test/document TLS authentication, then add support for TRUSTED CERTIFICATE pem headers #24733
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
addaleax
approved these changes
Nov 30, 2018
|
|
||
| const { | ||
| assert, connect, keys | ||
| } = require(fixtures.path('tls-connect')); |
There was a problem hiding this comment.
Should this module maybe rather be in test/common/?
There was a problem hiding this comment.
I don't know. It predates test/common, AFAICT, but perhaps it should have been moved there when test/common was created? Moving it would be a good code-n-learn activity.
sam-github
force-pushed
the
test-client-auth
branch
from
479d168
to
2934a3d
Compare
sam-github
added
the
semver-minor
sam-github
force-pushed
the
test-client-auth
branch
from
2934a3d
to
4b48cf9
Compare
sam-github
changed the title
sam-github
force-pushed
the
test-client-auth
branch
2 times, most recently
from
3674751
to
61380b3
Compare
|
While I was doing some support yesterday for people banging their head against node's tls, I found that node wasn't working with "TRUSTED CERATIFICATE", and @bnoordhuis pointed me towards the root cause. I pushed the fix onto this PR so I can use the tests to prove it did not used to work, and now it does. is what openssl's-CAfile option eventually leads to, so I believe calling PEM_read_bio_X509_AUX() is the right thing for Node.js to do as well.
@addaleax @bnoordhuis PTAL |
|
Travis failed to find the first commit, as it often does. |
|
Resume Build CI: https://ci.nodejs.org/job/node-test-pull-request/19129/ |
bnoordhuis
approved these changes
Dec 2, 2018
| ca: client.ca, | ||
| requestCert: true, | ||
| }, | ||
| }, function(err, pair, cleanup) { |
There was a problem hiding this comment.
Wrap in common.mustCall(...) here and below?
There was a problem hiding this comment.
The common connect() function does that already.
|
The linux failures look unrelated but the windows failures do. As to why the connection is being established when it shouldn't, I have no idea. |
sam-github
force-pushed
the
test-client-auth
branch
from
61380b3
to
a75dd8e
Compare
|
Resume CI (scheduled): https://ci.nodejs.org/job/node-test-pull-request/19190/ |
|
Windows failures on CI are relevant: 03:11:38 not ok 456 parallel/test-tls-client-auth
03:11:38 ---
03:11:38 duration_ms: 0.239
03:11:38 severity: fail
03:11:38 exitcode: 1
03:11:38 stack: |-
03:11:38 c:\workspace\node-test-binary-windows\test\parallel\test-tls-client-auth.js:152
03:11:38 assert.strictEqual(err.code, 'UNABLE_TO_VERIFY_LEAF_SIGNATURE');
03:11:38 ^
03:11:38
03:11:38 TypeError: Cannot read property 'code' of undefined
03:11:38 at c:\workspace\node-test-binary-windows\test\parallel\test-tls-client-auth.js:152:26
03:11:38 at c:\workspace\node-test-binary-windows\test\common\index.js:346:15
03:11:38 at maybeCallback (c:\workspace\node-test-binary-windows\test\fixtures\tls-connect.js:97:7)
03:11:38 at TLSSocket.<anonymous> (c:\workspace\node-test-binary-windows\test\fixtures\tls-connect.js:68:13)
03:11:38 at TLSSocket.emit (events.js:189:13)
03:11:38 at TLSSocket.onConnectSecure (_tls_wrap.js:1168:10)
03:11:38 at TLSSocket.emit (events.js:189:13)
03:11:38 at TLSSocket._finishInit (_tls_wrap.js:629:8)
03:11:38 ... |
This was referenced Dec 5, 2018
sam-github
force-pushed
the
test-client-auth
branch
2 times, most recently
from
f838013
to
62e0408
Compare
|
Ah, Windows CRLF... I do not love thee. |
|
linux failures: https://ci.nodejs.org/job/node-test-commit-linux/23842/ Look like exit code test failures, not related to TLS. re-ci: https://ci.nodejs.org/job/node-test-commit-linux/23845/ |
|
more aix & linux exit code and CLI syntax failures, retry: https://ci.nodejs.org/job/node-test-commit/24172/ |
|
The only failures were test-cli-syntax.js, which is flaky. I'm re-running ci, but I think this is landable. |
|
Landed in 83ec33b...2e4a163 |
sam-github
added a commit
that referenced
this pull request
Dec 11, 2018
TLS client authentication should be tested, including failure scenarios. PR-URL: #24733 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
BethGriggs
pushed a commit
that referenced
this pull request
Dec 17, 2018
TLS client authentication should be tested, including failure scenarios. PR-URL: #24733 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Merged
BethGriggs
added a commit
that referenced
this pull request
Dec 18, 2018
Notable changes:
* **test**:
* test TLS client authentication (Sam Roberts)
[#24733](#24733)
* **tls**:
* support "BEGIN TRUSTED CERTIFICATE" for ca: (Sam Roberts)
[#24733](#24733)
* **tools**:
* update ESLint to 5.10.0 (cjihrig)
[#24903](#24903)
* **util**:
* add inspection getter option (Ruben Bridgewater)
[#24852](#24852)
PR-URL: #25102
MylesBorins
pushed a commit
that referenced
this pull request
Dec 18, 2018
Notable changes:
* **test**:
* test TLS client authentication (Sam Roberts)
[#24733](#24733)
* **tls**:
* support "BEGIN TRUSTED CERTIFICATE" for ca: (Sam Roberts)
[#24733](#24733)
* **tools**:
* update ESLint to 5.10.0 (cjihrig)
[#24903](#24903)
* **util**:
* add inspection getter option (Ruben Bridgewater)
[#24852](#24852)
PR-URL: #25102
BethGriggs
added a commit
that referenced
this pull request
Dec 18, 2018
BethGriggs
added a commit
that referenced
this pull request
Dec 18, 2018
refack
pushed a commit
to refack/node
that referenced
this pull request
Jan 14, 2019
TLS client authentication should be tested, including failure scenarios. PR-URL: nodejs#24733 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
refack
pushed a commit
to refack/node
that referenced
this pull request
Jan 14, 2019
Support the same PEM certificate formats for the ca: option to tls.createSecureContext() that are supported by openssl when loading a CAfile. Fixes: nodejs#24761 PR-URL: nodejs#24733 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
refack
pushed a commit
to refack/node
that referenced
this pull request
Jan 14, 2019
Notable changes:
* **tls**:
* support "BEGIN TRUSTED CERTIFICATE" for ca: (Sam Roberts)
[nodejs#24733](nodejs#24733)
* **util**:
* add inspection getter option (Ruben Bridgewater)
[nodejs#24852](nodejs#24852)
PR-URL: nodejs#25102
BethGriggs
pushed a commit
that referenced
this pull request
Apr 17, 2019
TLS client authentication should be tested, including failure scenarios. PR-URL: #24733 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
BethGriggs
pushed a commit
that referenced
this pull request
Apr 28, 2019
TLS client authentication should be tested, including failure scenarios. PR-URL: #24733 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
sam-github
added a commit
to sam-github/node
that referenced
this pull request
Apr 29, 2019
Support the same PEM certificate formats for the ca: option to tls.createSecureContext() that are supported by openssl when loading a CAfile. Fixes: nodejs#24761 PR-URL: nodejs#24733 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Merged
MylesBorins
pushed a commit
that referenced
this pull request
May 16, 2019
TLS client authentication should be tested, including failure scenarios. PR-URL: #24733 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
This was referenced May 29, 2019
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
TLS client authentication should be tested, including failure scenarios.
There were tests for a couple success scenarios as side-effects of testing other things, but little coverage for the various ways intermediate and root CAs can be configured.
Support the same PEM certificate formats for the ca: option to
tls.createSecureContext() that are supported by openssl when loading a
CAfile.
Checklist
make -j4 test(UNIX), orvcbuild test(Windows) passes