
tls: do not crash on STARTTLS when OCSP requested

`TLSSocket` should not have a hard dependency on `tls.Server`, since it
may be running without it in cases like `STARTTLS`.

Fix: #10704
PR-URL: https://github.com/nodejs/node/pull/10706
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Fedor Indutny 8 years ago
committed by Myles Borins
  1. 7
      lib/_tls_wrap.js
  2. 53
      test/parallel/test-tls-starttls-server.js

7
lib/_tls_wrap.js

@ -114,6 +114,13 @@ function requestOCSP(self, hello, ctx, cb) {
if (!ctx)
ctx = self.server._sharedCreds;
// TLS socket is using a `net.Server` instead of a tls.TLSServer.
// Some TLS properties like `server._sharedCreds` will not be present
if (!ctx)
return cb(null);
// TODO(indutny): eventually disallow raw `SecureContext`
if (ctx.context)
ctx = ctx.context;
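Review bot: The added guard only covers a `server` that lacks `_sharedCreds`; the preceding line `ctx = self.server._sharedCreds;` still dereferences `self.server` unconditionally, so a server-side `TLSSocket` constructed with no `server` option at all would throw a TypeError here if that configuration is reachable on this branch — worth confirming. If it is, the fallback should read `ctx = self.server && self.server._sharedCreds;` so the new `if (!ctx) return cb(null);` catches that case as well. Returning `cb(null)` silently disables OCSP stapling for such sockets, which is the intended degradation but easy to miss when debugging a client that asked for a stapled response; a `debug('no secure context for OCSP, skipping')` before the return would help. The new comment says `tls.TLSServer`, but the exported class is `tls.Server`. `requestOCSP` continues outside the hunk.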

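--- /dev/null
+++ b/test/parallel/test-tls-starttls-server.js
@@ -0,0 +1,53 @@
+'use strict';
+// Test asynchronous SNI+OCSP on TLSSocket created with `server` set to
+// `net.Server` instead of `tls.Server`
+const common = require('../common');
+if (!common.hasCrypto) {
+common.skip('missing crypto');
+return;
+}
+const assert = require('assert');
+const fs = require('fs');
+const net = require('net');
+const tls = require('tls');
+const key = fs.readFileSync(common.fixturesDir + '/keys/agent1-key.pem');
+const cert = fs.readFileSync(common.fixturesDir + '/keys/agent1-cert.pem');
+const server = net.createServer(common.mustCall((s) => {
+const tlsSocket = new tls.TLSSocket(s, {
+isServer: true,
+server: server,
+secureContext: tls.createSecureContext({
+key: key,
+cert: cert
+}),
+SNICallback: common.mustCall((hostname, callback) => {
+assert.strictEqual(hostname, 'test.test');
+callback(null, null);
+})
+});
+tlsSocket.on('secure', common.mustCall(() => {
+tlsSocket.end();
+server.close();
+}));
+})).listen(0, () => {
+const opts = {
+servername: 'test.test',
+port: server.address().port,
+rejectUnauthorized: false,
+requestOCSP: true
+};
+tls.connect(opts, function() {
+this.end();
+});
+});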
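Review bot: The regression reaches the new guard in `requestOCSP` only because `SNICallback` hands back a `null` context on the line `callback(null, null)`, and nothing in the test says so; a comment such as `// Return no context so requestOCSP falls back to server._sharedCreds, which net.Server lacks` would make the intent of that line explicit for whoever next touches the fixture. The test proves the handshake completes via `mustCall` on `'secure'` but asserts nothing about what the client observed; attaching `common.mustNotCall()` to the client socket's `'OCSPResponse'` event would pin the expected outcome (no stapled response), assuming that event fires only when a response is actually present. If a server-side `TLSSocket` with the `server` option omitted entirely is also a supported STARTTLS shape, a second server exercising that case would close the remaining gap. Minor style: the `tls.connect` callback uses `function() { this.end(); }` for `this`; `const client = tls.connect(opts, () => client.end());` matches the arrow style used in the rest of the file.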