refactor: use tls.connect instead of using tls.TLSSocket directly

arthurschreiber · arthurschreiber · commit 23e5bcd1da8c · 2018-07-20T09:54:25.000+02:00
This ensures we actually always perform a proper tls connection setup - 
and that errors are handled correctly.
diff --git a/src/message-io.js b/src/message-io.js
@@ -59,6 +59,8 @@ module.exports = class MessageIO extends EventEmitter {
     this._packetSize = _packetSize;
     this.debug = debug;
 
+    this.tlsNegotiationComplete = false;
+
     this.packetStream = new ReadablePacketStream();
     this.packetStream.on('data', (packet) => {
       this.logPacket('Received', packet);
@@ -84,47 +86,36 @@ module.exports = class MessageIO extends EventEmitter {
   startTls(credentialsDetails, hostname, trustServerCertificate) {
     const credentials = tls.createSecureContext ? tls.createSecureContext(credentialsDetails) : crypto.createCredentials(credentialsDetails);
 
-    this.securePair = this.createSecurePair(credentials);
-    this.tlsNegotiationComplete = false;
-
-    this.securePair.cleartext.on('secure', () => {
-      const cipher = this.securePair.cleartext.getCipher();
-
-      if (!trustServerCertificate) {
-        let verifyError = this.securePair.ssl.verifyError();
-
-        // Verify that server's identity matches it's certificate's names
-        if (!verifyError) {
-          verifyError = tls.checkServerIdentity(hostname, this.securePair.cleartext.getPeerCertificate());
-        }
+    const duplexpair = new DuplexPair();
+    const securePair = this.securePair = {
+      cleartext: tls.connect({
+        socket: duplexpair.socket1,
+        secureContext: credentials,
+        rejectUnauthorized: !trustServerCertificate
+      }),
+      encrypted: duplexpair.socket2
+    };
 
-        if (verifyError) {
-          this.securePair.destroy();
-          this.socket.destroy(verifyError);
-          return;
-        }
+    // If an error happens in the TLS layer, there is nothing we can do about it.
+    // Forward the error to the socket so the connection gets properly cleaned up.
+    securePair.cleartext.on('error', (err) => {
+      // Streams in node.js versions before 8.0.0 don't support `.destroy`
+      if (typeof securePair.encrypted.destroy === 'function') {
+        securePair.encrypted.destroy();
       }
+      this.socket.destroy(err);
+    });
 
+    securePair.cleartext.on('secureConnect', () => {
+      const cipher = securePair.cleartext.getCipher();
       this.debug.log('TLS negotiated (' + cipher.name + ', ' + cipher.version + ')');
-      this.emit('secure', this.securePair.cleartext);
+      this.emit('secure', securePair.cleartext);
       this.encryptAllFutureTraffic();
     });
 
-    this.securePair.encrypted.on('data', (data) => {
+    securePair.encrypted.on('data', (data) => {
       this.sendMessage(TYPE.PRELOGIN, data);
     });
-
-    // If an error happens in the TLS layer, there is nothing we can do about it.
-    // Forward the error to the socket so the connection gets properly cleaned up.
-    this.securePair.cleartext.on('error', (err) => {
-      this.socket.destroy(err);
-    });
-
-    // On Node >= 0.12, the encrypted stream automatically starts spewing out
-    // data once we attach a `data` listener. But on Node <= 0.10.x, this is not
-    // the case. We need to kick the cleartext stream once to get the
-    // encrypted end of the secure pair to emit the TLS handshake data.
-    this.securePair.cleartext.write('');
   }
 
   encryptAllFutureTraffic() {
@@ -195,15 +186,4 @@ module.exports = class MessageIO extends EventEmitter {
   resume() {
     this.packetStream.resume();
   }
-
-  createSecurePair(credentials) {
-    const duplexpair = new DuplexPair();
-    return {
-      cleartext: new tls.TLSSocket(duplexpair.socket1, {
-        secureContext: credentials,
-        rejectUnauthorized: false
-      }),
-      encrypted: duplexpair.socket2
-    };
-  }
 };
