Minor fix to favor strict equality in http_server.js and tls_wrap.js
to ensure accurate comparisons without type coercion.
PR-URL: https://github.com/nodejs/node/pull/9849
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Writing data to TLSWrap instance during handshake will result in it
being queued in `write_item_queue_`. This queue won't get cleared up
until the end of the handshake.
Technically, it gets cleared on `~TLSWrap` invocation, however this
won't ever happen because every `WriteWrap` holds a reference to the
`TLSWrap` through JS object, meaning that they are doomed to be alive
for eternity.
To breach this dreadful contract a knight shall embark from the
`close` function to kill the dragon of memory leak with his magic
spear of `destroySSL`.
`destroySSL` cleans up `write_item_queue_` and frees `SSL` structure,
both are good for memory usage.
PR-URL: https://github.com/nodejs/node/pull/9586
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
The `.` character does not need to be escaped when it appears inside a
regular expression character class. This removes instances of
unnecessary escapes of the `.` character.
This also removes a few unnecessary escapes of the `(` and `)`
characters within character classes too.
PR-URL: https://github.com/nodejs/node/pull/9449
Reviewed-By: Roman Reiss <me@silverwind.io>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Minwoo Jung <jmwsoft@gmail.com>
Reviewed-By: James Snell <jasnell@gmail.com>
In most cases, named functions match the variable or property to which
they are being assigned. That also seems to be the practice in a series
of PRs currently being evaluated that name currently-anonymous
functions.
This change applies that rule to instances in the code base that don't
comply with that practice.
This will be enforceable with a lint rule once we upgrade to ESLint
3.8.0.
PR-URL: https://github.com/nodejs/node/pull/9113
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
Removes branch that would make TLSSocket emit '_tlsError' event if error
occured on handshake and control was not released, as it was never happening.
Addedd test for tls.Server to ensure it still emits 'tlsClientError' as expected.
Fixes: https://github.com/nodejs/node/issues/8803
PR-URL: https://github.com/nodejs/node/pull/8805
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Previously `TLSSocket#_emitTLSError` was used as an `error` event
handler. However that function can emit `error` event itself, so it is
not suitable for such use. Luckily the event can be emitted only when
the control is released, so this looping-error can't happen.
Replace the error handler for clarity and correctness.
PR-URL: https://github.com/nodejs/node/pull/8889
Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
This PR simplifies Server.prototype.listen, removing some redundancy and
inconsistency. Because listen and connect have a similar function signature,
normalizeConnectArgs can be reused for listen.
listenAfterLookup renamed to lookupAndListen for consistency with
lookupAndConnect, and moved out of Server.prototype.listen.
PR-URL: https://github.com/nodejs/node/pull/4039
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Glen Keane <glenkeane.94@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
When node began using the OneByte API (f150d56) it also switched to
officially supporting ISO-8859-1. Though at the time no new encoding
string was introduced.
Introduce the new encoding string 'latin1' to be more explicit. The
previous 'binary' and documented as an alias to 'latin1'. While many
tests have switched to use 'latin1', there are still plenty that do both
'binary' and 'latin1' checks side-by-side to ensure there is no
regression.
PR-URL: https://github.com/nodejs/node/pull/7111
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: James M Snell <jasnell@gmail.com>
There is no official way to figure out if the socket that you have on
hand is still connecting to the remote host. Introduce
`Socket#connecting`, which is essentially an unprefixed `_connecting`
property that we already had.
PR-URL: https://github.com/nodejs/node/pull/6404
Reviewed-By: Evan Lucas <evanlucas@me.com>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Introduce a new MACRO to check if the data is a String object and
update existing MACROs to include the actual object description to
be printed in case of an error.
PR-URL: https://github.com/nodejs/node/pull/3100
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Fail early in require('crypto'), require('tls'),
require('https'), etc when crypto is not available
(rather than depending on an internal try/catch).
Add documentation for detecting when crypto is not available.
PR-URL: https://github.com/nodejs/node/pull/5611
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Several changes:
* Soft-Deprecate Buffer() constructors
* Add `Buffer.from()`, `Buffer.alloc()`, and `Buffer.allocUnsafe()`
* Add `--zero-fill-buffers` command line option
* Add byteOffset and length to `new Buffer(arrayBuffer)` constructor
* buffer.fill('') previously had no effect, now zero-fills
* Update the docs
PR-URL: https://github.com/nodejs/node/pull/4682
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
Reviewed-By: Stephen Belanger <admin@stephenbelanger.com>
Instead of leaking the arguments object by passing it as an
argument to a function, copy it's contents to a new array,
then pass the array. This allows V8 to optimize the function
that contains this code, improving performance.
PR-URL: https://github.com/nodejs/node/pull/4361
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Brian White <mscdex@mscdex.net>
The role of `this.server` is now split between `this._server` and
`this.server`. Where the first one is used for counting active
connections of `net.Server`, and the latter one is just a public API for
users' consumption.
The reasoning for this is simple, `TLSSocket` instances wrap
`net.Socket` instances, thus both refer to the `net.Server` through the
`this.server` property. However, only one of them should be used for
`net.Server` connection count book-keeping, otherwise double-decrement
will happen on socket destruction.
Fix: #5083
PR-URL: https://github.com/nodejs/node/pull/5262
Reviewed-By: James M Snell <jasnell@gmail.com>
This is an intermediate fix for an issue of accessing `TLSWrap` fields
after the parent handle was destroyed. While `close` listener cleans up
this field automatically, it can be done even earlier at the
`TLSWrap.close` call.
Proper fix is going to be submitted and landed after this one.
Fix: #5108
PR-URL: https://github.com/nodejs/node/pull/5168
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
This commit adds a new method for TLS sockets that returns the
negotiated protocol version.
PR-URL: https://github.com/nodejs/node/pull/4995
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: James M Snell <jasnell@gmail.com>
With an indentation style of two spaces, it is not possible to indent
multiline variable declarations by four spaces. Instead, the var keyword
is used on every new line.
Use const instead of var where applicable for changed lines.
PR-URL: https://github.com/nodejs/io.js/pull/2286
Reviewed-By: Roman Reiss <me@silverwind.io>
`clientError` will have `http.Server`-specific behavior, and we don't
want to shadow it in `tls.Server`.
PR-URL: https://github.com/nodejs/node/pull/4557
Reviewed-By: Brian White <mscdex@mscdex.net>
use `arrow functions` instead of `bind(this)` in order to improve
performance through optimizations.
PR-URL: https://github.com/nodejs/node/pull/3622
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Add `secureContext` option to `tls.connect`. It is useful for caching
client certificates, key, and CA certificates.
PR-URL: https://github.com/nodejs/node/pull/4246
Reviewed-By: James M Snell <jasnell@gmail.com>
FIPS 140-2 disallows use of MD5, which is used to derive the
default sessionIdContext for tls.createServer().
PR-URL: https://github.com/nodejs/node/pull/3866
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
FIPS 140-2 disallows use of MD5, which is used to derive the
default sessionIdContext for tls.createServer().
PR-URL: https://github.com/nodejs/node/pull/3755
Reviewed-By: Fedor Indutny <fedor@indutny.com>
This commit fixes some error messages that are not consistent with
some general rules which most of the error messages follow.
PR-URL: https://github.com/nodejs/node/pull/3374
Reviewed-By: Roman Reiss <me@silverwind.io>
Check that tls.connect() fails in the expected way when passing in
invalid minDHSize options.
PR-URL: https://github.com/nodejs/node/pull/3629
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
ALPN is added to tls according to RFC7301, which supersedes NPN.
When the server receives both NPN and ALPN extensions from the client,
ALPN takes precedence over NPN and the server does not send NPN
extension to the client. alpnProtocol in TLSSocket always returns
false when no selected protocol exists by ALPN.
In https server, http/1.1 token is always set when no
options.ALPNProtocols exists.
PR-URL: https://github.com/nodejs/node/pull/2564
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Upon creating a TLSSocket object, set the default isServer option to false
Updated tls docs and added test-tls-socket-default-options
PR-URL: https://github.com/nodejs/node/pull/2614
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Add a new option to specifiy a minimum size of an ephemeral DH
parameter to accept a tls connection. Default is 1024 bit.
PR-URL: https://github.com/nodejs/node/pull/1831
Reviewed-By: indutny - Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: bnoordhuis - Ben Noordhuis <info@bnoordhuis.nl>
Returns an object representing a type, name and size of an ephemeral
key exchange in a client connection. Currently only DHE and ECHE are
supported.
This api only works on on a client connection. When it is called on a
server connection, null is returned. When its key exchange is not
ephemeral, an empty object is returned.
PR-URL: https://github.com/nodejs/node/pull/1831
Reviewed-By: indutny - Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: bnoordhuis - Ben Noordhuis <info@bnoordhuis.nl>
When closing the child TLSWrap handle - wait for the proper parent's
handle close callback invocation. `uv_close_cb` may be invoked much
later than the next libuv tick, depending on the platform.
The only platform that currently seem to defer `uv_close_cb` is Windows
XP. This behavior was not observed on other Windows systems, and is not
possible on Unixes.
Fix: https://github.com/nodejs/node/issues/2979
PR-URL: https://github.com/nodejs/node/pull/2991
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Expose and use in TLSWrap an `v8::External` wrap of the
`StreamBase*` pointer instead of guessing the ancestor C++ class in
`node_wrap.h`.
Make use of `StreamBase::Callback` structure for storing/passing both
callback and context in a single object.
Introduce `GetObject()` for future user-land usage, when a child class
is not going to be inherited from AsyncWrap.
PR-URL: https://github.com/nodejs/node/pull/2351
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
As per the discussion in #734, this patch deprecates the usage of
`EventEmitter.listenerCount` static function in the docs, and introduces
the `listenerCount` function in the prototype of `EventEmitter` itself.
PR-URL: https://github.com/nodejs/node/pull/2349
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
Reviewed-By: Brian White <mscdex@mscdex.net>
When TLS Session Ticket is renewed by server - no Certificate record is
to the client. We are prepared for empty certificate in this case, but
this relies on the session reuse check, which was implemented
incorrectly and was returning false when the TLS Session Ticket was
renewed.
Use session reuse check provided by OpenSSL instead.
Fix: https://github.com/nodejs/io.js/issues/2304
PR-URL: https://github.com/nodejs/io.js/pull/2312
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
Queued write requests should be invoked on handle close, otherwise the
"consumer" might be already destroyed when the write callbacks of the
"consumed" handle will be invoked. Same applies to the shutdown
requests.
Make sure to "move" away socket from server to not break the
`connections` counter in `net.js`. Otherwise it might not call `close`
callback, or call it too early.
Fix: https://github.com/iojs/io.js/issues/1696
PR-URL: https://github.com/nodejs/io.js/pull/1910
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
Defer reading until user-land has a chance to add listeners. This
allows the TLS wrapper to listen for _tlsError and trigger a
clientError event if the socket already has data that could trigger.
Fixes: https://github.com/nodejs/io.js/issues/1114
PR-URL: https://github.com/nodejs/io.js/pull/1496
Reviewed-By: Chris Dickinson <christopher.s.dickinson@gmail.com>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
5795e835a1 introduced unintentional
copy-paste bug. `cb` is not actually present in those functions and
should not be called, the socket should be destroy instead.
PR-URL: https://github.com/nodejs/io.js/pull/1951
Reviewed-By: Roman Reiss <me@silverwind.io>
Emit errors using `.destroy(err)` instead of `.destroy()` and
`.emit('error', err)`. Otherwise `close` event is emitted with the
`error` argument set to `false`, even if the connection was torn down
because of the error.
See: https://github.com/nodejs/io.js/issues/1119
PR-URL: https://github.com/nodejs/io.js/pull/1711
Reviewed-By: Chris Dickinson <christopher.s.dickinson@gmail.com>
In ssl.onerror event, `this` refers `ssl` so that
`this._secureEstablished` is always undefined. Fix it to refer
TLSSocket.
PR-URL: https://github.com/nodejs/io.js/pull/1661
Reviewed-By: Fedor Indutny <fedor@indutny.com>
This makes `TLSWrap` and `SecureContext` objects collectable by the
incremental gc.
`res = null` destroys the cyclic reference in the `reading` property.
`this.ssl = null` removes the remaining reference to the `TLSWrap`.
`this.ssl._secureContext.context = null` removes the reference to
the `SecureContext` object, even though there might be references
to `this.ssl._secureContext` somewhere.
The `reading` property will now throw an error if accessed after the
socket is closed, but that should not happen.
PR-URL: https://github.com/iojs/io.js/pull/1580
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
Do not enable ClientHello parser for async SNI/OCSP. Use new
OpenSSL-1.0.2's API `SSL_set_cert_cb` to pause the handshake process and
load the cert/OCSP response asynchronously. Hopefuly this will make
whole async SNI/OCSP process much faster and will eventually let us
remove the ClientHello parser itself (which is currently used only for
async session, see #1462 for the discussion of removing it).
NOTE: Ported our code to `SSL_CTX_add1_chain_cert` to use
`SSL_CTX_get0_chain_certs` in `CertCbDone`. Test provided for this
feature.
Fix: https://github.com/iojs/io.js/issues/1423
PR-URL: https://github.com/iojs/io.js/pull/1464
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
tls.connect(options) with no options.host should accept a certificate
with CN: 'localhost'. Fix Error: Hostname/IP doesn't match
certificate's altnames: "Host: undefined. is not cert's CN: localhost"
'localhost' is not added directly to defaults because that is not
always desired (for example, when using options.socket)
PR-URL: https://github.com/iojs/io.js/pull/1493
Fixes: https://github.com/iojs/io.js/issues/1489
Reviewed-By: Brendan Ashworth <brendan.ashworth@me.com>
Reviewed-By: Roman Reiss <me@silverwind.io>
This commit better handles calls to process.binding() in lib/ by
no longer lazy loading the bindings (the load times themselves are
rather miniscule compared to the load time of V8) and never reloading
the bindings (which is 172 times slower than referencing a variable with
the same value).
PR-URL: https://github.com/iojs/io.js/pull/1367
Reviewed-By: Brian White <mscdex@mscdex.net>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Set proxied methods wrappers in `TLSWrap` prototype instead of doing it
on every socket allocation. Should speed up things a bit and will
certainly make heapsnapshot less verbose.
PR-URL: https://github.com/iojs/io.js/pull/1108
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
Hold non-persistent reference in JS, rather than in C++ to avoid cycles.
PR-URL: https://github.com/iojs/io.js/pull/1078
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Accept `new net.Socket()` as a `socket` option to `tls.connect()`
without triggering an assertion error in C++.
This is done by wrapping it into a JSStream to ensure that there will be
a handle at the time of wrapping the socket into TLSSocket.
Fix: https://github.com/iojs/io.js/issues/987
PR-URL: https://github.com/iojs/io.js/pull/1046
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Rod Vagg <rod@vagg.org>
The problem does not manifest itself on unixes, because
`uv_read_start()` always return 0 there. However on Windows on a second
call `uv_read_start()` returns `UV__EALREADY` destroying all sockets on
a read attempt.
Set `.reading` property that is already handled by `net.js` code.
Fix: https://github.com/iojs/io.js/issues/988
PR-URL: https://github.com/iojs/io.js/pull/994
Reviewed-By: Chris Dickinson <christopher.s.dickinson@gmail.com>
Introduce a way to wrap plain-js `stream.Duplex` streams into C++
StreamBase's child class. With such method at hand it is now possible to
pass `stream.Duplex` instance as a `socket` parameter to
`tls.connect()`.
PR-URL: https://github.com/iojs/io.js/pull/926
Reviewed-By: Chris Dickinson <christopher.s.dickinson@gmail.com>
StreamBase is an improved way to write C++ streams. The class itself is
for separting `StreamWrap` (with the methods like `.writeAsciiString`,
`.writeBuffer`, `.writev`, etc) from the `HandleWrap` class, making
possible to write abstract C++ streams that are not bound to any uv
socket.
The following methods are important part of the abstraction (which
mimics libuv's stream API):
* Events:
* `OnAlloc(size_t size, uv_buf_t*)`
* `OnRead(ssize_t nread, const uv_buf_t*, uv_handle_type pending)`
* `OnAfterWrite(WriteWrap*)`
* Wrappers:
* `DoShutdown(ShutdownWrap*)`
* `DoTryWrite(uv_buf_t** bufs, size_t* count)`
* `DoWrite(WriteWrap*, uv_buf_t*, size_t count, uv_stream_t* handle)`
* `Error()`
* `ClearError()`
The implementation should provide all of these methods, thus providing
the access to the underlying resource (be it uv handle, TLS socket, or
anything else).
A C++ stream may consume the input of another stream by replacing the
event callbacks and proxying the writes. This kind of API is actually
used now for the TLSWrap implementation, making it possible to wrap TLS
stream into another TLS stream. Thus legacy API calls are no longer
required in `_tls_wrap.js`.
PR-URL: https://github.com/iojs/io.js/pull/840
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
Reviewed-By: Chris Dickinson <christopher.s.dickinson@gmail.com>
`TLSSocket` wraps the original `net.Socket`, but writes/reads to/from
`TLSSocket` do not touch the timers of original `net.Socket`.
Introduce `socket._parent` property, and iterate through all parents
to unref timers and prevent timeout event on original `net.Socket`.
Fix: https://github.com/joyent/node/issues/9242
PR-URL: https://github.com/iojs/io.js/pull/891
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
This updates the default cipher suite to an more secure list, which
prefers strong ciphers with Forward Secrecy. Additionally, it enables
`honorCipherOrder` by default.
Noteable effect of this change is that the insecure RC4 ciphers are
disabled and that Chrome negotiates a more secure ECDHE cipher.
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Fedor Indutny <fedor@indutny.com>
PR-URL: https://github.com/iojs/io.js/pull/826
Many of the util.is*() methods used to check data types
simply compare against a single value or the result of
typeof. This commit replaces calls to these methods with
equivalent checks. This commit does not touch calls to the
more complex methods (isRegExp(), isDate(), etc.).
Fixes: https://github.com/iojs/io.js/issues/607
PR-URL: https://github.com/iojs/io.js/pull/647
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
This commit replaces a number of var statements throughout
the lib code with const statements.
PR-URL: https://github.com/iojs/io.js/pull/541
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
The copyright and license notice is already in the LICENSE file. There
is no justifiable reason to also require that it be included in every
file, since the individual files are not individually distributed except
as part of the entire package.
Turn on strict mode for the files in the lib/ directory. It helps
catch bugs and can have a positive effect on performance.
PR-URL: https://github.com/node-forward/node/pull/64
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Fedor Indutny <fedor@indutny.com>
When listening for client hello parser events (like OCSP requests), do
not hang if `newSession` event handler is not present.
fixjoyent/node#8660
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
PR-URL: https://github.com/node-forward/node/pull/47
In case of an invalid DH parameter file, it is sliently discarded. To
use auto DH parameter in a server and DHE key length check in a
client, we need to wait for the next release of OpenSSL-1.0.2.
Reviewed-By: Fedor Indutny <fedor@indutny.com>
When creating a TLSSocket instance based on the existing connecting
socket, `_connecting` property is copied after the initialization of
`net.Socket`. However, since `net.Socket` constructor will call
`.read(0)` if the `readable` is true - error may happen at this code
chunk in net.js:
Socket.prototype._read = function(n) {
debug('_read');
if (this._connecting || !this._handle) {
debug('_read wait for connection');
this.once('connect', this._read.bind(this, n));
...
Leading to a test failures on windows:
- test/simple/test-tls-connect-given-socket.js
Signed-off-by: Fedor Indutny <fedor@indutny.com>
Move `createCredentials` to `tls` module and rename it to
`createSecureContext`. Make it use default values from `tls` module:
`DEFAULT_CIPHERS` and `DEFAULT_ECDH_CURVE`.
fix#7249
These are an old and deprecated properties that was used by previous
stream implementation, and are still in use in some user-land modules.
Prior to this commit, they were read from the underlying socket, which
may be non-readable/non-writable while connecting or while staying
uninitialized.
Force set them to `true`, just to make sure that there will be no
inconsistency.
fix#7152
Right now no default ciphers are use in, e.g. https.get, meaning that
weak export ciphers like TLS_RSA_EXPORT_WITH_DES40_CBC_SHA are
accepted.
To reproduce:
node -e "require('https').get({hostname: 'www.howsmyssl.com', \
path: '/a/check'}, function(res) {res.on('data', \
function(d) {process.stdout.write(d)})})"
When creating TLSSocket on top of the regular socket that already
contains some received data, `_tls_wrap.js` should try to write all that
data to the internal `SSL*` instance.
fix#6940
Before this commit, verification exceptions had err.message set to the
OpenSSL error code (e.g. 'UNABLE_TO_VERIFY_LEAF_SIGNATURE').
This commit moves the error code to err.code and replaces err.message
with a human-readable error. Example:
// before
{
message: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE'
}
// after
{
code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE',
message: 'unable to verify the first certificate'
}
UNABLE_TO_VERIFY_LEAF_SIGNATURE is a good example of why you want this:
the error code suggests that it's the last certificate that fails to
validate while it's actually the first certificate in the chain.
Going by the number of mailing list posts and StackOverflow questions,
it's a source of confusion to many people.
Wildcard server names should not match subdomains.
Quote from RFC2818:
...Names may contain the wildcard
character * which is considered to match any single domain name
component or component fragment. E.g., *.a.com matches foo.a.com but
not bar.foo.a.com. f*.com matches foo.com but not bar.com.
fix#6610
When socket, passed in `tls.connect()` `options` argument is not yet
connected to the server, `_handle` gets assigned to a `net.Socket`,
instead of `TLSSocket`.
When socket is connecting to the remote server (i.e. not yet connected,
but already past dns resolve phase), derive `_connecting` property from
it, because otherwise `afterConnect()` will throw an assertion.
fix#6443
When `tls.connect()` is called with `socket` option, it should try to
reuse hostname previously passed to `net.connect()` and only after that
fall back to `'localhost'`.
fix#6409
`server.SNICallback` was initialized with `SNICallback.bind(this)`, and
therefore check `this.SNICallback === SNICallback` was always false, and
`_tls_wrap.js` always thought that it was a custom callback instead of
default one. Which in turn was causing clienthello parser to be enabled
regardless of presence of SNI contexts.
It shouldn't ignore it!
There're two possibile cases, which should be handled properly:
1. Having a default `SNICallback` which is using contexts, added with
`server.addContext(...)` routine
2. Having a custom `SNICallback`.
In first case we may want to opt-out setting `.onsniselect` method (and
thus save some CPU time), if there're no contexts added. But, if custom
`SNICallback` is used, `.onsniselect` should always be set, because
server contexts don't affect it.
Split `tls.js` into `_tls_legacy.js`, containing legacy
`createSecurePair` API, and `_tls_wrap.js` containing new code based on
`tls_wrap` binding.
Remove tests that are no longer useful/valid.
