TLS/SSL: tls.TLSSocket emits error event on handshake failure#8805
Uh oh!
There was an error while loading. Please reload this page.
Conversation
jasnell commented Sep 27, 2016
Couple of nits. /cc @nodejs/streams for review |
mscdex commented Sep 27, 2016
/cc @indutny ? |
There was a problem hiding this comment.
Is there any validation you can add to the error?
There was a problem hiding this comment.
@cjihrig quite right, added basic validation.
There was a problem hiding this comment.
this must be common.platformTimeout based.
There was a problem hiding this comment.
we don't need common.mustCall here, but it does not hurt either. Any other opinions?
lib/_tls_wrap.js Outdated
There was a problem hiding this comment.
it is not clear why this change fix the described issue. Can you please add a comment describing why?
There was a problem hiding this comment.
Furthermore, _tlsError returns null if self._controlReleased === false. I don't see how this particular change makes it behave differently.
There was a problem hiding this comment.
@mcollina@indutnyself._tlsError returning null is exactly what i am addressing here. When handshake fails and ssl.onerror is called control is not released yet, so self.destroy is called with null, and error event is not fired in destroy.
Here is debug output from upstream:
NET 26944: listen2 null 1337 4 false undefined NET 26944: _listen2: create a handle NET 26944: bind to :: NET 26944: onconnection NET 26944: _read NET 26944: Socket._read readStart NET 26944: _read TLS 26944: onhandshakestart NET 26944: destroy null NET 26944: destroy NET 26944: close NET 26944: close handle NET 26944: destroy undefined NET 26944: destroy NET 26944: close NET 26944: close handle NET 26944: has server NET 26944: SERVER _emitCloseIfDrained NET 26944: SERVER handle? true connections? 0 NET 26944: emit close NET 26944: emit close ...and here after the patch:
NET 31249: listen2 null 1337 4 0 undefined NET 31249: _listen2: create a handle NET 31249: bind to :: NET 31249: onconnection NET 31249: _read NET 31249: Socket._read readStart NET 31249: _read TLS 31249: onhandshakestart NET 31249: destroy Error: 140507750061888:error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher:../deps/openssl/openssl/ssl/s3_srvr.c:1418: NET 31249: destroy NET 31249: close NET 31249: close handle NET 31249: destroy undefined NET 31249: destroy NET 31249: close NET 31249: close handle NET 31249: has server NET 31249: SERVER _emitCloseIfDrained NET 31249: SERVER handle? true connections? 0 NET 31249: emit close NET 31249: emit close Now, just replacing self.destroy(self._tlsError(err)) with self.destroy(err) there also fixes #8803 and same tests pass, but since self._tlsError emits additional '_tlsError' event which could be used in something not covered with tests, i opted for safer approach.
There was a problem hiding this comment.
_tlsError is used for emitting tlsClientError, which is in turn used in https module to kill the request.
lib/_tls_wrap.js Outdated
There was a problem hiding this comment.
Furthermore, _tlsError returns null if self._controlReleased === false. I don't see how this particular change makes it behave differently.
lekoder commented Sep 28, 2016
Confused. I rebased my branch to upstream/master as per step 4 of contributing guide, but it doesn't feel right now. Should i rebase it back? |
mcollina commented Sep 29, 2016
@lekoder no it doesn't feel right. I think you might want to start clean and force push your individual changes here again. Usually you rebase when you get some LGTMs, before it's merged. |
lekoderforce-pushed the tls-socket-emit-clienterror branch from 4b4f028 to 68458e0Comparelekoder commented Sep 29, 2016
@mcollina I did just that. I would suggest adding this info to contributing guide, ie:
|
mcollina commented Sep 29, 2016
@lekoder rebasing is fine, you might have made a mistake in the process. Your commits needs to sit on top of upstream master. You should probably squash your commits into one. |
mcollina commented Sep 29, 2016
I'm LGTM for the streams point of view, but @indutny has the final say. |
lekoderforce-pushed the tls-socket-emit-clienterror branch from 68458e0 to 28af293CompareThere was a problem hiding this comment.
Is this a case you fixing? Creating a socket manually for a server?
indutny commented Sep 29, 2016
I had more time to think about it, and it looks like the patch is correct. Whilst reviewing things I have found that we have quite a funny possible infinite loop in Please reduce the branching code, and this PR will be good to go. Thank you! |
lekoder commented Sep 30, 2016
@indutny Removed branch as suggested. Also added tests to make sure that |
Removes branch that would make TLSSocket emit '_tlsError' event if error occured on handshake and controll was not released, as it was never happening. Addedd test for tls.Server to ensure it still emits 'tlsClientError' as expected. Makes tests conform to defined linting rules.
lekoderforce-pushed the tls-socket-emit-clienterror branch from 1c2a46c to d3027e8Comparelekoder commented Oct 7, 2016
@mcollina I did some testing of the whole rebasing problem i had with. Problem was caused by doing: ...and that ended up with pull request that contained not only my changes, but also all commits from ...or even better: ...which makes my |
jasnell commented Oct 7, 2016
mcollina commented Oct 10, 2016
Landed as c7bc9bc. |
Removes branch that would make TLSSocket emit '_tlsError' event if error occured on handshake and control was not released, as it was never happening. Addedd test for tls.Server to ensure it still emits 'tlsClientError' as expected. Fixes: #8803 PR-URL: #8805 Reviewed-By: Matteo Collina <[email protected]> Reviewed-By: Fedor Indutny <[email protected]>
Removes branch that would make TLSSocket emit '_tlsError' event if error occured on handshake and control was not released, as it was never happening. Addedd test for tls.Server to ensure it still emits 'tlsClientError' as expected. Fixes: #8803 PR-URL: #8805 Reviewed-By: Matteo Collina <[email protected]> Reviewed-By: Fedor Indutny <[email protected]>
Removes branch that would make TLSSocket emit '_tlsError' event if error occured on handshake and control was not released, as it was never happening. Addedd test for tls.Server to ensure it still emits 'tlsClientError' as expected. Fixes: #8803 PR-URL: #8805 Reviewed-By: Matteo Collina <[email protected]> Reviewed-By: Fedor Indutny <[email protected]>
MylesBorins commented Nov 22, 2016
when backporting to v4.x we get some failing tests Would someone be willing to manually backport |
bnoordhuis commented Nov 22, 2016
I'll take a look. |
Removes branch that would make TLSSocket emit '_tlsError' event if error occured on handshake and control was not released, as it was never happening. Added test for tls.Server to ensure it still emits 'tlsClientError' as expected. Note that 'tlsClientError' does not exist in the v4.x branch so this back-port emits 'clientError' instead. See also pull request nodejs#4557. Fixes: nodejs#8803 PR-URL: nodejs#8805 Refs: nodejs#4557 Reviewed-By: Matteo Collina <[email protected]> Reviewed-By: Fedor Indutny <[email protected]>
bnoordhuis commented Nov 22, 2016
#9742 - 'tlsClientError' wasn't introduced until v6.x, it emits 'clientError' instead. |
Removes branch that would make TLSSocket emit '_tlsError' event if error occured on handshake and control was not released, as it was never happening. Added test for tls.Server to ensure it still emits 'tlsClientError' as expected. Note that 'tlsClientError' does not exist in the v4.x branch so this back-port emits 'clientError' instead. See also pull request #4557. Fixes: #8803 PR-URL: #8805 Refs: #4557 Reviewed-By: Matteo Collina <[email protected]> Reviewed-By: Fedor Indutny <[email protected]>
Removes branch that would make TLSSocket emit '_tlsError' event if error occured on handshake and control was not released, as it was never happening. Added test for tls.Server to ensure it still emits 'tlsClientError' as expected. Note that 'tlsClientError' does not exist in the v4.x branch so this back-port emits 'clientError' instead. See also pull request #4557. Fixes: #8803 PR-URL: #8805 Refs: #4557 Reviewed-By: Matteo Collina <[email protected]> Reviewed-By: Fedor Indutny <[email protected]>
Removes branch that would make TLSSocket emit '_tlsError' event if error occured on handshake and control was not released, as it was never happening. Added test for tls.Server to ensure it still emits 'tlsClientError' as expected. Note that 'tlsClientError' does not exist in the v4.x branch so this back-port emits 'clientError' instead. See also pull request #4557. Fixes: #8803 PR-URL: #8805 Refs: #4557 Reviewed-By: Matteo Collina <[email protected]> Reviewed-By: Fedor Indutny <[email protected]>
Removes branch that would make TLSSocket emit '_tlsError' event if error occured on handshake and control was not released, as it was never happening. Added test for tls.Server to ensure it still emits 'tlsClientError' as expected. Note that 'tlsClientError' does not exist in the v4.x branch so this back-port emits 'clientError' instead. See also pull request #4557. Fixes: #8803 PR-URL: #8805 Refs: #4557 Reviewed-By: Matteo Collina <[email protected]> Reviewed-By: Fedor Indutny <[email protected]>
9 participants
Checklist
make -j8 test(UNIX), orvcbuild test nosign(Windows) passes *Affected core subsystem(s)
tls/sslDescription of change
tls.TLSSocketemits nowerrorevent on handshake failure.Fixes#8803
Notes
upstream/masterdoes not passmake -j8 teston time of this contribution - with unrelated errors. Tests related totls/ssland new test to highlight referenced issue pass.