From 1e66668138e09cb763761a53af65ca9d8cc62eab Mon Sep 17 00:00:00 2001 From: Fedor Indutny Date: Thu, 19 May 2016 20:25:05 -0400 Subject: [PATCH] tls: catch `certCbDone` exceptions Catch and emit `certCbDone` exceptions instead of throwing them as `uncaughtException` and crashing the whole process. Fix: https://github.com/nodejs/node/issues/6822 PR-URL: https://github.com/nodejs/node/pull/6887 Reviewed-By: Ben Noordhuis --- lib/_tls_wrap.js | 6 ++- test/parallel/test-tls-empty-sni-context.js | 42 +++++++++++++++++++++ 2 files changed, 47 insertions(+), 1 deletion(-) create mode 100644 test/parallel/test-tls-empty-sni-context.js diff --git a/lib/_tls_wrap.js b/lib/_tls_wrap.js index 5c5370e09c19e0..6acf5e26a65ebf 100644 --- a/lib/_tls_wrap.js +++ b/lib/_tls_wrap.js @@ -184,7 +184,11 @@ function oncertcb(info) { if (!self._handle) return self.destroy(new Error('Socket is closed')); - self._handle.certCbDone(); + try { + self._handle.certCbDone(); + } catch (e) { + self.destroy(e); + } }); }); } diff --git a/test/parallel/test-tls-empty-sni-context.js b/test/parallel/test-tls-empty-sni-context.js new file mode 100644 index 00000000000000..3a1934ba3240c0 --- /dev/null +++ b/test/parallel/test-tls-empty-sni-context.js 
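Review bot: The new `try`/`catch` around `self._handle.certCbDone()` in `oncertcb` has no comment explaining why a native call is guarded, so a later cleanup could remove it and reintroduce the crash. Going by the accompanying test, the call throws when `SNICallback` supplies a context with no certificate, and that path is reached during the handshake of a client that sends a server name, so an escaped exception here is a remotely triggerable process exit. I would add a comment above the `try`: `// certCbDone() throws if the selected context cannot be applied (e.g. no certificate);` `// destroy this socket instead of letting one handshake crash the process.` `oncertcb` starts above the hunk, so whether other `_handle` calls earlier in the callback chain can throw the same way is not visible here and is worth checking.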
@@ -0,0 +1,42 @@
+'use strict';
+
+if (!process.features.tls_sni) {
+ console.log('1..0 # Skipped: node compiled without OpenSSL or ' +
+ 'with old OpenSSL version.');
+ return;
+}
+
+const common = require('../common');
+const assert = require('assert');
+
+if (!common.hasCrypto) {
+ console.log('1..0 # Skipped: missing crypto');
+ return;
+}
+
+const tls = require('tls');
+
+const options = {
+ SNICallback: (name, callback) => {
+ callback(null, tls.createSecureContext());
+ }
+};
+
+const server = tls.createServer(options, (c) => {
+ common.fail('Should not be called');
+}).on('clientError', common.mustCall((err, c) => {
+ assert(/SSL_use_certificate:passed a null parameter/i.test(err.message));
+ server.close();
+})).listen(common.PORT, common.mustCall(() => {
+ const c = tls.connect({
+ port: common.PORT,
+ rejectUnauthorized: false,
+ servername: 'any.name'
+ }, () => {
+ common.fail('Should not be called');
+ });
+
+ c.on('error', common.mustCall((err) => {
+ assert(/socket hang up/.test(err.message));
+ }));
+}));
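Review bot: The `clientError` handler asserts on the literal OpenSSL text `SSL_use_certificate:passed a null parameter`, which ties the regression test to one library's wording rather than to the behaviour being protected. The property that matters is that the failure arrives as a `clientError` on the server instead of an uncaught exception, and `common.mustCall` already enforces that. A build linked against a different OpenSSL version may phrase the error differently and fail this test for an unrelated reason. I would either relax the check to `assert(err instanceof Error);` or keep the regex and add a comment above it: `// Message text comes from OpenSSL; the point is that it surfaces as clientError.` A second, smaller point: the `process.features.tls_sni` skip runs before `require('../common')`, so the skip path exits without loading the common harness.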