-
Notifications
You must be signed in to change notification settings - Fork 29.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Emission of secure events changed across versions of node #29421
Comments
You aren't pinning the TLS version to a particular value, the 12.x at least should be doing TLS1.3, it wouldn't surprise me at all if it was different. Could you print out some info about the versions and cipher suites negotiated and see if that explains the differences you see? |
Good point, @sam-github!! I've checked which versions of TLS and ciphers were being used in each case, and both node v8.16.1 and node v10.16.3 were using TLSv1.2 and cipher
then the weird behaviour of node v12.8.1 in the SecurePair-write-true case disappears (it emits the My concerns remain the same, though. There are undocumented differences in the behaviour of the old (and deprecated) |
createSecurePair has been deprecated for a long, long time. I've personally never used it or tried to understand its purpose. I run into it in the tests and code and wish it could be deleted already, so I've very little to say about it specifically. I took a shot at documenting some of this, #10846, it got rejected. I might try again sometime, or I welcome a PR if you would like to take it up, feel free to steal any text from there as your own. Specifically, I tried to document the As far as TLS1.3 being noticably different - it is different, the ordering of messages across a TLS setup changed from 1.2, its a pretty major protocol change (despite that the minor just got bumped). While we might wish that was abstracted away, it couldn't be. Its possible to write code robust across 1.2 and 1.3, see the docs, but code making assumptions that (in retrospect) were only true for 1.2 is going to have to be updated. |
Thanks a lot for your time and effort, @sam-github!! createSecurePair was (and still is) the only way to implement a pure "TLS building block" that encrypts whatever is coming "from the left" and decrypts whatever comes "from the right". This building block can be connected to another "TCP building block", but also to a "file bulding block" or to any other. I know it might not be the most popular use of TLS, but for us at Devo (www.devo.com), it's quite crucial. I was currently getting rid of |
@tufosa I thought that was possible by using the TLSSocket constructor. It was certainly intended that way, despite the lack of docs. Instead of describing how they are different (the difference may be an annoyance, but isn't obviously a bug), could you provide a running sample of code that achieves something with socketpair that cannot be converted to use TLSSocket? If so, I think we either prematurely deprecated socketpair, or have a bug, missing feature, or missing docs on the TLSSocket. |
@sam-github, consider the following example (included as a separate working file here):
This example creates two simple TLS building blocks and connects them through their encrypted side. When I connect them, they share their credentials and try to complete the TLS handshake. When this is done, the This example will only successfully run using node 8, because if you use node 10 or 12, the Now, could this be replicated using |
OK, that's enough info for me to take a look at it, thanks. |
It seems to be a bit of discordance in the emission of the
secure
event across versions of node and also if you use the deprecatedcreateSecurePair
vsnew tls.TLSSocket
.Steps to reproduce
First, you'll need to clone this repo containing the sample code.
This program starts a
tls.Server
, and then two clients, one using the deprecatedcreateSecurePair
and the other usingtls.TLSSocket
. It just opens the connections and wait for the different events to trigger. Each event leaves a trace. It reproduces 2 cases per client (4 in total): one just opening the connection (write: false
) and the other opening the connection and immediately writing an empty string to the socket (write: true
). Therefore the 4 cases are:In order to reproduce the bug, run
node main.js
using different versions of nodejs and observe the differences in behaviour through the traces left by the program. It seems like both thesecure
andsecureConnection
events are emitted with different criteria depending on the version of node used.I undestand that
createSecurePair
is deprecated and therefore should not be used, but I believe that the new way of doing things (tls.TLSSocket
) should have the same behaviour as the oldcreateSecurePair
in order to make the transition easier. It seems reasonable to wait for thesecure
event before attempting to write anything. This is how the oldcreateSecurePair
behaved in node v8.16.1, but this behaviour has been changed in node 10 and node 12.Also the documented
secureConnect
event is never emitted. An undocumentedsecure
event is emitted instead. I see that this has been reported before (at least here and here), but the docs haven't been fixed.node v8.16.1
The only case not emitting any event is TLSSocket-write-false.
node v10.16.3
All write-false cases fail (as in do not emit events) and all write-true cases
pass.
node v12.8.1
All write-false cases fail and the write-true cases behave slightly different,
as one of them (SecurePair-write-true) never emit the
secureConnection
event.The text was updated successfully, but these errors were encountered: