Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

tls: fix negative sessionTimeout handling #53002

Merged

Conversation

tniessen
Copy link
Member

For historical reasons, the second argument of SSL_CTX_set_timeout is a signed integer, and Node.js has so far passed arbitrary (signed) int32_t values. However, new versions of OpenSSL have changed the handling of negative values inside SSL_CTX_set_timeout, and we should shield users of Node.js from both the old and the new behavior. Hence, reject any negative values by throwing an error from within createSecureContext.

Refs: openssl/openssl#19082

For historical reasons, the second argument of SSL_CTX_set_timeout is a
signed integer, and Node.js has so far passed arbitrary (signed) int32_t
values. However, new versions of OpenSSL have changed the handling of
negative values inside SSL_CTX_set_timeout, and we should shield users
of Node.js from both the old and the new behavior. Hence, reject any
negative values by throwing an error from within createSecureContext.

Refs: openssl/openssl#19082
@tniessen tniessen added tls Issues and PRs related to the tls subsystem. openssl Issues and PRs related to the OpenSSL dependency. labels May 15, 2024
@nodejs-github-bot nodejs-github-bot added c++ Issues and PRs that require attention from people who are familiar with C++. crypto Issues and PRs related to the crypto subsystem. needs-ci PRs that need a full CI run. labels May 15, 2024
@tniessen tniessen added review wanted PRs that need reviews. request-ci Add this label to start a Jenkins CI on a PR. labels May 17, 2024
@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label May 17, 2024
@nodejs-github-bot

This comment was marked as outdated.

@nodejs-github-bot

This comment was marked as outdated.

@nodejs-github-bot
Copy link
Collaborator

@tniessen
Copy link
Member Author

cc @nodejs/crypto

@pimterry pimterry added author ready PRs that have at least one approval, no pending requests for changes, and a CI started. commit-queue Add this label to land a pull request using GitHub Actions. labels May 18, 2024
@nodejs-github-bot nodejs-github-bot removed the commit-queue Add this label to land a pull request using GitHub Actions. label May 18, 2024
@nodejs-github-bot nodejs-github-bot merged commit 559212e into nodejs:main May 18, 2024
78 checks passed
@nodejs-github-bot
Copy link
Collaborator

Landed in 559212e

targos pushed a commit that referenced this pull request May 21, 2024
For historical reasons, the second argument of SSL_CTX_set_timeout is a
signed integer, and Node.js has so far passed arbitrary (signed) int32_t
values. However, new versions of OpenSSL have changed the handling of
negative values inside SSL_CTX_set_timeout, and we should shield users
of Node.js from both the old and the new behavior. Hence, reject any
negative values by throwing an error from within createSecureContext.

Refs: openssl/openssl#19082
PR-URL: #53002
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Tim Perry <[email protected]>
@RafaelGSS RafaelGSS mentioned this pull request Jun 7, 2024
sophoniie pushed a commit to sophoniie/node that referenced this pull request Jun 20, 2024
For historical reasons, the second argument of SSL_CTX_set_timeout is a
signed integer, and Node.js has so far passed arbitrary (signed) int32_t
values. However, new versions of OpenSSL have changed the handling of
negative values inside SSL_CTX_set_timeout, and we should shield users
of Node.js from both the old and the new behavior. Hence, reject any
negative values by throwing an error from within createSecureContext.

Refs: openssl/openssl#19082
PR-URL: nodejs#53002
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Tim Perry <[email protected]>
bmeck pushed a commit to bmeck/node that referenced this pull request Jun 22, 2024
For historical reasons, the second argument of SSL_CTX_set_timeout is a
signed integer, and Node.js has so far passed arbitrary (signed) int32_t
values. However, new versions of OpenSSL have changed the handling of
negative values inside SSL_CTX_set_timeout, and we should shield users
of Node.js from both the old and the new behavior. Hence, reject any
negative values by throwing an error from within createSecureContext.

Refs: openssl/openssl#19082
PR-URL: nodejs#53002
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Tim Perry <[email protected]>
marco-ippolito pushed a commit that referenced this pull request Jul 19, 2024
For historical reasons, the second argument of SSL_CTX_set_timeout is a
signed integer, and Node.js has so far passed arbitrary (signed) int32_t
values. However, new versions of OpenSSL have changed the handling of
negative values inside SSL_CTX_set_timeout, and we should shield users
of Node.js from both the old and the new behavior. Hence, reject any
negative values by throwing an error from within createSecureContext.

Refs: openssl/openssl#19082
PR-URL: #53002
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Tim Perry <[email protected]>
marco-ippolito pushed a commit that referenced this pull request Jul 19, 2024
For historical reasons, the second argument of SSL_CTX_set_timeout is a
signed integer, and Node.js has so far passed arbitrary (signed) int32_t
values. However, new versions of OpenSSL have changed the handling of
negative values inside SSL_CTX_set_timeout, and we should shield users
of Node.js from both the old and the new behavior. Hence, reject any
negative values by throwing an error from within createSecureContext.

Refs: openssl/openssl#19082
PR-URL: #53002
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Tim Perry <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
author ready PRs that have at least one approval, no pending requests for changes, and a CI started. c++ Issues and PRs that require attention from people who are familiar with C++. crypto Issues and PRs related to the crypto subsystem. needs-ci PRs that need a full CI run. openssl Issues and PRs related to the OpenSSL dependency. review wanted PRs that need reviews. tls Issues and PRs related to the tls subsystem.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants