Andy Burke
595b5974d7
Add bytesWritten to tls.CryptoStream
...
This adds a proxy for bytesWritten to the tls.CryptoStream. This
change makes the connection object more similar between HTTP and
HTTPS requests in an effort to avoid confusion.
See issue #4650 for more background information.
2013-01-24 16:48:49 -08:00
Fedor Indutny
82f1d340c1
tls: make slab buffer's size configurable
...
see #4636
2013-01-24 08:47:07 -08:00
Fedor Indutny
b4b750b6a5
tls: follow RFC6125 more strictly
...
* Allow wildcards only in left-most part of hostname identifier.
* Do not match CN if altnames are present
2013-01-14 17:18:30 -08:00
Fedor Indutny
4dd70bb12c
tls: allow wildcards in common name
...
see #4592
2013-01-14 21:10:03 +04:00
isaacs
77ed12fe7a
Merge remote-tracking branch 'ry/v0.8' into master
...
Conflicts:
AUTHORS
ChangeLog
deps/uv/test/test-spawn.c
deps/uv/uv.gyp
src/cares_wrap.cc
src/node.cc
src/node_version.h
test/simple/test-buffer.js
tools/gyp/pylib/gyp/common.py
tools/install.py
2012-12-13 16:57:58 -08:00
Ben Noordhuis
5b65638124
tls, https: add tls handshake timeout
...
Don't allow connections to stall indefinitely if the SSL/TLS handshake does
not complete.
Adds a new tls.Server and https.Server configuration option, handshakeTimeout.
Fixes #4355.
2012-12-06 17:39:24 +01:00
Ben Noordhuis
121ed91331
tls: fix tls.connect() resource leak
...
The 'secureConnect' event listener was attached with .on(), which blocked it
from getting garbage collected. Use .once() instead.
Fixes #4308.
2012-11-26 01:51:05 +01:00
Girish Ramakrishnan
2f03eaf76f
doc: tls: rejectUnauthorized defaults to true after 35607f3a
2012-11-01 16:16:27 +01:00
Brandon Philips
19b87bbda0
tls: delete useless removeListener call
...
onclose was never attached to 'end' so this call to remove this listener
is useless. Delete it.
2012-10-30 16:58:07 +01:00
isaacs
4266f5cf2e
tls: Provide buffer to Connection.setSession
2012-10-23 10:48:50 -07:00
isaacs
061f2075cf
string_decoder: Add 'end' method, do base64 properly
2012-10-11 16:46:18 -07:00
Ben Noordhuis
0ad005852c
https: fix renegotiation attack protection
...
Listen for the 'clientError' event that is emitted when a renegotiation attack
is detected and close the connection.
Fixes test/pummel/test-https-ci-reneg-attack.js
2012-10-09 16:38:00 +02:00
Ben Noordhuis
7394e89ff6
tls: remove dead code
...
Remove dead code. Forgotten in 76ddf06.
2012-10-09 16:32:51 +02:00
Ben Noordhuis
76ddf06f10
tls: don't use a timer to track renegotiations
...
It makes tls.createSecurePair(null, true) hang until the timer expires.
Using a timer here is silly. Use a timestamp instead.
2012-10-08 02:23:46 +02:00
isaacs
411d46087f
tls: lint
...
cc @indutny >_<
2012-09-25 11:09:39 -07:00
Fedor Indutny
7651228ab2
tls: use slab allocator
2012-09-25 08:37:08 -07:00
Ben Noordhuis
35607f3a2d
tls, https: validate server certificate by default
...
This commit changes the default value of the rejectUnauthorized option from
false to true.
What that means is that tls.connect(), https.get() and https.request() will
reject invalid server certificates from now on, including self-signed
certificates.
There is an escape hatch: if you set the NODE_TLS_REJECT_UNAUTHORIZED
environment variable to the literal string "0", node.js reverts to its
old behavior.
Fixes #3949.
2012-09-15 00:19:06 +02:00
Fedor Indutny
8e0c830cd0
tls: async session storage
2012-09-05 02:01:54 +04:00
Ben Noordhuis
972cdf82f1
Merge remote-tracking branch 'origin/v0.8'
...
Conflicts:
deps/uv/include/uv.h
src/node_crypto.cc
2012-09-04 15:02:20 +02:00
Shigeki Ohtsu
f347077e78
tls: support unix domain socket/named pipe in tls.connect
2012-08-31 00:23:36 +02:00
Ben Noordhuis
8bec26122d
tls, https: throw exception on missing key/cert
...
Throw an exception in the tls.Server constructor when the options object
doesn't contain either a PFX or a key/certificate combo.
Said change exposed a bug in simple/test-tls-junk-closes-server. Addressed.
Fixes #3941.
2012-08-29 22:53:07 +02:00
Bert Belder
bf16d9280e
Merge branch 'v0.8'
...
Conflicts:
ChangeLog
deps/openssl/openssl.gyp
src/node_version.h
2012-08-28 02:54:22 +02:00
isaacs
ee200942dd
lint
2012-08-22 11:03:14 -07:00
Ben Noordhuis
badbd1af27
tls: update default cipher list
...
Update the default cipher list from RC4-SHA:AES128-SHA:AES256-SHA
to ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH
in order to mitigate BEAST attacks.
The documentation suggested AES256-SHA but unfortunately that's a CBC cipher
and therefore susceptible to attacks.
Fixes #3900.
2012-08-21 22:27:13 +02:00
Ben Noordhuis
a177f55b0c
Merge remote-tracking branch 'origin/v0.8'
...
Conflicts:
ChangeLog
src/node_version.h
test/message/stdin_messages.out
tools/install.py
2012-08-17 13:05:20 +02:00
Ben Noordhuis
c492d43f48
tls: fix segfault in pummel/test-tls-ci-reneg-attack
...
Commit 4e5fe2d changed the way process.nextTick() works:
    process.nextTick(function foo() {
      process.nextTick(function bar() {
        // ...
      });
    });
Before said commit, foo() and bar() used to run on separate event loop ticks
but that is no longer the case.
However, that's exactly the behavior that the TLS renegotiation attack guard
relies on. It gets called by OpenSSL and needs to defer the 'error' event to a
later tick because the default action is to destroy the TLS context - the same
context that OpenSSL currently operates on.
When things change underneath your feet, bad things happen and OpenSSL is no
exception. Ergo, use setImmediate() instead of process.nextTick() to ensure
that the 'error' event is actually emitted at a later tick.
Fixes #3840.
2012-08-13 18:10:26 +02:00
Ben Noordhuis
6b18e88b68
tls: handle multiple CN fields when verifying cert
...
Fixes #3861.
2012-08-12 21:48:26 +02:00
Fedor Indutny
42c6952edb
tls: pass linting
2012-07-20 22:07:39 +04:00
Fedor Indutny
85185bbbaa
tls: pass linting
2012-07-20 22:07:16 +04:00
Fedor Indutny
92e7433ff9
tls: fix 'hostless' tls connection verification
...
And fix last failing tests
2012-07-20 21:48:59 +04:00
Fedor Indutny
50122fed8a
tls: fix 'hostless' tls connection verification
...
And fix last failing tests
2012-07-20 21:43:12 +04:00
Fedor Indutny
93d496a4ec
tls: revert accidental API change
...
socket.authorizationError should always be string. Also make sni test
pass.
2012-07-20 21:13:54 +04:00
Fedor Indutny
5950db197c
tls: revert accidental API change
...
socket.authorizationError should always be string. Also make sni test
pass.
2012-07-20 21:10:23 +04:00
Fedor Indutny
4aa09d1e0e
tls: localhost is valid against identity-check
2012-07-20 20:51:38 +04:00
Fedor Indutny
0cf235410d
tls: localhost is valid against identity-check
2012-07-20 20:47:05 +04:00
Fedor Indutny
eb2ca10462
tls: verify server's identity
2012-07-20 01:49:31 +04:00
Fedor Indutny
8ba189b8d3
tls: verify server's identity
2012-07-20 00:53:36 +04:00
isaacs
3ad07ed0b8
lint
2012-07-11 17:46:28 -07:00
isaacs
424cd5a020
Merge remote-tracking branch 'ry/v0.8' into v0.8-merge
...
Conflicts:
src/node_version.h
2012-07-11 17:38:11 -07:00
Jonas Westerlund
4cfdc57712
Inline timeout function, avoiding declaration in conditional
...
Moving it out would require an anonymous function, or bind(), anyway.
Luckily it's a tiny function. Fixes crash in strict mode.
2012-07-06 19:28:35 -07:00
Fedor Indutny
f210530f46
tls: use slab allocator
2012-07-05 16:06:33 -04:00
Ben Noordhuis
ff552ddbaa
tls: fix off-by-one error in renegotiation check
...
Make CLIENT_RENEG_LIMIT inclusive instead of exclusive, i.e. a limit of 2
means the peer can renegotiate twice, not just once.
Update pummel/test-tls-ci-reneg-attack accordingly and make it less timing
sensitive (and run faster) while we're at it.
2012-06-18 04:31:40 +02:00
Andreas Madsen
1e0ce5d1bd
domain: the EventEmitter constructor is now always called in nodecore
2012-06-15 09:49:05 -07:00
isaacs
9611354f08
lint
2012-05-15 13:03:43 -07:00
isaacs
5164ae3838
Merge remote-tracking branch 'ry/v0.6' into v0.6-merge
...
Conflicts:
ChangeLog
deps/uv/include/uv-private/uv-unix.h
deps/uv/src/unix/core.c
deps/uv/src/unix/sunos.c
deps/v8/src/runtime.cc
doc/api/crypto.markdown
lib/http.js
src/node_version.h
test/gc/test-http-client-timeout.js
wscript
2012-05-15 11:37:34 -07:00
ssuda
fb7348ae06
crypto: add PKCS12/PFX support
...
Fixes #2845.
2012-05-14 17:12:59 +02:00
fukayatsu
0f95a93a2c
tls: remove duplicate line
2012-04-16 21:38:26 +02:00
Yosef Dinerstein
d7c96cf289
tls: reduce memory overhead, reuse buffer
...
Instead of allocating a new 64KB buffer each time when checking if there is
something to transform, continue to use the same buffer. Once the buffer is
exhausted, allocate a new buffer. This solves the problem of huge allocations
when small fragments of data are processed, but will also continue to work
well with big pieces of data.
2012-03-29 17:17:15 +02:00
Shigeki Ohtsu
e1199fa335
tls: fix CryptoStream.setKeepAlive()
2012-03-23 00:20:46 +01:00
ssuda
9b672bcaa2
tls: parsing multiple values of a key in ssl certificate
...
Fixes #2864.
2012-03-10 23:43:16 +09:00
Dmitry Nizovtsev
1e9bcf26ce
net, http, https: add localAddress option
...
Binds to a local address before making the outgoing connection.
2012-03-06 13:35:49 +01:00
isaacs
959a19e118
lint
2012-03-03 23:48:57 -08:00
Jimb Esser
78db18739a
tls: proxy set(Timeout|NoDelay|KeepAlive) methods
...
- fix crash calling ClientRequest::setKeepAlive if the underlying request is
HTTPS.
- fix discarding of callback parameter when calling ClientRequest::setTimeout on
HTTPS requests.
- fix discarding of noDelay parameter when calling ClientRequest::setNoDelay on
HTTPS requests.
2012-03-03 00:28:43 +01:00
Blake Miner
7343f8e776
tls: add honorCipherOrder option to tls.createServer()
...
Documented how to mitigate BEAST attacks.
2012-02-29 02:16:08 +01:00
Maciej Małecki
da908364a8
tls http https: don't pollute user's options object
2012-02-20 21:58:00 +01:00
isaacs
0cdf85e28d
Lint all the JavaScripts.
2012-02-18 15:34:57 -08:00
isaacs
31721da4b1
Merge remote-tracking branch 'ry/v0.6' into v0.6-merge
...
Conflicts:
AUTHORS
ChangeLog
Makefile
doc/about/index.html
doc/api/tls.markdown
doc/community/index.html
doc/index.html
doc/logos/index.html
doc/template.html
lib/http.js
lib/tls.js
src/node_version.h
src/platform_win32.cc
test/simple/test-tls-connect-given-socket.js
2012-02-18 09:46:58 -08:00
Ben Noordhuis
3415427dbf
tls: mitigate session renegotiation attacks
...
The TLS protocol allows (and sometimes requires) clients to renegotiate the
session. However, renegotiation requires a disproportional amount of server-side
resources, particularly CPU time, which makes it a potential vector for
denial-of-service attacks.
To mitigate this issue, we keep track of and limit the number of renegotiation
requests over time, emitting an error if the threshold is exceeded.
2012-02-16 18:15:21 +01:00
koichik
b19b8836c3
tls: Allow establishing secure connection on the existing socket
2012-02-14 11:53:05 -08:00
Ben Noordhuis
e806ad39d0
net, tls, http: remove socket.ondrain
...
Replace the ondrain hack with a regular 'drain' listener. Speeds up the
bytes/1024 http benchmark by about 1.2%.
2012-01-24 15:57:50 +01:00
Fedor Indutny
667aae596c
Merge branch 'v0.6'
...
Conflicts:
ChangeLog
doc/template.html
lib/cluster.js
lib/http.js
lib/tls.js
src/node.h
src/node_version.h
test/simple/test-cluster-kill-workers.js
2012-01-24 00:30:28 +06:00
koichik
534df2f8d2
tls: fix double 'error' events on HTTPS Requests
...
Fixes #2549.
2012-01-17 17:09:27 +01:00
koichik
c1a63a9e90
tls: Allow establishing secure connection on the existing socket
...
This is necessary to use SSL over HTTP tunnels.
Refs #2259, #2474.
Fixes #2489.
2012-01-09 02:31:46 +01:00
Maciej Małecki
4b4d059791
tls: make tls.connect accept port and host in options
...
Previous API used form:
tls.connect(443, "google.com", options, ...)
now it's replaced with:
tls.connect({port: 443, host: "google.com", ...}, ...)
It simplifies argument parsing in `tls.connect` and makes the API
consistent with other parts.
Fixes #1983.
2012-01-08 11:12:56 +01:00
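The commit above replaces the positional call with an options object; the "don't pollute user's options object" commit earlier on this page and the "validate server certificate by default" commit near the top (rejectUnauthorized and the NODE_TLS_REJECT_UNAUTHORIZED escape hatch) decide what ends up in that object. The following added example, not node's own argument handling, shows one way to accept both call shapes, copy rather than mutate the caller's object, and resolve rejectUnauthorized from the environment only when the caller left it unset. The environment is a parameter so the behaviour can be checked without touching process.env.

```javascript
'use strict';
// Added example, not node's own tls.connect(). Accepts both
//   connect(port, [host], [options], [callback])   (old positional form)
//   connect(options, [callback])                    (options form)
// and returns a fresh options object plus the callback. Connecting over a
// unix socket or named pipe is expected as options.path in this example.
function normalizeConnectArgs(args, env = process.env) {
  const rest = Array.from(args);
  let options;
  if (rest[0] !== null && typeof rest[0] === 'object') {
    options = Object.assign({}, rest.shift());  // copy: never mutate the caller's object
  } else {
    options = { port: rest.shift() };
    if (typeof rest[0] === 'string') options.host = rest.shift();
    if (rest[0] !== null && typeof rest[0] === 'object') Object.assign(options, rest.shift());
  }
  const callback = typeof rest[0] === 'function' ? rest.shift() : undefined;

  // Default is to reject unauthorized certificates. Only an explicit option,
  // or the literal string "0" in NODE_TLS_REJECT_UNAUTHORIZED, turns it off;
  // "false", "no" or an empty value leave verification on.
  if (options.rejectUnauthorized === undefined) {
    options.rejectUnauthorized = env.NODE_TLS_REJECT_UNAUTHORIZED !== '0';
  }
  if (options.port === undefined && options.path === undefined) {
    throw new TypeError('tls.connect() needs a port or a path');
  }
  return { options, callback };
}

module.exports = { normalizeConnectArgs };
```

The copy on the options-form branch is the whole point of the "don't pollute" commit: the same object is often reused by callers for several connections, and a defaulted rejectUnauthorized written back into it would silently change their later calls.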
koichik
b962ff35dd
tls: fix test-https-client-reject fails
...
Fixes #2417.
2011-12-27 17:33:23 +09:00
Ryan Dahl
f7f8af8420
Merge remote branch 'origin/v0.6'
...
Conflicts:
Makefile
lib/_debugger.js
2011-12-21 12:17:23 -08:00
koichik
07c27e040e
tls: Fix node swallows openssl error on request
...
Fixes #2308.
Fixes #2246.
2011-12-21 19:48:15 +01:00
Ben Noordhuis
7a7f1062bf
tls: remove duplicate assignment
2011-12-21 15:01:07 +01:00
koichik
f8c335d0ca
tls: enable rejectUnauthorized option to client
...
Fixes #2247.
2011-12-07 22:47:06 +09:00
koichik
5451ba3aa8
tls: fix https with fs.openReadStream hangs
...
Fixes #2185.
Fixes #2198.
2011-11-27 16:31:45 +09:00
Ben Noordhuis
5e3b0095de
tls: make cipher list configurable
...
options.ciphers existed but didn't work, the cipher list was effectively
hard-coded to RC4-SHA:AES128-SHA:AES256-SHA.
Fixes #2066.
2011-11-17 00:01:41 +01:00
koichik
f53d092a2a
tls, https: add passphrase option
...
Fixes #1925.
2011-10-31 17:36:43 +09:00
koichik
cbcaeedba9
tls: add address(), remoteAddress/remotePort
...
Fixes #758.
Fixes #1055.
2011-10-27 00:28:16 +09:00
koichik
0e8a55d2a2
tls: does not emit 'end' from EncryptedStream
...
de09168 and 4cdf9d4 break `test/pummel/test-https-large-response.js`.
It is never finished.
Fixes #1936.
2011-10-27 00:18:29 +09:00
Ryan Dahl
493d3b9f7c
Merge remote branch 'origin/v0.4'
...
Conflicts:
ChangeLog
Makefile
deps/libev/wscript
doc/index.html
doc/template.html
lib/net.js
src/node_version.h
src/platform_cygwin.cc
test/pummel/test-net-write-callbacks.js
test/simple/test-buffer.js
2011-10-21 18:02:30 -07:00
Ryan Dahl
de09168e5a
Emit 'end' from crypto streams on close
...
Fixes test/simple/test-tls-peer-certificate.js on Windows
Patch from bnoordhuis.
See also 75a0cf970f
2011-10-21 13:16:41 -07:00
koichik
68cc173c6d
tls: The TLS API is inconsistent with the TCP API
...
Add 'secureConnect' event to tls.CleartextStream.
Fixes #1467.
2011-10-15 19:27:21 +09:00
koichik
19a855382c
tls: requestCert unusable with Firefox and Chrome
...
Fixes #1516.
2011-10-15 00:54:46 +09:00
koichik
4cdf9d4158
tls: Improve TLS flow control
...
Fixes #1775.
2011-09-30 15:44:45 +09:00
Ben Noordhuis
243c218c7a
tls: remove superfluous setOptions() call
2011-09-19 16:28:22 +02:00
Sean Cunningham
eb99083d0b
tls: add client-side session resumption support
2011-09-07 20:01:14 +02:00
koichik
6f60683802
tls: x509 certificate subject parsing fail
...
Fixes #1568.
2011-08-31 03:47:23 +09:00
Fedor Indutny
942f8b5afb
Add NPN and SNI documentation.
...
Fixes #1420.
Fixes #1426.
2011-08-10 09:44:35 -07:00
Fedor Indutny
9010f5fbab
Add support for TLS SNI
...
Fixes #1411
2011-07-29 16:57:28 -07:00
Robert Mustacchi
de0b8d601c
jslint cleanup: path.js, readline.js, repl.js, tls.js, tty_win32.js, url.js
2011-07-29 11:58:02 -07:00
Ryan Dahl
041c983290
Merge branch 'v0.4'
...
Conflicts:
deps/libev/wscript
doc/api/modules.markdown
2011-07-14 15:52:08 -07:00
Stefan Rusu
901ebed8ff
Fixes #1304. The Connection instance may be destroyed by abort() when process.nextTick is executed.
2011-07-15 00:32:46 +09:00
Ryan Dahl
59274e8a33
Merge branch 'v0.4'
...
Conflicts:
lib/crypto.js
lib/tls.js
2011-05-20 10:29:16 -07:00
Ryan Dahl
9c7f89bf56
CryptoStream.prototype.readyState shouldn't reference fd
...
Fixes #1069
2011-05-20 10:20:22 -07:00
Fedor Indutny
21724ecaec
Share SSL context between server connections
...
Fixes #1073.
2011-05-19 14:45:42 -07:00
Ryan Dahl
85bc8d02fa
Merge branch 'v0.4'
...
Conflicts:
src/node_crypto.cc
2011-05-16 19:29:02 -07:00
Felix Geisendörfer
1fde5f51b4
Make https 'timeout' events bubble up
...
Also adds a test case for it.
2011-05-14 13:38:04 -07:00
isaacs
205b9beb6b
Merge branch 'v0.4'
...
Conflicts:
lib/tls.js
lib/url.js
src/node_version.h
test/simple/test-buffer.js
test/simple/test-url.js
2011-05-07 20:38:32 -07:00
Ryan Dahl
55bff5bab9
TLS: simplify logic
2011-05-06 17:06:36 -07:00
Ryan Dahl
75a0cf970f
cleartextstream.destroy() should destroy socket.
...
This fixes a critical bug seen in MJR's production. Very difficult to build a
test case. Sometimes HTTPS server gets sockets that are hanging in a
half-duplex state.
2011-05-02 15:03:50 -07:00
Fedor Indutny
c9b40da368
OpenSSL NPN in node.js
...
closes #926.
2011-04-19 11:32:26 -07:00
Ryan Dahl
9e6498d5fa
Merge branch 'v0.4'
...
Conflicts:
src/node_version.h
2011-04-18 18:58:16 -07:00
Ryan Dahl
bb621f7c2e
CryptoStream.write returns false when queue > 128kb
...
Previously the return value of write was dependent on if it was paused or
not which was causing a strange error demoed in the previous commit.
Fixes #892
2011-04-13 20:32:46 -07:00
Ryan Dahl
050bbf0bc4
TLS use RC4-SHA by default
2011-04-13 18:43:08 -07:00
Theo Schlossnagle
d6f5b8a2a6
allow setting of ciphers in credentials
...
fixes #873
2011-04-13 18:35:39 -07:00