tls: add tlsSocket.disableRenegotiation()
Allows TLS renegotiation to be disabled per `TLSSocket` instance. Per HTTP/2, TLS renegotiation is forbidden after the initial connection prefix is exchanged. PR-URL: #14239 Reviewed-By: Anna Henningsen <[email protected]> Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Matteo Collina <[email protected]>
Showing
3 changed files
with
85 additions
and
0 deletions.
@@ -0,0 +1,67 @@ | ||
'use strict'; | ||
const common = require('../common'); | ||
const assert = require('assert'); | ||
const fs = require('fs'); | ||
|
||
// Tests that calling disableRenegotiation on a TLSSocket stops renegotiation. | ||
|
||
if (!common.hasCrypto) { | ||
common.skip('missing crypto'); | ||
return; | ||
} | ||
const tls = require('tls'); | ||
|
||
const options = { | ||
key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`), | ||
cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`) | ||
}; | ||
|
||
const server = tls.Server(options, common.mustCall((socket) => { | ||
socket.on('error', common.mustCall((err) => { | ||
assert.strictEqual( | ||
err.message, | ||
'TLS session renegotiation disabled for this socket'); | ||
socket.destroy(); | ||
server.close(); | ||
})); | ||
// Disable renegotiation after the first chunk of data received. | ||
// Demonstrates that renegotiation works successfully up until | ||
// disableRenegotiation is called. | ||
socket.on('data', common.mustCall((chunk) => { | ||
socket.write(chunk); | ||
socket.disableRenegotiation(); | ||
})); | ||
socket.on('secure', common.mustCall(() => { | ||
assert(socket._handle.handshakes < 2, | ||
`Too many handshakes [${socket._handle.handshakes}]`); | ||
})); | ||
})); | ||
|
||
|
||
server.listen(0, common.mustCall(() => { | ||
const port = server.address().port; | ||
const client = | ||
tls.connect({rejectUnauthorized: false, port: port}, common.mustCall(() => { | ||
client.write(''); | ||
// Negotiation is still permitted for this first | ||
// attempt. This should succeed. | ||
client.renegotiate( | ||
{rejectUnauthorized: false}, | ||
common.mustCall(() => { | ||
// Once renegotiation completes, we write some | ||
// data to the socket, which triggers the on | ||
// data event on the server. After that data | ||
// is received, disableRenegotiation is called. | ||
client.write('data', common.mustCall(() => { | ||
client.write(''); | ||
// This second renegotiation attempt should fail | ||
// and the callback should never be invoked. The | ||
// server will simply drop the connection after | ||
// emitting the error. | ||
client.renegotiate( | ||
{rejectUnauthorized: false}, | ||
common.mustNotCall()); | ||
})); | ||
})); | ||
})); | ||
})); |
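Review bot: The client socket created in the `tls.connect` callback has no `'error'` or `'close'` listener, so the test checks the refused renegotiation only from the server side. The comment before the second `client.renegotiate()` says the server drops the connection, but nothing asserts that the client actually observes the close, and if the teardown surfaces on the client as an `'error'` event it would be unhandled. Consider adding `client.on('close', common.mustCall(() => {}));` and an explicit `client.on('error', ...)` handler that records the expected outcome. Separately, the `'secure'` handler reads `socket._handle.handshakes`, which looks like an internal field; a short comment explaining why `< 2` is the expected bound would help the next reader.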