From 2e76cd382ff9bc413aa686c5ecae87650a5e9bb1 Mon Sep 17 00:00:00 2001
From: Ryan Dahl
Date: Fri, 7 Jan 2011 10:57:39 -0800
Subject: [PATCH] TLS: Forward errors to cleartext
But only after control has been inverted.
---
 lib/tls.js | 44 ++++++++++++++++++++++++--------
 test/simple/test-https-simple.js | 21 ++++++++++-----
 2 files changed, 48 insertions(+), 17 deletions(-)
diff --git a/lib/tls.js b/lib/tls.js
index 3dc1ca77b2..4324038cd4 100644
--- a/lib/tls.js
+++ b/lib/tls.js
@@ -551,14 +551,14 @@ function Server(/* [options], listener */) {
 true, self.requestCert, self.rejectUnauthorized);
- pair.encrypted.pipe(socket);
- socket.pipe(pair.encrypted);
- pair.cleartext.socket = socket;
+ var cleartext = pipe(pair, socket);
+ cleartext._controlReleased = false;
 pair.on('secure', function() {
 pair.cleartext.authorized = false;
 if (!self.requestCert) {
+ cleartext._controlReleased = true;
 self.emit('secureConnection', pair.cleartext, pair.encrypted);
 } else {
 var verifyError = pair._ssl.verifyError();
@@ -569,10 +569,12 @@ function Server(/* [options], listener */) {
 socket.destroy();
 pair._destroy();
 } else {
+ cleartext._controlReleased = true;
 self.emit('secureConnection', pair.cleartext, pair.encrypted);
 }
 } else {
 pair.cleartext.authorized = true;
+ cleartext._controlReleased = true;
 self.emit('secureConnection', pair.cleartext, pair.encrypted);
 }
 }
@@ -661,13 +663,7 @@ exports.connect = function(port /* host, options, cb */) {
 var pair = new SecurePair(sslcontext, false);
- pair.encrypted.pipe(socket);
- socket.pipe(pair.encrypted);
-
- var cleartext = pair.cleartext;
- cleartext.socket = socket;
- cleartext.encrypted = pair.encrypted;
- cleartext.authorized = false;
+ var cleartext = pipe(pair, socket);
 socket.connect(port, host);
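Review bot: The line `cleartext._controlReleased = true;` is pasted in front of every `self.emit('secureConnection', pair.cleartext, pair.encrypted);` in this hunk and again twice in the next hunk (-569), so the flag and the emit can drift apart the next time a branch is added. A small local helper inside the 'secure' handler, e.g. `function release() { cleartext._controlReleased = true; self.emit('secureConnection', pair.cleartext, pair.encrypted); }`, would keep "hand the stream to the user" and "start forwarding socket errors to it" as one step in all three branches. The 'secure' handler and the enclosing Server function both continue outside this hunk.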
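Review bot: connect() never initialises `_controlReleased`; it only works because an unset property is falsy inside onerror, whereas the Server path in the -551 hunk sets `cleartext._controlReleased = false;` explicitly, so the two entry points start from different states. Since both now go through `pipe(pair, socket)`, the cleaner fix is to initialise it there, next to `cleartext.authorized = false;`, with `cleartext._controlReleased = false;`, and drop the explicit assignment from Server. The body of exports.connect continues outside this hunk.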
@@ -684,5 +680,33 @@ exports.connect = function(port /* host, options, cb */) {
 if (cb) cb();
 });
+ cleartext._controlReleased = true;
 return cleartext;
 };
+
+
+function pipe(pair, socket) {
+ pair.encrypted.pipe(socket);
+ socket.pipe(pair.encrypted);
+
+ var cleartext = pair.cleartext;
+ cleartext.socket = socket;
+ cleartext.encrypted = pair.encrypted;
+ cleartext.authorized = false;
+
+ function onerror(e) {
+ if (cleartext._controlReleased) {
+ cleartext.emit('error', e);
+ }
+ }
+
+ function onclose() {
+ socket.removeListener('error', onerror);
+ socket.removeListener('close', onclose);
+ }
+
+ socket.on('error', onerror);
+ socket.on('close', onclose);
+
+ return cleartext;
+}
diff --git a/test/simple/test-https-simple.js b/test/simple/test-https-simple.js
index a90c0269e6..08de464cc9 100644
--- a/test/simple/test-https-simple.js
+++ b/test/simple/test-https-simple.js
@@ -26,17 +26,24 @@ var server = https.createServer(options, function (req, res) {
 res.end(body);
 })
-function afterCurl (err, stdout, stderr) {
- if (err) throw err;
- server.close();
- common.error(common.inspect(stdout));
- assert.equal(body, stdout);
-};
 server.listen(common.PORT, function () {
 var cmd = 'curl --insecure https://127.0.0.1:' + common.PORT + '/';
 console.error("executing %j", cmd);
- exec(cmd, afterCurl);
+ exec(cmd, function(err, stdout, stderr) {
+ if (err) throw err;
+ common.error(common.inspect(stdout));
+ assert.equal(body, stdout);
+
+ // Do the same thing now without --insecure
+ // The connection should not be accepted.
+ var cmd = 'curl https://127.0.0.1:' + common.PORT + '/';
+ console.error("executing %j", cmd);
+ exec(cmd, function(err, stdout, stderr) {
+ assert.ok(err);
+ server.close();
+ });
+ });
 });
 process.on('exit', function () {
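Review bot: `onerror` in pipe() silently discards any socket error that arrives while `_controlReleased` is false, and in the Server path that is every error before the 'secure' event fires; nothing in this hunk tears down `pair` in that case, and `onclose` only detaches the two listeners, so a peer that drops the connection mid-handshake leaves the SecurePair's cleanup to code I cannot see from here. If `pair._destroy()` (the call the server's reject branch already uses) is the intended cleanup, add it as the `else` branch of that `if`; if pre-release errors are meant to be dropped, say so in a comment. The new function also has no header comment explaining the flag; something like `// Wires pair <-> socket and hands back pair.cleartext. Socket errors are re-emitted on cleartext only once the caller sets _controlReleased, i.e. after the user has had a chance to attach an 'error' listener.` above `function pipe(pair, socket)` would make the contract visible to the two callers.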
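Review bot: The negative case only checks `assert.ok(err)`, so any reason curl exits non-zero (binary missing, wrong usage, port already in use) passes the test, and it does not actually show that the self-signed certificate was rejected. Adding `assert.equal(stdout, '');` after `assert.ok(err);` at least pins that no body was received, which is what the comment "The connection should not be accepted" claims. Separately, the inner `var cmd` shadows the outer `cmd` of the listen callback; giving it its own name (e.g. `var insecureCmd`) keeps the two invocations distinguishable in the console.error output.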