@targos targos commented Dec 13, 2025

This is the same as the original change, minus the process.emitWarning calls and unit tests that expect the deprecation warnings.

Refs: #57643

@nodejs-github-bot

Review requested:

  • @nodejs/crypto
  • @nodejs/net
  • @nodejs/startup

@nodejs-github-bot nodejs-github-bot added lib / src Issues and PRs related to general changes in the lib or src directory. needs-ci PRs that need a full CI run. v24.x Issues that can be reproduced on v24.x or PRs targeting the v24.x-staging branch. labels Dec 13, 2025
targos commented Dec 23, 2025

/cc @dario-piotrowicz

@targos targos added the request-ci Add this label to start a Jenkins CI on a PR. label Jan 1, 2026
@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Jan 1, 2026
targos commented Jan 23, 2026

To be transparent: I rebased, ignored the conflict in lib/_tls_wrap.js (keep full deletion of the code) and reapplied the security fixes by cherry-picking them from the v25.x branch.

codecov bot commented Feb 3, 2026

Codecov Report

❌ Patch coverage is 95.23327% with 94 lines in your changes missing coverage. Please review.
✅ Project coverage is 90.10%. Comparing base (4606233) to head (065c9b0).
⚠️ Report is 7 commits behind head on v24.x-staging.

Files with missing lines Patch % Lines
lib/internal/tls/wrap.js 95.00% 88 Missing and 2 partials ⚠️
lib/internal/tls/common.js 97.43% 4 Missing ⚠️
Additional details and impacted files
@@                Coverage Diff                @@
##           v24.x-staging   #61044      +/-   ##
=================================================
+ Coverage          90.07%   90.10%   +0.03%     
=================================================
  Files                665      667       +2     
  Lines             199008   199019      +11     
  Branches           38909    38911       +2     
=================================================
+ Hits              179247   179335      +88     
+ Misses             12133    12040      -93     
- Partials            7628     7644      +16     
Files with missing lines Coverage Δ
lib/_tls_common.js 100.00% <100.00%> (+2.56%) ⬆️
lib/_tls_wrap.js 100.00% <100.00%> (+5.00%) ⬆️
lib/internal/crypto/x509.js 91.66% <100.00%> (ø)
lib/tls.js 93.10% <100.00%> (ø)
src/node_builtins.cc 79.56% <ø> (-0.25%) ⬇️
lib/internal/tls/common.js 97.43% <97.43%> (ø)
lib/internal/tls/wrap.js 95.00% <95.00%> (ø)

... and 37 files with indirect coverage changes

aduh95 pushed a commit to targos/node that referenced this pull request Feb 4, 2026
This is the same as the original change, minus the `process.emitWarning`
calls and unit tests that expect the deprecation warnings, plus
re-application of the fixes for CVE-2025-59465 and CVE-2026-21637.

Original commit message:
    lib: deprecate _tls_common and _tls_wrap

    runtime deprecate the _tls_common and _tls_wrap
    modules, users should use just node:tls instead
    and internally internal/tls/common and
    internal/tls/wrap should be used instead

PR-URL: nodejs#57643
Backport-PR-URL: nodejs#61044
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
aduh95 pushed a commit to targos/node that referenced this pull request Feb 4, 2026
This prevents the server from crashing due to an unhandled rejection
when a TLSSocket connection is abruptly destroyed during initialization
and the user has not attached an error handler to the socket.
e.g:

```js
const server = http2.createSecureServer({ ... })
server.on('secureConnection', socket => {
  socket.on('error', err => {
    console.log(err)
  })
})
```

PR-URL: nodejs-private/node-private#750
Backport-PR-URL: nodejs#61044
Fixes: nodejs#44751
Refs: https://hackerone.com/bugs?subject=nodejs&report_id=3262404
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
CVE-ID: CVE-2025-59465
Refs: nodejs#57643
aduh95 pushed a commit to targos/node that referenced this pull request Feb 4, 2026
Wrap pskCallback and ALPNCallback invocations in try-catch blocks
to route exceptions through owner.destroy() instead of letting them
become uncaught exceptions. This prevents remote attackers from
crashing TLS servers or causing resource exhaustion.

Fixes: https://hackerone.com/reports/3473882
PR-URL: nodejs-private/node-private#782
Backport-PR-URL: nodejs#61044
CVE-ID: CVE-2026-21637
Refs: nodejs#57643
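
The fix described in the commit message above lives inside Node.js. The following added example (not code from this PR or from Node.js) applies the same fail-closed idea in application code, for servers that pass their own `ALPNCallback` or `pskCallback`. The `failClosed` helper, the `selectAlpn` and `lookupPsk` callbacks and the sample key are hypothetical; the reject values (`undefined` for ALPN, `null` for PSK) follow the documented callback contracts.

```javascript
'use strict';

// Added example (not Node.js source): fail-closed wrappers for the two
// user-supplied TLS server callbacks named in the commit message.
// Reject values follow the documented callback contracts:
//   ALPNCallback -> undefined (handshake rejected with a fatal alert)
//   pskCallback  -> null      (PSK negotiation stopped)

const rejected = []; // hypothetical in-memory audit trail; swap for a real logger

function failClosed(name, callback, rejectValue, isValid) {
  return function guarded(...args) {
    try {
      const result = callback.apply(this, args);
      if (result === rejectValue || isValid(result, ...args)) return result;
      rejected.push({ name, reason: 'invalid result' });
    } catch (err) {
      // The exception stays inside the callback instead of reaching the process.
      rejected.push({ name, reason: err.message });
    }
    return rejectValue;
  };
}

// Hypothetical application callbacks, each with a bug reachable from client input.
const KEYS = new Map([['device-1', Buffer.alloc(32, 1)]]); // constructed sample key
function selectAlpn({ servername, protocols }) {
  if (servername.endsWith('.internal')) return 'h2'; // throws if servername is not a string
  return protocols.includes('http/1.1') ? 'http/1.1' : undefined;
}
function lookupPsk(socket, identity) {
  return KEYS.get(identity).subarray(0, 32); // throws for an unknown identity
}

// Options to spread into tls.createServer({ ...certOptions, ...guardedOptions }).
const guardedOptions = {
  ALPNCallback: failClosed('ALPNCallback', selectAlpn, undefined,
    (proto, { protocols }) => protocols.includes(proto)),
  pskCallback: failClosed('pskCallback', lookupPsk, null,
    (key) => ArrayBuffer.isView(key)),
};
```

Each rejected handshake leaves an entry in `rejected`, which gives a per-connection signal to alert on when a client repeatedly triggers the failing path.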
dario-piotrowicz and others added 3 commits February 4, 2026 12:22
This is the same as the original change, minus the `process.emitWarning`
calls and unit tests that expect the deprecation warnings, plus
re-application of the fixes for CVE-2025-59465 and CVE-2026-21637.

Original commit message:
    lib: deprecate _tls_common and _tls_wrap

    runtime deprecate the _tls_common and _tls_wrap
    modules, users should use just node:tls instead
    and internally internal/tls/common and
    internal/tls/wrap should be used instead

PR-URL: nodejs#57643
Backport-PR-URL: nodejs#61044
Co-authored-by: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
@aduh95 aduh95 merged commit 065c9b0 into nodejs:v24.x-staging Feb 4, 2026
19 of 20 checks passed
aduh95 commented Feb 4, 2026

Landed in 736dce3...065c9b0
