TLS/SSL: tls.TLSSocket emits error event on handshake failure #8805
Conversation
| @@ -0,0 +1,31 @@ | |||
| 'use strict'; | |||
| var common = require('../common'); | |||
| return; | ||
| } | ||
| var tls = require('tls'); | ||
| var net = require('net'); |
|
Couple of nits. /cc @nodejs/streams for review |
|
/cc @indutny ? |
| server: server | ||
| }); | ||
|
|
||
| s.on('error', common.mustCall(function() {})); |
There was a problem hiding this comment.
Is there any validation you can add to the error?
There was a problem hiding this comment.
@cjihrig quite right, added basic validation.
| server.close(); | ||
| s.destroy(); | ||
| }); | ||
| }), 200); |
There was a problem hiding this comment.
this must be common.platformTimeout based.
| var bonkers = Buffer.alloc(1024, 42); | ||
|
|
||
| var server = net.createServer(common.mustCall(function(c) { | ||
| setTimeout(common.mustCall(function() { |
There was a problem hiding this comment.
we don't need common.mustCall here, but it does not hurt either. Any other opinions?
|
|
||
| var bonkers = Buffer.alloc(1024, 42); | ||
|
|
||
| var server = net.createServer(common.mustCall(function(c) { |
| var tls = require('tls'); | ||
| var net = require('net'); | ||
|
|
||
| var bonkers = Buffer.alloc(1024, 42); |
| self.destroy(err); | ||
| } else { | ||
| self.destroy(self._tlsError(err)); | ||
| } |
There was a problem hiding this comment.
it is not clear why this change fix the described issue. Can you please add a comment describing why?
There was a problem hiding this comment.
Furthermore, _tlsError returns null if self._controlReleased === false. I don't see how this particular change makes it behave differently.
There was a problem hiding this comment.
@mcollina @indutny self._tlsError returning null is exactly what i am addressing here. When handshake fails and ssl.onerror is called control is not released yet, so self.destroy is called with null, and error event is not fired in destroy.
Here is debug output from upstream:
NET 26944: listen2 null 1337 4 false undefined
NET 26944: _listen2: create a handle
NET 26944: bind to ::
NET 26944: onconnection
NET 26944: _read
NET 26944: Socket._read readStart
NET 26944: _read
TLS 26944: onhandshakestart
NET 26944: destroy null
NET 26944: destroy
NET 26944: close
NET 26944: close handle
NET 26944: destroy undefined
NET 26944: destroy
NET 26944: close
NET 26944: close handle
NET 26944: has server
NET 26944: SERVER _emitCloseIfDrained
NET 26944: SERVER handle? true connections? 0
NET 26944: emit close
NET 26944: emit close
...and here after the patch:
NET 31249: listen2 null 1337 4 0 undefined
NET 31249: _listen2: create a handle
NET 31249: bind to ::
NET 31249: onconnection
NET 31249: _read
NET 31249: Socket._read readStart
NET 31249: _read
TLS 31249: onhandshakestart
NET 31249: destroy Error: 140507750061888:error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher:../deps/openssl/openssl/ssl/s3_srvr.c:1418:
NET 31249: destroy
NET 31249: close
NET 31249: close handle
NET 31249: destroy undefined
NET 31249: destroy
NET 31249: close
NET 31249: close handle
NET 31249: has server
NET 31249: SERVER _emitCloseIfDrained
NET 31249: SERVER handle? true connections? 0
NET 31249: emit close
NET 31249: emit close
Now, just replacing self.destroy(self._tlsError(err)) with self.destroy(err) there also fixes #8803 and same tests pass, but since self._tlsError emits additional '_tlsError' event which could be used in something not covered with tests, i opted for safer approach.
There was a problem hiding this comment.
_tlsError is used for emitting tlsClientError, which is in turn used in https module to kill the request.
| self.destroy(err); | ||
| } else { | ||
| self.destroy(self._tlsError(err)); | ||
| } |
There was a problem hiding this comment.
Furthermore, _tlsError returns null if self._controlReleased === false. I don't see how this particular change makes it behave differently.
|
Confused. I rebased my branch to upstream/master as per step 4 of contributing guide, but it doesn't feel right now. Should i rebase it back? |
|
@lekoder no it doesn't feel right. I think you might want to start clean and force push your individual changes here again. Usually you rebase when you get some LGTMs, before it's merged. |
lekoder
force-pushed
the
tls-socket-emit-clienterror
branch
from
4b4f028
to
68458e0
Compare
|
@mcollina I did just that. I would suggest adding this info to contributing guide, ie:
|
|
@lekoder rebasing is fine, you might have made a mistake in the process. Your commits needs to sit on top of upstream master. You should probably squash your commits into one. |
|
I'm LGTM for the streams point of view, but @indutny has the final say. |
lekoder
force-pushed
the
tls-socket-emit-clienterror
branch
from
68458e0
to
28af293
Compare
| server: server | ||
| }); | ||
|
|
||
| s.on('error', common.mustCall(function(e) { |
There was a problem hiding this comment.
Is this a case you fixing? Creating a socket manually for a server?
|
I had more time to think about it, and it looks like the patch is correct. Whilst reviewing things I have found that we have quite a funny possible infinite loop in Please reduce the branching code, and this PR will be good to go. Thank you! |
|
@indutny Removed branch as suggested. Also added tests to make sure that |
Removes branch that would make TLSSocket emit '_tlsError' event if error occured on handshake and controll was not released, as it was never happening. Addedd test for tls.Server to ensure it still emits 'tlsClientError' as expected. Makes tests conform to defined linting rules.
lekoder
force-pushed
the
tls-socket-emit-clienterror
branch
from
1c2a46c
to
d3027e8
Compare
|
@mcollina I did some testing of the whole rebasing problem i had with. Problem was caused by doing: ...and that ended up with pull request that contained not only my changes, but also all commits from ...or even better: ...which makes my |
|
Landed as c7bc9bc. |
Removes branch that would make TLSSocket emit '_tlsError' event if error occured on handshake and control was not released, as it was never happening. Addedd test for tls.Server to ensure it still emits 'tlsClientError' as expected. Fixes: #8803 PR-URL: #8805 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Fedor Indutny <fedor@indutny.com>
Removes branch that would make TLSSocket emit '_tlsError' event if error occured on handshake and control was not released, as it was never happening. Addedd test for tls.Server to ensure it still emits 'tlsClientError' as expected. Fixes: #8803 PR-URL: #8805 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Fedor Indutny <fedor@indutny.com>
Removes branch that would make TLSSocket emit '_tlsError' event if error occured on handshake and control was not released, as it was never happening. Addedd test for tls.Server to ensure it still emits 'tlsClientError' as expected. Fixes: #8803 PR-URL: #8805 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Fedor Indutny <fedor@indutny.com>
|
when backporting to v4.x we get some failing tests Would someone be willing to manually backport |
|
I'll take a look. |
Removes branch that would make TLSSocket emit '_tlsError' event if error occured on handshake and control was not released, as it was never happening. Added test for tls.Server to ensure it still emits 'tlsClientError' as expected. Note that 'tlsClientError' does not exist in the v4.x branch so this back-port emits 'clientError' instead. See also pull request nodejs#4557. Fixes: nodejs#8803 PR-URL: nodejs#8805 Refs: nodejs#4557 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Fedor Indutny <fedor@indutny.com>
|
#9742 - 'tlsClientError' wasn't introduced until v6.x, it emits 'clientError' instead. |
Removes branch that would make TLSSocket emit '_tlsError' event if error occured on handshake and control was not released, as it was never happening. Added test for tls.Server to ensure it still emits 'tlsClientError' as expected. Note that 'tlsClientError' does not exist in the v4.x branch so this back-port emits 'clientError' instead. See also pull request #4557. Fixes: #8803 PR-URL: #8805 Refs: #4557 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Fedor Indutny <fedor@indutny.com>
Removes branch that would make TLSSocket emit '_tlsError' event if error occured on handshake and control was not released, as it was never happening. Added test for tls.Server to ensure it still emits 'tlsClientError' as expected. Note that 'tlsClientError' does not exist in the v4.x branch so this back-port emits 'clientError' instead. See also pull request #4557. Fixes: #8803 PR-URL: #8805 Refs: #4557 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Fedor Indutny <fedor@indutny.com>
Removes branch that would make TLSSocket emit '_tlsError' event if error occured on handshake and control was not released, as it was never happening. Added test for tls.Server to ensure it still emits 'tlsClientError' as expected. Note that 'tlsClientError' does not exist in the v4.x branch so this back-port emits 'clientError' instead. See also pull request #4557. Fixes: #8803 PR-URL: #8805 Refs: #4557 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Fedor Indutny <fedor@indutny.com>
Removes branch that would make TLSSocket emit '_tlsError' event if error occured on handshake and control was not released, as it was never happening. Added test for tls.Server to ensure it still emits 'tlsClientError' as expected. Note that 'tlsClientError' does not exist in the v4.x branch so this back-port emits 'clientError' instead. See also pull request #4557. Fixes: #8803 PR-URL: #8805 Refs: #4557 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Fedor Indutny <fedor@indutny.com>
Checklist
make -j8 test(UNIX), orvcbuild test nosign(Windows) passes *Affected core subsystem(s)
tls/sslDescription of change
tls.TLSSocketemits nowerrorevent on handshake failure.Fixes #8803
Notes
upstream/masterdoes not passmake -j8 teston time of this contribution - with unrelated errors. Tests related totls/ssland new test to highlight referenced issue pass.