Add the `sessionTimeout` integral value to the list of options
recognized by `tls.createServer`.
This option will be useful for applications which need frequently
establish short-lived TLS connections to the same endpoint. The TLS
tickets RFC is an ideal option to reduce the socket setup overhead
for such scenarios, but the default ticket timeout value (5
minutes) is too low to be useful.
Don't emit a 'connect' event on sockets that are handed off to
net.Server 'connection' event listeners.
1. It's superfluous because the connection has already been established
at that point.
2. The implementation is arguably wrong because the event is emitted on
the same tick of the event loop while the rule of thumb is to always
emit it on the next one.
This has been tried before in commit f0a440d but was reverted again in
ede1acc because the change was incomplete (at least one test hadn't
been updated).
Fixes#1047 (again).
Let ECONNRESET network errors bubble up so clients can detect them.
Commit c4454d2e suppressed and turned them into regular end-of-stream
events to fix the then-failing simple/test-regress-GH-1531 test. See
also issue #1571 for (scant) details.
It turns out that special handling is no longer necessary. Remove the
special casing and let the error bubble up naturally.
pummel/test-https-ci-reneg-attack and pummel/test-tls-ci-reneg-attack
are updated because they expected an EPIPE error code that is now an
ECONNRESET. Suppression of the ECONNRESET prevented the test from
detecting that the connection has been severed whereupon the next
write would fail with an EPIPE.
Fixes#1776.
Fix the following OOM error in pummel/test-net-connect-memleak
and pummel/test-tls-connect-memleak:
FATAL ERROR: CALL_AND_RETRY_0 Allocation failed - process out of
memory
Commit v8/v8@91afd39 increases the size of the deoptimization table
to the extent that a 64M float array pushes it over the brink. Switch
to SMIs so it stays below the limit.
pummel/test-net-connect-memleak is still failing albeit with a different
error this time. Needs further investigation.
=== release test-net-connect-memleak ===
Path: pummel/test-net-connect-memleak
-64 kB reclaimed
assert.js:102
throw new assert.AssertionError({
^
AssertionError: false == true
at done [as _onTimeout] (/home/bnoordhuis/src/nodejs/master/
test/pummel/test-net-connect-memleak.js:48:3)
at Timer.listOnTimeout [as ontimeout] (timers.js:110:15)
at process._makeCallback (node.js:306:20)
Update the tls and https tests to explicitly set rejectUnauthorized instead of
relying on the NODE_TLS_REJECT_UNAUTHORIZED environment variable getting set.
This commit changes the default value of the rejectUnauthorized option from
false to true.
What that means is that tls.connect(), https.get() and https.request() will
reject invalid server certificates from now on, including self-signed
certificates.
There is an escape hatch: if you set the NODE_TLS_REJECT_UNAUTHORIZED
environment variable to the literal string "0", node.js reverts to its
old behavior.
Fixes#3949.
pummel/test-net-throttle assumes that a couple of big write requests result in
some of them getting queued because the kernel's send buffer fills up.
Said assumption breaks on systems with large send buffers. Raise the size of
the write request to ameliorate the issue.
This is a back-port of commit 6770555 from the master branch.
The test relied on a peculiarity of process.nextTick() that was changed in
commit 4e5fe2d. Before that commit, each nextTick callback corresponded with
the event loop moving forward one tick. That's no longer the case.
pummel/test-net-throttle assumes that a couple of big write requests result in
some of them getting queued because the kernel's send buffer fills up.
Said assumption breaks on systems with large send buffers. Raise the size of
the write request to ameliorate the issue.
Before this commit, `fs.unwatchFile(path)` removed *all* listeners for `path`.
The function is overloaded now: `fs.unwatchFile(path)` still removes all
listeners, but `fs.unwatchFile(path, cb)` lets you remove a specific listener.
Fixes#3660.
Make CLIENT_RENEG_LIMIT inclusive instead of exclusive, i.e. a limit of 2
means the peer can renegotiate twice, not just once.
Update pummel/test-tls-ci-reneg-attack accordingly and make it less timing
sensitive (and run faster) while we're at it.
DH_size returns number of bytes in a prime number, DH_compute_key returns number
of bytes in a remainder of exponent, which may have less bytes than a prime
number. Therefore add 0-padding to the allocated buffer.
Fixes#3372
It wasn't waiting for the child process' stderr to close, so not an
assertion was made *before* all the data that the child process sent
was received by node.
Instead of allocating a new 64KB buffer each time when checking if there is
something to transform, continue to use the same buffer. Once the buffer is
exhausted, allocate a new buffer. This solves the problem of huge allocations
when small fragments of data are processed, but will also continue to work
well with big pieces of data.
Throw, don't abort. `new Buffer(0x3fffffff + 1)` used to bring down the process
with the following error message:
FATAL ERROR: v8::Object::SetIndexedPropertiesToExternalArrayData() length
exceeds max acceptable value
Fixes#2280.
The TLS protocol allows (and sometimes requires) clients to renegotiate the
session. However, renegotiation requires a disproportional amount of server-side
resources, particularly CPU time, which makes it a potential vector for
denial-of-service attacks.
To mitigate this issue, we keep track of and limit the number of renegotiation
requests over time, emitting an error if the threshold is exceeded.