1berry/nodejs
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

tls: requestCert unusable with Firefox and Chrome

Browse Source 
Fixes #1516.
This commit is contained in:
koichik 2011-09-21 13:19:22 +09:00
parent a09b747f30
commit 19a855382c
6 changed files with 129 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
doc/api/tls.markdown
View File

@ -171,6 +171,9 @@ has these possibilities:
SecureContext). If `SNICallback` wasn't provided - default callback with SecureContext). If `SNICallback` wasn't provided - default callback with
high-level API will be used (see below). high-level API will be used (see below).
- `sessionIdContext`: A string containing a opaque identifier for session
resumption. If `requestCert` is `true`, the default is MD5 hash value
generated from command-line. Otherwise, the default is not provided.
#### Event: 'secureConnection' #### Event: 'secureConnection'

4
lib/crypto.js
View File

@ -104,6 +104,10 @@ exports.createCredentials = function(options, context) {
} }
} }
if (options.sessionIdContext) {
c.context.setSessionIdContext(options.sessionIdContext);
}
return c; return c;
}; };

10
lib/tls.js
View File

@ -803,7 +803,8 @@ function Server(/* [options], listener */) {
ciphers: self.ciphers, ciphers: self.ciphers,
secureProtocol: self.secureProtocol, secureProtocol: self.secureProtocol,
secureOptions: self.secureOptions, secureOptions: self.secureOptions,
crl: self.crl crl: self.crl,
sessionIdContext: self.sessionIdContext
}); });
sharedCreds.context.setCiphers('RC4-SHA:AES128-SHA:AES256-SHA'); sharedCreds.context.setCiphers('RC4-SHA:AES128-SHA:AES256-SHA');
@ -892,6 +893,13 @@ Server.prototype.setOptions = function(options) {
} else { } else {
this.SNICallback = this.SNICallback.bind(this); this.SNICallback = this.SNICallback.bind(this);
} }
if (options.sessionIdContext) {
this.sessionIdContext = options.sessionIdContext;
} else if (this.requestCert) {
this.sessionIdContext = crypto.createHash('md5')
.update(process.argv.join(' '))
.digest('hex');
}
}; };
// SNI Contexts High-Level API // SNI Contexts High-Level API

34
src/node_crypto.cc
View File

@ -93,6 +93,8 @@ void SecureContext::Initialize(Handle<Object> target) {
NODE_SET_PROTOTYPE_METHOD(t, "addRootCerts", SecureContext::AddRootCerts); NODE_SET_PROTOTYPE_METHOD(t, "addRootCerts", SecureContext::AddRootCerts);
NODE_SET_PROTOTYPE_METHOD(t, "setCiphers", SecureContext::SetCiphers); NODE_SET_PROTOTYPE_METHOD(t, "setCiphers", SecureContext::SetCiphers);
NODE_SET_PROTOTYPE_METHOD(t, "setOptions", SecureContext::SetOptions); NODE_SET_PROTOTYPE_METHOD(t, "setOptions", SecureContext::SetOptions);
NODE_SET_PROTOTYPE_METHOD(t, "setSessionIdContext",
SecureContext::SetSessionIdContext);
NODE_SET_PROTOTYPE_METHOD(t, "close", SecureContext::Close); NODE_SET_PROTOTYPE_METHOD(t, "close", SecureContext::Close);
target->Set(String::NewSymbol("SecureContext"), t->GetFunction()); target->Set(String::NewSymbol("SecureContext"), t->GetFunction());
@ -474,6 +476,38 @@ Handle<Value> SecureContext::SetOptions(const Arguments& args) {
return True(); return True();
} }
Handle<Value> SecureContext::SetSessionIdContext(const Arguments& args) {
HandleScope scope;
SecureContext *sc = ObjectWrap::Unwrap<SecureContext>(args.Holder());
if (args.Length() != 1 || !args[0]->IsString()) {
return ThrowException(Exception::TypeError(String::New("Bad parameter")));
}
String::Utf8Value sessionIdContext(args[0]->ToString());
const unsigned char* sid_ctx = (const unsigned char*) *sessionIdContext;
unsigned int sid_ctx_len = sessionIdContext.length();
int r = SSL_CTX_set_session_id_context(sc->ctx_, sid_ctx, sid_ctx_len);
if (r != 1) {
Local<String> message;
BIO* bio;
BUF_MEM* mem;
if ((bio = BIO_new(BIO_s_mem()))) {
ERR_print_errors(bio);
BIO_get_mem_ptr(bio, &mem);
message = String::New(mem->data, mem->length);
BIO_free(bio);
} else {
message = String::New("SSL_CTX_set_session_id_context error");
}
return ThrowException(Exception::TypeError(message));
}
return True();
}
Handle<Value> SecureContext::Close(const Arguments& args) { Handle<Value> SecureContext::Close(const Arguments& args) {
HandleScope scope; HandleScope scope;
SecureContext *sc = ObjectWrap::Unwrap<SecureContext>(args.Holder()); SecureContext *sc = ObjectWrap::Unwrap<SecureContext>(args.Holder());

1
src/node_crypto.h
View File

@ -66,6 +66,7 @@ class SecureContext : ObjectWrap {
static v8::Handle<v8::Value> AddRootCerts(const v8::Arguments& args); static v8::Handle<v8::Value> AddRootCerts(const v8::Arguments& args);
static v8::Handle<v8::Value> SetCiphers(const v8::Arguments& args); static v8::Handle<v8::Value> SetCiphers(const v8::Arguments& args);
static v8::Handle<v8::Value> SetOptions(const v8::Arguments& args); static v8::Handle<v8::Value> SetOptions(const v8::Arguments& args);
static v8::Handle<v8::Value> SetSessionIdContext(const v8::Arguments& args);
static v8::Handle<v8::Value> Close(const v8::Arguments& args); static v8::Handle<v8::Value> Close(const v8::Arguments& args);
SecureContext() : ObjectWrap() { SecureContext() : ObjectWrap() {

78
test/simple/test-tls-session-cache.js Normal file
View File

@ -0,0 +1,78 @@
// Copyright Joyent, Inc. and other Node contributors.
//
// Permission is hereby granted, free of charge, to any person obtaining a
// copy of this software and associated documentation files (the
// "Software"), to deal in the Software without restriction, including
// without limitation the rights to use, copy, modify, merge, publish,
// distribute, sublicense, and/or sell copies of the Software, and to permit
// persons to whom the Software is furnished to do so, subject to the
// following conditions:
//
// The above copyright notice and this permission notice shall be included
// in all copies or substantial portions of the Software.
//
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
// OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
// NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
// DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
// USE OR OTHER DEALINGS IN THE SOFTWARE.
if (!process.versions.openssl) {
console.error("Skipping because node compiled without OpenSSL.");
process.exit(0);
}
require('child_process').exec('openssl version', function(err) {
if (err !== null) {
console.error("Skipping because openssl command is not available.");
process.exit(0);
}
doTest();
});
function doTest() {
var common = require('../common');
var assert = require('assert');
var tls = require('tls');
var fs = require('fs');
var join = require('path').join;
var spawn = require('child_process').spawn;
var keyFile = join(common.fixturesDir, 'agent.key');
var certFile = join(common.fixturesDir, 'agent.crt');
var key = fs.readFileSync(keyFile);
var cert = fs.readFileSync(certFile);
var options = {
key: key,
cert: cert,
ca: [ cert ],
requestCert: true
};
var requestCount = 0;
var server = tls.createServer(options, function(cleartext) {
++requestCount;
cleartext.end();
});
server.listen(common.PORT, function() {
var client = spawn('openssl', [
's_client',
'-connect', 'localhost:' + common.PORT,
'-key', join(common.fixturesDir, 'agent.key'),
'-cert', join(common.fixturesDir, 'agent.crt'),
'-reconnect'
], {
customFds: [0, 1, 2]
});
client.on('exit', function(code) {
assert.equal(code, 0);
server.close();
});
});
process.on('exit', function() {
// initial request + reconnect requests (5 times)
assert.equal(requestCount, 6);
});
}