tls,cli: add --trace-tls command-line flag

This commit adds a --trace-tls command-line flag. The purpose is to enable tracing of TLS connections without the need to modify existing application code. PR-URL: https://github.com/nodejs/node/pull/27497 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Rich Trott <rtrott@gmail.com>
2019-04-30 12:19:10 -04:00 · 2019-04-30 12:19:10 -04:00 · 495822f544
commit 495822f544
parent c6a2fdf3aa
6 changed files with 89 additions and 2 deletions
--- a/doc/api/cli.md
+++ b/doc/api/cli.md
@ -632,6 +632,14 @@ added: v2.1.0
 Prints a stack trace whenever synchronous I/O is detected after the first turn
 of the event loop.

+### `--trace-tls`
+<!-- YAML
+added: REPLACEME
+-->
+
+Prints TLS packet trace information to `stderr`. This can be used to debug TLS
+connection problems.
+
 ### `--trace-warnings`
 <!-- YAML
 added: v6.0.0
@ -889,6 +897,7 @@ Node.js options that are allowed are:
 - `--trace-event-file-pattern`
 - `--trace-events-enabled`
 - `--trace-sync-io`
+- `--trace-tls`
 - `--trace-warnings`
 - `--track-heap-objects`
 - `--unhandled-rejections`
--- a/doc/node.1
+++ b/doc/node.1
@ -302,6 +302,9 @@ Enable the collection of trace event tracing information.
 .It Fl -trace-sync-io
 Print a stack trace whenever synchronous I/O is detected after the first turn of the event loop.
 .
+.It Fl -trace-tls
+Prints TLS packet trace information to stderr.
+.
 .It Fl -trace-warnings
 Print stack traces for process warnings (including deprecations).
 .
--- a/lib/_tls_wrap.js
+++ b/lib/_tls_wrap.js
@ -56,7 +56,9 @@ const {
  ERR_TLS_SESSION_ATTACK,
  ERR_TLS_SNI_FROM_SERVER
 } = require('internal/errors').codes;
+const { getOptionValue } = require('internal/options');
 const { validateString } = require('internal/validators');
+const traceTls = getOptionValue('--trace-tls');
 const kConnectOptions = Symbol('connect-options');
 const kDisableRenegotiation = Symbol('disable-renegotiation');
 const kErrorEmitted = Symbol('error-emitted');
@ -68,6 +70,7 @@ const kEnableTrace = Symbol('enableTrace');
 const noop = () => {};

 let ipServernameWarned = false;
+let tlsTracingWarned = false;

 // Server side times how long a handshake is taking to protect against slow
 // handshakes being used for DoS.
@ -343,9 +346,17 @@ function initRead(tlsSocket, socket) {

 function TLSSocket(socket, opts) {
  const tlsOptions = { ...opts };
-  const enableTrace = tlsOptions.enableTrace;
+  let enableTrace = tlsOptions.enableTrace;

-  if (typeof enableTrace !== 'boolean' && enableTrace != null) {
+  if (enableTrace == null) {
+    enableTrace = traceTls;
+
+    if (enableTrace && !tlsTracingWarned) {
+      tlsTracingWarned = true;
+      process.emitWarning('Enabling --trace-tls can expose sensitive data in ' +
+                          'the resulting log.');
+    }
+  } else if (typeof enableTrace !== 'boolean') {
    throw new ERR_INVALID_ARG_TYPE(
      'options.enableTrace', 'boolean', enableTrace);
  }
--- a/src/node_options.cc
+++ b/src/node_options.cc
@ -373,6 +373,10 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() {
            "first tick",
            &EnvironmentOptions::trace_sync_io,
            kAllowedInEnvironment);
+  AddOption("--trace-tls",
+            "prints TLS packet trace information to stderr",
+            &EnvironmentOptions::trace_tls,
+            kAllowedInEnvironment);
  AddOption("--trace-warnings",
            "show stack traces on process warnings",
            &EnvironmentOptions::trace_warnings,
--- a/src/node_options.h
+++ b/src/node_options.h
@ -118,6 +118,7 @@ class EnvironmentOptions : public Options {
  bool throw_deprecation = false;
  bool trace_deprecation = false;
  bool trace_sync_io = false;
+  bool trace_tls = false;
  bool trace_warnings = false;
  std::string unhandled_rejections;
  std::string userland_loader;
--- a/test/parallel/test-tls-enable-trace-cli.js
+++ b/test/parallel/test-tls-enable-trace-cli.js
@ -0,0 +1,59 @@
+// Flags: --expose-internals
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto) common.skip('missing crypto');
+const fixtures = require('../common/fixtures');
+
+// Test --trace-tls CLI flag.
+
+const assert = require('assert');
+const { fork } = require('child_process');
+
+if (process.argv[2] === 'test')
+  return test();
+
+const binding = require('internal/test/binding').internalBinding;
+
+if (!binding('tls_wrap').HAVE_SSL_TRACE)
+  return common.skip('no SSL_trace() compiled into openssl');
+
+const child = fork(__filename, ['test'], {
+  silent: true,
+  execArgv: ['--trace-tls']
+});
+
+let stderr = '';
+child.stderr.setEncoding('utf8');
+child.stderr.on('data', (data) => stderr += data);
+child.on('close', common.mustCall(() => {
+  assert(/Warning: Enabling --trace-tls can expose sensitive/.test(stderr));
+  assert(/Received Record/.test(stderr));
+  assert(/ClientHello/.test(stderr));
+}));
+
+// For debugging and observation of actual trace output.
+child.stderr.pipe(process.stderr);
+child.stdout.pipe(process.stdout);
+
+child.on('exit', common.mustCall((code) => {
+  assert.strictEqual(code, 0);
+}));
+
+function test() {
+  const {
+    connect, keys
+  } = require(fixtures.path('tls-connect'));
+
+  connect({
+    client: {
+      checkServerIdentity: (servername, cert) => { },
+      ca: `${keys.agent1.cert}\n${keys.agent6.ca}`,
+    },
+    server: {
+      cert: keys.agent6.cert,
+      key: keys.agent6.key
+    },
+  }, common.mustCall((err, pair, cleanup) => {
+    return cleanup();
+  }));
+}