }
 
+// OpenSSL 4.0 disables support for deprecated elliptic curves from RFC 8422
+// (including secp256k1) by default.
+const ecdhCurve = hasOpenSSL(4, 0) ?
+  'prime256v1:secp521r1' :
+  'secp256k1:prime256v1:secp521r1';
+
 const options = {
   key: loadPEM('agent2-key'),
   cert: loadPEM('agent2-cert'),
   ciphers: '-ALL:ECDHE-RSA-AES128-SHA256',
-  ecdhCurve: 'secp256k1:prime256v1:secp521r1',
+  ecdhCurve,
   maxVersion: 'TLSv1.2',
 };
 
@@ -60,6 +66,11 @@ const server = tls.createServer(options, (conn) => {
     unsupportedCurves.push('brainpoolP256r1');
   }
 
+  // Deprecated RFC 8422 curves are disabled by default in OpenSSL 4.0.
+  if (hasOpenSSL(4, 0)) {
+    unsupportedCurves.push('secp256k1');
+  }
+
   unsupportedCurves.forEach((ecdhCurve) => {
     assert.throws(() => tls.createServer({ ecdhCurve }),
                   /Error: Failed to set ECDH curve/);
