tls: do not crash on STARTTLS when OCSP requested #10706
Conversation
`TLSSocket` should not have a hard dependency on `tls.Server`, since it may be running without it in cases like `STARTTLS`. Fix: nodejs#10704
nodejs-github-bot
added
tls
|
cc @nodejs/crypto |
|
cc @nodejs/collaborators |
|
this looks like semver-patch but just to be safe, is there any possibility that this could break anything? (I highly doubt it but given the removal of the requirement there's always a slight possibility) |
| }), | ||
|
|
||
| SNICallback: common.mustCall((hostname, callback) => { | ||
| assert.equal(hostname, 'test.test'); |
There was a problem hiding this comment.
Can you change this to assert.strictEqual().
There was a problem hiding this comment.
Fixed, and removed that console.log() below.
|
@jasnell no possibility, everything that hit that code path was broken until this patch |
| }; | ||
|
|
||
| const client = tls.connect(opts, function() { | ||
| client.end(); |
There was a problem hiding this comment.
can just use this, and delete the const client =
| return; | ||
| } | ||
|
|
||
| const assert = require('assert'); |
| SNICallback: common.mustCall((hostname, callback) => { | ||
| assert.deepEqual(hostname, 'test.test'); | ||
|
|
||
| callback(null, null); |
There was a problem hiding this comment.
SNICallback should invoke cb(null, ctx), where ctx is a SecureContext instance.
Is (null, null) valid? Should it be valid?
There was a problem hiding this comment.
Yes, it is valid and it should be valid.
| @@ -0,0 +1,49 @@ | |||
| 'use strict'; | |||
| const common = require('../common'); | |||
|
|
|||
There was a problem hiding this comment.
https://github.com/nodejs/node/blob/master/doc/guides/writing-tests.md#test-structure
A test should start with a comment containing a brief description of what it is designed to test.
lib/_tls_wrap.js
Outdated
| @@ -114,6 +114,12 @@ function requestOCSP(self, hello, ctx, cb) { | |||
|
|
|||
| if (!ctx) | |||
| ctx = self.server._sharedCreds; | |||
|
|
|||
| // Running on non-TLS server | |||
There was a problem hiding this comment.
This comment confused me when I read it, and I only understood when reading the unit test and PR history. Can I suggest:
TLS socket is using a net.Server, instead of a tls.TLSServer, so some TLS properties will not be present.
There was a problem hiding this comment.
Agreed this comment is rather cryptic.
|
Do you have any information on when this will be merged and released? |
|
@nodejs/crypto a review from one of you is required, I believe. |
lib/_tls_wrap.js
Outdated
| @@ -114,6 +114,12 @@ function requestOCSP(self, hello, ctx, cb) { | |||
|
|
|||
| if (!ctx) | |||
| ctx = self.server._sharedCreds; | |||
|
|
|||
| // Running on non-TLS server | |||
There was a problem hiding this comment.
Agreed this comment is rather cryptic.
|
Is it possible to catch this crash as an exception? I didn't succeed so far. This would be a good workaround until this is packaged. |
|
Pushed the fix to the comment, PTAL. Landing if the wording is fine. |
lib/_tls_wrap.js
Outdated
| @@ -115,7 +115,8 @@ function requestOCSP(self, hello, ctx, cb) { | |||
| if (!ctx) | |||
| ctx = self.server._sharedCreds; | |||
|
|
|||
| // Running on non-TLS server | |||
| // TLS socket is using a `net.Server` instead of a tls.TLSServer. | |||
| // Some TLS properties will not be present. | |||
There was a problem hiding this comment.
Consider giving one or two examples of properties that won't be there.
|
@bnoordhuis ACK |
|
hello, sorry for asking this but I'd like to know if there is any planning on merging+packaging this PR. Thanks. |
|
@webertrlz Yes, this should land assuming that CI comes back good. |
|
Landed in a1802e6 |
|
Won't show up packaged until the next 7.x release, which will be a couple weeks at least. |
|
The post above means that it won't go packaged for 6.XX LTS? |
|
@webertrlz The rules are that changes first have to live an a Current release for two weeks before they are applied to the LTS branches. This change will almost certainly be available in the next one or two v6.x releases, and probably v4.x as well. |
|
@addaleax understood! Thanks! |
Checklist
make -j4 test(UNIX), orvcbuild test(Windows) passesAffected core subsystem(s)
tls
TLSSocketshould not have a hard dependency ontls.Server, since itmay be running without it in cases like
STARTTLS.Fix: #10704