Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

Commit 94b765f

Browse filesBrowse files
indutnyrvagg
indutny
authored and
rvagg
committed
tls: fix check for reused session
When TLS Session Ticket is renewed by server - no Certificate record is to the client. We are prepared for empty certificate in this case, but this relies on the session reuse check, which was implemented incorrectly and was returning false when the TLS Session Ticket was renewed. Use session reuse check provided by OpenSSL instead. Fix: #2304 PR-URL: #2312 Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
1 parent e83a41a commit 94b765f
Copy full SHA for 94b765f

File tree

Expand file treeCollapse file tree

2 files changed

+57
-12
lines changed
Open diff view settings
Filter options
Expand file treeCollapse file tree

2 files changed

+57
-12
lines changed
Open diff view settings
Collapse file

‎lib/_tls_wrap.js‎

Copy file name to clipboardExpand all lines: lib/_tls_wrap.js
+1-12Lines changed: 1 addition & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -584,17 +584,6 @@ TLSSocket.prototype._start = function() {
584584
this._handle.start();
585585
};
586586

587-
TLSSocket.prototype._isSessionResumed = function _isSessionResumed(session) {
588-
if (!session)
589-
return false;
590-
591-
var next = this.getSession();
592-
if (!next)
593-
return false;
594-
595-
return next.equals(session);
596-
};
597-
598587
TLSSocket.prototype.setServername = function(name) {
599588
this._handle.setServername(name);
600589
};
@@ -1011,7 +1000,7 @@ exports.connect = function(/* [port, host], options, cb */) {
10111000

10121001
// Verify that server's identity matches it's certificate's names
10131002
// Unless server has resumed our existing session
1014-
if (!verifyError && !socket._isSessionResumed(options.session)) {
1003+
if (!verifyError && !socket.isSessionReused()) {
10151004
var cert = socket.getPeerCertificate();
10161005
verifyError = options.checkServerIdentity(hostname, cert);
10171006
}
Collapse file

‎test/parallel/test-https-resume-after-renew.js‎

Copy file name to clipboard
+56Lines changed: 56 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,56 @@
1+
'use strict';
2+
var common = require('../common');
3+
var fs = require('fs');
4+
var https = require('https');
5+
var crypto = require('crypto');
6+
7+
var options = {
8+
key: fs.readFileSync(common.fixturesDir + '/keys/agent1-key.pem'),
9+
cert: fs.readFileSync(common.fixturesDir + '/keys/agent1-cert.pem'),
10+
ca: fs.readFileSync(common.fixturesDir + '/keys/ca1-cert.pem')
11+
};
12+
13+
var server = https.createServer(options, function(req, res) {
14+
res.end('hello');
15+
});
16+
17+
var aes = new Buffer(16);
18+
aes.fill('S');
19+
var hmac = new Buffer(16);
20+
hmac.fill('H');
21+
22+
server._sharedCreds.context.enableTicketKeyCallback();
23+
server._sharedCreds.context.onticketkeycallback = function(name, iv, enc) {
24+
if (enc) {
25+
var newName = new Buffer(16);
26+
var newIV = crypto.randomBytes(16);
27+
newName.fill('A');
28+
} else {
29+
// Renew
30+
return [ 2, hmac, aes ];
31+
}
32+
33+
return [ 1, hmac, aes, newName, newIV ];
34+
};
35+
36+
server.listen(common.PORT, function() {
37+
var addr = this.address();
38+
39+
function doReq(callback) {
40+
https.request({
41+
method: 'GET',
42+
port: addr.port,
43+
servername: 'agent1',
44+
ca: options.ca
45+
}, function(res) {
46+
res.resume();
47+
res.once('end', callback);
48+
}).end();
49+
}
50+
51+
doReq(function() {
52+
doReq(function() {
53+
server.close();
54+
});
55+
});
56+
});

0 commit comments

Comments
0 (0)
Morty Proxy This is a proxified and sanitized view of the page, visit original site.