
Commit 2e76cd3

committed
TLS: Forward errors to cleartext
But only after control has been inverted.
1 parent 08bec7a commit 2e76cd3

2 files changed

+48
-17
lines changed

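--- a/lib/tls.js
+++ b/lib/tls.js
@@ -551,14 +551,14 @@ function Server(/* [options], listener */) {
 true,
 self.requestCert,
 self.rejectUnauthorized);
-pair.encrypted.pipe(socket);
-socket.pipe(pair.encrypted);
 
-pair.cleartext.socket = socket;
+var cleartext = pipe(pair, socket);
+cleartext._controlReleased = false;
 
 pair.on('secure', function() {
 pair.cleartext.authorized = false;
 if (!self.requestCert) {
+cleartext._controlReleased = true;
 self.emit('secureConnection', pair.cleartext, pair.encrypted);
 } else {
 var verifyError = pair._ssl.verifyError();
@@ -569,10 +569,12 @@ function Server(/* [options], listener */) {
 socket.destroy();
 pair._destroy();
 } else {
+cleartext._controlReleased = true;
 self.emit('secureConnection', pair.cleartext, pair.encrypted);
 }
 } else {
 pair.cleartext.authorized = true;
+cleartext._controlReleased = true;
 self.emit('secureConnection', pair.cleartext, pair.encrypted);
 }
 }
@@ -661,13 +663,7 @@ exports.connect = function(port /* host, options, cb */) {
 
 var pair = new SecurePair(sslcontext, false);
 
-pair.encrypted.pipe(socket);
-socket.pipe(pair.encrypted);
-
-var cleartext = pair.cleartext;
-cleartext.socket = socket;
-cleartext.encrypted = pair.encrypted;
-cleartext.authorized = false;
+var cleartext = pipe(pair, socket);
 
 socket.connect(port, host);
 
@@ -684,5 +680,33 @@ exports.connect = function(port /* host, options, cb */) {
 if (cb) cb();
 });
 
+cleartext._controlReleased = true;
 return cleartext;
 };
+
+
+function pipe(pair, socket) {
+pair.encrypted.pipe(socket);
+socket.pipe(pair.encrypted);
+
+var cleartext = pair.cleartext;
+cleartext.socket = socket;
+cleartext.encrypted = pair.encrypted;
+cleartext.authorized = false;
+
+function onerror(e) {
+if (cleartext._controlReleased) {
+cleartext.emit('error', e);
+}
+}
+
+function onclose() {
+socket.removeListener('error', onerror);
+socket.removeListener('close', onclose);
+}
+
+socket.on('error', onerror);
+socket.on('close', onclose);
+
+return cleartext;
+}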
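Review bot: `onerror` in the new `pipe()` helper discards every socket error that arrives while `_controlReleased` is false, so on the server a failure during the handshake, or after a rejected certificate, leaves no trace for whoever operates the listener. If the drop is intentional, say so at the branch with a comment such as `// Nobody outside holds cleartext yet; handshake-time socket errors are dropped on purpose.` It is also worth checking whether that path should release the pair the way the rejection branch in `Server` does with `pair._destroy()`; whether something else already cleans up cannot be told from these hunks, since `Server` and `exports.connect` both extend outside them. Once control is released, `cleartext.emit('error', e)` throws if the consumer attached no `'error'` listener, which is a behaviour change for existing callers and deserves a line in the commit description or API notes. `pipe()` would also benefit from a short header comment naming the fields it sets (`socket`, `encrypted`, `authorized`) and the `_controlReleased` contract its callers must honour.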

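--- a/test/simple/test-https-simple.js
+++ b/test/simple/test-https-simple.js
@@ -26,17 +26,24 @@ var server = https.createServer(options, function (req, res) {
 res.end(body);
 })
 
-function afterCurl (err, stdout, stderr) {
-if (err) throw err;
-server.close();
-common.error(common.inspect(stdout));
-assert.equal(body, stdout);
-};
 
 server.listen(common.PORT, function () {
 var cmd = 'curl --insecure https://127.0.0.1:' + common.PORT + '/';
 console.error("executing %j", cmd);
-exec(cmd, afterCurl);
+exec(cmd, function(err, stdout, stderr) {
+if (err) throw err;
+common.error(common.inspect(stdout));
+assert.equal(body, stdout);
+
+// Do the same thing now without --insecure
+// The connection should not be accepted.
+var cmd = 'curl https://127.0.0.1:' + common.PORT + '/';
+console.error("executing %j", cmd);
+exec(cmd, function(err, stdout, stderr) {
+assert.ok(err);
+server.close();
+});
+});
 });
 
 process.on('exit', function () {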
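Review bot: `assert.ok(err)` in the inner `exec` callback passes on any curl failure (curl missing from the PATH, a refused connection, a crashed server), not only on the certificate rejection that the comment above it describes. Pinning the exit status would make the check specific: curl typically reports an untrusted peer certificate as exit code 60, so something like `assert.equal(err.code, 60);` (value to be confirmed against the curl builds used in CI) fails when the connection breaks for an unrelated reason. The test also never asserts that the server kept running after the aborted handshake, which is what this commit is about. A third request with `--insecure` before `server.close()` would cover that. The `server.listen` and `process.on('exit')` callbacks continue outside the hunk.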
