Skip to content

Commit

Permalink
tls: do not crash on STARTTLS when OCSP requested
Browse files Browse the repository at this point in the history
`TLSSocket` should not have a hard dependency on `tls.Server`, since it
may be running without it in cases like `STARTTLS`.

Fix: #10704
PR-URL: #10706
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
  • Loading branch information
indutny authored and addaleax committed Feb 22, 2017
1 parent d301367 commit f37ab79
Show file tree
Hide file tree
Showing 2 changed files with 60 additions and 0 deletions.
7 changes: 7 additions & 0 deletions lib/_tls_wrap.js
Original file line number Diff line number Diff line change
Expand Up @@ -110,6 +110,13 @@ function requestOCSP(self, hello, ctx, cb) {

if (!ctx)
ctx = self.server._sharedCreds;

// TLS socket is using a `net.Server` instead of a tls.TLSServer.
// Some TLS properties like `server._sharedCreds` will not be present
if (!ctx)
return cb(null);

// TODO(indutny): eventually disallow raw `SecureContext`
if (ctx.context)
ctx = ctx.context;

Expand Down
53 changes: 53 additions & 0 deletions test/parallel/test-tls-starttls-server.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,53 @@
'use strict';

// Test asynchronous SNI+OCSP on TLSSocket created with `server` set to
// `net.Server` instead of `tls.Server`

const common = require('../common');

if (!common.hasCrypto) {
common.skip('missing crypto');
return;
}

const assert = require('assert');
const fs = require('fs');
const net = require('net');
const tls = require('tls');

const key = fs.readFileSync(common.fixturesDir + '/keys/agent1-key.pem');
const cert = fs.readFileSync(common.fixturesDir + '/keys/agent1-cert.pem');

const server = net.createServer(common.mustCall((s) => {
const tlsSocket = new tls.TLSSocket(s, {
isServer: true,
server: server,

secureContext: tls.createSecureContext({
key: key,
cert: cert
}),

SNICallback: common.mustCall((hostname, callback) => {
assert.strictEqual(hostname, 'test.test');

callback(null, null);
})
});

tlsSocket.on('secure', common.mustCall(() => {
tlsSocket.end();
server.close();
}));
})).listen(0, () => {
const opts = {
servername: 'test.test',
port: server.address().port,
rejectUnauthorized: false,
requestOCSP: true
};

tls.connect(opts, function() {
this.end();
});
});

0 comments on commit f37ab79

Please sign in to comment.