-
Notifications
You must be signed in to change notification settings - Fork 30.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
TLS/SSL: tls.TLSSocket emits error event on handshake failure #8805
Conversation
@@ -0,0 +1,31 @@ | |||
'use strict'; | |||
var common = require('../common'); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: const
return; | ||
} | ||
var tls = require('tls'); | ||
var net = require('net'); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
const
here also
Couple of nits. /cc @nodejs/streams for review |
/cc @indutny ? |
server: server | ||
}); | ||
|
||
s.on('error', common.mustCall(function() {})); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there any validation you can add to the error?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@cjihrig quite right, added basic validation.
server.close(); | ||
s.destroy(); | ||
}); | ||
}), 200); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this must be common.platformTimeout based.
var bonkers = Buffer.alloc(1024, 42); | ||
|
||
var server = net.createServer(common.mustCall(function(c) { | ||
setTimeout(common.mustCall(function() { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we don't need common.mustCall here, but it does not hurt either. Any other opinions?
|
||
var bonkers = Buffer.alloc(1024, 42); | ||
|
||
var server = net.createServer(common.mustCall(function(c) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
const
var tls = require('tls'); | ||
var net = require('net'); | ||
|
||
var bonkers = Buffer.alloc(1024, 42); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
const
self.destroy(err); | ||
} else { | ||
self.destroy(self._tlsError(err)); | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it is not clear why this change fix the described issue. Can you please add a comment describing why?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Furthermore, _tlsError
returns null
if self._controlReleased === false
. I don't see how this particular change makes it behave differently.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@mcollina @indutny self._tlsError
returning null
is exactly what i am addressing here. When handshake fails and ssl.onerror
is called control is not released yet, so self.destroy
is called with null
, and error
event is not fired in destroy
.
Here is debug output from upstream:
NET 26944: listen2 null 1337 4 false undefined
NET 26944: _listen2: create a handle
NET 26944: bind to ::
NET 26944: onconnection
NET 26944: _read
NET 26944: Socket._read readStart
NET 26944: _read
TLS 26944: onhandshakestart
NET 26944: destroy null
NET 26944: destroy
NET 26944: close
NET 26944: close handle
NET 26944: destroy undefined
NET 26944: destroy
NET 26944: close
NET 26944: close handle
NET 26944: has server
NET 26944: SERVER _emitCloseIfDrained
NET 26944: SERVER handle? true connections? 0
NET 26944: emit close
NET 26944: emit close
...and here after the patch:
NET 31249: listen2 null 1337 4 0 undefined
NET 31249: _listen2: create a handle
NET 31249: bind to ::
NET 31249: onconnection
NET 31249: _read
NET 31249: Socket._read readStart
NET 31249: _read
TLS 31249: onhandshakestart
NET 31249: destroy Error: 140507750061888:error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher:../deps/openssl/openssl/ssl/s3_srvr.c:1418:
NET 31249: destroy
NET 31249: close
NET 31249: close handle
NET 31249: destroy undefined
NET 31249: destroy
NET 31249: close
NET 31249: close handle
NET 31249: has server
NET 31249: SERVER _emitCloseIfDrained
NET 31249: SERVER handle? true connections? 0
NET 31249: emit close
NET 31249: emit close
Now, just replacing self.destroy(self._tlsError(err))
with self.destroy(err)
there also fixes #8803 and same tests pass, but since self._tlsError
emits additional '_tlsError'
event which could be used in something not covered with tests, i opted for safer approach.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
_tlsError
is used for emitting tlsClientError
, which is in turn used in https
module to kill the request.
self.destroy(err); | ||
} else { | ||
self.destroy(self._tlsError(err)); | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Furthermore, _tlsError
returns null
if self._controlReleased === false
. I don't see how this particular change makes it behave differently.
Confused. I rebased my branch to upstream/master as per step 4 of contributing guide, but it doesn't feel right now. Should i rebase it back? |
@lekoder no it doesn't feel right. I think you might want to start clean and force push your individual changes here again. Usually you rebase when you get some LGTMs, before it's merged. |
4b4f028
to
68458e0
Compare
@mcollina I did just that. I would suggest adding this info to contributing guide, ie:
|
@lekoder rebasing is fine, you might have made a mistake in the process. Your commits needs to sit on top of upstream master. You should probably squash your commits into one. |
I'm LGTM for the streams point of view, but @indutny has the final say. |
68458e0
to
28af293
Compare
server: server | ||
}); | ||
|
||
s.on('error', common.mustCall(function(e) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this a case you fixing? Creating a socket manually for a server?
I had more time to think about it, and it looks like the patch is correct. Whilst reviewing things I have found that we have quite a funny possible infinite loop in Please reduce the branching code, and this PR will be good to go. Thank you! |
@indutny Removed branch as suggested. Also added tests to make sure that |
Removes branch that would make TLSSocket emit '_tlsError' event if error occured on handshake and controll was not released, as it was never happening. Addedd test for tls.Server to ensure it still emits 'tlsClientError' as expected. Makes tests conform to defined linting rules.
1c2a46c
to
d3027e8
Compare
@mcollina I did some testing of the whole rebasing problem i had with. Problem was caused by doing:
...and that ended up with pull request that contained not only my changes, but also all commits from
...or even better:
...which makes my |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. Sorry for delay!
Landed as c7bc9bc. |
Removes branch that would make TLSSocket emit '_tlsError' event if error occured on handshake and control was not released, as it was never happening. Addedd test for tls.Server to ensure it still emits 'tlsClientError' as expected. Fixes: #8803 PR-URL: #8805 Reviewed-By: Matteo Collina <[email protected]> Reviewed-By: Fedor Indutny <[email protected]>
Removes branch that would make TLSSocket emit '_tlsError' event if error occured on handshake and control was not released, as it was never happening. Addedd test for tls.Server to ensure it still emits 'tlsClientError' as expected. Fixes: #8803 PR-URL: #8805 Reviewed-By: Matteo Collina <[email protected]> Reviewed-By: Fedor Indutny <[email protected]>
Removes branch that would make TLSSocket emit '_tlsError' event if error occured on handshake and control was not released, as it was never happening. Addedd test for tls.Server to ensure it still emits 'tlsClientError' as expected. Fixes: #8803 PR-URL: #8805 Reviewed-By: Matteo Collina <[email protected]> Reviewed-By: Fedor Indutny <[email protected]>
when backporting to v4.x we get some failing tests
Would someone be willing to manually backport |
I'll take a look. |
Removes branch that would make TLSSocket emit '_tlsError' event if error occured on handshake and control was not released, as it was never happening. Added test for tls.Server to ensure it still emits 'tlsClientError' as expected. Note that 'tlsClientError' does not exist in the v4.x branch so this back-port emits 'clientError' instead. See also pull request nodejs#4557. Fixes: nodejs#8803 PR-URL: nodejs#8805 Refs: nodejs#4557 Reviewed-By: Matteo Collina <[email protected]> Reviewed-By: Fedor Indutny <[email protected]>
#9742 - 'tlsClientError' wasn't introduced until v6.x, it emits 'clientError' instead. |
Removes branch that would make TLSSocket emit '_tlsError' event if error occured on handshake and control was not released, as it was never happening. Added test for tls.Server to ensure it still emits 'tlsClientError' as expected. Note that 'tlsClientError' does not exist in the v4.x branch so this back-port emits 'clientError' instead. See also pull request #4557. Fixes: #8803 PR-URL: #8805 Refs: #4557 Reviewed-By: Matteo Collina <[email protected]> Reviewed-By: Fedor Indutny <[email protected]>
Removes branch that would make TLSSocket emit '_tlsError' event if error occured on handshake and control was not released, as it was never happening. Added test for tls.Server to ensure it still emits 'tlsClientError' as expected. Note that 'tlsClientError' does not exist in the v4.x branch so this back-port emits 'clientError' instead. See also pull request #4557. Fixes: #8803 PR-URL: #8805 Refs: #4557 Reviewed-By: Matteo Collina <[email protected]> Reviewed-By: Fedor Indutny <[email protected]>
Removes branch that would make TLSSocket emit '_tlsError' event if error occured on handshake and control was not released, as it was never happening. Added test for tls.Server to ensure it still emits 'tlsClientError' as expected. Note that 'tlsClientError' does not exist in the v4.x branch so this back-port emits 'clientError' instead. See also pull request #4557. Fixes: #8803 PR-URL: #8805 Refs: #4557 Reviewed-By: Matteo Collina <[email protected]> Reviewed-By: Fedor Indutny <[email protected]>
Removes branch that would make TLSSocket emit '_tlsError' event if error occured on handshake and control was not released, as it was never happening. Added test for tls.Server to ensure it still emits 'tlsClientError' as expected. Note that 'tlsClientError' does not exist in the v4.x branch so this back-port emits 'clientError' instead. See also pull request #4557. Fixes: #8803 PR-URL: #8805 Refs: #4557 Reviewed-By: Matteo Collina <[email protected]> Reviewed-By: Fedor Indutny <[email protected]>
Checklist
make -j8 test
(UNIX), orvcbuild test nosign
(Windows) passes *Affected core subsystem(s)
tls/ssl
Description of change
tls.TLSSocket
emits nowerror
event on handshake failure.Fixes #8803
Notes
upstream/master
does not passmake -j8 test
on time of this contribution - with unrelated errors. Tests related totls/ssl
and new test to highlight referenced issue pass.