From 00688b60426f4ad1e520a0789e32794f4417331d Mon Sep 17 00:00:00 2001
From: Sam Roberts <vieuxtech@gmail.com>
Date: Tue, 20 Nov 2018 15:30:34 -0800
Subject: [PATCH 01/15] tls: add code for ERR_TLS_INVALID_PROTOCOL_METHOD

Add an error code property to invalid `secureProtocol` method
exceptions.

Backport-PR-URL: https://github.com/nodejs/node/pull/26951
PR-URL: https://github.com/nodejs/node/pull/24729
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
---
 doc/api/errors.md  |  6 ++++++
 src/node_crypto.cc | 23 ++++++++++++++++-------
 src/node_errors.h  |  1 +
 3 files changed, 23 insertions(+), 7 deletions(-)

diff --git a/doc/api/errors.md b/doc/api/errors.md
index 4115d70115b60f..977c83c0d0eeac 100644
--- a/doc/api/errors.md
+++ b/doc/api/errors.md
@@ -1714,6 +1714,12 @@ recommended to use 2048 bits or larger for stronger security.
 A TLS/SSL handshake timed out. In this case, the server must also abort the
 connection.
 
+<a id="ERR_TLS_INVALID_PROTOCOL_METHOD"></a>
+### ERR_TLS_INVALID_PROTOCOL_METHOD
+
+The specified  `secureProtocol` method is invalid. It is  either unknown, or
+disabled because it is insecure.
+
 <a id="ERR_TLS_INVALID_PROTOCOL_VERSION"></a>
 ### ERR_TLS_INVALID_PROTOCOL_VERSION
 
diff --git a/src/node_crypto.cc b/src/node_crypto.cc
index cf7e5557102f1d..cd354c73d5cf25 100644
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -65,6 +65,8 @@ static const int X509_NAME_FLAGS = ASN1_STRFLGS_ESC_CTRL
 namespace node {
 namespace crypto {
 
+using node::THROW_ERR_TLS_INVALID_PROTOCOL_METHOD;
+
 using v8::Array;
 using v8::ArrayBufferView;
 using v8::Boolean;
@@ -424,17 +426,23 @@ void SecureContext::Init(const FunctionCallbackInfo<Value>& args) {
     // protocols are supported unless explicitly disabled (which we do below
     // for SSLv2 and SSLv3.)
     if (strcmp(*sslmethod, "SSLv2_method") == 0) {
-      return env->ThrowError("SSLv2 methods disabled");
+      THROW_ERR_TLS_INVALID_PROTOCOL_METHOD(env, "SSLv2 methods disabled");
+      return;
     } else if (strcmp(*sslmethod, "SSLv2_server_method") == 0) {
-      return env->ThrowError("SSLv2 methods disabled");
+      THROW_ERR_TLS_INVALID_PROTOCOL_METHOD(env, "SSLv2 methods disabled");
+      return;
     } else if (strcmp(*sslmethod, "SSLv2_client_method") == 0) {
-      return env->ThrowError("SSLv2 methods disabled");
+      THROW_ERR_TLS_INVALID_PROTOCOL_METHOD(env, "SSLv2 methods disabled");
+      return;
     } else if (strcmp(*sslmethod, "SSLv3_method") == 0) {
-      return env->ThrowError("SSLv3 methods disabled");
+      THROW_ERR_TLS_INVALID_PROTOCOL_METHOD(env, "SSLv3 methods disabled");
+      return;
     } else if (strcmp(*sslmethod, "SSLv3_server_method") == 0) {
-      return env->ThrowError("SSLv3 methods disabled");
+      THROW_ERR_TLS_INVALID_PROTOCOL_METHOD(env, "SSLv3 methods disabled");
+      return;
     } else if (strcmp(*sslmethod, "SSLv3_client_method") == 0) {
-      return env->ThrowError("SSLv3 methods disabled");
+      THROW_ERR_TLS_INVALID_PROTOCOL_METHOD(env, "SSLv3 methods disabled");
+      return;
     } else if (strcmp(*sslmethod, "SSLv23_method") == 0) {
       // noop
     } else if (strcmp(*sslmethod, "SSLv23_server_method") == 0) {
@@ -478,7 +486,8 @@ void SecureContext::Init(const FunctionCallbackInfo<Value>& args) {
       max_version = TLS1_2_VERSION;
       method = TLS_client_method();
     } else {
-      return env->ThrowError("Unknown method");
+      THROW_ERR_TLS_INVALID_PROTOCOL_METHOD(env, "Unknown method");
+      return;
     }
   }
 
diff --git a/src/node_errors.h b/src/node_errors.h
index 2e9fd761a8319d..835794b17820cc 100644
--- a/src/node_errors.h
+++ b/src/node_errors.h
@@ -55,6 +55,7 @@ void FatalException(v8::Isolate* isolate,
   V(ERR_SCRIPT_EXECUTION_INTERRUPTED, Error)                                 \
   V(ERR_SCRIPT_EXECUTION_TIMEOUT, Error)                                     \
   V(ERR_STRING_TOO_LONG, Error)                                              \
+  V(ERR_TLS_INVALID_PROTOCOL_METHOD, TypeError)                              \
   V(ERR_TRANSFERRING_EXTERNALIZED_SHAREDARRAYBUFFER, TypeError)              \
 
 #define V(code, type)                                                         \

From 8e14859459c14b36383c6666c4ce8c1ef5c1041b Mon Sep 17 00:00:00 2001
From: Sam Roberts <vieuxtech@gmail.com>
Date: Wed, 27 Mar 2019 18:26:34 -0700
Subject: [PATCH 02/15] tls: revert change to invalid protocol error type

In https://github.com/nodejs/node/pull/24729, the error was changed to
be a TypeError, which is the standard type for this kind of error.
However, it was Error in 11.x and earlier, so revert that single aspect,
so the backport can be semver-minor.

PR-URL: https://github.com/nodejs/node/pull/26951
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com>
---
 src/node_errors.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/node_errors.h b/src/node_errors.h
index 835794b17820cc..60abddf9f279a2 100644
--- a/src/node_errors.h
+++ b/src/node_errors.h
@@ -55,7 +55,7 @@ void FatalException(v8::Isolate* isolate,
   V(ERR_SCRIPT_EXECUTION_INTERRUPTED, Error)                                 \
   V(ERR_SCRIPT_EXECUTION_TIMEOUT, Error)                                     \
   V(ERR_STRING_TOO_LONG, Error)                                              \
-  V(ERR_TLS_INVALID_PROTOCOL_METHOD, TypeError)                              \
+  V(ERR_TLS_INVALID_PROTOCOL_METHOD, Error)                                  \
   V(ERR_TRANSFERRING_EXTERNALIZED_SHAREDARRAYBUFFER, TypeError)              \
 
 #define V(code, type)                                                         \

From 8b5d350a35524f77b24974c92e7e4139f27794b5 Mon Sep 17 00:00:00 2001
From: Sam Roberts <vieuxtech@gmail.com>
Date: Wed, 27 Mar 2019 18:42:57 -0700
Subject: [PATCH 03/15] src: add .code and SSL specific error properties

SSL errors have a long structured message, but lacked the standard .code
property which can be used for stable comparisons. Add a `code`
property, as well as the 3 string components of an SSL error: `reason`,
`library`, and `function`.

Backport-PR-URL: https://github.com/nodejs/node/pull/26951
PR-URL: https://github.com/nodejs/node/pull/25093
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
---
 src/env.h                                |  2 ++
 src/tls_wrap.cc                          | 37 +++++++++++++++++++++++-
 test/parallel/test-tls-alert-handling.js | 14 +++++++--
 3 files changed, 50 insertions(+), 3 deletions(-)

diff --git a/src/env.h b/src/env.h
index 0516c49f36ddcd..e75e336f9d935b 100644
--- a/src/env.h
+++ b/src/env.h
@@ -185,6 +185,7 @@ constexpr size_t kFsStatsBufferLength = kFsStatsFieldsNumber * 2;
   V(fingerprint_string, "fingerprint")                                         \
   V(flags_string, "flags")                                                     \
   V(fragment_string, "fragment")                                               \
+  V(function_string, "function")                                               \
   V(get_data_clone_error_string, "_getDataCloneError")                         \
   V(get_shared_array_buffer_id_string, "_getSharedArrayBufferId")              \
   V(gid_string, "gid")                                                         \
@@ -208,6 +209,7 @@ constexpr size_t kFsStatsBufferLength = kFsStatsFieldsNumber * 2;
   V(issuercert_string, "issuerCertificate")                                    \
   V(kill_signal_string, "killSignal")                                          \
   V(kind_string, "kind")                                                       \
+  V(library_string, "library")                                                 \
   V(mac_string, "mac")                                                         \
   V(main_string, "main")                                                       \
   V(max_buffer_string, "maxBuffer")                                            \
diff --git a/src/tls_wrap.cc b/src/tls_wrap.cc
index 412d9e8e86eac6..cf579af85ec124 100644
--- a/src/tls_wrap.cc
+++ b/src/tls_wrap.cc
@@ -40,6 +40,7 @@ using v8::Exception;
 using v8::Function;
 using v8::FunctionCallbackInfo;
 using v8::FunctionTemplate;
+using v8::Isolate;
 using v8::Local;
 using v8::Object;
 using v8::ReadOnly;
@@ -367,9 +368,43 @@ Local<Value> TLSWrap::GetSSLError(int status, int* err, std::string* msg) {
         BUF_MEM* mem;
         BIO_get_mem_ptr(bio, &mem);
 
+        Isolate* isolate = env()->isolate();
+        Local<Context> context = isolate->GetCurrentContext();
+
         Local<String> message =
-            OneByteString(env()->isolate(), mem->data, mem->length);
+            OneByteString(isolate, mem->data, mem->length);
         Local<Value> exception = Exception::Error(message);
+        Local<Object> obj = exception->ToObject(context).ToLocalChecked();
+
+        const char* ls = ERR_lib_error_string(ssl_err);
+        const char* fs = ERR_func_error_string(ssl_err);
+        const char* rs = ERR_reason_error_string(ssl_err);
+
+        if (ls != nullptr)
+          obj->Set(context, env()->library_string(),
+                   OneByteString(isolate, ls)).FromJust();
+        if (fs != nullptr)
+          obj->Set(context, env()->function_string(),
+                   OneByteString(isolate, fs)).FromJust();
+        if (rs != nullptr) {
+          obj->Set(context, env()->reason_string(),
+                   OneByteString(isolate, rs)).FromJust();
+
+          // SSL has no API to recover the error name from the number, so we
+          // transform reason strings like "this error" to "ERR_SSL_THIS_ERROR",
+          // which ends up being close to the original error macro name.
+          std::string code(rs);
+
+          for (auto& c : code) {
+            if (c == ' ')
+              c = '_';
+            else
+              c = ::toupper(c);
+          }
+          obj->Set(context, env()->code_string(),
+                   OneByteString(isolate, ("ERR_SSL_" + code).c_str()))
+                     .FromJust();
+        }
 
         if (msg != nullptr)
           msg->assign(mem->data, mem->data + mem->length);
diff --git a/test/parallel/test-tls-alert-handling.js b/test/parallel/test-tls-alert-handling.js
index e88453b115e0ea..63b845122fc1f0 100644
--- a/test/parallel/test-tls-alert-handling.js
+++ b/test/parallel/test-tls-alert-handling.js
@@ -7,6 +7,7 @@ if (!common.hasCrypto)
 if (!common.opensslCli)
   common.skip('node compiled without OpenSSL CLI');
 
+const assert = require('assert');
 const net = require('net');
 const tls = require('tls');
 const fixtures = require('../common/fixtures');
@@ -29,7 +30,11 @@ const opts = {
 const max_iter = 20;
 let iter = 0;
 
-const errorHandler = common.mustCall(() => {
+const errorHandler = common.mustCall((err) => {
+  assert.strictEqual(err.code, 'ERR_SSL_WRONG_VERSION_NUMBER');
+  assert.strictEqual(err.library, 'SSL routines');
+  assert.strictEqual(err.function, 'ssl3_get_record');
+  assert.strictEqual(err.reason, 'wrong version number');
   errorReceived = true;
   if (canCloseServer())
     server.close();
@@ -81,5 +86,10 @@ function sendBADTLSRecord() {
       socket.end(BAD_RECORD);
     });
   }));
-  client.on('error', common.mustCall());
+  client.on('error', common.mustCall((err) => {
+    assert.strictEqual(err.code, 'ERR_SSL_TLSV1_ALERT_PROTOCOL_VERSION');
+    assert.strictEqual(err.library, 'SSL routines');
+    assert.strictEqual(err.function, 'ssl3_read_bytes');
+    assert.strictEqual(err.reason, 'tlsv1 alert protocol version');
+  }));
 }

From d8cc478ae9bbba763420f238855ca22750371a93 Mon Sep 17 00:00:00 2001
From: Sam Roberts <vieuxtech@gmail.com>
Date: Tue, 26 Feb 2019 11:30:23 -0800
Subject: [PATCH 04/15] deps: upgrade openssl sources to 1.1.1b

This updates all sources in deps/openssl/openssl with openssl-1.1.1b.

Backport-PR-URL: https://github.com/nodejs/node/pull/26951
PR-URL: https://github.com/nodejs/node/pull/26327
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
---
 deps/openssl/openssl/crypto/include/internal/bn_conf.h  | 1 -
 deps/openssl/openssl/crypto/include/internal/dso_conf.h | 1 -
 deps/openssl/openssl/include/openssl/opensslconf.h      | 1 -
 3 files changed, 3 deletions(-)
 delete mode 100644 deps/openssl/openssl/crypto/include/internal/bn_conf.h
 delete mode 100644 deps/openssl/openssl/crypto/include/internal/dso_conf.h
 delete mode 100644 deps/openssl/openssl/include/openssl/opensslconf.h

diff --git a/deps/openssl/openssl/crypto/include/internal/bn_conf.h b/deps/openssl/openssl/crypto/include/internal/bn_conf.h
deleted file mode 100644
index 79400c6472a49c..00000000000000
--- a/deps/openssl/openssl/crypto/include/internal/bn_conf.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../../config/bn_conf.h"
diff --git a/deps/openssl/openssl/crypto/include/internal/dso_conf.h b/deps/openssl/openssl/crypto/include/internal/dso_conf.h
deleted file mode 100644
index e7f2afa9872320..00000000000000
--- a/deps/openssl/openssl/crypto/include/internal/dso_conf.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../../config/dso_conf.h"
diff --git a/deps/openssl/openssl/include/openssl/opensslconf.h b/deps/openssl/openssl/include/openssl/opensslconf.h
deleted file mode 100644
index 76c99d433ab886..00000000000000
--- a/deps/openssl/openssl/include/openssl/opensslconf.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../config/opensslconf.h"

From 1c98b720b12e4f3ec6449e94ce83c7ad68344ebc Mon Sep 17 00:00:00 2001
From: Shigeki Ohtsu <ohtsu@ohtsu.org>
Date: Wed, 7 Mar 2018 23:52:52 +0900
Subject: [PATCH 05/15] deps: add s390 asm rules for OpenSSL-1.1.1

This is a floating patch against OpenSSL-1.1.1 to generate asm files
with Makefile rules.

Backport-PR-URL: https://github.com/nodejs/node/pull/26951
PR-URL: https://github.com/nodejs/node/pull/26327
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>

Original:

Fixes: https://github.com/nodejs/node/issues/4270
PR-URL: https://github.com/nodejs/node/pull/19794
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
---
 deps/openssl/openssl/crypto/chacha/build.info   | 2 ++
 deps/openssl/openssl/crypto/poly1305/build.info | 2 ++
 deps/openssl/openssl/crypto/rc4/build.info      | 2 ++
 3 files changed, 6 insertions(+)

diff --git a/deps/openssl/openssl/crypto/chacha/build.info b/deps/openssl/openssl/crypto/chacha/build.info
index 02f8e518aeca90..e75ca72b67d4fb 100644
--- a/deps/openssl/openssl/crypto/chacha/build.info
+++ b/deps/openssl/openssl/crypto/chacha/build.info
@@ -9,6 +9,8 @@ GENERATE[chacha-armv4.S]=asm/chacha-armv4.pl $(PERLASM_SCHEME)
 INCLUDE[chacha-armv4.o]=..
 GENERATE[chacha-armv8.S]=asm/chacha-armv8.pl $(PERLASM_SCHEME)
 INCLUDE[chacha-armv8.o]=..
+GENERATE[chacha-s390x.S]=asm/chacha-s390x.pl $(PERLASM_SCHEME)
+INCLUDE[chacha-s390x.o]=..
 
 BEGINRAW[Makefile(unix)]
 ##### CHACHA assembler implementations
diff --git a/deps/openssl/openssl/crypto/poly1305/build.info b/deps/openssl/openssl/crypto/poly1305/build.info
index 631b32b8e099ac..b730524afb1393 100644
--- a/deps/openssl/openssl/crypto/poly1305/build.info
+++ b/deps/openssl/openssl/crypto/poly1305/build.info
@@ -17,6 +17,8 @@ GENERATE[poly1305-armv8.S]=asm/poly1305-armv8.pl $(PERLASM_SCHEME)
 INCLUDE[poly1305-armv8.o]=..
 GENERATE[poly1305-mips.S]=asm/poly1305-mips.pl $(PERLASM_SCHEME)
 INCLUDE[poly1305-mips.o]=..
+GENERATE[poly1305-s390x.S]=asm/poly1305-s390x.pl $(PERLASM_SCHEME)
+INCLUDE[poly1305-s390x.o]=..
 
 BEGINRAW[Makefile(unix)]
 {- $builddir -}/poly1305-%.S:	{- $sourcedir -}/asm/poly1305-%.pl
diff --git a/deps/openssl/openssl/crypto/rc4/build.info b/deps/openssl/openssl/crypto/rc4/build.info
index 46ee66b61c68a2..913942b5e98003 100644
--- a/deps/openssl/openssl/crypto/rc4/build.info
+++ b/deps/openssl/openssl/crypto/rc4/build.info
@@ -11,6 +11,8 @@ GENERATE[rc4-md5-x86_64.s]=asm/rc4-md5-x86_64.pl $(PERLASM_SCHEME)
 
 GENERATE[rc4-parisc.s]=asm/rc4-parisc.pl $(PERLASM_SCHEME)
 
+GENERATE[rc4-s390x.s]=asm/rc4-s390x.pl $(PERLASM_SCHEME)
+
 BEGINRAW[Makefile]
 # GNU make "catch all"
 {- $builddir -}/rc4-%.s:	{- $sourcedir -}/asm/rc4-%.pl

From 8db791d0fe13ac92191d9483c8864ba4ef5b0014 Mon Sep 17 00:00:00 2001
From: Sam Roberts <vieuxtech@gmail.com>
Date: Tue, 26 Feb 2019 12:25:11 -0800
Subject: [PATCH 06/15] deps: update archs files for OpenSSL-1.1.1b

`cd deps/openssl/config; make` updates all archs dependant files.

Backport-PR-URL: https://github.com/nodejs/node/pull/26951
PR-URL: https://github.com/nodejs/node/pull/26327
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
---
 deps/openssl/openssl/crypto/include/internal/bn_conf.h  | 1 +
 deps/openssl/openssl/crypto/include/internal/dso_conf.h | 1 +
 deps/openssl/openssl/include/openssl/opensslconf.h      | 1 +
 3 files changed, 3 insertions(+)
 create mode 100644 deps/openssl/openssl/crypto/include/internal/bn_conf.h
 create mode 100644 deps/openssl/openssl/crypto/include/internal/dso_conf.h
 create mode 100644 deps/openssl/openssl/include/openssl/opensslconf.h

diff --git a/deps/openssl/openssl/crypto/include/internal/bn_conf.h b/deps/openssl/openssl/crypto/include/internal/bn_conf.h
new file mode 100644
index 00000000000000..79400c6472a49c
--- /dev/null
+++ b/deps/openssl/openssl/crypto/include/internal/bn_conf.h
@@ -0,0 +1 @@
+#include "../../../config/bn_conf.h"
diff --git a/deps/openssl/openssl/crypto/include/internal/dso_conf.h b/deps/openssl/openssl/crypto/include/internal/dso_conf.h
new file mode 100644
index 00000000000000..e7f2afa9872320
--- /dev/null
+++ b/deps/openssl/openssl/crypto/include/internal/dso_conf.h
@@ -0,0 +1 @@
+#include "../../../config/dso_conf.h"
diff --git a/deps/openssl/openssl/include/openssl/opensslconf.h b/deps/openssl/openssl/include/openssl/opensslconf.h
new file mode 100644
index 00000000000000..76c99d433ab886
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/opensslconf.h
@@ -0,0 +1 @@
+#include "../../config/opensslconf.h"

From 7393e37af1c1d71ee894709d9378aea9b5d43e7c Mon Sep 17 00:00:00 2001
From: Sam Roberts <vieuxtech@gmail.com>
Date: Wed, 28 Nov 2018 17:58:08 -0800
Subject: [PATCH 07/15] tls: support TLSv1.3

This introduces TLS1.3 support and makes it the default max protocol,
but also supports CLI/NODE_OPTIONS switches to disable it if necessary.

TLS1.3 is a major update to the TLS protocol, with many security
enhancements. It should be preferred over TLS1.2 whenever possible.

TLS1.3 is different enough that even though the OpenSSL APIs are
technically API/ABI compatible, that when TLS1.3 is negotiated, the
timing of protocol records and of callbacks broke assumptions hard-coded
into the 'tls' module.

This change introduces no API incompatibilities when TLS1.2 is
negotiated. It is the intention that it be backported to current and LTS
release lines with the default maximum TLS protocol reset to 'TLSv1.2'.
This will allow users of those lines to explicitly enable TLS1.3 if they
want.

API incompatibilities between TLS1.2 and TLS1.3 are:

- Renegotiation is not supported by TLS1.3 protocol, attempts to call
`.renegotiate()` will always fail.

- Compiling against a system OpenSSL lower than 1.1.1 is no longer
supported (OpenSSL-1.1.0 used to be supported with configure flags).

- Variations of `conn.write('data'); conn.destroy()` have undefined
behaviour according to the streams API. They may or may not send the
'data', and may or may not cause a ERR_STREAM_DESTROYED error to be
emitted. This has always been true, but conditions under which the write
suceeds is slightly but observably different when TLS1.3 is negotiated
vs when TLS1.2 or below is negotiated.

- If TLS1.3 is negotiated, and a server calls `conn.end()` in its
'secureConnection' listener without any data being written, the client
will not receive session tickets (no 'session' events will be emitted,
and `conn.getSession()` will never return a resumable session).

- The return value of `conn.getSession()` API may not return a resumable
session if called right after the handshake. The effect will be that
clients using the legacy `getSession()` API will resume sessions if
TLS1.2 is negotiated, but will do full handshakes if TLS1.3 is
negotiated.  See https://github.com/nodejs/node/pull/25831 for more
information.

Backport-PR-URL: https://github.com/nodejs/node/pull/26951
PR-URL: https://github.com/nodejs/node/pull/26209
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
---
 doc/api/cli.md                                |  40 ++++
 doc/api/tls.md                                | 119 +++++++++---
 doc/node.1                                    |  18 ++
 lib/_tls_common.js                            |  36 +++-
 lib/_tls_wrap.js                              |  93 +++++++--
 lib/internal/stream_base_commons.js           |   4 +
 lib/tls.js                                    |  20 +-
 src/node_constants.cc                         |   1 +
 src/node_constants.h                          |   8 +-
 src/node_crypto.cc                            | 178 ++++++++++++++----
 src/node_crypto.h                             |   5 +
 src/node_crypto_clienthello.cc                |   2 +
 src/node_crypto_clienthello.h                 |   6 +
 src/node_options.cc                           |  25 +++
 src/node_options.h                            |   6 +
 src/tls_wrap.cc                               |  36 +++-
 src/tls_wrap.h                                |   1 +
 test/async-hooks/test-graph.tls-write-12.js   |  11 ++
 test/async-hooks/test-graph.tls-write.js      |  11 +-
 test/async-hooks/test-tlswrap.js              |   7 +-
 test/parallel/test-crypto.js                  |   1 +
 .../test-https-agent-additional-options.js    |   3 +-
 .../test-https-agent-session-eviction.js      |   1 +
 .../test-https-client-renegotiation-limit.js  |   3 +
 test/parallel/test-https-client-resume.js     |   3 +-
 .../test-process-env-allowed-flags.js         |   2 +-
 test/parallel/test-tls-alert-handling.js      |   2 +-
 .../test-tls-async-cb-after-socket-end.js     |   5 +-
 test/parallel/test-tls-basic-validations.js   |   6 +-
 test/parallel/test-tls-cli-max-version-1.2.js |  15 ++
 test/parallel/test-tls-cli-max-version-1.3.js |  15 ++
 test/parallel/test-tls-cli-min-version-1.0.js |  15 ++
 test/parallel/test-tls-cli-min-version-1.1.js |  15 ++
 test/parallel/test-tls-cli-min-version-1.3.js |  15 ++
 test/parallel/test-tls-client-auth.js         |  37 +++-
 .../test-tls-client-getephemeralkeyinfo.js    |   3 +
 test/parallel/test-tls-client-reject-12.js    |  13 ++
 test/parallel/test-tls-client-reject.js       |  10 +-
 .../test-tls-client-renegotiation-13.js       |  37 ++++
 .../test-tls-client-renegotiation-limit.js    |   3 +
 test/parallel/test-tls-client-resume-12.js    |  13 ++
 test/parallel/test-tls-client-resume.js       |  43 ++++-
 test/parallel/test-tls-destroy-stream-12.js   |  13 ++
 test/parallel/test-tls-destroy-stream.js      |  20 +-
 .../test-tls-disable-renegotiation.js         |   7 +
 test/parallel/test-tls-getcipher.js           |  23 ++-
 test/parallel/test-tls-getprotocol.js         |   1 +
 test/parallel/test-tls-min-max-version.js     |  75 +++++---
 .../test-tls-net-socket-keepalive-12.js       |  13 ++
 .../parallel/test-tls-net-socket-keepalive.js |   6 +-
 test/parallel/test-tls-server-verify.js       |   2 +
 test/parallel/test-tls-session-cache.js       |   3 +-
 test/parallel/test-tls-set-ciphers-error.js   |   3 +
 test/parallel/test-tls-set-ciphers.js         | 134 ++++++++-----
 test/parallel/test-tls-ticket-12.js           |  12 ++
 test/parallel/test-tls-ticket-cluster.js      |  16 +-
 test/parallel/test-tls-ticket.js              |  42 ++++-
 57 files changed, 1051 insertions(+), 206 deletions(-)
 create mode 100644 test/async-hooks/test-graph.tls-write-12.js
 create mode 100644 test/parallel/test-tls-cli-max-version-1.2.js
 create mode 100644 test/parallel/test-tls-cli-max-version-1.3.js
 create mode 100644 test/parallel/test-tls-cli-min-version-1.0.js
 create mode 100644 test/parallel/test-tls-cli-min-version-1.1.js
 create mode 100644 test/parallel/test-tls-cli-min-version-1.3.js
 create mode 100644 test/parallel/test-tls-client-reject-12.js
 create mode 100644 test/parallel/test-tls-client-renegotiation-13.js
 create mode 100644 test/parallel/test-tls-client-resume-12.js
 create mode 100644 test/parallel/test-tls-destroy-stream-12.js
 create mode 100644 test/parallel/test-tls-net-socket-keepalive-12.js
 create mode 100644 test/parallel/test-tls-ticket-12.js

diff --git a/doc/api/cli.md b/doc/api/cli.md
index 59554b1c679327..266aeffbb8d9d2 100644
--- a/doc/api/cli.md
+++ b/doc/api/cli.md
@@ -443,6 +443,44 @@ added: v4.0.0
 Specify an alternative default TLS cipher list. Requires Node.js to be built
 with crypto support (default).
 
+### `--tls-max-v1.2`
+<!-- YAML
+added: REPLACEME
+-->
+
+Set default [`maxVersion`][] to `'TLSv1.2'`. Use to disable support for TLSv1.3.
+
+### `--tls-max-v1.3`
+<!-- YAML
+added: REPLACEME
+-->
+
+Set default [`maxVersion`][] to `'TLSv1.3'`. Use to enable support for TLSv1.3.
+
+### `--tls-min-v1.0`
+<!-- YAML
+added: REPLACEME
+-->
+
+Set default [`minVersion`][] to `'TLSv1'`. Use for compatibility with old TLS
+clients or servers.
+
+### `--tls-min-v1.1`
+<!-- YAML
+added: REPLACEME
+-->
+
+Set default [`minVersion`][] to `'TLSv1.1'`. Use for compatibility with old TLS
+clients or servers.
+
+### `--tls-min-v1.3`
+<!-- YAML
+added: REPLACEME
+-->
+
+Set default [`minVersion`][] to `'TLSv1.3'`. Use to disable support for TLSv1.2
+in favour of TLSv1.3, which is more secure.
+
 ### `--trace-deprecation`
 <!-- YAML
 added: v0.8.0
@@ -880,6 +918,8 @@ greater than `4` (its current default value). For more information, see the
 [`--openssl-config`]: #cli_openssl_config_file
 [`Buffer`]: buffer.html#buffer_class_buffer
 [`SlowBuffer`]: buffer.html#buffer_class_slowbuffer
+[`maxVersion`]: tls.html#tls_tls_createsecurecontext_options
+[`minVersion`]: tls.html#tls_tls_createsecurecontext_options
 [`process.setUncaughtExceptionCaptureCallback()`]: process.html#process_process_setuncaughtexceptioncapturecallback_fn
 [Chrome DevTools Protocol]: https://chromedevtools.github.io/devtools-protocol/
 [REPL]: repl.html
diff --git a/doc/api/tls.md b/doc/api/tls.md
index 96590d1850d4ba..17972574e3e8ad 100644
--- a/doc/api/tls.md
+++ b/doc/api/tls.md
@@ -104,6 +104,9 @@ not required and a default ECDHE curve will be used. The `ecdhCurve` property
 can be used when creating a TLS Server to specify the list of names of supported
 curves to use, see [`tls.createServer()`] for more info.
 
+Perfect Forward Secrecy was optional up to TLSv1.2, but it is not optional for
+TLSv1.3, because all TLSv1.3 cipher suites use ECDHE.
+
 ### ALPN and SNI
 
 <!-- type=misc -->
@@ -136,6 +139,8 @@ threshold is exceeded. The limits are configurable:
 The default renegotiation limits should not be modified without a full
 understanding of the implications and risks.
 
+TLSv1.3 does not support renegotiation.
+
 ### Session Resumption
 
 Establishing a TLS session can be relatively slow. The process can be sped
@@ -176,6 +181,10 @@ as for resumption with session tickets. For debugging, if
 [`tls.TLSSocket.getTLSTicket()`][] returns a value, the session data contains a
 ticket, otherwise it contains client-side session state.
 
+With TLSv1.3, be aware that multiple tickets may be sent by the server,
+resulting in multiple `'session'` events, see [`'session'`][] for more
+information.
+
 Single process servers need no specific implementation to use session tickets.
 To use session tickets across server restarts or load balancers, servers must
 all have the same ticket keys. There are three 16-byte keys internally, but the
@@ -230,6 +239,9 @@ Node.js is built with a default suite of enabled and disabled TLS ciphers.
 Currently, the default cipher suite is:
 
 ```txt
+TLS_AES_256_GCM_SHA384:
+TLS_CHACHA20_POLY1305_SHA256:
+TLS_AES_128_GCM_SHA256:
 ECDHE-RSA-AES128-GCM-SHA256:
 ECDHE-ECDSA-AES128-GCM-SHA256:
 ECDHE-RSA-AES256-GCM-SHA384:
@@ -270,7 +282,19 @@ The default can also be replaced on a per client or server basis using the
 in [`tls.createServer()`], [`tls.connect()`], and when creating new
 [`tls.TLSSocket`]s.
 
-Consult [OpenSSL cipher list format documentation][] for details on the format.
+The ciphers list can contain a mixture of TLSv1.3 cipher suite names, the ones
+that start with `'TLS_'`, and specifications for TLSv1.2 and below cipher
+suites.  The TLSv1.2 ciphers support a legacy specification format, consult
+the OpenSSL [cipher list format][] documentation for details, but those
+specifications do *not* apply to TLSv1.3 ciphers.  The TLSv1.3 suites can only
+be enabled by including their full name in the cipher list. They cannot, for
+example, be enabled or disabled by using the legacy TLSv1.2 `'EECDH'` or
+`'!EECDH'` specification.
+
+Despite the relative order of TLSv1.3 and TLSv1.2 cipher suites, the TLSv1.3
+protocol is significantly more secure than TLSv1.2, and will always be chosen
+over TLSv1.2 if the handshake indicates it is supported, and if any TLSv1.3
+cipher suites are enabled.
 
 The default cipher suite included within Node.js has been carefully
 selected to reflect current security best practices and risk mitigation.
@@ -289,7 +313,18 @@ Old clients that rely on insecure and deprecated RC4 or DES-based ciphers
 (like Internet Explorer 6) cannot complete the handshaking process with
 the default configuration. If these clients _must_ be supported, the
 [TLS recommendations] may offer a compatible cipher suite. For more details
-on the format, see the [OpenSSL cipher list format documentation].
+on the format, see the OpenSSL [cipher list format][] documentation.
+
+There are only 5 TLSv1.3 cipher suites:
+- `'TLS_AES_256_GCM_SHA384'`
+- `'TLS_CHACHA20_POLY1305_SHA256'`
+- `'TLS_AES_128_GCM_SHA256'`
+- `'TLS_AES_128_CCM_SHA256'`
+- `'TLS_AES_128_CCM_8_SHA256'`
+
+The first 3 are enabled by default. The last 2 `CCM`-based suites are supported
+by TLSv1.3 because they may be more performant on constrained systems, but they
+are not enabled by default since they offer less security.
 
 ## Class: tls.Server
 <!-- YAML
@@ -634,11 +669,11 @@ On the client, the `session` can be provided to the `session` option of
 
 See [Session Resumption][] for more information.
 
-Note: For TLS1.2 and below, [`tls.TLSSocket.getSession()`][] can be called once
-the handshake is complete.  For TLS1.3, only ticket based resumption is allowed
+Note: For TLSv1.2 and below, [`tls.TLSSocket.getSession()`][] can be called once
+the handshake is complete.  For TLSv1.3, only ticket based resumption is allowed
 by the protocol, multiple tickets are sent, and the tickets aren't sent until
 later, after the handshake completes, so it is necessary to wait for the
-`'session'` event to get a resumable session.  Future-proof applications are
+`'session'` event to get a resumable session.  Applications are
 recommended to use the `'session'` event instead of `getSession()` to ensure
 they will work for all TLS protocol versions.  Applications that only expect to
 get or use 1 session should listen for this event only once:
@@ -724,7 +759,7 @@ added: v0.11.4
 Returns an object representing the cipher name. The `version` key is a legacy
 field which always contains the value `'TLSv1/SSLv3'`.
 
-For example: `{ name: 'AES256-SHA', version: 'TLSv1/SSLv3' }`.
+For example: `{ name: 'AES256-SHA', version: 'TLSv1.2' }`.
 
 See `SSL_CIPHER_get_name()` in
 <https://www.openssl.org/docs/man1.1.0/ssl/SSL_CIPHER_get_name.html> for more
@@ -897,12 +932,13 @@ be returned for server sockets or disconnected client sockets.
 
 Protocol versions are:
 
+* `'SSLv3'`
 * `'TLSv1'`
 * `'TLSv1.1'`
 * `'TLSv1.2'`
-* `'SSLv3'`
+* `'TLSv1.3'`
 
-See <https://www.openssl.org/docs/man1.1.0/ssl/SSL_get_version.html> for more
+See <https://www.openssl.org/docs/man1.1.1/man3/SSL_get_version.html> for more
 information.
 
 ### tlsSocket.getSession()
@@ -919,8 +955,8 @@ for debugging.
 
 See [Session Resumption][] for more information.
 
-Note: `getSession()` works only for TLS1.2 and below. Future-proof applications
-should use the [`'session'`][] event.
+Note: `getSession()` works only for TLSv1.2 and below. For TLSv1.3, applications
+must use the [`'session'`][] event (it also works for TLSv1.2 and below).
 
 ### tlsSocket.getTLSTicket()
 <!-- YAML
@@ -1002,8 +1038,12 @@ added: v0.11.8
     verification fails; `err.code` contains the OpenSSL error code. **Default:**
     `true`.
   * `requestCert`
-* `callback` {Function} A function that will be called when the renegotiation
-  request has been completed.
+* `callback` {Function} If `renegotiate()` returned `true`, callback is
+   attached once to the `'secure'` event. If it returned `false`, it will be
+   called in the next tick with `ERR_TLS_RENEGOTIATE`, unless the `tlsSocket`
+   has been destroyed, in which case it will not be called at all.
+
+* Returns: {boolean} `true` if renegotiation was initiated, `false` otherwise.
 
 The `tlsSocket.renegotiate()` method initiates a TLS renegotiation process.
 Upon completion, the `callback` function will be passed a single argument
@@ -1015,6 +1055,9 @@ connection has been established.
 When running as the server, the socket will be destroyed with an error after
 `handshakeTimeout` timeout.
 
+For TLSv1.3, renegotiation cannot be initiated, it is not supported by the
+protocol.
+
 ### tlsSocket.setMaxSendFragment(size)
 <!-- YAML
 added: v0.11.11
@@ -1213,6 +1256,9 @@ argument.
 <!-- YAML
 added: v0.11.13
 changes:
+  - version: REPLACEME
+    pr-url: https://github.com/nodejs/node/pull/26209
+    description: TLSv1.3 support added.
   - version: v11.5.0
     pr-url: https://github.com/nodejs/node/pull/24733
     description: The `ca:` option now supports `BEGIN TRUSTED CERTIFICATE`.
@@ -1303,13 +1349,22 @@ changes:
     `object.passphrase` is optional. Encrypted keys will be decrypted with
     `object.passphrase` if provided, or `options.passphrase` if it is not.
   * `maxVersion` {string} Optionally set the maximum TLS version to allow. One
-    of `TLSv1.2'`, `'TLSv1.1'`, or `'TLSv1'`. Cannot be specified along with the
-    `secureProtocol` option, use one or the other.  **Default:** `'TLSv1.2'`.
+    of `TLSv1.3`, `TLSv1.2'`, `'TLSv1.1'`, or `'TLSv1'`. Cannot be specified
+    along with the `secureProtocol` option, use one or the other.
+    **Default:** `'TLSv1.3'`, unless changed using CLI options. Using
+    `--tls-max-v1.2` sets the default to `'TLSv1.2`'. Using `--tls-max-v1.3`
+    sets the default to `'TLSv1.3'`. If multiple of the options are provided,
+    the highest maximum is used.
   * `minVersion` {string} Optionally set the minimum TLS version to allow. One
-    of `TLSv1.2'`, `'TLSv1.1'`, or `'TLSv1'`. Cannot be specified along with the
-    `secureProtocol` option, use one or the other. It is not recommended to use
-    less than TLSv1.2, but it may be required for interoperability.
-    **Default:** `'TLSv1'`.
+    of `TLSv1.3`, `TLSv1.2'`, `'TLSv1.1'`, or `'TLSv1'`. Cannot be specified
+    along with the `secureProtocol` option, use one or the other. It is not
+    recommended to use less than TLSv1.2, but it may be required for
+    interoperability.
+    **Default:** `'TLSv1.2'`, unless changed using CLI options. Using
+    `--tls-min-v1.0` sets the default to `'TLSv1'`. Using `--tls-min-v1.1` sets
+    the default to `'TLSv1.1'`. Using `--tls-min-v1.3` sets the default to
+    `'TLSv1.3'`. If multiple of the options are provided, the lowest minimum is
+    used.
   * `passphrase` {string} Shared passphrase used for a single private key and/or
     a PFX.
   * `pfx` {string|string[]|Buffer|Buffer[]|Object[]} PFX or PKCS12 encoded
@@ -1325,12 +1380,15 @@ changes:
     which is not usually necessary. This should be used carefully if at all!
     Value is a numeric bitmask of the `SSL_OP_*` options from
     [OpenSSL Options][].
-  * `secureProtocol` {string} The TLS protocol version to use. The possible
-    values are listed as [SSL_METHODS][], use the function names as strings. For
-    example, use `'TLSv1_1_method'` to force TLS version 1.1, or `'TLS_method'`
-    to allow any TLS protocol version. It is not recommended to use TLS versions
-    less than 1.2, but it may be required for interoperability.  **Default:**
-    none, see `minVersion`.
+  * `secureProtocol` {string} Legacy mechanism to select the TLS protocol
+    version to use, it does not support independent control of the minimum and
+    maximum version, and does not support limiting the protocol to TLSv1.3.  Use
+    `minVersion` and `maxVersion` instead.  The possible values are listed as
+    [SSL_METHODS][], use the function names as strings.  For example, use
+    `'TLSv1_1_method'` to force TLS version 1.1, or `'TLS_method'` to allow any
+    TLS protocol version up to TLSv1.3.  It is not recommended to use TLS
+    versions less than 1.2, but it may be required for interoperability.
+    **Default:** none, see `minVersion`.
   * `sessionIdContext` {string} Opaque identifier used by servers to ensure
     session state is not shared between applications. Unused by clients.
 
@@ -1450,10 +1508,15 @@ added: v0.10.2
 
 * Returns: {string[]}
 
-Returns an array with the names of the supported SSL ciphers.
+Returns an array with the names of the supported TLS ciphers. The names are
+lower-case for historical reasons, but must be uppercased to be used in
+the `ciphers` option of [`tls.createSecureContext()`][].
+
+Cipher names that start with `'tls_'` are for TLSv1.3, all the others are for
+TLSv1.2 and below.
 
 ```js
-console.log(tls.getCiphers()); // ['AES128-SHA', 'AES256-SHA', ...]
+console.log(tls.getCiphers()); // ['aes128-gcm-sha256', 'aes128-sha', ...]
 ```
 
 ## tls.DEFAULT_ECDH_CURVE
@@ -1613,16 +1676,16 @@ where `secureSocket` has the same API as `pair.cleartext`.
 [Forward secrecy]: https://en.wikipedia.org/wiki/Perfect_forward_secrecy
 [OCSP request]: https://en.wikipedia.org/wiki/OCSP_stapling
 [OpenSSL Options]: crypto.html#crypto_openssl_options
-[OpenSSL cipher list format documentation]: https://www.openssl.org/docs/man1.1.0/apps/ciphers.html#CIPHER-LIST-FORMAT
 [Perfect Forward Secrecy]: #tls_perfect_forward_secrecy
 [RFC 2246]: https://www.ietf.org/rfc/rfc2246.txt
 [RFC 5077]: https://tools.ietf.org/html/rfc5077
 [RFC 5929]: https://tools.ietf.org/html/rfc5929
-[SSL_METHODS]: https://www.openssl.org/docs/man1.1.0/ssl/ssl.html#Dealing-with-Protocol-Methods
+[SSL_METHODS]: https://www.openssl.org/docs/man1.1.1/man7/ssl.html#Dealing-with-Protocol-Methods
 [Session Resumption]: #tls_session_resumption
 [Stream]: stream.html#stream_stream
 [TLS recommendations]: https://wiki.mozilla.org/Security/Server_Side_TLS
 [asn1.js]: https://www.npmjs.com/package/asn1.js
 [certificate object]: #tls_certificate_object
+[cipher list format]: https://www.openssl.org/docs/man1.1.1/man1/ciphers.html#CIPHER-LIST-FORMAT
 [modifying the default cipher suite]: #tls_modifying_the_default_tls_cipher_suite
 [specific attacks affecting larger AES key sizes]: https://www.schneier.com/blog/archives/2009/07/another_new_aes.html
diff --git a/doc/node.1 b/doc/node.1
index 603d72d566c99c..7bcb1edc59ab5d 100644
--- a/doc/node.1
+++ b/doc/node.1
@@ -236,6 +236,24 @@ Specify process.title on startup.
 Specify an alternative default TLS cipher list.
 Requires Node.js to be built with crypto support. (Default)
 .
+.It Fl -tls-max-v1.2
+Set default  maxVersion to 'TLSv1.2'. Use to disable support for TLSv1.3.
+.
+.It Fl -tls-max-v1.3
+Set default  maxVersion to 'TLSv1.3'. Use to enable support for TLSv1.3.
+.
+.It Fl -tls-min-v1.0
+Set default minVersion to 'TLSv1'. Use for compatibility with old TLS clients
+or servers.
+.
+.It Fl -tls-min-v1.1
+Set default minVersion to 'TLSv1.1'. Use for compatibility with old TLS clients
+or servers.
+.
+.It Fl -tls-min-v1.3
+Set default minVersion to 'TLSv1.3'. Use to disable support for TLSv1.2 in
+favour of TLSv1.3, which is more secure.
+.
 .It Fl -trace-deprecation
 Print stack traces for deprecations.
 .
diff --git a/lib/_tls_common.js b/lib/_tls_common.js
index 78e67af23d46f0..618f40e7562b05 100644
--- a/lib/_tls_common.js
+++ b/lib/_tls_common.js
@@ -27,6 +27,7 @@ const tls = require('tls');
 const {
   ERR_CRYPTO_CUSTOM_ENGINE_NOT_SUPPORTED,
   ERR_INVALID_ARG_TYPE,
+  ERR_INVALID_OPT_VALUE,
   ERR_TLS_INVALID_PROTOCOL_VERSION,
   ERR_TLS_PROTOCOL_VERSION_CONFLICT,
 } = require('internal/errors').codes;
@@ -35,6 +36,7 @@ const {
   TLS1_VERSION,
   TLS1_1_VERSION,
   TLS1_2_VERSION,
+  TLS1_3_VERSION,
 } = internalBinding('constants').crypto;
 
 // Lazily loaded from internal/crypto/util.
@@ -45,6 +47,7 @@ function toV(which, v, def) {
   if (v === 'TLSv1') return TLS1_VERSION;
   if (v === 'TLSv1.1') return TLS1_1_VERSION;
   if (v === 'TLSv1.2') return TLS1_2_VERSION;
+  if (v === 'TLSv1.3') return TLS1_3_VERSION;
   throw new ERR_TLS_INVALID_PROTOCOL_VERSION(v, which);
 }
 
@@ -156,10 +159,35 @@ exports.createSecureContext = function createSecureContext(options, context) {
     }
   }
 
-  if (options.ciphers)
-    c.context.setCiphers(options.ciphers);
-  else
-    c.context.setCiphers(tls.DEFAULT_CIPHERS);
+  if (options.ciphers && typeof options.ciphers !== 'string') {
+    throw new ERR_INVALID_ARG_TYPE(
+      'options.ciphers', 'string', options.ciphers);
+  }
+
+  // Work around an OpenSSL API quirk. cipherList is for TLSv1.2 and below,
+  // cipherSuites is for TLSv1.3 (and presumably any later versions). TLSv1.3
+  // cipher suites all have a standard name format beginning with TLS_, so split
+  // the ciphers and pass them to the appropriate API.
+  const ciphers = (options.ciphers || tls.DEFAULT_CIPHERS).split(':');
+  const cipherList = ciphers.filter((_) => !_.match(/^TLS_/)).join(':');
+  const cipherSuites = ciphers.filter((_) => _.match(/^TLS_/)).join(':');
+
+  if (cipherSuites === '' && cipherList === '') {
+    // Specifying empty cipher suites for both TLS1.2 and TLS1.3 is invalid, its
+    // not possible to handshake with no suites.
+    throw ERR_INVALID_OPT_VALUE('ciphers', ciphers);
+  }
+
+  c.context.setCipherSuites(cipherSuites);
+  c.context.setCiphers(cipherList);
+
+  if (cipherSuites === '' && c.context.getMaxProto() > TLS1_2_VERSION &&
+      c.context.getMinProto() < TLS1_3_VERSION)
+    c.context.setMaxProto(TLS1_2_VERSION);
+
+  if (cipherList === '' && c.context.getMinProto() < TLS1_3_VERSION &&
+      c.context.getMaxProto() > TLS1_2_VERSION)
+    c.context.setMinProto(TLS1_3_VERSION);
 
   if (options.ecdhCurve === undefined)
     c.context.setECDHCurve(tls.DEFAULT_ECDH_CURVE);
diff --git a/lib/_tls_wrap.js b/lib/_tls_wrap.js
index 98f9fc98fbaa02..047d8391804ea0 100644
--- a/lib/_tls_wrap.js
+++ b/lib/_tls_wrap.js
@@ -39,6 +39,7 @@ const { owner_symbol } = require('internal/async_hooks').symbols;
 const { SecureContext: NativeSecureContext } = internalBinding('crypto');
 const {
   ERR_INVALID_ARG_TYPE,
+  ERR_INVALID_CALLBACK,
   ERR_MULTIPLE_CALLBACK,
   ERR_SOCKET_CLOSED,
   ERR_TLS_DH_PARAM_SIZE,
@@ -62,7 +63,7 @@ const noop = () => {};
 // Server side times how long a handshake is taking to protect against slow
 // handshakes being used for DoS.
 function onhandshakestart(now) {
-  debug('onhandshakestart');
+  debug('server onhandshakestart');
 
   const { lastHandshakeTime } = this;
   assert(now >= lastHandshakeTime,
@@ -80,6 +81,9 @@ function onhandshakestart(now) {
     this.handshakes++;
 
   const owner = this[owner_symbol];
+
+  assert(owner._tlsOptions.isServer);
+
   if (this.handshakes > tls.CLIENT_RENEG_LIMIT) {
     owner._emitTLSError(new ERR_TLS_SESSION_ATTACK());
     return;
@@ -90,9 +94,10 @@ function onhandshakestart(now) {
 }
 
 function onhandshakedone() {
-  debug('onhandshakedone');
+  debug('server onhandshakedone');
 
   const owner = this[owner_symbol];
+  assert(owner._tlsOptions.isServer);
 
   // `newSession` callback wasn't called yet
   if (owner._newSessionPending) {
@@ -105,10 +110,15 @@ function onhandshakedone() {
 
 
 function loadSession(hello) {
+  debug('server onclienthello',
+        'sessionid.len', hello.sessionId.length,
+        'ticket?', hello.tlsTicket
+  );
   const owner = this[owner_symbol];
 
   var once = false;
   function onSession(err, session) {
+    debug('server resumeSession callback(err %j, sess? %s)', err, !!session);
     if (once)
       return owner.destroy(new ERR_MULTIPLE_CALLBACK());
     once = true;
@@ -190,6 +200,8 @@ function requestOCSP(socket, info) {
 
   let once = false;
   const onOCSP = (err, response) => {
+    debug('server OCSPRequest done', 'handle?', !!socket._handle, 'once?', once,
+          'response?', !!response, 'err?', err);
     if (once)
       return socket.destroy(new ERR_MULTIPLE_CALLBACK());
     once = true;
@@ -205,6 +217,7 @@ function requestOCSP(socket, info) {
     requestOCSPDone(socket);
   };
 
+  debug('server oncertcb emit OCSPRequest');
   socket.server.emit('OCSPRequest',
                      ctx.getCertificate(),
                      ctx.getIssuer(),
@@ -212,16 +225,17 @@ function requestOCSP(socket, info) {
 }
 
 function requestOCSPDone(socket) {
+  debug('server certcb done');
   try {
     socket._handle.certCbDone();
   } catch (e) {
+    debug('server certcb done errored', e);
     socket.destroy(e);
   }
 }
 
-
 function onnewsessionclient(sessionId, session) {
-  debug('client onnewsessionclient', sessionId, session);
+  debug('client emit session');
   const owner = this[owner_symbol];
   owner.emit('session', session);
 }
@@ -230,8 +244,9 @@ function onnewsession(sessionId, session) {
   debug('onnewsession');
   const owner = this[owner_symbol];
 
-  // XXX(sam) no server to emit the event on, but handshake won't continue
-  // unless newSessionDone() is called, should it be?
+  // TODO(@sam-github) no server to emit the event on, but handshake won't
+  // continue unless newSessionDone() is called, should it be, or is that
+  // situation unreachable, or only occurring during shutdown?
   if (!owner.server)
     return;
 
@@ -260,11 +275,15 @@ function onnewsession(sessionId, session) {
 
 
 function onocspresponse(resp) {
+  debug('client onocspresponse');
   this[owner_symbol].emit('OCSPResponse', resp);
 }
 
 function onerror(err) {
   const owner = this[owner_symbol];
+  debug('%s onerror %s had? %j',
+        owner._tlsOptions.isServer ? 'server' : 'client', err,
+        owner._hadError);
 
   if (owner._hadError)
     return;
@@ -282,7 +301,7 @@ function onerror(err) {
     // Ignore server's authorization errors
     owner.destroy();
   } else {
-    // Throw error
+    // Emit error
     owner._emitTLSError(err);
   }
 }
@@ -290,6 +309,11 @@ function onerror(err) {
 // Used by both client and server TLSSockets to start data flowing from _handle,
 // read(0) causes a StreamBase::ReadStart, via Socket._read.
 function initRead(tlsSocket, socket) {
+  debug('%s initRead',
+        tlsSocket._tlsOptions.isServer ? 'server' : 'client',
+        'handle?', !!tlsSocket._handle,
+        'buffered?', !!socket && socket.readableLength
+  );
   // If we were destroyed already don't bother reading
   if (!tlsSocket._handle)
     return;
@@ -490,11 +514,17 @@ TLSSocket.prototype._destroySSL = function _destroySSL() {
   this.ssl = null;
 };
 
+// Constructor guts, arbitrarily factored out.
 TLSSocket.prototype._init = function(socket, wrap) {
   const options = this._tlsOptions;
   const ssl = this._handle;
   this.server = options.server;
 
+  debug('%s _init',
+        options.isServer ? 'server' : 'client',
+        'handle?', !!ssl
+  );
+
   // Clients (!isServer) always request a cert, servers request a client cert
   // only on explicit configuration.
   const requestCert = !!options.requestCert || !options.isServer;
@@ -525,7 +555,10 @@ TLSSocket.prototype._init = function(socket, wrap) {
     }
   } else {
     ssl.onhandshakestart = noop;
-    ssl.onhandshakedone = this._finishInit.bind(this);
+    ssl.onhandshakedone = () => {
+      debug('client onhandshakedone');
+      this._finishInit();
+    };
     ssl.onocspresponse = onocspresponse;
 
     if (options.session)
@@ -591,6 +624,16 @@ TLSSocket.prototype._init = function(socket, wrap) {
 };
 
 TLSSocket.prototype.renegotiate = function(options, callback) {
+  if (options === null || typeof options !== 'object')
+    throw new ERR_INVALID_ARG_TYPE('options', 'Object', options);
+  if (callback !== undefined && typeof callback !== 'function')
+    throw new ERR_INVALID_CALLBACK();
+
+  debug('%s renegotiate()',
+        this._tlsOptions.isServer ? 'server' : 'client',
+        'destroyed?', this.destroyed
+  );
+
   if (this.destroyed)
     return;
 
@@ -658,9 +701,25 @@ TLSSocket.prototype._releaseControl = function() {
 };
 
 TLSSocket.prototype._finishInit = function() {
-  debug('secure established');
+  // Guard against getting onhandshakedone() after .destroy().
+  // * 1.2: If destroy() during onocspresponse(), then write of next handshake
+  // record fails, the handshake done info callbacks does not occur, and the
+  // socket closes.
+  // * 1.3: The OCSP response comes in the same record that finishes handshake,
+  // so even after .destroy(), the handshake done info callback occurs
+  // immediately after onocspresponse(). Ignore it.
+  if (!this._handle)
+    return;
+
   this.alpnProtocol = this._handle.getALPNNegotiatedProtocol();
   this.servername = this._handle.getServername();
+
+  debug('%s _finishInit',
+        this._tlsOptions.isServer ? 'server' : 'client',
+        'handle?', !!this._handle,
+        'alpn', this.alpnProtocol,
+        'servername', this.servername);
+
   this._secureEstablished = true;
   if (this._tlsOptions.handshakeTimeout > 0)
     this.setTimeout(0, this._handleTimeout);
@@ -668,6 +727,12 @@ TLSSocket.prototype._finishInit = function() {
 };
 
 TLSSocket.prototype._start = function() {
+  debug('%s _start',
+        this._tlsOptions.isServer ? 'server' : 'client',
+        'handle?', !!this._handle,
+        'connecting?', this.connecting,
+        'requestOCSP?', !!this._tlsOptions.requestOCSP,
+  );
   if (this.connecting) {
     this.once('connect', this._start);
     return;
@@ -677,7 +742,6 @@ TLSSocket.prototype._start = function() {
   if (!this._handle)
     return;
 
-  debug('start');
   if (this._tlsOptions.requestOCSP)
     this._handle.requestOCSP();
   this._handle.start();
@@ -756,13 +820,16 @@ function onServerSocketSecure() {
     }
   }
 
-  if (!this.destroyed && this._releaseControl())
+  if (!this.destroyed && this._releaseControl()) {
+    debug('server emit secureConnection');
     this._tlsOptions.server.emit('secureConnection', this);
+  }
 }
 
 function onSocketTLSError(err) {
   if (!this._controlReleased && !this[kErrorEmitted]) {
     this[kErrorEmitted] = true;
+    debug('server emit tlsClientError:', err);
     this._tlsOptions.server.emit('tlsClientError', err, this);
   }
 }
@@ -783,6 +850,7 @@ function onSocketClose(err) {
 }
 
 function tlsConnectionListener(rawSocket) {
+  debug('net.Server.on(connection): new TLSSocket');
   const socket = new TLSSocket(rawSocket, {
     secureContext: this._sharedCreds,
     isServer: true,
@@ -1168,6 +1236,7 @@ function onConnectSecure() {
   const ekeyinfo = this.getEphemeralKeyInfo();
   if (ekeyinfo.type === 'DH' && ekeyinfo.size < options.minDHSize) {
     const err = new ERR_TLS_DH_PARAM_SIZE(ekeyinfo.size);
+    debug('client emit:', err);
     this.emit('error', err);
     this.destroy();
     return;
@@ -1194,10 +1263,12 @@ function onConnectSecure() {
       this.destroy(verifyError);
       return;
     } else {
+      debug('client emit secureConnect');
       this.emit('secureConnect');
     }
   } else {
     this.authorized = true;
+    debug('client emit secureConnect');
     this.emit('secureConnect');
   }
 
diff --git a/lib/internal/stream_base_commons.js b/lib/internal/stream_base_commons.js
index a6805e39be8390..8f58ff56bb8a73 100644
--- a/lib/internal/stream_base_commons.js
+++ b/lib/internal/stream_base_commons.js
@@ -19,6 +19,8 @@ const kUpdateTimer = Symbol('kUpdateTimer');
 const kAfterAsyncWrite = Symbol('kAfterAsyncWrite');
 const kHandle = Symbol('kHandle');
 
+const debug = require('util').debuglog('stream');
+
 function handleWriteReq(req, data, encoding) {
   const { handle } = req;
 
@@ -55,6 +57,8 @@ function handleWriteReq(req, data, encoding) {
 }
 
 function onWriteComplete(status) {
+  debug('onWriteComplete', status, this.error);
+
   const stream = this.handle[owner_symbol];
 
   if (stream.destroyed) {
diff --git a/lib/tls.js b/lib/tls.js
index 2be6a15bc5c5e6..f920e4d8c625bd 100644
--- a/lib/tls.js
+++ b/lib/tls.js
@@ -31,6 +31,7 @@ internalUtil.assertCrypto();
 const { isArrayBufferView } = require('internal/util/types');
 
 const net = require('net');
+const { getOptionValue } = require('internal/options');
 const url = require('url');
 const binding = internalBinding('crypto');
 const { Buffer } = require('buffer');
@@ -53,9 +54,24 @@ exports.DEFAULT_CIPHERS =
 
 exports.DEFAULT_ECDH_CURVE = 'auto';
 
-exports.DEFAULT_MAX_VERSION = 'TLSv1.2';
+exports.DEFAULT_MAX_VERSION = 'TLSv1.3';
+
+if (getOptionValue('--tls-min-v1.0'))
+  exports.DEFAULT_MIN_VERSION = 'TLSv1';
+else if (getOptionValue('--tls-min-v1.1'))
+  exports.DEFAULT_MIN_VERSION = 'TLSv1.1';
+else if (getOptionValue('--tls-min-v1.3'))
+  exports.DEFAULT_MIN_VERSION = 'TLSv1.3';
+else
+  exports.DEFAULT_MIN_VERSION = 'TLSv1';
+
+if (getOptionValue('--tls-max-v1.3'))
+  exports.DEFAULT_MAX_VERSION = 'TLSv1.3';
+else if (getOptionValue('--tls-max-v1.2'))
+  exports.DEFAULT_MAX_VERSION = 'TLSv1.2';
+else
+  exports.DEFAULT_MAX_VERSION = 'TLSv1.3'; // Will depend on node version.
 
-exports.DEFAULT_MIN_VERSION = 'TLSv1';
 
 exports.getCiphers = internalUtil.cachedResult(
   () => internalUtil.filterDuplicateStrings(binding.getSSLCiphers(), true)
diff --git a/src/node_constants.cc b/src/node_constants.cc
index be27de4ed64430..f08bcbcb25b6d8 100644
--- a/src/node_constants.cc
+++ b/src/node_constants.cc
@@ -1245,6 +1245,7 @@ void DefineCryptoConstants(Local<Object> target) {
   NODE_DEFINE_CONSTANT(target, TLS1_VERSION);
   NODE_DEFINE_CONSTANT(target, TLS1_1_VERSION);
   NODE_DEFINE_CONSTANT(target, TLS1_2_VERSION);
+  NODE_DEFINE_CONSTANT(target, TLS1_3_VERSION);
 #endif
   NODE_DEFINE_CONSTANT(target, INT_MAX);
 }
diff --git a/src/node_constants.h b/src/node_constants.h
index 6f73fb4d7d9bfc..af5aa002eb5795 100644
--- a/src/node_constants.h
+++ b/src/node_constants.h
@@ -41,7 +41,13 @@
 #define RSA_PSS_SALTLEN_AUTO -2
 #endif
 
-#define DEFAULT_CIPHER_LIST_CORE "ECDHE-RSA-AES128-GCM-SHA256:"     \
+// TLSv1.3 suites start with TLS_, and are the OpenSSL defaults, see:
+//   https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_ciphersuites.html
+#define DEFAULT_CIPHER_LIST_CORE \
+                                 "TLS_AES_256_GCM_SHA384:"          \
+                                 "TLS_CHACHA20_POLY1305_SHA256:"    \
+                                 "TLS_AES_128_GCM_SHA256:"          \
+                                 "ECDHE-RSA-AES128-GCM-SHA256:"     \
                                  "ECDHE-ECDSA-AES128-GCM-SHA256:"   \
                                  "ECDHE-RSA-AES256-GCM-SHA384:"     \
                                  "ECDHE-ECDSA-AES256-GCM-SHA384:"   \
diff --git a/src/node_crypto.cc b/src/node_crypto.cc
index cd354c73d5cf25..568b44cf26c25a 100644
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -351,9 +351,14 @@ void SecureContext::Initialize(Environment* env, Local<Object> target) {
   env->SetProtoMethod(t, "addCACert", AddCACert);
   env->SetProtoMethod(t, "addCRL", AddCRL);
   env->SetProtoMethod(t, "addRootCerts", AddRootCerts);
+  env->SetProtoMethod(t, "setCipherSuites", SetCipherSuites);
   env->SetProtoMethod(t, "setCiphers", SetCiphers);
   env->SetProtoMethod(t, "setECDHCurve", SetECDHCurve);
   env->SetProtoMethod(t, "setDHParam", SetDHParam);
+  env->SetProtoMethod(t, "setMaxProto", SetMaxProto);
+  env->SetProtoMethod(t, "setMinProto", SetMinProto);
+  env->SetProtoMethod(t, "getMaxProto", GetMaxProto);
+  env->SetProtoMethod(t, "getMinProto", GetMinProto);
   env->SetProtoMethod(t, "setOptions", SetOptions);
   env->SetProtoMethod(t, "setSessionIdContext", SetSessionIdContext);
   env->SetProtoMethod(t, "setSessionTimeout", SetSessionTimeout);
@@ -404,6 +409,9 @@ void SecureContext::New(const FunctionCallbackInfo<Value>& args) {
   new SecureContext(env, args.This());
 }
 
+// A maxVersion of 0 means "any", but OpenSSL may support TLS versions that
+// Node.js doesn't, so pin the max to what we do support.
+const int MAX_SUPPORTED_VERSION = TLS1_3_VERSION;
 
 void SecureContext::Init(const FunctionCallbackInfo<Value>& args) {
   SecureContext* sc;
@@ -418,13 +426,16 @@ void SecureContext::Init(const FunctionCallbackInfo<Value>& args) {
   int max_version = args[2].As<Int32>()->Value();
   const SSL_METHOD* method = TLS_method();
 
+  if (max_version == 0)
+    max_version = MAX_SUPPORTED_VERSION;
+
   if (args[0]->IsString()) {
     const node::Utf8Value sslmethod(env->isolate(), args[0]);
 
     // Note that SSLv2 and SSLv3 are disallowed but SSLv23_method and friends
     // are still accepted.  They are OpenSSL's way of saying that all known
-    // protocols are supported unless explicitly disabled (which we do below
-    // for SSLv2 and SSLv3.)
+    // protocols below TLS 1.3 are supported unless explicitly disabled (which
+    // we do below for SSLv2 and SSLv3.)
     if (strcmp(*sslmethod, "SSLv2_method") == 0) {
       THROW_ERR_TLS_INVALID_PROTOCOL_METHOD(env, "SSLv2 methods disabled");
       return;
@@ -444,14 +455,24 @@ void SecureContext::Init(const FunctionCallbackInfo<Value>& args) {
       THROW_ERR_TLS_INVALID_PROTOCOL_METHOD(env, "SSLv3 methods disabled");
       return;
     } else if (strcmp(*sslmethod, "SSLv23_method") == 0) {
-      // noop
+      max_version = TLS1_2_VERSION;
     } else if (strcmp(*sslmethod, "SSLv23_server_method") == 0) {
+      max_version = TLS1_2_VERSION;
       method = TLS_server_method();
     } else if (strcmp(*sslmethod, "SSLv23_client_method") == 0) {
+      max_version = TLS1_2_VERSION;
       method = TLS_client_method();
     } else if (strcmp(*sslmethod, "TLS_method") == 0) {
       min_version = 0;
-      max_version = 0;
+      max_version = MAX_SUPPORTED_VERSION;
+    } else if (strcmp(*sslmethod, "TLS_server_method") == 0) {
+      min_version = 0;
+      max_version = MAX_SUPPORTED_VERSION;
+      method = TLS_server_method();
+    } else if (strcmp(*sslmethod, "TLS_client_method") == 0) {
+      min_version = 0;
+      max_version = MAX_SUPPORTED_VERSION;
+      method = TLS_client_method();
     } else if (strcmp(*sslmethod, "TLSv1_method") == 0) {
       min_version = TLS1_VERSION;
       max_version = TLS1_VERSION;
@@ -514,12 +535,6 @@ void SecureContext::Init(const FunctionCallbackInfo<Value>& args) {
                                  SSL_SESS_CACHE_NO_AUTO_CLEAR);
 
   SSL_CTX_set_min_proto_version(sc->ctx_.get(), min_version);
-
-  if (max_version == 0) {
-    // Selecting some secureProtocol methods allows the TLS version to be "any
-    // supported", but we don't support TLSv1.3, even if OpenSSL does.
-    max_version = TLS1_2_VERSION;
-  }
   SSL_CTX_set_max_proto_version(sc->ctx_.get(), max_version);
   // OpenSSL 1.1.0 changed the ticket key size, but the OpenSSL 1.0.x size was
   // exposed in the public API. To retain compatibility, install a callback
@@ -930,42 +945,54 @@ void SecureContext::AddRootCerts(const FunctionCallbackInfo<Value>& args) {
 }
 
 
-void SecureContext::SetCiphers(const FunctionCallbackInfo<Value>& args) {
+void SecureContext::SetCipherSuites(const FunctionCallbackInfo<Value>& args) {
+  // BoringSSL doesn't allow API config of TLS1.3 cipher suites.
+#ifndef OPENSSL_IS_BORINGSSL
   SecureContext* sc;
   ASSIGN_OR_RETURN_UNWRAP(&sc, args.Holder());
   Environment* env = sc->env();
   ClearErrorOnReturn clear_error_on_return;
 
-  if (args.Length() != 1) {
-    return THROW_ERR_MISSING_ARGS(env, "Ciphers argument is mandatory");
+  CHECK_EQ(args.Length(), 1);
+  CHECK(args[0]->IsString());
+
+  const node::Utf8Value ciphers(args.GetIsolate(), args[0]);
+  if (!SSL_CTX_set_ciphersuites(sc->ctx_.get(), *ciphers)) {
+    unsigned long err = ERR_get_error();  // NOLINT(runtime/int)
+    if (!err) {
+      // This would be an OpenSSL bug if it happened.
+      return env->ThrowError("Failed to set ciphers");
+    }
+    return ThrowCryptoError(env, err);
   }
+#endif
+}
 
-  THROW_AND_RETURN_IF_NOT_STRING(env, args[0], "Ciphers");
 
-  // Note: set_ciphersuites() is for TLSv1.3 and was introduced in openssl
-  // 1.1.1, set_cipher_list() is for TLSv1.2 and earlier.
-  //
-  // In openssl 1.1.0, set_cipher_list() would error if it resulted in no
-  // TLSv1.2 (and earlier) cipher suites, and there is no TLSv1.3 support.
-  //
-  // In openssl 1.1.1, set_cipher_list() will not error if it results in no
-  // TLSv1.2 cipher suites if there are any TLSv1.3 cipher suites, which there
-  // are by default. There will be an error later, during the handshake, but
-  // that results in an async error event, rather than a sync error thrown,
-  // which is a semver-major change for the tls API.
-  //
-  // Since we don't currently support TLSv1.3, work around this by removing the
-  // TLSv1.3 cipher suites, so we get backwards compatible synchronous errors.
+void SecureContext::SetCiphers(const FunctionCallbackInfo<Value>& args) {
+  SecureContext* sc;
+  ASSIGN_OR_RETURN_UNWRAP(&sc, args.Holder());
+  Environment* env = sc->env();
+  ClearErrorOnReturn clear_error_on_return;
+
+  CHECK_EQ(args.Length(), 1);
+  CHECK(args[0]->IsString());
+
   const node::Utf8Value ciphers(args.GetIsolate(), args[0]);
-  if (
-#if defined(TLS1_3_VERSION) && !defined(OPENSSL_IS_BORINGSSL)
-      !SSL_CTX_set_ciphersuites(sc->ctx_.get(), "") ||
-#endif
-      !SSL_CTX_set_cipher_list(sc->ctx_.get(), *ciphers)) {
+  if (!SSL_CTX_set_cipher_list(sc->ctx_.get(), *ciphers)) {
     unsigned long err = ERR_get_error();  // NOLINT(runtime/int)
     if (!err) {
+      // This would be an OpenSSL bug if it happened.
       return env->ThrowError("Failed to set ciphers");
     }
+
+    if (strlen(*ciphers) == 0 && ERR_GET_REASON(err) == SSL_R_NO_CIPHER_MATCH) {
+      // TLS1.2 ciphers were deliberately cleared, so don't consider
+      // SSL_R_NO_CIPHER_MATCH to be an error (this is how _set_cipher_suites()
+      // works). If the user actually sets a value (like "no-such-cipher"), then
+      // that's actually an error.
+      return;
+    }
     return ThrowCryptoError(env, err);
   }
 }
@@ -1034,6 +1061,56 @@ void SecureContext::SetDHParam(const FunctionCallbackInfo<Value>& args) {
 }
 
 
+void SecureContext::SetMinProto(const FunctionCallbackInfo<Value>& args) {
+  SecureContext* sc;
+  ASSIGN_OR_RETURN_UNWRAP(&sc, args.Holder());
+
+  CHECK_EQ(args.Length(), 1);
+  CHECK(args[0]->IsInt32());
+
+  int version = args[0].As<Int32>()->Value();
+
+  CHECK(SSL_CTX_set_min_proto_version(sc->ctx_.get(), version));
+}
+
+
+void SecureContext::SetMaxProto(const FunctionCallbackInfo<Value>& args) {
+  SecureContext* sc;
+  ASSIGN_OR_RETURN_UNWRAP(&sc, args.Holder());
+
+  CHECK_EQ(args.Length(), 1);
+  CHECK(args[0]->IsInt32());
+
+  int version = args[0].As<Int32>()->Value();
+
+  CHECK(SSL_CTX_set_max_proto_version(sc->ctx_.get(), version));
+}
+
+
+void SecureContext::GetMinProto(const FunctionCallbackInfo<Value>& args) {
+  SecureContext* sc;
+  ASSIGN_OR_RETURN_UNWRAP(&sc, args.Holder());
+
+  CHECK_EQ(args.Length(), 0);
+
+  long version =  // NOLINT(runtime/int)
+    SSL_CTX_get_min_proto_version(sc->ctx_.get());
+  args.GetReturnValue().Set(static_cast<uint32_t>(version));
+}
+
+
+void SecureContext::GetMaxProto(const FunctionCallbackInfo<Value>& args) {
+  SecureContext* sc;
+  ASSIGN_OR_RETURN_UNWRAP(&sc, args.Holder());
+
+  CHECK_EQ(args.Length(), 0);
+
+  long version =  // NOLINT(runtime/int)
+    SSL_CTX_get_max_proto_version(sc->ctx_.get());
+  args.GetReturnValue().Set(static_cast<uint32_t>(version));
+}
+
+
 void SecureContext::SetOptions(const FunctionCallbackInfo<Value>& args) {
   SecureContext* sc;
   ASSIGN_OR_RETURN_UNWRAP(&sc, args.Holder());
@@ -1253,6 +1330,7 @@ void SecureContext::SetTicketKeys(const FunctionCallbackInfo<Value>& args) {
   ASSIGN_OR_RETURN_UNWRAP(&wrap, args.Holder());
   Environment* env = wrap->env();
 
+  // TODO(@sam-github) Move type and len check to js, and CHECK() in C++.
   if (args.Length() < 1) {
     return THROW_ERR_MISSING_ARGS(env, "Ticket keys argument is mandatory");
   }
@@ -2112,6 +2190,7 @@ void SSLWrap<Base>::LoadSession(const FunctionCallbackInfo<Value>& args) {
   Base* w;
   ASSIGN_OR_RETURN_UNWRAP(&w, args.Holder());
 
+  // TODO(@sam-github) check arg length and types in js, and CHECK in c++
   if (args.Length() >= 1 && Buffer::HasInstance(args[0])) {
     ArrayBufferViewContents<unsigned char> sbuf(args[0]);
 
@@ -2148,7 +2227,7 @@ void SSLWrap<Base>::Renegotiate(const FunctionCallbackInfo<Value>& args) {
 
   ClearErrorOnReturn clear_error_on_return;
 
-  // XXX(sam) Return/throw an error, don't discard the SSL error reason.
+  // TODO(@sam-github) Return/throw an error, don't discard the SSL error info.
   bool yes = SSL_renegotiate(w->ssl_.get()) == 1;
   args.GetReturnValue().Set(yes);
 }
@@ -2263,8 +2342,12 @@ void SSLWrap<Base>::GetEphemeralKeyInfo(
                                  EVP_PKEY_bits(key.get()))).FromJust();
         }
         break;
+      default:
+        break;
     }
   }
+  // TODO(@sam-github) semver-major: else return ThrowCryptoError(env,
+  // ERR_get_error())
 
   return args.GetReturnValue().Set(info);
 }
@@ -2486,7 +2569,10 @@ int SSLWrap<Base>::TLSExtStatusCallback(SSL* s, void* arg) {
 
     w->MakeCallback(env->onocspresponse_string(), 1, &arg);
 
-    // Somehow, client is expecting different return value here
+    // No async acceptance is possible, so always return 1 to accept the
+    // response.  The listener for 'OCSPResponse' event has no control over
+    // return value, but it can .destroy() the connection if the response is not
+    // acceptable.
     return 1;
   } else {
     // Outgoing response
@@ -2528,6 +2614,8 @@ int SSLWrap<Base>::SSLCertCallback(SSL* s, void* arg) {
     return 1;
 
   if (w->cert_cb_running_)
+    // Not an error. Suspend handshake with SSL_ERROR_WANT_X509_LOOKUP, and
+    // handshake will continue after certcb is done.
     return -1;
 
   Environment* env = w->env();
@@ -2603,6 +2691,8 @@ void SSLWrap<Base>::CertCbDone(const FunctionCallbackInfo<Value>& args) {
     if (rv)
       rv = w->SetCACerts(sc);
     if (!rv) {
+      // Not clear why sometimes we throw error, and sometimes we call
+      // onerror(). Both cause .destroy(), but onerror does a bit more.
       unsigned long err = ERR_get_error();  // NOLINT(runtime/int)
       if (!err)
         return env->ThrowError("CertCbDone");
@@ -5932,6 +6022,24 @@ void GetSSLCiphers(const FunctionCallbackInfo<Value>& args) {
                            SSL_CIPHER_get_name(cipher))).FromJust();
   }
 
+  // TLSv1.3 ciphers aren't listed by EVP. There are only 5, we could just
+  // document them, but since there are only 5, easier to just add them manually
+  // and not have to explain their absence in the API docs. They are lower-cased
+  // because the docs say they will be.
+  static const char* TLS13_CIPHERS[] = {
+    "tls_aes_256_gcm_sha384",
+    "tls_chacha20_poly1305_sha256",
+    "tls_aes_128_gcm_sha256",
+    "tls_aes_128_ccm_8_sha256",
+    "tls_aes_128_ccm_sha256"
+  };
+
+  for (unsigned i = 0; i < arraysize(TLS13_CIPHERS); ++i) {
+    const char* name = TLS13_CIPHERS[i];
+    arr->Set(env->context(),
+             arr->Length(), OneByteString(args.GetIsolate(), name)).FromJust();
+  }
+
   args.GetReturnValue().Set(arr);
 }
 
diff --git a/src/node_crypto.h b/src/node_crypto.h
index 45e6271816fc61..7bf8bdf6f4f0fd 100644
--- a/src/node_crypto.h
+++ b/src/node_crypto.h
@@ -130,6 +130,7 @@ class SecureContext : public BaseObject {
   static void AddCACert(const v8::FunctionCallbackInfo<v8::Value>& args);
   static void AddCRL(const v8::FunctionCallbackInfo<v8::Value>& args);
   static void AddRootCerts(const v8::FunctionCallbackInfo<v8::Value>& args);
+  static void SetCipherSuites(const v8::FunctionCallbackInfo<v8::Value>& args);
   static void SetCiphers(const v8::FunctionCallbackInfo<v8::Value>& args);
   static void SetECDHCurve(const v8::FunctionCallbackInfo<v8::Value>& args);
   static void SetDHParam(const v8::FunctionCallbackInfo<v8::Value>& args);
@@ -138,6 +139,10 @@ class SecureContext : public BaseObject {
       const v8::FunctionCallbackInfo<v8::Value>& args);
   static void SetSessionTimeout(
       const v8::FunctionCallbackInfo<v8::Value>& args);
+  static void SetMinProto(const v8::FunctionCallbackInfo<v8::Value>& args);
+  static void SetMaxProto(const v8::FunctionCallbackInfo<v8::Value>& args);
+  static void GetMinProto(const v8::FunctionCallbackInfo<v8::Value>& args);
+  static void GetMaxProto(const v8::FunctionCallbackInfo<v8::Value>& args);
   static void Close(const v8::FunctionCallbackInfo<v8::Value>& args);
   static void LoadPKCS12(const v8::FunctionCallbackInfo<v8::Value>& args);
 #ifndef OPENSSL_NO_ENGINE
diff --git a/src/node_crypto_clienthello.cc b/src/node_crypto_clienthello.cc
index 268d4773570f8b..8c1be7871acfa1 100644
--- a/src/node_crypto_clienthello.cc
+++ b/src/node_crypto_clienthello.cc
@@ -86,6 +86,8 @@ void ClientHelloParser::ParseHeader(const uint8_t* data, size_t avail) {
   // (3,2) TLS v1.1
   // (3,3) TLS v1.2
   //
+  // Note that TLS v1.3 uses a TLS v1.2 handshake so requires no specific
+  // support here.
   if (data[body_offset_ + 4] != 0x03 ||
       data[body_offset_ + 5] < 0x01 ||
       data[body_offset_ + 5] > 0x03) {
diff --git a/src/node_crypto_clienthello.h b/src/node_crypto_clienthello.h
index d1661735f5dc4b..725be889e26d64 100644
--- a/src/node_crypto_clienthello.h
+++ b/src/node_crypto_clienthello.h
@@ -33,6 +33,12 @@ namespace crypto {
 // Parse the client hello so we can do async session resumption. OpenSSL's
 // session resumption uses synchronous callbacks, see SSL_CTX_sess_set_get_cb
 // and get_session_cb.
+//
+// TLS1.3 handshakes masquerade as TLS1.2 session resumption, and to do this,
+// they always include a session_id in the ClientHello, making up a bogus value
+// if necessary. The parser can't know if its a bogus id, and will cause a
+// 'newSession' event to be emitted. This should do no harm, the id won't be
+// found, and the handshake will continue.
 class ClientHelloParser {
  public:
   inline ClientHelloParser();
diff --git a/src/node_options.cc b/src/node_options.cc
index 16880ecda95eeb..0febe4b4d742e3 100644
--- a/src/node_options.cc
+++ b/src/node_options.cc
@@ -327,6 +327,31 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() {
   AddAlias("-i", "--interactive");
 
   AddOption("--napi-modules", "", NoOp{}, kAllowedInEnvironment);
+
+  AddOption("--tls-min-v1.0",
+            "set default TLS minimum to TLSv1.0 (default: TLSv1)",
+            &EnvironmentOptions::tls_min_v1_0,
+            kAllowedInEnvironment);
+  AddOption("--tls-min-v1.1",
+            "set default TLS minimum to TLSv1.1 (default: TLSv1)",
+            &EnvironmentOptions::tls_min_v1_1,
+            kAllowedInEnvironment);
+  AddOption("--tls-min-v1.3",
+            "set default TLS minimum to TLSv1.3 (default: TLSv1)",
+            &EnvironmentOptions::tls_min_v1_3,
+            kAllowedInEnvironment);
+  AddOption("--tls-max-v1.2",
+            "set default TLS maximum to TLSv1.2 (default: TLSv1.3)",
+            &EnvironmentOptions::tls_max_v1_2,
+            kAllowedInEnvironment);
+  // Current plan is:
+  // - 11.x and below: TLS1.3 is opt-in with --tls-max-v1.3
+  // - 12.x: TLS1.3 is opt-out with --tls-max-v1.2
+  // In either case, support both options they are uniformly available.
+  AddOption("--tls-max-v1.3",
+            "set default TLS maximum to TLSv1.3 (default: TLSv1.3)",
+            &EnvironmentOptions::tls_max_v1_3,
+            kAllowedInEnvironment);
 }
 
 PerIsolateOptionsParser::PerIsolateOptionsParser(
diff --git a/src/node_options.h b/src/node_options.h
index 441b8a43c645df..7c9da1c69b278a 100644
--- a/src/node_options.h
+++ b/src/node_options.h
@@ -136,6 +136,12 @@ class EnvironmentOptions : public Options {
   bool print_eval = false;
   bool force_repl = false;
 
+  bool tls_min_v1_0 = false;
+  bool tls_min_v1_1 = false;
+  bool tls_min_v1_3 = false;
+  bool tls_max_v1_2 = false;
+  bool tls_max_v1_3 = false;
+
   std::vector<std::string> preload_modules;
 
   std::vector<std::string> user_argv;
diff --git a/src/tls_wrap.cc b/src/tls_wrap.cc
index cf579af85ec124..dbd1f59579f175 100644
--- a/src/tls_wrap.cc
+++ b/src/tls_wrap.cc
@@ -113,6 +113,12 @@ void TLSWrap::InitSSL() {
   SSL_set_mode(ssl_.get(), SSL_MODE_RELEASE_BUFFERS);
 #endif  // SSL_MODE_RELEASE_BUFFERS
 
+  // This is default in 1.1.1, but set it anyway, Cycle() doesn't currently
+  // re-call ClearIn() if SSL_read() returns SSL_ERROR_WANT_READ, so data can be
+  // left sitting in the incoming enc_in_ and never get processed.
+  // - https://wiki.openssl.org/index.php/TLS1.3#Non-application_data_records
+  SSL_set_mode(ssl_.get(), SSL_MODE_AUTO_RETRY);
+
   SSL_set_app_data(ssl_.get(), this);
   // Using InfoCallback isn't how we are supposed to check handshake progress:
   //   https://github.com/openssl/openssl/issues/7199#issuecomment-420915993
@@ -224,6 +230,8 @@ void TLSWrap::SSLInfoCallback(const SSL* ssl_, int where, int ret) {
   Local<Object> object = c->object();
 
   if (where & SSL_CB_HANDSHAKE_START) {
+    // Start is tracked to limit number and frequency of renegotiation attempts,
+    // since excessive renegotiation may be an attack.
     Local<Value> callback;
 
     if (object->Get(env->context(), env->onhandshakestart_string())
@@ -237,6 +245,7 @@ void TLSWrap::SSLInfoCallback(const SSL* ssl_, int where, int ret) {
   // sending HelloRequest in OpenSSL-1.1.1.
   // We need to check whether this is in a renegotiation state or not.
   if (where & SSL_CB_HANDSHAKE_DONE && !SSL_renegotiate_pending(ssl)) {
+    CHECK(!SSL_renegotiate_pending(ssl));
     Local<Value> callback;
 
     c->established_ = true;
@@ -271,8 +280,23 @@ void TLSWrap::EncOut() {
 
   // No encrypted output ready to write to the underlying stream.
   if (BIO_pending(enc_out_) == 0) {
-    if (pending_cleartext_input_.empty())
-      InvokeQueued(0);
+    if (pending_cleartext_input_.empty()) {
+      if (!in_dowrite_) {
+        InvokeQueued(0);
+      } else {
+        // TODO(@sam-github, @addaleax) If in_dowrite_ is true, appdata was
+        // passed to SSL_write().  If we are here, the data was not encrypted to
+        // enc_out_ yet.  Calling Done() "works", but since the write is not
+        // flushed, its too soon.  Just returning and letting the next EncOut()
+        // call Done() passes the test suite, but without more careful analysis,
+        // its not clear if it is always correct. Not calling Done() could block
+        // data flow, so for now continue to call Done(), just do it in the next
+        // tick.
+        env()->SetImmediate([](Environment* env, void* data) {
+            static_cast<TLSWrap*>(data)->InvokeQueued(0);
+        }, this, object());
+      }
+    }
     return;
   }
 
@@ -534,8 +558,8 @@ void TLSWrap::ClearIn() {
   Local<Value> arg = GetSSLError(written, &err, &error_str);
   if (!arg.IsEmpty()) {
     write_callback_scheduled_ = true;
-    // XXX(sam) Should forward an error object with .code/.function/.etc, if
-    // possible.
+    // TODO(@sam-github) Should forward an error object with
+    // .code/.function/.etc, if possible.
     InvokeQueued(UV_EPROTO, error_str.c_str());
   } else {
     // Push back the not-yet-written pending buffers into their queue.
@@ -603,6 +627,7 @@ void TLSWrap::ClearError() {
 
 
 // Called by StreamBase::Write() to request async write of clear text into SSL.
+// TODO(@sam-github) Should there be a TLSWrap::DoTryWrite()?
 int TLSWrap::DoWrite(WriteWrap* w,
                      uv_buf_t* bufs,
                      size_t count,
@@ -688,7 +713,10 @@ int TLSWrap::DoWrite(WriteWrap* w,
   }
 
   // Write any encrypted/handshake output that may be ready.
+  // Guard against sync call of current_write_->Done(), its unsupported.
+  in_dowrite_ = true;
   EncOut();
+  in_dowrite_ = false;
 
   return 0;
 }
diff --git a/src/tls_wrap.h b/src/tls_wrap.h
index 1ab19d3ee02bb9..84abd55c164b8d 100644
--- a/src/tls_wrap.h
+++ b/src/tls_wrap.h
@@ -172,6 +172,7 @@ class TLSWrap : public AsyncWrap,
   std::vector<uv_buf_t> pending_cleartext_input_;
   size_t write_size_ = 0;
   WriteWrap* current_write_ = nullptr;
+  bool in_dowrite_ = false;
   WriteWrap* current_empty_write_ = nullptr;
   bool write_callback_scheduled_ = false;
   bool started_ = false;
diff --git a/test/async-hooks/test-graph.tls-write-12.js b/test/async-hooks/test-graph.tls-write-12.js
new file mode 100644
index 00000000000000..748234402c0e92
--- /dev/null
+++ b/test/async-hooks/test-graph.tls-write-12.js
@@ -0,0 +1,11 @@
+'use strict';
+
+const common = require('../common');
+if (!common.hasCrypto)
+  common.skip('missing crypto');
+
+const tls = require('tls');
+
+tls.DEFAULT_MAX_VERSION = 'TLSv1.2';
+
+require('./test-graph.tls-write.js');
diff --git a/test/async-hooks/test-graph.tls-write.js b/test/async-hooks/test-graph.tls-write.js
index 2ea03283e4c861..580264316dea90 100644
--- a/test/async-hooks/test-graph.tls-write.js
+++ b/test/async-hooks/test-graph.tls-write.js
@@ -39,8 +39,10 @@ function onlistening() {
 function onsecureConnection() {}
 
 function onsecureConnect() {
-  // Destroying client socket
-  this.destroy();
+  // end() client socket, which causes slightly different hook events than
+  // destroy(), but with TLS1.3 destroy() rips the connection down before the
+  // server completes the handshake.
+  this.end();
 
   // Closing server
   server.close(common.mustCall(onserverClosed));
@@ -68,7 +70,8 @@ function onexit() {
       { type: 'WRITEWRAP', id: 'write:2', triggerAsyncId: null },
       { type: 'WRITEWRAP', id: 'write:3', triggerAsyncId: null },
       { type: 'WRITEWRAP', id: 'write:4', triggerAsyncId: null },
-      { type: 'Immediate', id: 'immediate:1', triggerAsyncId: 'tcp:1' },
-      { type: 'Immediate', id: 'immediate:2', triggerAsyncId: 'tcp:2' } ]
+      { type: 'Immediate', id: 'immediate:1', triggerAsyncId: 'tcp:2' },
+      { type: 'Immediate', id: 'immediate:2', triggerAsyncId: 'tcp:1' },
+    ]
   );
 }
diff --git a/test/async-hooks/test-tlswrap.js b/test/async-hooks/test-tlswrap.js
index 354cd7ad0cd91d..d6dcd204703d9d 100644
--- a/test/async-hooks/test-tlswrap.js
+++ b/test/async-hooks/test-tlswrap.js
@@ -15,6 +15,10 @@ const { checkInvocations } = require('./hook-checks');
 const hooks = initHooks();
 hooks.enable();
 
+// TODO(@sam-github) assumes server handshake completes before client, true for
+// 1.2, not for 1.3. Might need a rewrite for TLS1.3.
+tls.DEFAULT_MAX_VERSION = 'TLSv1.2';
+
 //
 // Creating server and listening on port
 //
@@ -52,6 +56,7 @@ function onsecureConnection() {
   //
   const as = hooks.activitiesOfTypes('TLSWRAP');
   assert.strictEqual(as.length, 2);
+  // TODO(@sam-github) This happens after onsecureConnect, with TLS1.3.
   client = as[1];
   assert.strictEqual(client.type, 'TLSWRAP');
   assert.strictEqual(typeof client.uid, 'number');
@@ -78,7 +83,7 @@ function onsecureConnect() {
   //
   // Destroying client socket
   //
-  this.destroy();
+  this.destroy();  // This destroys client before server handshakes, with TLS1.3
   checkInvocations(svr, { init: 1, before: 2, after: 1 },
                    'server: when destroying client');
   checkInvocations(client, { init: 1, before: 2, after: 2 },
diff --git a/test/parallel/test-crypto.js b/test/parallel/test-crypto.js
index 10a8f529ddfd58..680a6eae6975ea 100644
--- a/test/parallel/test-crypto.js
+++ b/test/parallel/test-crypto.js
@@ -130,6 +130,7 @@ validateList(cryptoCiphers);
 // Assume that we have at least AES256-SHA.
 const tlsCiphers = tls.getCiphers();
 assert(tls.getCiphers().includes('aes256-sha'));
+assert(tls.getCiphers().includes('tls_aes_128_ccm_8_sha256'));
 // There should be no capital letters in any element.
 const noCapitals = /^[^A-Z]+$/;
 assert(tlsCiphers.every((value) => noCapitals.test(value)));
diff --git a/test/parallel/test-https-agent-additional-options.js b/test/parallel/test-https-agent-additional-options.js
index eaa6ea710e4d9f..a04ef7461d033f 100644
--- a/test/parallel/test-https-agent-additional-options.js
+++ b/test/parallel/test-https-agent-additional-options.js
@@ -1,3 +1,4 @@
+// Flags: --tls-min-v1.1
 'use strict';
 const common = require('../common');
 if (!common.hasCrypto)
@@ -34,7 +35,7 @@ const updatedValues = new Map([
   ['ecdhCurve', 'secp384r1'],
   ['honorCipherOrder', true],
   ['secureOptions', crypto.constants.SSL_OP_CIPHER_SERVER_PREFERENCE],
-  ['secureProtocol', 'TLSv1_method'],
+  ['secureProtocol', 'TLSv1_1_method'],
   ['sessionIdContext', 'sessionIdContext'],
 ]);
 
diff --git a/test/parallel/test-https-agent-session-eviction.js b/test/parallel/test-https-agent-session-eviction.js
index cf6a1341c1e03f..8e13b150bb1362 100644
--- a/test/parallel/test-https-agent-session-eviction.js
+++ b/test/parallel/test-https-agent-session-eviction.js
@@ -1,3 +1,4 @@
+// Flags: --tls-min-v1.0
 'use strict';
 
 const common = require('../common');
diff --git a/test/parallel/test-https-client-renegotiation-limit.js b/test/parallel/test-https-client-renegotiation-limit.js
index 1fccc7bb5d1629..3527c48f4b9580 100644
--- a/test/parallel/test-https-client-renegotiation-limit.js
+++ b/test/parallel/test-https-client-renegotiation-limit.js
@@ -32,6 +32,9 @@ const tls = require('tls');
 const https = require('https');
 const fixtures = require('../common/fixtures');
 
+// Renegotiation as a protocol feature was dropped after TLS1.2.
+tls.DEFAULT_MAX_VERSION = 'TLSv1.2';
+
 // renegotiation limits to test
 const LIMITS = [0, 1, 2, 3, 5, 10, 16];
 
diff --git a/test/parallel/test-https-client-resume.js b/test/parallel/test-https-client-resume.js
index cf1bbdf2626823..8904e24180b329 100644
--- a/test/parallel/test-https-client-resume.js
+++ b/test/parallel/test-https-client-resume.js
@@ -55,7 +55,8 @@ server.listen(0, common.mustCall(function() {
                   '\r\n');
   }));
 
-  client1.on('session', common.mustCall((session) => {
+  // TLS1.2 servers issue 1 ticket, TLS1.3 issues more, but only use the first.
+  client1.once('session', common.mustCall((session) => {
     console.log('session');
 
     const opts = {
diff --git a/test/parallel/test-process-env-allowed-flags.js b/test/parallel/test-process-env-allowed-flags.js
index 8b6adfb2224ad5..17d58e139a04fd 100644
--- a/test/parallel/test-process-env-allowed-flags.js
+++ b/test/parallel/test-process-env-allowed-flags.js
@@ -51,7 +51,7 @@ require('../common');
 // Assert all "canonical" flags begin with dash(es)
 {
   process.allowedNodeEnvironmentFlags.forEach((flag) => {
-    assert(/^--?[a-z8_-]+$/.test(flag), `Unexpected format for flag ${flag}`);
+    assert(/^--?[a-z0-9._-]+$/.test(flag), `Unexpected format for flag ${flag}`);
   });
 }
 
diff --git a/test/parallel/test-tls-alert-handling.js b/test/parallel/test-tls-alert-handling.js
index 63b845122fc1f0..f9f42e2d51c04d 100644
--- a/test/parallel/test-tls-alert-handling.js
+++ b/test/parallel/test-tls-alert-handling.js
@@ -64,7 +64,7 @@ function sendClient() {
     }
     client.end();
   }, max_iter));
-  client.write('a');
+  client.write('a', common.mustCall());
   client.on('error', common.mustNotCall());
   client.on('close', common.mustCall(function() {
     clientClosed = true;
diff --git a/test/parallel/test-tls-async-cb-after-socket-end.js b/test/parallel/test-tls-async-cb-after-socket-end.js
index 5c812c8f0432ea..49ca0cebc9b524 100644
--- a/test/parallel/test-tls-async-cb-after-socket-end.js
+++ b/test/parallel/test-tls-async-cb-after-socket-end.js
@@ -14,7 +14,6 @@ const tls = require('tls');
 // new and resume session events will never be emitted on the server.
 
 const options = {
-  maxVersion: 'TLSv1.2',
   secureOptions: SSL_OP_NO_TICKET,
   key: fixtures.readSync('test_key.pem'),
   cert: fixtures.readSync('test_cert.pem')
@@ -38,6 +37,10 @@ server.on('resumeSession', common.mustCall((id, cb) => {
 
 server.listen(0, common.mustCall(() => {
   const clientOpts = {
+    // Don't send a TLS1.3/1.2 ClientHello, they contain a fake session_id,
+    // which triggers a 'resumeSession' event for client1. TLS1.2 ClientHello
+    // won't have a session_id until client2, which will have a valid session.
+    maxVersion: 'TLSv1.2',
     port: server.address().port,
     rejectUnauthorized: false,
     session: false
diff --git a/test/parallel/test-tls-basic-validations.js b/test/parallel/test-tls-basic-validations.js
index 8d39b8d45c9c65..9bcc63c45455c7 100644
--- a/test/parallel/test-tls-basic-validations.js
+++ b/test/parallel/test-tls-basic-validations.js
@@ -12,7 +12,8 @@ common.expectsError(
   {
     code: 'ERR_INVALID_ARG_TYPE',
     type: TypeError,
-    message: 'Ciphers must be a string'
+    message: 'The "options.ciphers" property must be of type string.' +
+      ' Received type number'
   });
 
 common.expectsError(
@@ -20,7 +21,8 @@ common.expectsError(
   {
     code: 'ERR_INVALID_ARG_TYPE',
     type: TypeError,
-    message: 'Ciphers must be a string'
+    message: 'The "options.ciphers" property must be of type string.' +
+      ' Received type number'
   });
 
 common.expectsError(
diff --git a/test/parallel/test-tls-cli-max-version-1.2.js b/test/parallel/test-tls-cli-max-version-1.2.js
new file mode 100644
index 00000000000000..8ef4eaf79a4600
--- /dev/null
+++ b/test/parallel/test-tls-cli-max-version-1.2.js
@@ -0,0 +1,15 @@
+// Flags: --tls-max-v1.2
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto) common.skip('missing crypto');
+
+// Check that node `--tls-max-v1.2` is supported.
+
+const assert = require('assert');
+const tls = require('tls');
+
+assert.strictEqual(tls.DEFAULT_MAX_VERSION, 'TLSv1.2');
+assert.strictEqual(tls.DEFAULT_MIN_VERSION, 'TLSv1');
+
+// Check the min-max version protocol versions against these CLI settings.
+require('./test-tls-min-max-version.js');
diff --git a/test/parallel/test-tls-cli-max-version-1.3.js b/test/parallel/test-tls-cli-max-version-1.3.js
new file mode 100644
index 00000000000000..aada5b553a7554
--- /dev/null
+++ b/test/parallel/test-tls-cli-max-version-1.3.js
@@ -0,0 +1,15 @@
+// Flags: --tls-max-v1.3
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto) common.skip('missing crypto');
+
+// Check that node `--tls-max-v1.3` is supported.
+
+const assert = require('assert');
+const tls = require('tls');
+
+assert.strictEqual(tls.DEFAULT_MAX_VERSION, 'TLSv1.3');
+assert.strictEqual(tls.DEFAULT_MIN_VERSION, 'TLSv1');
+
+// Check the min-max version protocol versions against these CLI settings.
+require('./test-tls-min-max-version.js');
diff --git a/test/parallel/test-tls-cli-min-version-1.0.js b/test/parallel/test-tls-cli-min-version-1.0.js
new file mode 100644
index 00000000000000..577562782eceee
--- /dev/null
+++ b/test/parallel/test-tls-cli-min-version-1.0.js
@@ -0,0 +1,15 @@
+// Flags: --tls-min-v1.0 --tls-min-v1.1
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto) common.skip('missing crypto');
+
+// Check that `node --tls-v1.0` is supported, and overrides --tls-v1.1.
+
+const assert = require('assert');
+const tls = require('tls');
+
+assert.strictEqual(tls.DEFAULT_MAX_VERSION, 'TLSv1.3');
+assert.strictEqual(tls.DEFAULT_MIN_VERSION, 'TLSv1');
+
+// Check the min-max version protocol versions against these CLI settings.
+require('./test-tls-min-max-version.js');
diff --git a/test/parallel/test-tls-cli-min-version-1.1.js b/test/parallel/test-tls-cli-min-version-1.1.js
new file mode 100644
index 00000000000000..3af2b39546c42a
--- /dev/null
+++ b/test/parallel/test-tls-cli-min-version-1.1.js
@@ -0,0 +1,15 @@
+// Flags: --tls-min-v1.1
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto) common.skip('missing crypto');
+
+// Check that node `--tls-v1.1` is supported.
+
+const assert = require('assert');
+const tls = require('tls');
+
+assert.strictEqual(tls.DEFAULT_MAX_VERSION, 'TLSv1.3');
+assert.strictEqual(tls.DEFAULT_MIN_VERSION, 'TLSv1.1');
+
+// Check the min-max version protocol versions against these CLI settings.
+require('./test-tls-min-max-version.js');
diff --git a/test/parallel/test-tls-cli-min-version-1.3.js b/test/parallel/test-tls-cli-min-version-1.3.js
new file mode 100644
index 00000000000000..1bccc2f6cd331a
--- /dev/null
+++ b/test/parallel/test-tls-cli-min-version-1.3.js
@@ -0,0 +1,15 @@
+// Flags: --tls-min-v1.3
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto) common.skip('missing crypto');
+
+// Check that node `--tls-min-v1.3` is supported.
+
+const assert = require('assert');
+const tls = require('tls');
+
+assert.strictEqual(tls.DEFAULT_MAX_VERSION, 'TLSv1.3');
+assert.strictEqual(tls.DEFAULT_MIN_VERSION, 'TLSv1.3');
+
+// Check the min-max version protocol versions against these CLI settings.
+require('./test-tls-min-max-version.js');
diff --git a/test/parallel/test-tls-client-auth.js b/test/parallel/test-tls-client-auth.js
index 1f8c7e6096ff11..476238961986cd 100644
--- a/test/parallel/test-tls-client-auth.js
+++ b/test/parallel/test-tls-client-auth.js
@@ -1,10 +1,10 @@
 'use strict';
 
-require('../common');
+const common = require('../common');
 const fixtures = require('../common/fixtures');
 
 const {
-  assert, connect, keys
+  assert, connect, keys, tls
 } = require(fixtures.path('tls-connect'));
 
 // Use ec10 and agent10, they are the only identities with intermediate CAs.
@@ -63,9 +63,10 @@ connect({
   return cleanup();
 });
 
-// Request cert from client that doesn't have one.
+// Request cert from TLS1.2 client that doesn't have one.
 connect({
   client: {
+    maxVersion: 'TLSv1.2',
     ca: server.ca,
     checkServerIdentity,
   },
@@ -76,10 +77,38 @@ connect({
     requestCert: true,
   },
 }, function(err, pair, cleanup) {
-  assert.strictEqual(err.code, 'ECONNRESET');
+  assert.strictEqual(pair.server.err.code,
+                     'ERR_SSL_PEER_DID_NOT_RETURN_A_CERTIFICATE');
+  assert.strictEqual(pair.client.err.code, 'ECONNRESET');
   return cleanup();
 });
 
+// Request cert from TLS1.3 client that doesn't have one.
+if (tls.DEFAULT_MAX_VERSION === 'TLSv1.3') connect({
+  client: {
+    ca: server.ca,
+    checkServerIdentity,
+  },
+  server: {
+    key: server.key,
+    cert: server.cert,
+    ca: client.ca,
+    requestCert: true,
+  },
+}, function(err, pair, cleanup) {
+  assert.strictEqual(pair.server.err.code,
+                     'ERR_SSL_PEER_DID_NOT_RETURN_A_CERTIFICATE');
+
+  // TLS1.3 client completes handshake before server, and its only after the
+  // server handshakes, requests certs, gets back a zero-length list of certs,
+  // and sends a fatal Alert to the client that the client discovers there has
+  // been a fatal error.
+  pair.client.conn.once('error', common.mustCall((err) => {
+    assert.strictEqual(err.code, 'ERR_SSL_TLSV13_ALERT_CERTIFICATE_REQUIRED');
+    cleanup();
+  }));
+});
+
 // Typical configuration error, incomplete cert chains sent, we have to know the
 // peer's subordinate CAs in order to verify the peer.
 connect({
diff --git a/test/parallel/test-tls-client-getephemeralkeyinfo.js b/test/parallel/test-tls-client-getephemeralkeyinfo.js
index 8a9cc65a1cac25..113b452db60583 100644
--- a/test/parallel/test-tls-client-getephemeralkeyinfo.js
+++ b/test/parallel/test-tls-client-getephemeralkeyinfo.js
@@ -10,6 +10,9 @@ const tls = require('tls');
 const key = fixtures.readKey('agent2-key.pem');
 const cert = fixtures.readKey('agent2-cert.pem');
 
+// TODO(@sam-github) test works with TLS1.3, rework test to add
+//   'ECDH' with 'TLS_AES_128_GCM_SHA256',
+
 function loadDHParam(n) {
   return fixtures.readKey(`dh${n}.pem`);
 }
diff --git a/test/parallel/test-tls-client-reject-12.js b/test/parallel/test-tls-client-reject-12.js
new file mode 100644
index 00000000000000..f77d463f44dc71
--- /dev/null
+++ b/test/parallel/test-tls-client-reject-12.js
@@ -0,0 +1,13 @@
+'use strict';
+
+// test-tls-client-reject specifically for TLS1.2.
+
+const common = require('../common');
+if (!common.hasCrypto)
+  common.skip('missing crypto');
+
+const tls = require('tls');
+
+tls.DEFAULT_MAX_VERSION = 'TLSv1.2';
+
+require('./test-tls-client-reject.js');
diff --git a/test/parallel/test-tls-client-reject.js b/test/parallel/test-tls-client-reject.js
index 9eff6cb9cead01..329b78c271baaa 100644
--- a/test/parallel/test-tls-client-reject.js
+++ b/test/parallel/test-tls-client-reject.js
@@ -35,6 +35,7 @@ const options = {
 
 const server = tls.createServer(options, function(socket) {
   socket.pipe(socket);
+  // Pipe already ends... but leaving this here tests .end() after .end().
   socket.on('end', () => socket.end());
 }).listen(0, common.mustCall(function() {
   unauthorized();
@@ -47,13 +48,19 @@ function unauthorized() {
     servername: 'localhost',
     rejectUnauthorized: false
   }, common.mustCall(function() {
-    console.log('... unauthorized');
+    let _data;
     assert(!socket.authorized);
     socket.on('data', common.mustCall((data) => {
       assert.strictEqual(data.toString(), 'ok');
+      _data = data;
+    }));
+    socket.on('end', common.mustCall(() => {
+      assert(_data, 'data failed to echo!');
     }));
     socket.on('end', () => rejectUnauthorized());
   }));
+  socket.once('session', common.mustCall(() => {
+  }));
   socket.on('error', common.mustNotCall());
   socket.end('ok');
 }
@@ -65,7 +72,6 @@ function rejectUnauthorized() {
   }, common.mustNotCall());
   socket.on('data', common.mustNotCall());
   socket.on('error', common.mustCall(function(err) {
-    console.log('... rejected:', err);
     authorized();
   }));
   socket.end('ng');
diff --git a/test/parallel/test-tls-client-renegotiation-13.js b/test/parallel/test-tls-client-renegotiation-13.js
new file mode 100644
index 00000000000000..8af63c4f791ddc
--- /dev/null
+++ b/test/parallel/test-tls-client-renegotiation-13.js
@@ -0,0 +1,37 @@
+'use strict';
+
+const common = require('../common');
+const fixtures = require('../common/fixtures');
+
+// Confirm that for TLSv1.3, renegotiate() is disallowed.
+
+const {
+  assert, connect, keys
+} = require(fixtures.path('tls-connect'));
+
+const server = keys.agent10;
+
+connect({
+  client: {
+    ca: server.ca,
+    checkServerIdentity: common.mustCall(),
+  },
+  server: {
+    key: server.key,
+    cert: server.cert,
+  },
+}, function(err, pair, cleanup) {
+  assert.ifError(err);
+
+  const client = pair.client.conn;
+
+  assert.strictEqual(client.getProtocol(), 'TLSv1.3');
+
+  const ok = client.renegotiate({}, common.mustCall((err) => {
+    assert(err.code, 'ERR_TLS_RENEGOTIATE');
+    assert(err.message, 'Attempt to renegotiate TLS session failed');
+    cleanup();
+  }));
+
+  assert.strictEqual(ok, false);
+});
diff --git a/test/parallel/test-tls-client-renegotiation-limit.js b/test/parallel/test-tls-client-renegotiation-limit.js
index daae92eeb46d67..010fd8596aa0c8 100644
--- a/test/parallel/test-tls-client-renegotiation-limit.js
+++ b/test/parallel/test-tls-client-renegotiation-limit.js
@@ -31,6 +31,9 @@ const assert = require('assert');
 const tls = require('tls');
 const fixtures = require('../common/fixtures');
 
+// Renegotiation as a protocol feature was dropped after TLS1.2.
+tls.DEFAULT_MAX_VERSION = 'TLSv1.2';
+
 // renegotiation limits to test
 const LIMITS = [0, 1, 2, 3, 5, 10, 16];
 
diff --git a/test/parallel/test-tls-client-resume-12.js b/test/parallel/test-tls-client-resume-12.js
new file mode 100644
index 00000000000000..7767d3dd2a5cc9
--- /dev/null
+++ b/test/parallel/test-tls-client-resume-12.js
@@ -0,0 +1,13 @@
+'use strict';
+
+// test-tls-client-resume specifically for TLS1.2.
+
+const common = require('../common');
+if (!common.hasCrypto)
+  common.skip('missing crypto');
+
+const tls = require('tls');
+
+tls.DEFAULT_MAX_VERSION = 'TLSv1.2';
+
+require('./test-tls-client-resume.js');
diff --git a/test/parallel/test-tls-client-resume.js b/test/parallel/test-tls-client-resume.js
index 9f868fdcdc0a49..0f5c9caa7c3f8f 100644
--- a/test/parallel/test-tls-client-resume.js
+++ b/test/parallel/test-tls-client-resume.js
@@ -44,32 +44,59 @@ const server = tls.Server(options, common.mustCall((socket) => {
 
 // start listening
 server.listen(0, common.mustCall(function() {
-
-  let sessionx = null;
-  let session1 = null;
+  let sessionx = null; // From right after connect, invalid for TLS1.3
+  let session1 = null; // Delivered by the session event, always valid.
+  let sessions = 0;
+  let tls13;
   const client1 = tls.connect({
     port: this.address().port,
     rejectUnauthorized: false
   }, common.mustCall(() => {
-    console.log('connect1');
+    tls13 = client1.getProtocol() === 'TLSv1.3';
     assert.strictEqual(client1.isSessionReused(), false);
     sessionx = client1.getSession();
+    assert(sessionx);
+
+    if (session1)
+      reconnect();
+  }));
+
+  client1.on('data', common.mustCall((d) => {
   }));
 
   client1.once('session', common.mustCall((session) => {
     console.log('session1');
     session1 = session;
+    assert(session1);
+    if (sessionx)
+      reconnect();
   }));
 
-  client1.on('close', common.mustCall(() => {
+  client1.on('session', () => {
+    console.log('client1 session#', ++sessions);
+  });
+
+  client1.on('close', () => {
+    console.log('client1 close');
+    assert.strictEqual(sessions, tls13 ? 2 : 1);
+  });
+
+  function reconnect() {
     assert(sessionx);
     assert(session1);
-    assert.strictEqual(sessionx.compare(session1), 0);
+    if (tls13)
+      // For TLS1.3, the session immediately after handshake is a dummy,
+      // unresumable session. The one delivered later in session event is
+      // resumable.
+      assert.notStrictEqual(sessionx.compare(session1), 0);
+    else
+      // For TLS1.2, they are identical.
+      assert.strictEqual(sessionx.compare(session1), 0);
 
     const opts = {
       port: server.address().port,
       rejectUnauthorized: false,
-      session: session1
+      session: session1,
     };
 
     const client2 = tls.connect(opts, common.mustCall(() => {
@@ -83,7 +110,7 @@ server.listen(0, common.mustCall(function() {
     }));
 
     client2.resume();
-  }));
+  }
 
   client1.resume();
 }));
diff --git a/test/parallel/test-tls-destroy-stream-12.js b/test/parallel/test-tls-destroy-stream-12.js
new file mode 100644
index 00000000000000..69861868cf23b6
--- /dev/null
+++ b/test/parallel/test-tls-destroy-stream-12.js
@@ -0,0 +1,13 @@
+'use strict';
+
+// test-tls-destroy-stream specifically for TLS1.2.
+
+const common = require('../common');
+if (!common.hasCrypto)
+  common.skip('missing crypto');
+
+const tls = require('tls');
+
+tls.DEFAULT_MAX_VERSION = 'TLSv1.2';
+
+require('./test-tls-destroy-stream.js');
diff --git a/test/parallel/test-tls-destroy-stream.js b/test/parallel/test-tls-destroy-stream.js
index eb7a2ca338bd40..237f472f0281f9 100644
--- a/test/parallel/test-tls-destroy-stream.js
+++ b/test/parallel/test-tls-destroy-stream.js
@@ -21,10 +21,17 @@ const tlsServer = tls.createServer(
     ca: [fixtures.readSync('test_ca.pem')],
   },
   (socket) => {
-    socket.on('error', common.mustNotCall());
     socket.on('close', common.mustCall());
     socket.write(CONTENT);
     socket.destroy();
+
+    socket.on('error', (err) => {
+      // destroy() is sync, write() is async, whether write completes depends
+      // on the protocol, it is not guaranteed by stream API.
+      if (err.code === 'ERR_STREAM_DESTROYED')
+        return;
+      assert.ifError(err);
+    });
   },
 );
 
@@ -57,13 +64,12 @@ const server = net.createServer((conn) => {
 server.listen(0, () => {
   const port = server.address().port;
   const conn = tls.connect({ port, rejectUnauthorized: false }, () => {
-    conn.on('data', common.mustCall((data) => {
+    // Whether the server's write() completed before its destroy() is
+    // indeterminate, but if data was written, we should receive it correctly.
+    conn.on('data', (data) => {
       assert.strictEqual(data.toString('utf8'), CONTENT);
-    }));
+    });
     conn.on('error', common.mustNotCall());
-    conn.on(
-      'close',
-      common.mustCall(() => server.close()),
-    );
+    conn.on('close', common.mustCall(() => server.close()));
   });
 });
diff --git a/test/parallel/test-tls-disable-renegotiation.js b/test/parallel/test-tls-disable-renegotiation.js
index 0fc98641a69800..8db20331d1a616 100644
--- a/test/parallel/test-tls-disable-renegotiation.js
+++ b/test/parallel/test-tls-disable-renegotiation.js
@@ -10,6 +10,9 @@ if (!common.hasCrypto)
 
 const tls = require('tls');
 
+// Renegotiation as a protocol feature was dropped after TLS1.2.
+tls.DEFAULT_MAX_VERSION = 'TLSv1.2';
+
 const options = {
   key: fixtures.readKey('agent1-key.pem'),
   cert: fixtures.readKey('agent1-cert.pem'),
@@ -64,5 +67,9 @@ server.listen(0, common.mustCall(() => {
       }));
     }));
     assert.strictEqual(ok, true);
+    client.on('secureConnect', common.mustCall(() => {
+    }));
+    client.on('secure', common.mustCall(() => {
+    }));
   }));
 }));
diff --git a/test/parallel/test-tls-getcipher.js b/test/parallel/test-tls-getcipher.js
index 37677ada7f411c..03c32da03c945b 100644
--- a/test/parallel/test-tls-getcipher.js
+++ b/test/parallel/test-tls-getcipher.js
@@ -45,7 +45,7 @@ server.listen(0, '127.0.0.1', common.mustCall(function() {
   const client = tls.connect({
     host: '127.0.0.1',
     port: this.address().port,
-    ciphers: cipher_list.join(':'),
+    ciphers: 'AES128-SHA256',
     rejectUnauthorized: false
   }, common.mustCall(function() {
     const cipher = client.getCipher();
@@ -55,3 +55,24 @@ server.listen(0, '127.0.0.1', common.mustCall(function() {
     server.close();
   }));
 }));
+
+tls.createServer({
+  key: fixtures.readKey('agent2-key.pem'),
+  cert: fixtures.readKey('agent2-cert.pem'),
+  ciphers: 'TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_CCM_8_SHA256',
+  maxVersion: 'TLSv1.3',
+}, common.mustCall(function() {
+  this.close();
+})).listen(0, common.mustCall(function() {
+  const client = tls.connect({
+    port: this.address().port,
+    ciphers: 'TLS_AES_128_CCM_8_SHA256',
+    maxVersion: 'TLSv1.3',
+    rejectUnauthorized: false
+  }, common.mustCall(() => {
+    const cipher = client.getCipher();
+    assert.strictEqual(cipher.name, 'TLS_AES_128_CCM_8_SHA256');
+    assert.strictEqual(cipher.version, 'TLSv1/SSLv3');
+    client.end();
+  }));
+}));
diff --git a/test/parallel/test-tls-getprotocol.js b/test/parallel/test-tls-getprotocol.js
index bf75eb8a398647..20018241e33572 100644
--- a/test/parallel/test-tls-getprotocol.js
+++ b/test/parallel/test-tls-getprotocol.js
@@ -17,6 +17,7 @@ const clientConfigs = [
 ];
 
 const serverConfig = {
+  secureProtocol: 'TLS_method',
   key: fixtures.readSync('/keys/agent2-key.pem'),
   cert: fixtures.readSync('/keys/agent2-cert.pem')
 };
diff --git a/test/parallel/test-tls-min-max-version.js b/test/parallel/test-tls-min-max-version.js
index 521bc5ce9f193e..e2f35a5803ab24 100644
--- a/test/parallel/test-tls-min-max-version.js
+++ b/test/parallel/test-tls-min-max-version.js
@@ -10,11 +10,12 @@ const {
 const DEFAULT_MIN_VERSION = tls.DEFAULT_MIN_VERSION;
 const DEFAULT_MAX_VERSION = tls.DEFAULT_MAX_VERSION;
 
-// For v11.x, the default is fixed and cannot be changed via CLI.
-assert.strictEqual(DEFAULT_MIN_VERSION, 'TLSv1');
-
 function test(cmin, cmax, cprot, smin, smax, sprot, proto, cerr, serr) {
   assert(proto || cerr || serr, 'test missing any expectations');
+  // Report where test was called from. Strip leading garbage from
+  //     at Object.<anonymous> (file:line)
+  // from the stack location, we only want the file:line part.
+  const where = (new Error()).stack.split('\n')[2].replace(/[^(]*/, '');
   connect({
     client: {
       checkServerIdentity: (servername, cert) => { },
@@ -34,26 +35,10 @@ function test(cmin, cmax, cprot, smin, smax, sprot, proto, cerr, serr) {
     function u(_) { return _ === undefined ? 'U' : _; }
     console.log('test:', u(cmin), u(cmax), u(cprot), u(smin), u(smax), u(sprot),
                 'expect', u(proto), u(cerr), u(serr));
+    console.log('  ', where);
     if (!proto) {
       console.log('client', pair.client.err ? pair.client.err.code : undefined);
       console.log('server', pair.server.err ? pair.server.err.code : undefined);
-      // 11.x doesn't have https://github.com/nodejs/node/pull/24729
-      if (cerr === 'ERR_TLS_INVALID_PROTOCOL_METHOD' &&
-          pair.client.err &&
-          pair.client.err.message.includes('methods disabled'))
-        pair.client.err.code = 'ERR_TLS_INVALID_PROTOCOL_METHOD';
-      if (serr === 'ERR_TLS_INVALID_PROTOCOL_METHOD' &&
-          pair.server.err &&
-          pair.server.err.message.includes('methods disabled'))
-        pair.server.err.code = 'ERR_TLS_INVALID_PROTOCOL_METHOD';
-      if (cerr === 'ERR_TLS_INVALID_PROTOCOL_METHOD' &&
-          pair.client.err &&
-          pair.client.err.message.includes('Unknown method'))
-        pair.client.err.code = 'ERR_TLS_INVALID_PROTOCOL_METHOD';
-      if (serr === 'ERR_TLS_INVALID_PROTOCOL_METHOD' &&
-          pair.server.err &&
-          pair.server.err.message.includes('Unknown method'))
-        pair.server.err.code = 'ERR_TLS_INVALID_PROTOCOL_METHOD';
       if (cerr) {
         assert(pair.client.err);
         // Accept these codes as aliases, the one reported depends on the
@@ -83,8 +68,8 @@ function test(cmin, cmax, cprot, smin, smax, sprot, proto, cerr, serr) {
 
 const U = undefined;
 
-// Default protocol is TLSv1.2.
-test(U, U, U, U, U, U, 'TLSv1.2');
+// Default protocol is the max version.
+test(U, U, U, U, U, U, DEFAULT_MAX_VERSION);
 
 // Insecure or invalid protocols cannot be enabled.
 test(U, U, U, U, U, 'SSLv2_method',
@@ -120,7 +105,23 @@ test(U, U, 'TLS_method', U, U, 'TLSv1_method', 'TLSv1');
 
 // SSLv23 also means "any supported protocol" greater than the default
 // minimum (which is configurable via command line).
-test(U, U, 'TLSv1_2_method', U, U, 'SSLv23_method', 'TLSv1.2');
+if (DEFAULT_MIN_VERSION === 'TLSv1.3') {
+  test(U, U, 'TLSv1_2_method', U, U, 'SSLv23_method',
+       U, 'ECONNRESET', 'ERR_SSL_INTERNAL_ERROR');
+} else {
+  test(U, U, 'TLSv1_2_method', U, U, 'SSLv23_method', 'TLSv1.2');
+}
+
+if (DEFAULT_MIN_VERSION === 'TLSv1.3') {
+  test(U, U, 'TLSv1_1_method', U, U, 'SSLv23_method',
+       U, 'ECONNRESET', 'ERR_SSL_INTERNAL_ERROR');
+  test(U, U, 'TLSv1_method', U, U, 'SSLv23_method',
+       U, 'ECONNRESET', 'ERR_SSL_INTERNAL_ERROR');
+  test(U, U, 'SSLv23_method', U, U, 'TLSv1_1_method',
+       U, 'ERR_SSL_NO_PROTOCOLS_AVAILABLE', 'ERR_SSL_UNEXPECTED_MESSAGE');
+  test(U, U, 'SSLv23_method', U, U, 'TLSv1_method',
+       U, 'ERR_SSL_NO_PROTOCOLS_AVAILABLE', 'ERR_SSL_UNEXPECTED_MESSAGE');
+}
 
 if (DEFAULT_MIN_VERSION === 'TLSv1.2') {
   test(U, U, 'TLSv1_1_method', U, U, 'SSLv23_method',
@@ -168,7 +169,11 @@ if (DEFAULT_MIN_VERSION === 'TLSv1.2') {
     test(U, U, U, U, U, 'TLSv1_method',
          U, 'ERR_SSL_UNSUPPORTED_PROTOCOL', 'ERR_SSL_WRONG_VERSION_NUMBER');
   } else {
-    assert(false, 'unreachable');
+    // TLS1.3 client hellos are are not understood by TLS1.1 or below.
+    test(U, U, U, U, U, 'TLSv1_1_method',
+         U, 'ECONNRESET', 'ERR_SSL_UNSUPPORTED_PROTOCOL');
+    test(U, U, U, U, U, 'TLSv1_method',
+         U, 'ECONNRESET', 'ERR_SSL_UNSUPPORTED_PROTOCOL');
   }
 }
 
@@ -183,7 +188,9 @@ if (DEFAULT_MIN_VERSION === 'TLSv1.1') {
     test(U, U, U, U, U, 'TLSv1_method',
          U, 'ERR_SSL_UNSUPPORTED_PROTOCOL', 'ERR_SSL_WRONG_VERSION_NUMBER');
   } else {
-    assert(false, 'unreachable');
+    // TLS1.3 client hellos are are not understood by TLS1.1 or below.
+    test(U, U, U, U, U, 'TLSv1_method',
+         U, 'ECONNRESET', 'ERR_SSL_UNSUPPORTED_PROTOCOL');
   }
 }
 
@@ -199,14 +206,32 @@ if (DEFAULT_MIN_VERSION === 'TLSv1') {
 test('TLSv1', 'TLSv1.2', U, U, U, 'TLSv1_method', 'TLSv1');
 test('TLSv1', 'TLSv1.2', U, U, U, 'TLSv1_1_method', 'TLSv1.1');
 test('TLSv1', 'TLSv1.2', U, U, U, 'TLSv1_2_method', 'TLSv1.2');
+test('TLSv1', 'TLSv1.2', U, U, U, 'TLS_method', 'TLSv1.2');
 
 test(U, U, 'TLSv1_method', 'TLSv1', 'TLSv1.2', U, 'TLSv1');
 test(U, U, 'TLSv1_1_method', 'TLSv1', 'TLSv1.2', U, 'TLSv1.1');
 test(U, U, 'TLSv1_2_method', 'TLSv1', 'TLSv1.2', U, 'TLSv1.2');
 
+test('TLSv1', 'TLSv1.1', U, 'TLSv1', 'TLSv1.3', U, 'TLSv1.1');
 test('TLSv1', 'TLSv1.1', U, 'TLSv1', 'TLSv1.2', U, 'TLSv1.1');
 test('TLSv1', 'TLSv1.2', U, 'TLSv1', 'TLSv1.1', U, 'TLSv1.1');
+test('TLSv1', 'TLSv1.3', U, 'TLSv1', 'TLSv1.1', U, 'TLSv1.1');
 test('TLSv1', 'TLSv1', U, 'TLSv1', 'TLSv1.1', U, 'TLSv1');
 test('TLSv1', 'TLSv1.2', U, 'TLSv1', 'TLSv1', U, 'TLSv1');
+test('TLSv1', 'TLSv1.3', U, 'TLSv1', 'TLSv1', U, 'TLSv1');
 test('TLSv1.1', 'TLSv1.1', U, 'TLSv1', 'TLSv1.2', U, 'TLSv1.1');
 test('TLSv1', 'TLSv1.2', U, 'TLSv1.1', 'TLSv1.1', U, 'TLSv1.1');
+test('TLSv1', 'TLSv1.2', U, 'TLSv1', 'TLSv1.3', U, 'TLSv1.2');
+
+// v-any client can connect to v-specific server
+test('TLSv1', 'TLSv1.3', U, 'TLSv1.3', 'TLSv1.3', U, 'TLSv1.3');
+test('TLSv1', 'TLSv1.3', U, 'TLSv1.2', 'TLSv1.3', U, 'TLSv1.3');
+test('TLSv1', 'TLSv1.3', U, 'TLSv1.2', 'TLSv1.2', U, 'TLSv1.2');
+test('TLSv1', 'TLSv1.3', U, 'TLSv1.1', 'TLSv1.1', U, 'TLSv1.1');
+test('TLSv1', 'TLSv1.3', U, 'TLSv1', 'TLSv1', U, 'TLSv1');
+
+// v-specific client can connect to v-any server
+test('TLSv1.3', 'TLSv1.3', U, 'TLSv1', 'TLSv1.3', U, 'TLSv1.3');
+test('TLSv1.2', 'TLSv1.2', U, 'TLSv1', 'TLSv1.3', U, 'TLSv1.2');
+test('TLSv1.1', 'TLSv1.1', U, 'TLSv1', 'TLSv1.3', U, 'TLSv1.1');
+test('TLSv1', 'TLSv1', U, 'TLSv1', 'TLSv1.3', U, 'TLSv1');
diff --git a/test/parallel/test-tls-net-socket-keepalive-12.js b/test/parallel/test-tls-net-socket-keepalive-12.js
new file mode 100644
index 00000000000000..d2fb230796e553
--- /dev/null
+++ b/test/parallel/test-tls-net-socket-keepalive-12.js
@@ -0,0 +1,13 @@
+'use strict';
+
+// test-tls-net-socket-keepalive specifically for TLS1.2.
+
+const common = require('../common');
+if (!common.hasCrypto)
+  common.skip('missing crypto');
+
+const tls = require('tls');
+
+tls.DEFAULT_MAX_VERSION = 'TLSv1.2';
+
+require('./test-tls-net-socket-keepalive.js');
diff --git a/test/parallel/test-tls-net-socket-keepalive.js b/test/parallel/test-tls-net-socket-keepalive.js
index c184e902b42685..4acb4e80224ee9 100644
--- a/test/parallel/test-tls-net-socket-keepalive.js
+++ b/test/parallel/test-tls-net-socket-keepalive.js
@@ -20,8 +20,11 @@ const options = {
 };
 
 const server = tls.createServer(options, common.mustCall((conn) => {
-  conn.write('hello');
+  conn.write('hello', common.mustCall());
   conn.on('data', common.mustCall());
+  conn.on('end', common.mustCall());
+  conn.on('data', common.mustCall());
+  conn.on('close', common.mustCall());
   conn.end();
 })).listen(0, common.mustCall(() => {
   const netSocket = new net.Socket({
@@ -42,6 +45,7 @@ const server = tls.createServer(options, common.mustCall((conn) => {
     address,
   });
 
+  socket.on('secureConnect', common.mustCall());
   socket.on('end', common.mustCall());
   socket.on('data', common.mustCall());
   socket.on('close', common.mustCall(() => {
diff --git a/test/parallel/test-tls-server-verify.js b/test/parallel/test-tls-server-verify.js
index 2fd815d627fdf7..347dfd985ab97d 100644
--- a/test/parallel/test-tls-server-verify.js
+++ b/test/parallel/test-tls-server-verify.js
@@ -272,6 +272,8 @@ function runTest(port, testIndex) {
   if (tcase.renegotiate) {
     serverOptions.secureOptions =
         SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION;
+    // Renegotiation as a protocol feature was dropped after TLS1.2.
+    serverOptions.maxVersion = 'TLSv1.2';
   }
 
   let renegotiated = false;
diff --git a/test/parallel/test-tls-session-cache.js b/test/parallel/test-tls-session-cache.js
index 55dd92e81d259c..2a74be0521df21 100644
--- a/test/parallel/test-tls-session-cache.js
+++ b/test/parallel/test-tls-session-cache.js
@@ -48,7 +48,8 @@ function doTest(testOptions, callback) {
     cert,
     ca: [cert],
     requestCert: true,
-    rejectUnauthorized: false
+    rejectUnauthorized: false,
+    secureProtocol: 'TLS_method',
   };
   let requestCount = 0;
   let resumeCount = 0;
diff --git a/test/parallel/test-tls-set-ciphers-error.js b/test/parallel/test-tls-set-ciphers-error.js
index 5ef08dda041f01..f963b414f44630 100644
--- a/test/parallel/test-tls-set-ciphers-error.js
+++ b/test/parallel/test-tls-set-ciphers-error.js
@@ -19,4 +19,7 @@ const fixtures = require('../common/fixtures');
   options.ciphers = 'FOOBARBAZ';
   assert.throws(() => tls.createServer(options, common.mustNotCall()),
                 /no cipher match/i);
+  options.ciphers = 'TLS_not_a_cipher';
+  assert.throws(() => tls.createServer(options, common.mustNotCall()),
+                /no cipher match/i);
 }
diff --git a/test/parallel/test-tls-set-ciphers.js b/test/parallel/test-tls-set-ciphers.js
index ef2c2543517e5f..f21478b9251270 100644
--- a/test/parallel/test-tls-set-ciphers.js
+++ b/test/parallel/test-tls-set-ciphers.js
@@ -1,62 +1,94 @@
-// Copyright Joyent, Inc. and other Node contributors.
-//
-// Permission is hereby granted, free of charge, to any person obtaining a
-// copy of this software and associated documentation files (the
-// "Software"), to deal in the Software without restriction, including
-// without limitation the rights to use, copy, modify, merge, publish,
-// distribute, sublicense, and/or sell copies of the Software, and to permit
-// persons to whom the Software is furnished to do so, subject to the
-// following conditions:
-//
-// The above copyright notice and this permission notice shall be included
-// in all copies or substantial portions of the Software.
-//
-// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
-// OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
-// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
-// NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
-// DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
-// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
-// USE OR OTHER DEALINGS IN THE SOFTWARE.
-
 'use strict';
 const common = require('../common');
+if (!common.hasCrypto) common.skip('missing crypto');
+const fixtures = require('../common/fixtures');
 
-if (!common.opensslCli)
-  common.skip('node compiled without OpenSSL CLI.');
+// Test cipher: option for TLS.
 
-if (!common.hasCrypto)
-  common.skip('missing crypto');
+const {
+  assert, connect, keys
+} = require(fixtures.path('tls-connect'));
 
-const assert = require('assert');
-const exec = require('child_process').exec;
-const tls = require('tls');
-const fixtures = require('../common/fixtures');
 
-const options = {
-  key: fixtures.readKey('agent2-key.pem'),
-  cert: fixtures.readKey('agent2-cert.pem'),
-  ciphers: 'AES256-SHA'
-};
+function test(cciphers, sciphers, cipher, cerr, serr) {
+  assert(cipher || cerr || serr, 'test missing any expectations');
+  const where = (new Error()).stack.split('\n')[2].replace(/[^(]*/, '');
+  connect({
+    client: {
+      checkServerIdentity: (servername, cert) => { },
+      ca: `${keys.agent1.cert}\n${keys.agent6.ca}`,
+      ciphers: cciphers,
+    },
+    server: {
+      cert: keys.agent6.cert,
+      key: keys.agent6.key,
+      ciphers: sciphers,
+    },
+  }, common.mustCall((err, pair, cleanup) => {
+    function u(_) { return _ === undefined ? 'U' : _; }
+    console.log('test:', u(cciphers), u(sciphers),
+                'expect', u(cipher), u(cerr), u(serr));
+    console.log('  ', where);
+    if (!cipher) {
+      console.log('client', pair.client.err ? pair.client.err.code : undefined);
+      console.log('server', pair.server.err ? pair.server.err.code : undefined);
+      if (cerr) {
+        assert(pair.client.err);
+        assert.strictEqual(pair.client.err.code, cerr);
+      }
+      if (serr) {
+        assert(pair.server.err);
+        assert.strictEqual(pair.server.err.code || pair.server.err.message,
+                           serr);
+      }
+      return cleanup();
+    }
 
-const reply = 'I AM THE WALRUS'; // something recognizable
-let response = '';
+    const reply = 'So long and thanks for all the fish.';
 
-process.on('exit', function() {
-  assert.ok(response.includes(reply));
-});
+    assert.ifError(err);
+    assert.ifError(pair.server.err);
+    assert.ifError(pair.client.err);
+    assert(pair.server.conn);
+    assert(pair.client.conn);
+    assert.strictEqual(pair.client.conn.getCipher().name, cipher);
+    assert.strictEqual(pair.server.conn.getCipher().name, cipher);
 
-const server = tls.createServer(options, common.mustCall(function(conn) {
-  conn.end(reply);
-}));
+    pair.server.conn.write(reply);
 
-server.listen(0, '127.0.0.1', function() {
-  const cmd = `"${common.opensslCli}" s_client -cipher ${
-    options.ciphers} -connect 127.0.0.1:${this.address().port}`;
+    pair.client.conn.on('data', common.mustCall((data) => {
+      assert.strictEqual(data.toString(), reply);
+      return cleanup();
+    }));
+  }));
+}
 
-  exec(cmd, function(err, stdout, stderr) {
-    assert.ifError(err);
-    response = stdout;
-    server.close();
-  });
-});
+const U = undefined;
+
+// Have shared ciphers.
+test(U, 'AES256-SHA', 'AES256-SHA');
+test('AES256-SHA', U, 'AES256-SHA');
+
+test(U, 'TLS_AES_256_GCM_SHA384', 'TLS_AES_256_GCM_SHA384');
+test('TLS_AES_256_GCM_SHA384', U, 'TLS_AES_256_GCM_SHA384');
+
+// Do not have shared ciphers.
+test('TLS_AES_256_GCM_SHA384', 'TLS_CHACHA20_POLY1305_SHA256',
+     U, 'ECONNRESET', 'ERR_SSL_NO_SHARED_CIPHER');
+
+test('AES128-SHA', 'AES256-SHA', U, 'ECONNRESET', 'ERR_SSL_NO_SHARED_CIPHER');
+test('AES128-SHA:TLS_AES_256_GCM_SHA384',
+     'TLS_CHACHA20_POLY1305_SHA256:AES256-SHA',
+     U, 'ECONNRESET', 'ERR_SSL_NO_SHARED_CIPHER');
+
+// Cipher order ignored, TLS1.3 chosen before TLS1.2.
+test('AES256-SHA:TLS_AES_256_GCM_SHA384', U, 'TLS_AES_256_GCM_SHA384');
+test(U, 'AES256-SHA:TLS_AES_256_GCM_SHA384', 'TLS_AES_256_GCM_SHA384');
+
+// TLS_AES_128_CCM_8_SHA256 & TLS_AES_128_CCM_SHA256 are not enabled by
+// default, but work.
+test('TLS_AES_128_CCM_8_SHA256', U,
+     U, 'ECONNRESET', 'ERR_SSL_NO_SHARED_CIPHER');
+
+test('TLS_AES_128_CCM_8_SHA256', 'TLS_AES_128_CCM_8_SHA256',
+     'TLS_AES_128_CCM_8_SHA256');
diff --git a/test/parallel/test-tls-ticket-12.js b/test/parallel/test-tls-ticket-12.js
new file mode 100644
index 00000000000000..600c571a03bec4
--- /dev/null
+++ b/test/parallel/test-tls-ticket-12.js
@@ -0,0 +1,12 @@
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto)
+  common.skip('missing crypto');
+
+// Run test-tls-ticket.js with TLS1.2
+
+const tls = require('tls');
+
+tls.DEFAULT_MAX_VERSION = 'TLSv1.2';
+
+require('./test-tls-ticket.js');
diff --git a/test/parallel/test-tls-ticket-cluster.js b/test/parallel/test-tls-ticket-cluster.js
index 98fe533b6969d6..234c1bad09c9a7 100644
--- a/test/parallel/test-tls-ticket-cluster.js
+++ b/test/parallel/test-tls-ticket-cluster.js
@@ -40,13 +40,17 @@ if (cluster.isMaster) {
   let workerPort = null;
 
   function shoot() {
-    console.error('[master] connecting', workerPort);
+    console.error('[master] connecting', workerPort, 'session?', !!lastSession);
     const c = tls.connect(workerPort, {
       session: lastSession,
       rejectUnauthorized: false
     }, () => {
       c.end();
-
+    }).on('close', () => {
+      // Wait for close to shoot off another connection. We don't want to shoot
+      // until a new session is allocated, if one will be. The new session is
+      // not guaranteed on secureConnect (it depends on TLS1.2 vs TLS1.3), but
+      // it is guaranteed to happen before the connection is closed.
       if (++reqCount === expectedReqCount) {
         Object.keys(cluster.workers).forEach(function(id) {
           cluster.workers[id].send('die');
@@ -55,8 +59,11 @@ if (cluster.isMaster) {
         shoot();
       }
     }).once('session', (session) => {
+      assert(!lastSession);
       lastSession = session;
     });
+
+    c.resume(); // See close_notify comment in server
   }
 
   function fork() {
@@ -93,12 +100,15 @@ const cert = fixtures.readSync('agent.crt');
 const options = { key, cert };
 
 const server = tls.createServer(options, (c) => {
+  console.error('[worker] connection reused?', c.isSessionReused());
   if (c.isSessionReused()) {
     process.send({ msg: 'reused' });
   } else {
     process.send({ msg: 'not-reused' });
   }
-  c.end();
+  // Used to just .end(), but that means client gets close_notify before
+  // NewSessionTicket. Send data until that problem is solved.
+  c.end('x');
 });
 
 server.listen(0, () => {
diff --git a/test/parallel/test-tls-ticket.js b/test/parallel/test-tls-ticket.js
index d11535dd3a5255..8d9cd8cdd25155 100644
--- a/test/parallel/test-tls-ticket.js
+++ b/test/parallel/test-tls-ticket.js
@@ -34,6 +34,8 @@ const keys = crypto.randomBytes(48);
 const serverLog = [];
 const ticketLog = [];
 
+let s;
+
 let serverCount = 0;
 function createServer() {
   const id = serverCount++;
@@ -47,16 +49,37 @@ function createServer() {
     ticketKeys: keys
   }, function(c) {
     serverLog.push(id);
-    c.end();
+    // TODO(@sam-github) Triggers close_notify before NewSessionTicket bug.
+    // c.end();
+    c.end('x');
 
     counter++;
 
     // Rotate ticket keys
+    //
+    // Take especial care to account for TLS1.2 and TLS1.3 differences around
+    // when ticket keys are encrypted. In TLS1.2, they are encrypted before the
+    // handshake complete callback, but in TLS1.3, they are encrypted after.
+    // There is no callback or way for us to know when they were sent, so hook
+    // the client's reception of the keys, and use it as proof that the current
+    // keys were used, and its safe to rotate them.
+    //
+    // Rotation can occur right away if the session was reused, the keys were
+    // already decrypted or we wouldn't have a reused session.
+    function setTicketKeys(keys) {
+      if (c.isSessionReused())
+        server.setTicketKeys(keys);
+      else
+        s.once('session', () => {
+          server.setTicketKeys(keys);
+        });
+    }
     if (counter === 1) {
       previousKey = server.getTicketKeys();
-      server.setTicketKeys(crypto.randomBytes(48));
+      assert.strictEqual(previousKey.compare(keys), 0);
+      setTicketKeys(crypto.randomBytes(48));
     } else if (counter === 2) {
-      server.setTicketKeys(previousKey);
+      setTicketKeys(previousKey);
     } else if (counter === 3) {
       // Use keys from counter=2
     } else {
@@ -95,12 +118,15 @@ function start(callback) {
   let left = servers.length;
 
   function connect() {
-    const s = tls.connect(shared.address().port, {
+    s = tls.connect(shared.address().port, {
       session: sess,
       rejectUnauthorized: false
     }, function() {
-      sess = sess || s.getSession();
-      ticketLog.push(s.getTLSTicket().toString('hex'));
+      if (s.isSessionReused())
+        ticketLog.push(s.getTLSTicket().toString('hex'));
+    });
+    s.on('data', () => {
+      s.end();
     });
     s.on('close', function() {
       if (--left === 0)
@@ -108,7 +134,11 @@ function start(callback) {
       else
         connect();
     });
+    s.on('session', (session) => {
+      sess = sess || session;
+    });
     s.once('session', (session) => onNewSession(s, session));
+    s.once('session', () => ticketLog.push(s.getTLSTicket().toString('hex')));
   }
 
   connect();

From 109c097797b82efb2eb081a1e87284000c094871 Mon Sep 17 00:00:00 2001
From: Sam Roberts <vieuxtech@gmail.com>
Date: Thu, 28 Mar 2019 11:28:22 -0700
Subject: [PATCH 08/15] tls: revert default max to TLSv1.2

TLSv1.3 is still supported when explicitly configured, but it is not the
default.

PR-URL: https://github.com/nodejs/node/pull/26951
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com>
---
 doc/api/tls.md                                    | 4 ++--
 lib/tls.js                                        | 4 +---
 src/node_options.cc                               | 4 ++--
 test/parallel/test-tls-cli-min-version-1.0.js     | 2 +-
 test/parallel/test-tls-cli-min-version-1.1.js     | 2 +-
 test/parallel/test-tls-cli-min-version-1.3.js     | 2 +-
 test/parallel/test-tls-client-renegotiation-13.js | 1 +
 test/parallel/test-tls-min-max-version.js         | 9 +++++++--
 test/parallel/test-tls-set-ciphers.js             | 6 +++++-
 9 files changed, 21 insertions(+), 13 deletions(-)

diff --git a/doc/api/tls.md b/doc/api/tls.md
index 17972574e3e8ad..0c00adf188f0a4 100644
--- a/doc/api/tls.md
+++ b/doc/api/tls.md
@@ -1351,7 +1351,7 @@ changes:
   * `maxVersion` {string} Optionally set the maximum TLS version to allow. One
     of `TLSv1.3`, `TLSv1.2'`, `'TLSv1.1'`, or `'TLSv1'`. Cannot be specified
     along with the `secureProtocol` option, use one or the other.
-    **Default:** `'TLSv1.3'`, unless changed using CLI options. Using
+    **Default:** `'TLSv1.2'`, unless changed using CLI options. Using
     `--tls-max-v1.2` sets the default to `'TLSv1.2`'. Using `--tls-max-v1.3`
     sets the default to `'TLSv1.3'`. If multiple of the options are provided,
     the highest maximum is used.
@@ -1360,7 +1360,7 @@ changes:
     along with the `secureProtocol` option, use one or the other. It is not
     recommended to use less than TLSv1.2, but it may be required for
     interoperability.
-    **Default:** `'TLSv1.2'`, unless changed using CLI options. Using
+    **Default:** `'TLSv1'`, unless changed using CLI options. Using
     `--tls-min-v1.0` sets the default to `'TLSv1'`. Using `--tls-min-v1.1` sets
     the default to `'TLSv1.1'`. Using `--tls-min-v1.3` sets the default to
     `'TLSv1.3'`. If multiple of the options are provided, the lowest minimum is
diff --git a/lib/tls.js b/lib/tls.js
index f920e4d8c625bd..e4dadaa284e6de 100644
--- a/lib/tls.js
+++ b/lib/tls.js
@@ -54,8 +54,6 @@ exports.DEFAULT_CIPHERS =
 
 exports.DEFAULT_ECDH_CURVE = 'auto';
 
-exports.DEFAULT_MAX_VERSION = 'TLSv1.3';
-
 if (getOptionValue('--tls-min-v1.0'))
   exports.DEFAULT_MIN_VERSION = 'TLSv1';
 else if (getOptionValue('--tls-min-v1.1'))
@@ -70,7 +68,7 @@ if (getOptionValue('--tls-max-v1.3'))
 else if (getOptionValue('--tls-max-v1.2'))
   exports.DEFAULT_MAX_VERSION = 'TLSv1.2';
 else
-  exports.DEFAULT_MAX_VERSION = 'TLSv1.3'; // Will depend on node version.
+  exports.DEFAULT_MAX_VERSION = 'TLSv1.2'; // Will depend on node version.
 
 
 exports.getCiphers = internalUtil.cachedResult(
diff --git a/src/node_options.cc b/src/node_options.cc
index 0febe4b4d742e3..46ee2b9f6ad9ee 100644
--- a/src/node_options.cc
+++ b/src/node_options.cc
@@ -341,7 +341,7 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() {
             &EnvironmentOptions::tls_min_v1_3,
             kAllowedInEnvironment);
   AddOption("--tls-max-v1.2",
-            "set default TLS maximum to TLSv1.2 (default: TLSv1.3)",
+            "set default TLS maximum to TLSv1.2 (default: TLSv1.2)",
             &EnvironmentOptions::tls_max_v1_2,
             kAllowedInEnvironment);
   // Current plan is:
@@ -349,7 +349,7 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() {
   // - 12.x: TLS1.3 is opt-out with --tls-max-v1.2
   // In either case, support both options they are uniformly available.
   AddOption("--tls-max-v1.3",
-            "set default TLS maximum to TLSv1.3 (default: TLSv1.3)",
+            "set default TLS maximum to TLSv1.3 (default: TLSv1.2)",
             &EnvironmentOptions::tls_max_v1_3,
             kAllowedInEnvironment);
 }
diff --git a/test/parallel/test-tls-cli-min-version-1.0.js b/test/parallel/test-tls-cli-min-version-1.0.js
index 577562782eceee..0a227c0b949556 100644
--- a/test/parallel/test-tls-cli-min-version-1.0.js
+++ b/test/parallel/test-tls-cli-min-version-1.0.js
@@ -8,7 +8,7 @@ if (!common.hasCrypto) common.skip('missing crypto');
 const assert = require('assert');
 const tls = require('tls');
 
-assert.strictEqual(tls.DEFAULT_MAX_VERSION, 'TLSv1.3');
+assert.strictEqual(tls.DEFAULT_MAX_VERSION, 'TLSv1.2');
 assert.strictEqual(tls.DEFAULT_MIN_VERSION, 'TLSv1');
 
 // Check the min-max version protocol versions against these CLI settings.
diff --git a/test/parallel/test-tls-cli-min-version-1.1.js b/test/parallel/test-tls-cli-min-version-1.1.js
index 3af2b39546c42a..1219c82030da9b 100644
--- a/test/parallel/test-tls-cli-min-version-1.1.js
+++ b/test/parallel/test-tls-cli-min-version-1.1.js
@@ -8,7 +8,7 @@ if (!common.hasCrypto) common.skip('missing crypto');
 const assert = require('assert');
 const tls = require('tls');
 
-assert.strictEqual(tls.DEFAULT_MAX_VERSION, 'TLSv1.3');
+assert.strictEqual(tls.DEFAULT_MAX_VERSION, 'TLSv1.2');
 assert.strictEqual(tls.DEFAULT_MIN_VERSION, 'TLSv1.1');
 
 // Check the min-max version protocol versions against these CLI settings.
diff --git a/test/parallel/test-tls-cli-min-version-1.3.js b/test/parallel/test-tls-cli-min-version-1.3.js
index 1bccc2f6cd331a..3ac335ecdd5bfb 100644
--- a/test/parallel/test-tls-cli-min-version-1.3.js
+++ b/test/parallel/test-tls-cli-min-version-1.3.js
@@ -8,7 +8,7 @@ if (!common.hasCrypto) common.skip('missing crypto');
 const assert = require('assert');
 const tls = require('tls');
 
-assert.strictEqual(tls.DEFAULT_MAX_VERSION, 'TLSv1.3');
+assert.strictEqual(tls.DEFAULT_MAX_VERSION, 'TLSv1.2');
 assert.strictEqual(tls.DEFAULT_MIN_VERSION, 'TLSv1.3');
 
 // Check the min-max version protocol versions against these CLI settings.
diff --git a/test/parallel/test-tls-client-renegotiation-13.js b/test/parallel/test-tls-client-renegotiation-13.js
index 8af63c4f791ddc..bd7ab70316dc59 100644
--- a/test/parallel/test-tls-client-renegotiation-13.js
+++ b/test/parallel/test-tls-client-renegotiation-13.js
@@ -1,3 +1,4 @@
+// Flags: --tls-max-v1.3
 'use strict';
 
 const common = require('../common');
diff --git a/test/parallel/test-tls-min-max-version.js b/test/parallel/test-tls-min-max-version.js
index e2f35a5803ab24..f30b9b3b9897c9 100644
--- a/test/parallel/test-tls-min-max-version.js
+++ b/test/parallel/test-tls-min-max-version.js
@@ -68,8 +68,13 @@ function test(cmin, cmax, cprot, smin, smax, sprot, proto, cerr, serr) {
 
 const U = undefined;
 
-// Default protocol is the max version.
-test(U, U, U, U, U, U, DEFAULT_MAX_VERSION);
+if (DEFAULT_MAX_VERSION === 'TLSv1.2' && DEFAULT_MIN_VERSION === 'TLSv1.3') {
+  // No connections are possible by default.
+  test(U, U, U, U, U, U, U, 'ERR_SSL_NO_PROTOCOLS_AVAILABLE', U);
+} else {
+  // Default protocol is the max version.
+  test(U, U, U, U, U, U, DEFAULT_MAX_VERSION);
+}
 
 // Insecure or invalid protocols cannot be enabled.
 test(U, U, U, U, U, 'SSLv2_method',
diff --git a/test/parallel/test-tls-set-ciphers.js b/test/parallel/test-tls-set-ciphers.js
index f21478b9251270..ecf9176c4020a6 100644
--- a/test/parallel/test-tls-set-ciphers.js
+++ b/test/parallel/test-tls-set-ciphers.js
@@ -6,9 +6,13 @@ const fixtures = require('../common/fixtures');
 // Test cipher: option for TLS.
 
 const {
-  assert, connect, keys
+  assert, connect, keys, tls
 } = require(fixtures.path('tls-connect'));
 
+const tls13 = !!require('constants').TLS1_3_VERSION;
+
+if (tls13)
+  tls.DEFAULT_MAX_VERSION = 'TLSv1.3';
 
 function test(cciphers, sciphers, cipher, cerr, serr) {
   assert(cipher || cerr || serr, 'test missing any expectations');

From 225417b8495b1e7032e1e62ff37f94afc0d99e46 Mon Sep 17 00:00:00 2001
From: Anna Henningsen <anna@addaleax.net>
Date: Thu, 21 Mar 2019 16:45:44 +0100
Subject: [PATCH 09/15] tls: add CHECK for impossible condition
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Backport-PR-URL: https://github.com/nodejs/node/pull/26951
PR-URL: https://github.com/nodejs/node/pull/26843
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Minwoo Jung <minwoo@nodesource.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
---
 src/tls_wrap.cc | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/tls_wrap.cc b/src/tls_wrap.cc
index dbd1f59579f175..17f9ccacf1b379 100644
--- a/src/tls_wrap.cc
+++ b/src/tls_wrap.cc
@@ -747,10 +747,10 @@ void TLSWrap::OnStreamRead(ssize_t nread, const uv_buf_t& buf) {
     return;
   }
 
-  if (ssl_ == nullptr) {
-    EmitRead(UV_EPROTO);
-    return;
-  }
+  // DestroySSL() is the only thing that un-sets ssl_, but that also removes
+  // this TLSWrap as a stream listener, so we should not receive OnStreamRead()
+  // calls anymore.
+  CHECK(ssl_);
 
   // Commit the amount of data actually read into the peeked/allocated buffer
   // from the underlying stream.

From d2666e6ded3ab77a222c784eda8662a3d9f321f8 Mon Sep 17 00:00:00 2001
From: Anna Henningsen <anna@addaleax.net>
Date: Thu, 21 Mar 2019 17:01:12 +0100
Subject: [PATCH 10/15] tls: add debugging to native TLS code
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Backport-PR-URL: https://github.com/nodejs/node/pull/26951
PR-URL: https://github.com/nodejs/node/pull/26843
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Minwoo Jung <minwoo@nodesource.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
---
 src/tls_wrap.cc | 103 +++++++++++++++++++++++++++++++++++++++++-------
 src/tls_wrap.h  |   2 +
 2 files changed, 91 insertions(+), 14 deletions(-)

diff --git a/src/tls_wrap.cc b/src/tls_wrap.cc
index 17f9ccacf1b379..59400d8f3a4a72 100644
--- a/src/tls_wrap.cc
+++ b/src/tls_wrap.cc
@@ -21,6 +21,7 @@
 
 #include "tls_wrap.h"
 #include "async_wrap-inl.h"
+#include "debug_utils.h"
 #include "node_buffer.h"  // Buffer
 #include "node_crypto.h"  // SecureContext
 #include "node_crypto_bio.h"  // NodeBIO
@@ -72,15 +73,18 @@ TLSWrap::TLSWrap(Environment* env,
   stream->PushStreamListener(this);
 
   InitSSL();
+  Debug(this, "Created new TLSWrap");
 }
 
 
 TLSWrap::~TLSWrap() {
+  Debug(this, "~TLSWrap()");
   sc_ = nullptr;
 }
 
 
 bool TLSWrap::InvokeQueued(int status, const char* error_str) {
+  Debug(this, "InvokeQueued(%d, %s)", status, error_str);
   if (!write_callback_scheduled_)
     return false;
 
@@ -95,6 +99,7 @@ bool TLSWrap::InvokeQueued(int status, const char* error_str) {
 
 
 void TLSWrap::NewSessionDoneCb() {
+  Debug(this, "NewSessionDoneCb()");
   Cycle();
 }
 
@@ -184,6 +189,7 @@ void TLSWrap::Receive(const FunctionCallbackInfo<Value>& args) {
   CHECK(Buffer::HasInstance(args[0]));
   char* data = Buffer::Data(args[0]);
   size_t len = Buffer::Length(args[0]);
+  Debug(wrap, "Receiving %zu bytes injected from JS", len);
 
   // Copy given buffer entirely or partiall if handle becomes closed
   while (len > 0 && wrap->IsAlive() && !wrap->IsClosing()) {
@@ -230,6 +236,7 @@ void TLSWrap::SSLInfoCallback(const SSL* ssl_, int where, int ret) {
   Local<Object> object = c->object();
 
   if (where & SSL_CB_HANDSHAKE_START) {
+    Debug(c, "SSLInfoCallback(SSL_CB_HANDSHAKE_START);");
     // Start is tracked to limit number and frequency of renegotiation attempts,
     // since excessive renegotiation may be an attack.
     Local<Value> callback;
@@ -245,6 +252,7 @@ void TLSWrap::SSLInfoCallback(const SSL* ssl_, int where, int ret) {
   // sending HelloRequest in OpenSSL-1.1.1.
   // We need to check whether this is in a renegotiation state or not.
   if (where & SSL_CB_HANDSHAKE_DONE && !SSL_renegotiate_pending(ssl)) {
+    Debug(c, "SSLInfoCallback(SSL_CB_HANDSHAKE_DONE);");
     CHECK(!SSL_renegotiate_pending(ssl));
     Local<Value> callback;
 
@@ -259,31 +267,46 @@ void TLSWrap::SSLInfoCallback(const SSL* ssl_, int where, int ret) {
 
 
 void TLSWrap::EncOut() {
+  Debug(this, "Trying to write encrypted output");
+
   // Ignore cycling data if ClientHello wasn't yet parsed
-  if (!hello_parser_.IsEnded())
+  if (!hello_parser_.IsEnded()) {
+    Debug(this, "Returning from EncOut(), hello_parser_ active");
     return;
+  }
 
   // Write in progress
-  if (write_size_ != 0)
+  if (write_size_ != 0) {
+    Debug(this, "Returning from EncOut(), write currently in progress");
     return;
+  }
 
   // Wait for `newSession` callback to be invoked
-  if (is_awaiting_new_session())
+  if (is_awaiting_new_session()) {
+    Debug(this, "Returning from EncOut(), awaiting new session");
     return;
+  }
 
   // Split-off queue
-  if (established_ && current_write_ != nullptr)
+  if (established_ && current_write_ != nullptr) {
+    Debug(this, "EncOut() setting write_callback_scheduled_");
     write_callback_scheduled_ = true;
+  }
 
-  if (ssl_ == nullptr)
+  if (ssl_ == nullptr) {
+    Debug(this, "Returning from EncOut(), ssl_ == nullptr");
     return;
+  }
 
   // No encrypted output ready to write to the underlying stream.
   if (BIO_pending(enc_out_) == 0) {
+    Debug(this, "No pending encrypted output");
     if (pending_cleartext_input_.empty()) {
       if (!in_dowrite_) {
+        Debug(this, "No pending cleartext input, not inside DoWrite()");
         InvokeQueued(0);
       } else {
+        Debug(this, "No pending cleartext input, inside DoWrite()");
         // TODO(@sam-github, @addaleax) If in_dowrite_ is true, appdata was
         // passed to SSL_write().  If we are here, the data was not encrypted to
         // enc_out_ yet.  Calling Done() "works", but since the write is not
@@ -313,6 +336,7 @@ void TLSWrap::EncOut() {
   for (size_t i = 0; i < count; i++)
     buf[i] = uv_buf_init(data[i], size[i]);
 
+  Debug(this, "Writing %zu buffers to the underlying stream", count);
   StreamWriteResult res = underlying_stream()->Write(bufs, count);
   if (res.err != 0) {
     InvokeQueued(res.err);
@@ -320,6 +344,7 @@ void TLSWrap::EncOut() {
   }
 
   if (!res.async) {
+    Debug(this, "Write finished synchronously");
     HandleScope handle_scope(env()->isolate());
 
     // Simulate asynchronous finishing, TLS cannot handle this at the moment.
@@ -331,21 +356,26 @@ void TLSWrap::EncOut() {
 
 
 void TLSWrap::OnStreamAfterWrite(WriteWrap* req_wrap, int status) {
+  Debug(this, "OnStreamAfterWrite(status = %d)", status);
   if (current_empty_write_ != nullptr) {
+    Debug(this, "Had empty write");
     WriteWrap* finishing = current_empty_write_;
     current_empty_write_ = nullptr;
     finishing->Done(status);
     return;
   }
 
-  if (ssl_ == nullptr)
+  if (ssl_ == nullptr) {
+    Debug(this, "ssl_ == nullptr, marking as cancelled");
     status = UV_ECANCELED;
+  }
 
   // Handle error
   if (status) {
-    // Ignore errors after shutdown
-    if (shutdown_)
+    if (shutdown_) {
+      Debug(this, "Ignoring error after shutdown");
       return;
+    }
 
     // Notify about error
     InvokeQueued(status);
@@ -446,16 +476,23 @@ Local<Value> TLSWrap::GetSSLError(int status, int* err, std::string* msg) {
 
 
 void TLSWrap::ClearOut() {
+  Debug(this, "Trying to read cleartext output");
   // Ignore cycling data if ClientHello wasn't yet parsed
-  if (!hello_parser_.IsEnded())
+  if (!hello_parser_.IsEnded()) {
+    Debug(this, "Returning from ClearOut(), hello_parser_ active");
     return;
+  }
 
   // No reads after EOF
-  if (eof_)
+  if (eof_) {
+    Debug(this, "Returning from ClearOut(), EOF reached");
     return;
+  }
 
-  if (ssl_ == nullptr)
+  if (ssl_ == nullptr) {
+    Debug(this, "Returning from ClearOut(), ssl_ == nullptr");
     return;
+  }
 
   crypto::MarkPopErrorOnReturn mark_pop_error_on_return;
 
@@ -463,6 +500,7 @@ void TLSWrap::ClearOut() {
   int read;
   for (;;) {
     read = SSL_read(ssl_.get(), out, sizeof(out));
+    Debug(this, "Read %d bytes of cleartext output", read);
 
     if (read <= 0)
       break;
@@ -480,8 +518,10 @@ void TLSWrap::ClearOut() {
       // Caveat emptor: OnRead() calls into JS land which can result in
       // the SSL context object being destroyed.  We have to carefully
       // check that ssl_ != nullptr afterwards.
-      if (ssl_ == nullptr)
+      if (ssl_ == nullptr) {
+        Debug(this, "Returning from read loop, ssl_ == nullptr");
         return;
+      }
 
       read -= avail;
       current += avail;
@@ -507,6 +547,7 @@ void TLSWrap::ClearOut() {
       return;
 
     if (!arg.IsEmpty()) {
+      Debug(this, "Got SSL error (%d), calling onerror", err);
       // When TLS Alert are stored in wbio,
       // it should be flushed to socket before destroyed.
       if (BIO_pending(enc_out_) != 0)
@@ -519,12 +560,17 @@ void TLSWrap::ClearOut() {
 
 
 void TLSWrap::ClearIn() {
+  Debug(this, "Trying to write cleartext input");
   // Ignore cycling data if ClientHello wasn't yet parsed
-  if (!hello_parser_.IsEnded())
+  if (!hello_parser_.IsEnded()) {
+    Debug(this, "Returning from ClearIn(), hello_parser_ active");
     return;
+  }
 
-  if (ssl_ == nullptr)
+  if (ssl_ == nullptr) {
+    Debug(this, "Returning from ClearIn(), ssl_ == nullptr");
     return;
+  }
 
   std::vector<uv_buf_t> buffers;
   buffers.swap(pending_cleartext_input_);
@@ -537,6 +583,7 @@ void TLSWrap::ClearIn() {
     size_t avail = buffers[i].len;
     char* data = buffers[i].base;
     written = SSL_write(ssl_.get(), data, avail);
+    Debug(this, "Writing %zu bytes, written = %d", avail, written);
     CHECK(written == -1 || written == static_cast<int>(avail));
     if (written == -1)
       break;
@@ -544,6 +591,7 @@ void TLSWrap::ClearIn() {
 
   // All written
   if (i == buffers.size()) {
+    Debug(this, "Successfully wrote all data to SSL");
     // We wrote all the buffers, so no writes failed (written < 0 on failure).
     CHECK_GE(written, 0);
     return;
@@ -557,11 +605,13 @@ void TLSWrap::ClearIn() {
   std::string error_str;
   Local<Value> arg = GetSSLError(written, &err, &error_str);
   if (!arg.IsEmpty()) {
+    Debug(this, "Got SSL error (%d)", err);
     write_callback_scheduled_ = true;
     // TODO(@sam-github) Should forward an error object with
     // .code/.function/.etc, if possible.
     InvokeQueued(UV_EPROTO, error_str.c_str());
   } else {
+    Debug(this, "Pushing back %zu buffers", buffers.size() - i);
     // Push back the not-yet-written pending buffers into their queue.
     // This can be skipped in the error case because no further writes
     // would succeed anyway.
@@ -574,6 +624,17 @@ void TLSWrap::ClearIn() {
 }
 
 
+std::string TLSWrap::diagnostic_name() const {
+  std::string name = "TLSWrap ";
+  if (is_server())
+    name += "server (";
+  else
+    name += "client (";
+  name += std::to_string(static_cast<int64_t>(get_async_id())) + ")";
+  return name;
+}
+
+
 AsyncWrap* TLSWrap::GetAsyncWrap() {
   return static_cast<AsyncWrap*>(this);
 }
@@ -603,6 +664,7 @@ bool TLSWrap::IsClosing() {
 
 
 int TLSWrap::ReadStart() {
+  Debug(this, "ReadStart()");
   if (stream_ != nullptr)
     return stream_->ReadStart();
   return 0;
@@ -610,6 +672,7 @@ int TLSWrap::ReadStart() {
 
 
 int TLSWrap::ReadStop() {
+  Debug(this, "ReadStop()");
   if (stream_ != nullptr)
     return stream_->ReadStop();
   return 0;
@@ -633,6 +696,7 @@ int TLSWrap::DoWrite(WriteWrap* w,
                      size_t count,
                      uv_stream_t* send_handle) {
   CHECK_NULL(send_handle);
+  Debug(this, "DoWrite()");
 
   if (ssl_ == nullptr) {
     ClearError();
@@ -660,8 +724,10 @@ int TLSWrap::DoWrite(WriteWrap* w,
   // onto the socket, we just want the side-effects. After, make sure the
   // WriteWrap was accepted by the stream, or that we call Done() on it.
   if (empty) {
+    Debug(this, "Empty write");
     ClearOut();
     if (BIO_pending(enc_out_) == 0) {
+      Debug(this, "No pending encrypted output, writing to underlying stream");
       CHECK_NULL(current_empty_write_);
       current_empty_write_ = w;
       StreamWriteResult res =
@@ -692,6 +758,7 @@ int TLSWrap::DoWrite(WriteWrap* w,
   for (i = 0; i < count; i++) {
     written = SSL_write(ssl_.get(), bufs[i].base, bufs[i].len);
     CHECK(written == -1 || written == static_cast<int>(bufs[i].len));
+    Debug(this, "Writing %zu bytes, written = %d", bufs[i].len, written);
     if (written == -1)
       break;
   }
@@ -702,10 +769,12 @@ int TLSWrap::DoWrite(WriteWrap* w,
 
     // If we stopped writing because of an error, it's fatal, discard the data.
     if (!arg.IsEmpty()) {
+      Debug(this, "Got SSL error (%d), returning UV_EPROTO", err);
       current_write_ = nullptr;
       return UV_EPROTO;
     }
 
+    Debug(this, "Saving %zu buffers for later write", count - i);
     // Otherwise, save unwritten data so it can be written later by ClearIn().
     pending_cleartext_input_.insert(pending_cleartext_input_.end(),
                                     &bufs[i],
@@ -732,6 +801,7 @@ uv_buf_t TLSWrap::OnStreamAlloc(size_t suggested_size) {
 
 
 void TLSWrap::OnStreamRead(ssize_t nread, const uv_buf_t& buf) {
+  Debug(this, "Read %zd bytes from underlying stream", nread);
   if (nread < 0)  {
     // Error should be emitted only after all data was read
     ClearOut();
@@ -765,6 +835,7 @@ void TLSWrap::OnStreamRead(ssize_t nread, const uv_buf_t& buf) {
     size_t avail = 0;
     uint8_t* data = reinterpret_cast<uint8_t*>(enc_in->Peek(&avail));
     CHECK_IMPLIES(data == nullptr, avail == 0);
+    Debug(this, "Passing %zu bytes to the hello parser", avail);
     return hello_parser_.Parse(data, avail);
   }
 
@@ -779,6 +850,7 @@ ShutdownWrap* TLSWrap::CreateShutdownWrap(Local<Object> req_wrap_object) {
 
 
 int TLSWrap::DoShutdown(ShutdownWrap* req_wrap) {
+  Debug(this, "DoShutdown()");
   crypto::MarkPopErrorOnReturn mark_pop_error_on_return;
 
   if (ssl_ && SSL_shutdown(ssl_.get()) == 0)
@@ -844,6 +916,7 @@ void TLSWrap::EnableSessionCallbacks(
 void TLSWrap::DestroySSL(const FunctionCallbackInfo<Value>& args) {
   TLSWrap* wrap;
   ASSIGN_OR_RETURN_UNWRAP(&wrap, args.Holder());
+  Debug(wrap, "DestroySSL()");
 
   // If there is a write happening, mark it as finished.
   wrap->write_callback_scheduled_ = true;
@@ -858,6 +931,7 @@ void TLSWrap::DestroySSL(const FunctionCallbackInfo<Value>& args) {
 
   if (wrap->stream_ != nullptr)
     wrap->stream_->RemoveStreamListener(wrap);
+  Debug(wrap, "DestroySSL() finished");
 }
 
 
@@ -870,6 +944,7 @@ void TLSWrap::EnableCertCb(const FunctionCallbackInfo<Value>& args) {
 
 void TLSWrap::OnClientHelloParseEnd(void* arg) {
   TLSWrap* c = static_cast<TLSWrap*>(arg);
+  Debug(c, "OnClientHelloParseEnd()");
   c->Cycle();
 }
 
diff --git a/src/tls_wrap.h b/src/tls_wrap.h
index 84abd55c164b8d..85a53f236df5c9 100644
--- a/src/tls_wrap.h
+++ b/src/tls_wrap.h
@@ -88,6 +88,8 @@ class TLSWrap : public AsyncWrap,
   SET_MEMORY_INFO_NAME(TLSWrap)
   SET_SELF_SIZE(TLSWrap)
 
+  std::string diagnostic_name() const override;
+
  protected:
   // Alternative to StreamListener::stream(), that returns a StreamBase instead
   // of a StreamResource.

From fa6f0f16441797f939131ad00cdc9d4a7479c5eb Mon Sep 17 00:00:00 2001
From: Sam Roberts <vieuxtech@gmail.com>
Date: Thu, 7 Mar 2019 14:51:33 -0800
Subject: [PATCH 11/15] doc: describe tls.DEFAULT_MIN_VERSION/_MAX_VERSION

Backport-PR-URL: https://github.com/nodejs/node/pull/26951
PR-URL: https://github.com/nodejs/node/pull/26821
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
---
 doc/api/cli.md | 22 ++++++++++++----------
 doc/api/tls.md | 40 +++++++++++++++++++++++++++++++---------
 2 files changed, 43 insertions(+), 19 deletions(-)

diff --git a/doc/api/cli.md b/doc/api/cli.md
index 266aeffbb8d9d2..8c68db546b3742 100644
--- a/doc/api/cli.md
+++ b/doc/api/cli.md
@@ -448,38 +448,40 @@ with crypto support (default).
 added: REPLACEME
 -->
 
-Set default [`maxVersion`][] to `'TLSv1.2'`. Use to disable support for TLSv1.3.
+Set [`tls.DEFAULT_MAX_VERSION`][] to 'TLSv1.2'. Use to disable support for
+TLSv1.3.
 
 ### `--tls-max-v1.3`
 <!-- YAML
 added: REPLACEME
 -->
 
-Set default [`maxVersion`][] to `'TLSv1.3'`. Use to enable support for TLSv1.3.
+Set default [`tls.DEFAULT_MAX_VERSION`][] to 'TLSv1.3'. Use to enable support
+for TLSv1.3.
 
 ### `--tls-min-v1.0`
 <!-- YAML
 added: REPLACEME
 -->
 
-Set default [`minVersion`][] to `'TLSv1'`. Use for compatibility with old TLS
-clients or servers.
+Set default [`tls.DEFAULT_MIN_VERSION`][] to 'TLSv1'. Use for compatibility with
+old TLS clients or servers.
 
 ### `--tls-min-v1.1`
 <!-- YAML
 added: REPLACEME
 -->
 
-Set default [`minVersion`][] to `'TLSv1.1'`. Use for compatibility with old TLS
-clients or servers.
+Set default [`tls.DEFAULT_MIN_VERSION`][] to 'TLSv1.1'. Use for compatibility
+with old TLS clients or servers.
 
 ### `--tls-min-v1.3`
 <!-- YAML
 added: REPLACEME
 -->
 
-Set default [`minVersion`][] to `'TLSv1.3'`. Use to disable support for TLSv1.2
-in favour of TLSv1.3, which is more secure.
+Set default [`tls.DEFAULT_MIN_VERSION`][] to 'TLSv1.3'. Use to disable support
+for TLSv1.2, which is not as secure as TLSv1.3.
 
 ### `--trace-deprecation`
 <!-- YAML
@@ -918,9 +920,9 @@ greater than `4` (its current default value). For more information, see the
 [`--openssl-config`]: #cli_openssl_config_file
 [`Buffer`]: buffer.html#buffer_class_buffer
 [`SlowBuffer`]: buffer.html#buffer_class_slowbuffer
-[`maxVersion`]: tls.html#tls_tls_createsecurecontext_options
-[`minVersion`]: tls.html#tls_tls_createsecurecontext_options
 [`process.setUncaughtExceptionCaptureCallback()`]: process.html#process_process_setuncaughtexceptioncapturecallback_fn
+[`tls.DEFAULT_MAX_VERSION`]: tls.html#tls_tls_default_max_version
+[`tls.DEFAULT_MIN_VERSION`]: tls.html#tls_tls_default_min_version
 [Chrome DevTools Protocol]: https://chromedevtools.github.io/devtools-protocol/
 [REPL]: repl.html
 [ScriptCoverage]: https://chromedevtools.github.io/devtools-protocol/tot/Profiler#type-ScriptCoverage
diff --git a/doc/api/tls.md b/doc/api/tls.md
index 0c00adf188f0a4..574f5519e71d47 100644
--- a/doc/api/tls.md
+++ b/doc/api/tls.md
@@ -1351,20 +1351,13 @@ changes:
   * `maxVersion` {string} Optionally set the maximum TLS version to allow. One
     of `TLSv1.3`, `TLSv1.2'`, `'TLSv1.1'`, or `'TLSv1'`. Cannot be specified
     along with the `secureProtocol` option, use one or the other.
-    **Default:** `'TLSv1.2'`, unless changed using CLI options. Using
-    `--tls-max-v1.2` sets the default to `'TLSv1.2`'. Using `--tls-max-v1.3`
-    sets the default to `'TLSv1.3'`. If multiple of the options are provided,
-    the highest maximum is used.
+    **Default:** [`tls.DEFAULT_MAX_VERSION`][].
   * `minVersion` {string} Optionally set the minimum TLS version to allow. One
     of `TLSv1.3`, `TLSv1.2'`, `'TLSv1.1'`, or `'TLSv1'`. Cannot be specified
     along with the `secureProtocol` option, use one or the other. It is not
     recommended to use less than TLSv1.2, but it may be required for
     interoperability.
-    **Default:** `'TLSv1'`, unless changed using CLI options. Using
-    `--tls-min-v1.0` sets the default to `'TLSv1'`. Using `--tls-min-v1.1` sets
-    the default to `'TLSv1.1'`. Using `--tls-min-v1.3` sets the default to
-    `'TLSv1.3'`. If multiple of the options are provided, the lowest minimum is
-    used.
+    **Default:** [`tls.DEFAULT_MIN_VERSION`][].
   * `passphrase` {string} Shared passphrase used for a single private key and/or
     a PFX.
   * `pfx` {string|string[]|Buffer|Buffer[]|Object[]} PFX or PKCS12 encoded
@@ -1532,6 +1525,33 @@ The default curve name to use for ECDH key agreement in a tls server. The
 default value is `'auto'`. See [`tls.createSecureContext()`] for further
 information.
 
+## tls.DEFAULT_MAX_VERSION
+<!-- YAML
+added: v11.4.0
+-->
+
+* {string} The default value of the `maxVersion` option of
+  [`tls.createSecureContext()`][]. It can be assigned any of the supported TLS
+  protocol versions, `TLSv1.3`, `TLSv1.2'`, `'TLSv1.1'`, or `'TLSv1'`.
+  **Default:** `'TLSv1.2'`, unless changed using CLI options. Using
+  `--tls-max-v1.2` sets the default to `'TLSv1.2`'.  Using `--tls-max-v1.3` sets
+  the default to `'TLSv1.3'`. If multiple of the options are provided, the
+  highest maximum is used.
+
+## tls.DEFAULT_MIN_VERSION
+<!-- YAML
+added: v11.4.0
+-->
+
+* {string} The default value of the `minVersion` option of
+  [`tls.createSecureContext()`][]. It can be assigned any of the supported TLS
+  protocol versions, `'TLSv1.3'`, `TLSv1.2'`, `'TLSv1.1'`, or `'TLSv1'`.
+  **Default:** `'TLSv1'`, unless changed using CLI options. Using
+  `--tls-min-v1.0` sets the default to `'TLSv1'`. Using `--tls-min-v1.1` sets
+  the default to `'TLSv1.1'`. Using `--tls-min-v1.3` sets the default to
+  `'TLSv1.3'`. If multiple of the options are provided, the lowest minimum is
+  used.
+
 ## Deprecated APIs
 
 ### Class: CryptoStream
@@ -1660,6 +1680,8 @@ where `secureSocket` has the same API as `pair.cleartext`.
 [`server.setTicketKeys()`]: #tls_server_setticketkeys_keys
 [`socket.setTimeout(timeout)`]: #net_socket_settimeout_timeout_callback
 [`tls.DEFAULT_ECDH_CURVE`]: #tls_tls_default_ecdh_curve
+[`tls.DEFAULT_MAX_VERSION`]: #tls_tls_default_max_version
+[`tls.DEFAULT_MIN_VERSION`]: #tls_tls_default_min_version
 [`tls.Server`]: #tls_class_tls_server
 [`tls.TLSSocket.getPeerCertificate()`]: #tls_tlssocket_getpeercertificate_detailed
 [`tls.TLSSocket.getSession()`]: #tls_tlssocket_getsession

From 7aeca270f6664753c378489311e3314762fb1204 Mon Sep 17 00:00:00 2001
From: Sam Roberts <vieuxtech@gmail.com>
Date: Fri, 29 Mar 2019 12:34:49 -0700
Subject: [PATCH 12/15] tls: supported shared openssl 1.1.0

PR-URL: https://github.com/nodejs/node/pull/26951
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com>
---
 lib/_tls_common.js                                |  2 +-
 src/node_constants.cc                             |  2 ++
 src/node_crypto.cc                                |  9 +++++++--
 test/parallel/test-tls-client-renegotiation-13.js |  3 +++
 test/parallel/test-tls-getcipher.js               |  3 +++
 test/parallel/test-tls-min-max-version.js         | 12 ++++++++++++
 test/parallel/test-tls-set-ciphers-error.js       |  3 +++
 test/parallel/test-tls-set-ciphers.js             |  4 ++++
 8 files changed, 35 insertions(+), 3 deletions(-)

diff --git a/lib/_tls_common.js b/lib/_tls_common.js
index 618f40e7562b05..a0970571be3383 100644
--- a/lib/_tls_common.js
+++ b/lib/_tls_common.js
@@ -47,7 +47,7 @@ function toV(which, v, def) {
   if (v === 'TLSv1') return TLS1_VERSION;
   if (v === 'TLSv1.1') return TLS1_1_VERSION;
   if (v === 'TLSv1.2') return TLS1_2_VERSION;
-  if (v === 'TLSv1.3') return TLS1_3_VERSION;
+  if (v === 'TLSv1.3' && TLS1_3_VERSION) return TLS1_3_VERSION;
   throw new ERR_TLS_INVALID_PROTOCOL_VERSION(v, which);
 }
 
diff --git a/src/node_constants.cc b/src/node_constants.cc
index f08bcbcb25b6d8..4593760b2f3d94 100644
--- a/src/node_constants.cc
+++ b/src/node_constants.cc
@@ -1245,7 +1245,9 @@ void DefineCryptoConstants(Local<Object> target) {
   NODE_DEFINE_CONSTANT(target, TLS1_VERSION);
   NODE_DEFINE_CONSTANT(target, TLS1_1_VERSION);
   NODE_DEFINE_CONSTANT(target, TLS1_2_VERSION);
+#ifdef TLS1_3_VERSION
   NODE_DEFINE_CONSTANT(target, TLS1_3_VERSION);
+#endif
 #endif
   NODE_DEFINE_CONSTANT(target, INT_MAX);
 }
diff --git a/src/node_crypto.cc b/src/node_crypto.cc
index 568b44cf26c25a..8cafc808800b0e 100644
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -411,7 +411,12 @@ void SecureContext::New(const FunctionCallbackInfo<Value>& args) {
 
 // A maxVersion of 0 means "any", but OpenSSL may support TLS versions that
 // Node.js doesn't, so pin the max to what we do support.
-const int MAX_SUPPORTED_VERSION = TLS1_3_VERSION;
+const int MAX_SUPPORTED_VERSION =
+#ifdef TLS1_3_VERSION
+  TLS1_3_VERSION;
+#else
+  TLS1_2_VERSION;
+#endif
 
 void SecureContext::Init(const FunctionCallbackInfo<Value>& args) {
   SecureContext* sc;
@@ -947,7 +952,7 @@ void SecureContext::AddRootCerts(const FunctionCallbackInfo<Value>& args) {
 
 void SecureContext::SetCipherSuites(const FunctionCallbackInfo<Value>& args) {
   // BoringSSL doesn't allow API config of TLS1.3 cipher suites.
-#ifndef OPENSSL_IS_BORINGSSL
+#if defined(TLS1_3_VERSION) && !defined(OPENSSL_IS_BORINGSSL)
   SecureContext* sc;
   ASSIGN_OR_RETURN_UNWRAP(&sc, args.Holder());
   Environment* env = sc->env();
diff --git a/test/parallel/test-tls-client-renegotiation-13.js b/test/parallel/test-tls-client-renegotiation-13.js
index bd7ab70316dc59..cce41578ba31b2 100644
--- a/test/parallel/test-tls-client-renegotiation-13.js
+++ b/test/parallel/test-tls-client-renegotiation-13.js
@@ -4,6 +4,9 @@
 const common = require('../common');
 const fixtures = require('../common/fixtures');
 
+if (!require('constants').TLS1_3_VERSION)
+  common.skip(`openssl ${process.versions.openssl} does not support TLSv1.3`);
+
 // Confirm that for TLSv1.3, renegotiate() is disallowed.
 
 const {
diff --git a/test/parallel/test-tls-getcipher.js b/test/parallel/test-tls-getcipher.js
index 03c32da03c945b..4379d74897a7dd 100644
--- a/test/parallel/test-tls-getcipher.js
+++ b/test/parallel/test-tls-getcipher.js
@@ -56,6 +56,9 @@ server.listen(0, '127.0.0.1', common.mustCall(function() {
   }));
 }));
 
+if (!require('constants').TLS1_3_VERSION)
+  return console.log('cannot test TLSv1.3 against 1.3-incapable shared lib');
+
 tls.createServer({
   key: fixtures.readKey('agent2-key.pem'),
   cert: fixtures.readKey('agent2-cert.pem'),
diff --git a/test/parallel/test-tls-min-max-version.js b/test/parallel/test-tls-min-max-version.js
index f30b9b3b9897c9..cd8bccca04d612 100644
--- a/test/parallel/test-tls-min-max-version.js
+++ b/test/parallel/test-tls-min-max-version.js
@@ -9,6 +9,13 @@ const {
 } = require(fixtures.path('tls-connect'));
 const DEFAULT_MIN_VERSION = tls.DEFAULT_MIN_VERSION;
 const DEFAULT_MAX_VERSION = tls.DEFAULT_MAX_VERSION;
+const tls13 = !!require('constants').TLS1_3_VERSION;
+
+if (!tls13 && (
+  DEFAULT_MAX_VERSION === 'TLSv1.3' ||
+  DEFAULT_MIN_VERSION === 'TLSv1.3')) {
+  return common.skip('cannot test TLSv1.3 against 1.3-incapable shared lib');
+}
 
 function test(cmin, cmax, cprot, smin, smax, sprot, proto, cerr, serr) {
   assert(proto || cerr || serr, 'test missing any expectations');
@@ -16,6 +23,11 @@ function test(cmin, cmax, cprot, smin, smax, sprot, proto, cerr, serr) {
   //     at Object.<anonymous> (file:line)
   // from the stack location, we only want the file:line part.
   const where = (new Error()).stack.split('\n')[2].replace(/[^(]*/, '');
+  if (Array.prototype.includes.call(arguments, 'TLSv1.3')) {
+    console.log('test: skip because TLSv1.3 is not supported');
+    console.log('  ', where);
+    return;
+  }
   connect({
     client: {
       checkServerIdentity: (servername, cert) => { },
diff --git a/test/parallel/test-tls-set-ciphers-error.js b/test/parallel/test-tls-set-ciphers-error.js
index f963b414f44630..a09c12b321cba0 100644
--- a/test/parallel/test-tls-set-ciphers-error.js
+++ b/test/parallel/test-tls-set-ciphers-error.js
@@ -4,6 +4,9 @@ const common = require('../common');
 if (!common.hasCrypto)
   common.skip('missing crypto');
 
+if (!require('constants').TLS1_3_VERSION)
+  return common.skip('openssl before TLS1.3 does not check for failure');
+
 const assert = require('assert');
 const tls = require('tls');
 const fixtures = require('../common/fixtures');
diff --git a/test/parallel/test-tls-set-ciphers.js b/test/parallel/test-tls-set-ciphers.js
index ecf9176c4020a6..254cc52ad4ef37 100644
--- a/test/parallel/test-tls-set-ciphers.js
+++ b/test/parallel/test-tls-set-ciphers.js
@@ -15,6 +15,10 @@ if (tls13)
   tls.DEFAULT_MAX_VERSION = 'TLSv1.3';
 
 function test(cciphers, sciphers, cipher, cerr, serr) {
+  if (!tls13 && (/TLS_/.test(cciphers) || /TLS_/.test(sciphers))) {
+    // Test relies on TLS1.3, skip it.
+    return;
+  }
   assert(cipher || cerr || serr, 'test missing any expectations');
   const where = (new Error()).stack.split('\n')[2].replace(/[^(]*/, '');
   connect({

From bf2c283555c6b2651d55ef37816616a16c3f37f5 Mon Sep 17 00:00:00 2001
From: Sam Roberts <vieuxtech@gmail.com>
Date: Thu, 28 Mar 2019 10:52:41 -0700
Subject: [PATCH 13/15] tls: add --tls-min-v1.2 CLI switch

For 11.x, the default minimum is TLSv1, so it needs a CLI switch to
change the default to the more secure minimum of TLSv1.2.

PR-URL: https://github.com/nodejs/node/pull/26951
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com>
---
 doc/api/cli.md                                |  8 ++++++++
 doc/node.1                                    |  4 ++++
 lib/tls.js                                    |  2 ++
 src/node_options.cc                           |  4 ++++
 src/node_options.h                            |  1 +
 test/parallel/test-tls-cli-min-version-1.2.js | 15 +++++++++++++++
 6 files changed, 34 insertions(+)
 create mode 100644 test/parallel/test-tls-cli-min-version-1.2.js

diff --git a/doc/api/cli.md b/doc/api/cli.md
index 8c68db546b3742..3d4a1adb91aee2 100644
--- a/doc/api/cli.md
+++ b/doc/api/cli.md
@@ -475,6 +475,14 @@ added: REPLACEME
 Set default [`tls.DEFAULT_MIN_VERSION`][] to 'TLSv1.1'. Use for compatibility
 with old TLS clients or servers.
 
+### `--tls-min-v1.2`
+<!-- YAML
+added: REPLACEME
+-->
+
+Set default [`minVersion`][] to `'TLSv1.2'`. Use to disable support for TLSv1
+and TLSv1.1 in favour of TLSv1.2, which is more secure.
+
 ### `--tls-min-v1.3`
 <!-- YAML
 added: REPLACEME
diff --git a/doc/node.1 b/doc/node.1
index 7bcb1edc59ab5d..4a3759ad0de031 100644
--- a/doc/node.1
+++ b/doc/node.1
@@ -250,6 +250,10 @@ or servers.
 Set default minVersion to 'TLSv1.1'. Use for compatibility with old TLS clients
 or servers.
 .
+.It Fl -tls-min-v1.2
+Set default minVersion to 'TLSv1.2'. Use to disable support for TLSv1 and
+TLSv1.1 in favour of TLSv1.2, which is more secure.
+.
 .It Fl -tls-min-v1.3
 Set default minVersion to 'TLSv1.3'. Use to disable support for TLSv1.2 in
 favour of TLSv1.3, which is more secure.
diff --git a/lib/tls.js b/lib/tls.js
index e4dadaa284e6de..c951727e5589c3 100644
--- a/lib/tls.js
+++ b/lib/tls.js
@@ -58,6 +58,8 @@ if (getOptionValue('--tls-min-v1.0'))
   exports.DEFAULT_MIN_VERSION = 'TLSv1';
 else if (getOptionValue('--tls-min-v1.1'))
   exports.DEFAULT_MIN_VERSION = 'TLSv1.1';
+else if (getOptionValue('--tls-min-v1.2'))
+  exports.DEFAULT_MIN_VERSION = 'TLSv1.2';
 else if (getOptionValue('--tls-min-v1.3'))
   exports.DEFAULT_MIN_VERSION = 'TLSv1.3';
 else
diff --git a/src/node_options.cc b/src/node_options.cc
index 46ee2b9f6ad9ee..94e9f16ad218a9 100644
--- a/src/node_options.cc
+++ b/src/node_options.cc
@@ -336,6 +336,10 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() {
             "set default TLS minimum to TLSv1.1 (default: TLSv1)",
             &EnvironmentOptions::tls_min_v1_1,
             kAllowedInEnvironment);
+  AddOption("--tls-min-v1.2",
+            "set default TLS minimum to TLSv1.2 (default: TLSv1)",
+            &EnvironmentOptions::tls_min_v1_2,
+            kAllowedInEnvironment);
   AddOption("--tls-min-v1.3",
             "set default TLS minimum to TLSv1.3 (default: TLSv1)",
             &EnvironmentOptions::tls_min_v1_3,
diff --git a/src/node_options.h b/src/node_options.h
index 7c9da1c69b278a..c21e0caf407094 100644
--- a/src/node_options.h
+++ b/src/node_options.h
@@ -138,6 +138,7 @@ class EnvironmentOptions : public Options {
 
   bool tls_min_v1_0 = false;
   bool tls_min_v1_1 = false;
+  bool tls_min_v1_2 = false;
   bool tls_min_v1_3 = false;
   bool tls_max_v1_2 = false;
   bool tls_max_v1_3 = false;
diff --git a/test/parallel/test-tls-cli-min-version-1.2.js b/test/parallel/test-tls-cli-min-version-1.2.js
new file mode 100644
index 00000000000000..058dc180f6065e
--- /dev/null
+++ b/test/parallel/test-tls-cli-min-version-1.2.js
@@ -0,0 +1,15 @@
+// Flags: --tls-min-v1.2
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto) common.skip('missing crypto');
+
+// Check that node `--tls-min-v1.2` is supported.
+
+const assert = require('assert');
+const tls = require('tls');
+
+assert.strictEqual(tls.DEFAULT_MAX_VERSION, 'TLSv1.2');
+assert.strictEqual(tls.DEFAULT_MIN_VERSION, 'TLSv1.2');
+
+// Check the min-max version protocol versions against these CLI settings.
+require('./test-tls-min-max-version.js');

From 7da23dcbfa89f0f154fb90ee8349c0c9f95843e6 Mon Sep 17 00:00:00 2001
From: Anna Henningsen <anna@addaleax.net>
Date: Tue, 16 Apr 2019 15:12:34 +0200
Subject: [PATCH 14/15] deps: V8: backport 61f4c22

The differences to the original patch are the replacement of
`i::IsIdentifier...()` with `unicode_cache_.IsIdentifier...()`,
because the former is not available on Node.js v11.x, as well
as the omitted `no_gc` argument for `GetFlatContent()`.

Original commit message:

    Assume flat string when checking CompileFunctionInContext arguments.

    R=jkummerow@chromium.org

    Change-Id: I54c6137a3c6e14d4102188f154aa7216e7414dbc
    Reviewed-on: https://chromium-review.googlesource.com/c/1388533
    Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
    Commit-Queue: Yang Guo <yangguo@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#58562}

Refs: https://github.com/v8/v8/commit/61f4c2251e107aebca620054701f2faec36209a8
Fixes: https://github.com/nodejs/node/issues/27256

PR-URL: https://github.com/nodejs/node/pull/27259
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
Reviewed-By: Shelley Vohr <codebytere@gmail.com>
---
 common.gypi                          |  2 +-
 deps/v8/src/api.cc                   | 58 ++++++++++------------------
 deps/v8/test/cctest/test-compiler.cc | 19 ++++-----
 3 files changed, 32 insertions(+), 47 deletions(-)

diff --git a/common.gypi b/common.gypi
index 338ed2cbbb9bb8..f405156a20b26c 100644
--- a/common.gypi
+++ b/common.gypi
@@ -30,7 +30,7 @@
 
     # Reset this number to 0 on major V8 upgrades.
     # Increment by one for each non-official patch applied to deps/v8.
-    'v8_embedder_string': '-node.18',
+    'v8_embedder_string': '-node.19',
 
     # Turn on SipHash for hash seed generation, addresses HashWick
     'v8_use_siphash': 'true',
diff --git a/deps/v8/src/api.cc b/deps/v8/src/api.cc
index 3f0cad545f5cee..372387e0c9ef51 100644
--- a/deps/v8/src/api.cc
+++ b/deps/v8/src/api.cc
@@ -2424,44 +2424,29 @@ MaybeLocal<Module> ScriptCompiler::CompileModule(
   return ToApiHandle<Module>(i_isolate->factory()->NewModule(shared));
 }
 
-
-class IsIdentifierHelper {
- public:
-  IsIdentifierHelper() : is_identifier_(false), first_char_(true) {}
-
-  bool Check(i::String* string) {
-    i::ConsString* cons_string = i::String::VisitFlat(this, string, 0);
-    if (cons_string == nullptr) return is_identifier_;
-    // We don't support cons strings here.
-    return false;
-  }
-  void VisitOneByteString(const uint8_t* chars, int length) {
-    for (int i = 0; i < length; ++i) {
-      if (first_char_) {
-        first_char_ = false;
-        is_identifier_ = unicode_cache_.IsIdentifierStart(chars[0]);
-      } else {
-        is_identifier_ &= unicode_cache_.IsIdentifierPart(chars[i]);
-      }
+namespace {
+bool IsIdentifier(i::Isolate* isolate, i::Handle<i::String> string) {
+  i::UnicodeCache unicode_cache_;
+  string = i::String::Flatten(isolate, string);
+  const int length = string->length();
+  if (length == 0) return false;
+  if (!unicode_cache_.IsIdentifierStart(string->Get(0))) return false;
+  i::DisallowHeapAllocation no_gc;
+  i::String::FlatContent flat = string->GetFlatContent();
+  if (flat.IsOneByte()) {
+    auto vector = flat.ToOneByteVector();
+    for (int i = 1; i < length; i++) {
+      if (!unicode_cache_.IsIdentifierPart(vector[i])) return false;
     }
-  }
-  void VisitTwoByteString(const uint16_t* chars, int length) {
-    for (int i = 0; i < length; ++i) {
-      if (first_char_) {
-        first_char_ = false;
-        is_identifier_ = unicode_cache_.IsIdentifierStart(chars[0]);
-      } else {
-        is_identifier_ &= unicode_cache_.IsIdentifierPart(chars[i]);
-      }
+  } else {
+    auto vector = flat.ToUC16Vector();
+    for (int i = 1; i < length; i++) {
+      if (!unicode_cache_.IsIdentifierPart(vector[i])) return false;
     }
   }
-
- private:
-  bool is_identifier_;
-  bool first_char_;
-  i::UnicodeCache unicode_cache_;
-  DISALLOW_COPY_AND_ASSIGN(IsIdentifierHelper);
-};
+  return true;
+}
+}  // anonymous namespace
 
 MaybeLocal<Function> ScriptCompiler::CompileFunctionInContext(
     Local<Context> v8_context, Source* source, size_t arguments_count,
@@ -2486,9 +2471,8 @@ MaybeLocal<Function> ScriptCompiler::CompileFunctionInContext(
   i::Handle<i::FixedArray> arguments_list =
       isolate->factory()->NewFixedArray(static_cast<int>(arguments_count));
   for (int i = 0; i < static_cast<int>(arguments_count); i++) {
-    IsIdentifierHelper helper;
     i::Handle<i::String> argument = Utils::OpenHandle(*arguments[i]);
-    if (!helper.Check(*argument)) return Local<Function>();
+    if (!IsIdentifier(isolate, argument)) return Local<Function>();
     arguments_list->set(i, *argument);
   }
 
diff --git a/deps/v8/test/cctest/test-compiler.cc b/deps/v8/test/cctest/test-compiler.cc
index 63904e086f7de3..0263d20c4891b0 100644
--- a/deps/v8/test/cctest/test-compiler.cc
+++ b/deps/v8/test/cctest/test-compiler.cc
@@ -487,8 +487,8 @@ TEST(CompileFunctionInContextArgs) {
   v8::Local<v8::Object> ext[1];
   ext[0] = v8::Local<v8::Object>::Cast(
       env->Global()->Get(env.local(), v8_str("a")).ToLocalChecked());
-  v8::ScriptCompiler::Source script_source(v8_str("result = x + b"));
-  v8::Local<v8::String> arg = v8_str("b");
+  v8::ScriptCompiler::Source script_source(v8_str("result = x + abc"));
+  v8::Local<v8::String> arg = v8_str("abc");
   v8::Local<v8::Function> fun =
       v8::ScriptCompiler::CompileFunctionInContext(env.local(), &script_source,
                                                    1, &arg, 1, ext)
@@ -498,8 +498,8 @@ TEST(CompileFunctionInContextArgs) {
                   ->ToInt32(env.local())
                   .ToLocalChecked()
                   ->Value());
-  v8::Local<v8::Value> b_value = v8::Number::New(CcTest::isolate(), 42.0);
-  fun->Call(env.local(), env->Global(), 1, &b_value).ToLocalChecked();
+  v8::Local<v8::Value> arg_value = v8::Number::New(CcTest::isolate(), 42.0);
+  fun->Call(env.local(), env->Global(), 1, &arg_value).ToLocalChecked();
   CHECK(env->Global()->Has(env.local(), v8_str("result")).FromJust());
   v8::Local<v8::Value> result =
       env->Global()->Get(env.local(), v8_str("result")).ToLocalChecked();
@@ -516,16 +516,17 @@ TEST(CompileFunctionInContextComments) {
   v8::Local<v8::Object> ext[1];
   ext[0] = v8::Local<v8::Object>::Cast(
       env->Global()->Get(env.local(), v8_str("a")).ToLocalChecked());
-  v8::ScriptCompiler::Source script_source(
-      v8_str("result = /* y + */ x + b // + z"));
-  v8::Local<v8::String> arg = v8_str("b");
+  v8::Local<v8::String> source =
+      CompileRun("'result = /* y + */ x + a\\u4e00 // + z'").As<v8::String>();
+  v8::ScriptCompiler::Source script_source(source);
+  v8::Local<v8::String> arg = CompileRun("'a\\u4e00'").As<v8::String>();
   v8::Local<v8::Function> fun =
       v8::ScriptCompiler::CompileFunctionInContext(env.local(), &script_source,
                                                    1, &arg, 1, ext)
           .ToLocalChecked();
   CHECK(!fun.IsEmpty());
-  v8::Local<v8::Value> b_value = v8::Number::New(CcTest::isolate(), 42.0);
-  fun->Call(env.local(), env->Global(), 1, &b_value).ToLocalChecked();
+  v8::Local<v8::Value> arg_value = v8::Number::New(CcTest::isolate(), 42.0);
+  fun->Call(env.local(), env->Global(), 1, &arg_value).ToLocalChecked();
   CHECK(env->Global()->Has(env.local(), v8_str("result")).FromJust());
   v8::Local<v8::Value> result =
       env->Global()->Get(env.local(), v8_str("result")).ToLocalChecked();

From e65a904f111276c244ab5ab1ee35f6ba27b1fd52 Mon Sep 17 00:00:00 2001
From: Shelley Vohr <shelley.vohr@gmail.com>
Date: Fri, 19 Apr 2019 11:18:38 -0700
Subject: [PATCH 15/15] 2019-04-30, Version 11.15.0 (Current)

Notable changes:

* deps: add s390 asm rules for OpenSSL-1.1.1 (Shigeki Ohtsu) [#19794](https://github.com/nodejs/node/pull/19794)
* src: add .code and SSL specific error properties (Sam Roberts) [#25093](https://github.com/nodejs/node/pull/25093)
* tls:
  * add --tls-min-v1.2 CLI switch (Sam Roberts) [#26951](https://github.com/nodejs/node/pull/26951)
  * supported shared openssl 1.1.0 (Sam Roberts) [#26951](https://github.com/nodejs/node/pull/26951)
  * revert default max toTLSv1.2 (Sam Roberts) [#26951](https://github.com/nodejs/node/pull/26951)
  * revert change to invalid protocol error type (Sam Roberts) [#26951](https://github.com/nodejs/node/pull/26951)
  * support TLSv1.3 (Sam Roberts) [#26209](https://github.com/nodejs/node/pull/26209)
  * add code for ERR\_TLS\_INVALID\_PROTOCOL\_METHOD (Sam Roberts) [#24729](https://github.com/nodejs/node/pull/24729)

PR-URL: https://github.com/nodejs/node/pull/27314
---
 CHANGELOG.md                    |  3 ++-
 doc/api/cli.md                  | 12 ++++++------
 doc/api/tls.md                  |  2 +-
 doc/changelogs/CHANGELOG_V11.md | 33 +++++++++++++++++++++++++++++++++
 src/node_version.h              |  6 +++---
 5 files changed, 45 insertions(+), 11 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index fd0c8b516091ad..625d3b44b114b2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -28,7 +28,8 @@ release.
 </tr>
 <tr>
     <td valign="top">
-<b><a href="doc/changelogs/CHANGELOG_V11.md#11.14.0">11.14.0</a></b><br/>
+<b><a href="doc/changelogs/CHANGELOG_V11.md#11.15.0">11.15.0</a></b><br/>
+<a href="doc/changelogs/CHANGELOG_V11.md#11.14.0">11.14.0</a><br/>
 <a href="doc/changelogs/CHANGELOG_V11.md#11.13.0">11.13.0</a><br/>
 <a href="doc/changelogs/CHANGELOG_V11.md#11.12.0">11.12.0</a><br/>
 <a href="doc/changelogs/CHANGELOG_V11.md#11.11.0">11.11.0</a><br/>
diff --git a/doc/api/cli.md b/doc/api/cli.md
index 3d4a1adb91aee2..f1236a088abd5b 100644
--- a/doc/api/cli.md
+++ b/doc/api/cli.md
@@ -445,7 +445,7 @@ with crypto support (default).
 
 ### `--tls-max-v1.2`
 <!-- YAML
-added: REPLACEME
+added: v11.15.0
 -->
 
 Set [`tls.DEFAULT_MAX_VERSION`][] to 'TLSv1.2'. Use to disable support for
@@ -453,7 +453,7 @@ TLSv1.3.
 
 ### `--tls-max-v1.3`
 <!-- YAML
-added: REPLACEME
+added: v11.15.0
 -->
 
 Set default [`tls.DEFAULT_MAX_VERSION`][] to 'TLSv1.3'. Use to enable support
@@ -461,7 +461,7 @@ for TLSv1.3.
 
 ### `--tls-min-v1.0`
 <!-- YAML
-added: REPLACEME
+added: v11.15.0
 -->
 
 Set default [`tls.DEFAULT_MIN_VERSION`][] to 'TLSv1'. Use for compatibility with
@@ -469,7 +469,7 @@ old TLS clients or servers.
 
 ### `--tls-min-v1.1`
 <!-- YAML
-added: REPLACEME
+added: v11.15.0
 -->
 
 Set default [`tls.DEFAULT_MIN_VERSION`][] to 'TLSv1.1'. Use for compatibility
@@ -477,7 +477,7 @@ with old TLS clients or servers.
 
 ### `--tls-min-v1.2`
 <!-- YAML
-added: REPLACEME
+added: v11.15.0
 -->
 
 Set default [`minVersion`][] to `'TLSv1.2'`. Use to disable support for TLSv1
@@ -485,7 +485,7 @@ and TLSv1.1 in favour of TLSv1.2, which is more secure.
 
 ### `--tls-min-v1.3`
 <!-- YAML
-added: REPLACEME
+added: v11.15.0
 -->
 
 Set default [`tls.DEFAULT_MIN_VERSION`][] to 'TLSv1.3'. Use to disable support
diff --git a/doc/api/tls.md b/doc/api/tls.md
index 574f5519e71d47..d4a333279d9d56 100644
--- a/doc/api/tls.md
+++ b/doc/api/tls.md
@@ -1256,7 +1256,7 @@ argument.
 <!-- YAML
 added: v0.11.13
 changes:
-  - version: REPLACEME
+  - version: v11.15.0
     pr-url: https://github.com/nodejs/node/pull/26209
     description: TLSv1.3 support added.
   - version: v11.5.0
diff --git a/doc/changelogs/CHANGELOG_V11.md b/doc/changelogs/CHANGELOG_V11.md
index fffa3d9b1ba425..3eefa7ebe85184 100644
--- a/doc/changelogs/CHANGELOG_V11.md
+++ b/doc/changelogs/CHANGELOG_V11.md
@@ -9,6 +9,7 @@
 </tr>
 <tr>
 <td>
+<a href="#11.15.0">11.15.0</a><br/>
 <a href="#11.14.0">11.14.0</a><br/>
 <a href="#11.13.0">11.13.0</a><br/>
 <a href="#11.12.0">11.12.0</a><br/>
@@ -42,6 +43,38 @@
   * [io.js](CHANGELOG_IOJS.md)
   * [Archive](CHANGELOG_ARCHIVE.md)
 
+<a id="11.15.0"></a>
+## 2019-04-30, Version 11.15.0 (Current), @codebytere
+
+### Notable changes
+
+* **deps**: add s390 asm rules for OpenSSL-1.1.1 (Shigeki Ohtsu) [#19794](https://github.com/nodejs/node/pull/19794)
+* **src**: add .code and SSL specific error properties (Sam Roberts) [#25093](https://github.com/nodejs/node/pull/25093)
+* **tls**:
+  * add --tls-min-v1.2 CLI switch (Sam Roberts) [#26951](https://github.com/nodejs/node/pull/26951)
+  * supported shared openssl 1.1.0 (Sam Roberts) [#26951](https://github.com/nodejs/node/pull/26951)
+  * revert default max toTLSv1.2 (Sam Roberts) [#26951](https://github.com/nodejs/node/pull/26951)
+  * revert change to invalid protocol error type (Sam Roberts) [#26951](https://github.com/nodejs/node/pull/26951)
+  * support TLSv1.3 (Sam Roberts) [#26209](https://github.com/nodejs/node/pull/26209)
+  * add code for ERR\_TLS\_INVALID\_PROTOCOL\_METHOD (Sam Roberts) [#24729](https://github.com/nodejs/node/pull/24729)
+
+### Commits
+
+* [[`7da23dcbfa`](https://github.com/nodejs/node/commit/7da23dcbfa)] - **deps**: V8: backport 61f4c22 (Anna Henningsen) [#27259](https://github.com/nodejs/node/pull/27259)
+* [[`8db791d0fe`](https://github.com/nodejs/node/commit/8db791d0fe)] - **deps**: update archs files for OpenSSL-1.1.1b (Sam Roberts) [#26327](https://github.com/nodejs/node/pull/26327)
+* [[`1c98b720b1`](https://github.com/nodejs/node/commit/1c98b720b1)] - **(SEMVER-MINOR)** **deps**: add s390 asm rules for OpenSSL-1.1.1 (Shigeki Ohtsu) [#19794](https://github.com/nodejs/node/pull/19794)
+* [[`d8cc478ae9`](https://github.com/nodejs/node/commit/d8cc478ae9)] - **deps**: upgrade openssl sources to 1.1.1b (Sam Roberts) [#26327](https://github.com/nodejs/node/pull/26327)
+* [[`fa6f0f1644`](https://github.com/nodejs/node/commit/fa6f0f1644)] - **doc**: describe tls.DEFAULT\_MIN\_VERSION/\_MAX\_VERSION (Sam Roberts) [#26821](https://github.com/nodejs/node/pull/26821)
+* [[`8b5d350a35`](https://github.com/nodejs/node/commit/8b5d350a35)] - **(SEMVER-MINOR)** **src**: add .code and SSL specific error properties (Sam Roberts) [#25093](https://github.com/nodejs/node/pull/25093)
+* [[`bf2c283555`](https://github.com/nodejs/node/commit/bf2c283555)] - **(SEMVER-MINOR)** **tls**: add --tls-min-v1.2 CLI switch (Sam Roberts) [#26951](https://github.com/nodejs/node/pull/26951)
+* [[`7aeca270f6`](https://github.com/nodejs/node/commit/7aeca270f6)] - **(SEMVER-MINOR)** **tls**: supported shared openssl 1.1.0 (Sam Roberts) [#26951](https://github.com/nodejs/node/pull/26951)
+* [[`d2666e6ded`](https://github.com/nodejs/node/commit/d2666e6ded)] - **tls**: add debugging to native TLS code (Anna Henningsen) [#26843](https://github.com/nodejs/node/pull/26843)
+* [[`225417b849`](https://github.com/nodejs/node/commit/225417b849)] - **tls**: add CHECK for impossible condition (AnnaHenningsen) [#26843](https://github.com/nodejs/node/pull/26843)
+* [[`109c097797`](https://github.com/nodejs/node/commit/109c097797)] - **(SEMVER-MINOR)** **tls**: revert default max toTLSv1.2 (Sam Roberts) [#26951](https://github.com/nodejs/node/pull/26951)
+* [[`7393e37af1`](https://github.com/nodejs/node/commit/7393e37af1)] - **(SEMVER-MINOR)** **tls**: support TLSv1.3 (Sam Roberts) [#26209](https://github.com/nodejs/node/pull/26209)
+* [[`8e14859459`](https://github.com/nodejs/node/commit/8e14859459)] - **(SEMVER-MINOR)** **tls**: revert change to invalid protocol error type (Sam Roberts) [#26951](https://github.com/nodejs/node/pull/26951)
+* [[`00688b6042`](https://github.com/nodejs/node/commit/00688b6042)] - **(SEMVER-MINOR)** **tls**: add code for ERR\_TLS\_INVALID\_PROTOCOL\_METHOD (Sam Roberts) [#24729](https://github.com/nodejs/node/pull/24729)
+
 <a id="11.14.0"></a>
 ## 2019-04-11, Version 11.14.0 (Current), @BethGriggs
 
diff --git a/src/node_version.h b/src/node_version.h
index d47323849f20c1..95e75c16828229 100644
--- a/src/node_version.h
+++ b/src/node_version.h
@@ -23,13 +23,13 @@
 #define SRC_NODE_VERSION_H_
 
 #define NODE_MAJOR_VERSION 11
-#define NODE_MINOR_VERSION 14
-#define NODE_PATCH_VERSION 1
+#define NODE_MINOR_VERSION 15
+#define NODE_PATCH_VERSION 0
 
 #define NODE_VERSION_IS_LTS 0
 #define NODE_VERSION_LTS_CODENAME ""
 
-#define NODE_VERSION_IS_RELEASE 0
+#define NODE_VERSION_IS_RELEASE 1
 
 #ifndef NODE_STRINGIFY
 #define NODE_STRINGIFY(n) NODE_STRINGIFY_HELPER(n)