https requestCert unusable with Firefox and Chrome

Fixes #1516.
nodejs · Aug 21, 2011 · 7326444 · 7326444
1 parent ce9caa2
commit 7326444
Show file tree

Hide file tree

Showing 3 changed files with 91 additions and 3 deletions.
diff --git a/lib/tls.js b/lib/tls.js
@@ -483,9 +483,16 @@ function SecurePair(credentials, isServer, requestCert, rejectUnauthorized) {
   this._rejectUnauthorized = rejectUnauthorized ? true : false;
   this._requestCert = requestCert ? true : false;
 
+  if (this._isServer && this._requestCert) {
+    this._sessionIdCtx = crypto.createHash('md5').
+                                update(process.argv.join(' ')).
+                                digest('hex');
+  }
+
   this.ssl = new Connection(this.credentials.context,
                              this._isServer ? true : false,
                              this._requestCert,
+                             this._sessionIdCtx,
                              this._rejectUnauthorized);
 
 

diff --git a/src/node_crypto.cc b/src/node_crypto.cc
@@ -491,8 +491,10 @@ int Connection::HandleSSLError(const char* func, int rv) {
   if (rv >= 0) return rv;
 
   int err = SSL_get_error(ssl_, rv);
+  if (err == SSL_ERROR_NONE) {
+    return 0;
 
-  if (err == SSL_ERROR_WANT_WRITE) {
+  } else if (err == SSL_ERROR_WANT_WRITE) {
     DEBUG_PRINT("[%p] SSL: %s want write\n", ssl_, func);
     return 0;
 
@@ -502,7 +504,12 @@ int Connection::HandleSSLError(const char* func, int rv) {
 
   } else {
     static char ssl_error_buf[512];
-    ERR_error_string_n(err, ssl_error_buf, sizeof(ssl_error_buf));
+#ifdef HAVE_ERR_PEEK_LAST_ERROR
+    ERR_error_string_n(ERR_peek_last_error(), ssl_error_buf,
+            sizeof(ssl_error_buf));
+#else
+    ERR_error_string_n(ERR_peek_error(), ssl_error_buf, sizeof(ssl_error_buf));
+#endif
 
     HandleScope scope;
     Local<Value> e = Exception::Error(String::New(ssl_error_buf));
@@ -647,7 +654,12 @@ Handle<Value> Connection::New(const Arguments& args) {
       // Note reject_unauthorized ignored.
       verify_mode = SSL_VERIFY_NONE;
     } else {
-      bool reject_unauthorized = args[3]->BooleanValue();
+      String::Utf8Value sessionIdCtx(args[3]->ToString());
+      SSL_CTX_set_session_id_context(sc->ctx_,
+                                     (const unsigned char*) *sessionIdCtx,
+                                     sessionIdCtx.length());
+
+      bool reject_unauthorized = args[4]->BooleanValue();
       verify_mode = SSL_VERIFY_PEER;
       if (reject_unauthorized) verify_mode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
     }

diff --git a/test/simple/test-tls-session-cache.js b/test/simple/test-tls-session-cache.js
@@ -0,0 +1,69 @@
+// Copyright Joyent, Inc. and other Node contributors.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a
+// copy of this software and associated documentation files (the
+// "Software"), to deal in the Software without restriction, including
+// without limitation the rights to use, copy, modify, merge, publish,
+// distribute, sublicense, and/or sell copies of the Software, and to permit
+// persons to whom the Software is furnished to do so, subject to the
+// following conditions:
+//
+// The above copyright notice and this permission notice shall be included
+// in all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+// OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
+// NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
+// DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
+// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
+// USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+if (!process.versions.openssl) {
+  console.error("Skipping because node compiled without OpenSSL.");
+  process.exit(0);
+}
+
+var common = require('../common');
+var assert = require('assert');
+var tls = require('tls');
+var fs = require('fs');
+var join = require('path').join;
+var spawn = require('child_process').spawn;
+
+var keyFile = join(common.fixturesDir, 'agent.key');
+var certFile = join(common.fixturesDir, 'agent.crt');
+var key = fs.readFileSync(keyFile);
+var cert = fs.readFileSync(certFile);
+var options = {
+  key: key,
+  cert: cert,
+  ca: [ cert ],
+  requestCert: true
+};
+var requestCount = 0;
+
+var server = tls.createServer(options, function(cleartext) {
+  ++requestCount;
+  cleartext.end();
+});
+server.listen(common.PORT, function() {
+  var client = spawn('openssl', [
+      's_client',
+      '-connect', 'localhost:' + common.PORT,
+      '-key', join(common.fixturesDir, 'agent.key'),
+      '-cert', join(common.fixturesDir, 'agent.crt'),
+      '-reconnect'
+    ]);
+  client.stdout.pipe(process.stdout);
+  client.stderr.pipe(process.stderr);
+  client.on('exit', function(code) {
+    assert.equal(code, 0);
+    server.close();
+  });
+});
+
+process.on('exit', function() {
+  // initial request + reconnect requtsts (5 times)
+  assert.equal(requestCount, 6);
+});