Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

doc: for tls.createServer options, providing ctx to SNICallback cb call is optionary. #34085

Closed
1 task done
mkrawczuk opened this issue Jun 27, 2020 · 3 comments
Closed
1 task done
Labels
doc Issues and PRs related to the documentations. tls Issues and PRs related to the tls subsystem.

Comments

@mkrawczuk
Copy link
Contributor

📗 API Reference Docs Problem

Location

tls.createServer -> options -> SNICallback description
Affected URL(s):
https://nodejs.org/api/tls.html#tls_tls_createserver_options_secureconnectionlistener

Problem description

Turns out that ctx is not mandatory when calling cb passed to SNICallback, contrary to what the documentation states. It appears that cb falls back to the server's SecureContext if the second parameter (ctx) is not provided.

I assume this is a documentation bug since such behavior makes sense to me.

Below is a test that proves my point:

'use strict';
const common = require('../common');
if (!common.hasCrypto)
  common.skip('missing crypto');
const fixtures = require('../common/fixtures');
const assert = require('assert');
const tls = require('tls');
const { spawn } = require('child_process');

if (!common.opensslCli)
  common.skip('node compiled without OpenSSL CLI.');

const key = fixtures.readKey('rsa_private.pem');
const cert = fixtures.readKey('rsa_cert.crt');
const options = {
  key,
  cert,
  ca: [cert],
  requestCert: true,
  rejectUnauthorized: false,
  secureProtocol: 'TLS_method',
  // Ensure that the SNICallback is actually called.
  // Notice that 'cb' is called with only one parameter.
  SNICallback: common.mustCall((servername, cb) => cb(null)),
};

const server = tls.createServer(options, function(cleartext) {
  cleartext.on('error', function(er) {
    // We're ok with getting ECONNRESET in this test, but it's
    // timing-dependent, and thus unreliable. Any other errors
    // are just failures, though.
    if (er.code !== 'ECONNRESET')
      throw er;
  });
  cleartext.end('');
});

// Ensure that a secure connection has been estabilished even though here is
// no secure context passed to SNICallback's `cb` call.
server.on('secureConnection', common.mustCall());
// Ensure that a client error does not occur even though there is no secure
// context passed to SNICallback's `cb` call.
server.on('tlsClientError', common.mustNotCall());

server.listen(0, function() {
  const args = [
    's_client',
    '-tls1',
    '-connect', `localhost:${this.address().port}`,
    '-servername', 'hurrmm',
    '-key', fixtures.path('keys/rsa_private.pem'),
    '-cert', fixtures.path('keys/rsa_cert.crt'),
  ];

  function spawnClient() {
    const client = spawn(common.opensslCli, args, {
      stdio: [ 0, 1, 'pipe' ]
    });
    let err = '';
    client.stderr.setEncoding('utf8');
    client.stderr.on('data', function(chunk) {
      err += chunk;
    });

    client.on('exit', common.mustCall(function(code, signal) {
      if (code !== 0) {
        // If SmartOS and connection refused, then retry. See
        // https://github.com/nodejs/node/issues/2663.
        if (common.isSunOS && err.includes('Connection refused')) {
          requestCount = 0;
          spawnClient();
          return;
        }
        assert.fail(`code: ${code}, signal: ${signal}, output: ${err}`);
      }
      assert.strictEqual(code, 0);

      server.close();
    }));
  }

  spawnClient();
});
  • I would like to work on this issue and submit a pull request.
@mkrawczuk mkrawczuk added the doc Issues and PRs related to the documentations. label Jun 27, 2020
@lpinca
Copy link
Member

lpinca commented Jun 27, 2020

If you call the callback with no SecureContext why using it in the first place?

@lpinca lpinca added the tls Issues and PRs related to the tls subsystem. label Jun 27, 2020
@mkrawczuk
Copy link
Contributor Author

@lpinca If you are asking why is cb called inside SNICallback, then it is mandatory - transmission hangs otherwise (see doc).
If you are asking why would anyone register an SNICallback without providing a SecureContext to cb call - then one of the use cases might be for metrics. Someone might be interested in measuring which servernames are requested by clients.

@lpinca
Copy link
Member

lpinca commented Jun 27, 2020

If you are asking why would anyone register an SNICallback without providing a SecureContext to cb call - then one of the use cases might be for metrics.

Yes this was my question.

lpinca added a commit to lpinca/node that referenced this issue Jun 28, 2020
Clarify that the `ctx` argument of the `SNICallback` callback is
optional.

Fixes: nodejs#34085
@jasnell jasnell closed this as completed in d2c8b3e Jul 3, 2020
MylesBorins pushed a commit that referenced this issue Jul 14, 2020
Clarify that the `ctx` argument of the `SNICallback` callback is
optional.

Fixes: #34085

PR-URL: #34097
Reviewed-By: Ujjwal Sharma <[email protected]>
Reviewed-By: Tobias Nießen <[email protected]>
Reviewed-By: Trivikram Kamat <[email protected]>
Reviewed-By: James M Snell <[email protected]>
MylesBorins pushed a commit that referenced this issue Jul 16, 2020
Clarify that the `ctx` argument of the `SNICallback` callback is
optional.

Fixes: #34085

PR-URL: #34097
Reviewed-By: Ujjwal Sharma <[email protected]>
Reviewed-By: Tobias Nießen <[email protected]>
Reviewed-By: Trivikram Kamat <[email protected]>
Reviewed-By: James M Snell <[email protected]>
addaleax pushed a commit that referenced this issue Sep 22, 2020
Clarify that the `ctx` argument of the `SNICallback` callback is
optional.

Fixes: #34085

PR-URL: #34097
Reviewed-By: Ujjwal Sharma <[email protected]>
Reviewed-By: Tobias Nießen <[email protected]>
Reviewed-By: Trivikram Kamat <[email protected]>
Reviewed-By: James M Snell <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
doc Issues and PRs related to the documentations. tls Issues and PRs related to the tls subsystem.
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants