From 0ad005852c7bd7e896c9c94ae5284493aa35cb83 Mon Sep 17 00:00:00 2001 From: Ben Noordhuis Date: Mon, 8 Oct 2012 01:22:44 +0200 Subject: [PATCH] https: fix renegotation attack protection Listen for the 'clientError' event that is emitted when a renegotation attack is detected and close the connection. Fixes test/pummel/test-https-ci-reneg-attack.js --- doc/api/http.markdown | 5 ++++- doc/api/tls.markdown | 4 +++- lib/http.js | 6 +++++- lib/https.js | 4 ++++ lib/tls.js | 2 +- 5 files changed, 17 insertions(+), 4 deletions(-) diff --git a/doc/api/http.markdown b/doc/api/http.markdown index bcc1111d46..61121166ed 100644 --- a/doc/api/http.markdown +++ b/doc/api/http.markdown @@ -127,10 +127,13 @@ sent to the server on that socket. ### Event: 'clientError' -`function (exception) { }` +`function (exception, socket) { }` If a client connection emits an 'error' event - it will forwarded here. +`socket` is the `net.Socket` object that the error originated from. + + ### server.listen(port, [hostname], [backlog], [callback]) Begin accepting connections on the specified port and hostname. If the diff --git a/doc/api/tls.markdown b/doc/api/tls.markdown index 4d8b7f1dae..d8392ed24e 100644 --- a/doc/api/tls.markdown +++ b/doc/api/tls.markdown @@ -367,11 +367,13 @@ SNI. ### Event: 'clientError' -`function (exception) { }` +`function (exception, securePair) { }` When a client connection emits an 'error' event before secure connection is established - it will be forwarded here. +`securePair` is the `tls.SecurePair` that the error originated from. + ### Event: 'newSession' diff --git a/lib/http.js b/lib/http.js index 5f4d842b92..4aa8f5cb40 100644 --- a/lib/http.js +++ b/lib/http.js @@ -1647,6 +1647,10 @@ function Server(requestListener) { this.httpAllowHalfOpen = false; this.addListener('connection', connectionListener); + + this.addListener('clientError', function(err, conn) { + conn.destroy(err); + }); } util.inherits(Server, net.Server); @@ -1705,7 +1709,7 @@ function connectionListener(socket) { } socket.addListener('error', function(e) { - self.emit('clientError', e); + self.emit('clientError', e, this); }); socket.ondata = function(d, start, end) { diff --git a/lib/https.js b/lib/https.js index bc4e8eeea0..0ed653c065 100644 --- a/lib/https.js +++ b/lib/https.js @@ -39,6 +39,10 @@ function Server(opts, requestListener) { if (requestListener) { this.addListener('request', requestListener); } + + this.addListener('clientError', function(err, conn) { + conn.destroy(err); + }); } inherits(Server, tls.Server); diff --git a/lib/tls.js b/lib/tls.js index 7a37b24531..1fe4f78999 100644 --- a/lib/tls.js +++ b/lib/tls.js @@ -1155,7 +1155,7 @@ function Server(/* [options], listener */) { } }); pair.on('error', function(err) { - self.emit('clientError', err); + self.emit('clientError', err, this); }); });