From 68cc173c6d2cde4f1869b24ec3bc690ef34da7ad Mon Sep 17 00:00:00 2001 From: koichik Date: Sat, 15 Oct 2011 19:27:21 +0900 Subject: [PATCH] tls: The TLS API is inconsistent with the TCP API Add 'secureConnect' event to tls.CleartextStream. Fixes #1467. --- doc/api/tls.markdown | 25 +++++++---- lib/tls.js | 5 ++- test/simple/test-tls-connect-simple.js | 57 ++++++++++++++++++++++++++ 3 files changed, 77 insertions(+), 10 deletions(-) create mode 100644 test/simple/test-tls-connect-simple.js diff --git a/doc/api/tls.markdown b/doc/api/tls.markdown index 1d6d6f8b257..4c678fcfcb5 100644 --- a/doc/api/tls.markdown +++ b/doc/api/tls.markdown @@ -27,7 +27,7 @@ Alternatively you can send the CSR to a Certificate Authority for signing. `test/fixtures/keys/Makefile` in the Node source code) -### s = tls.connect(port, [host], [options], callback) +### s = tls.connect(port, [host], [options], secureConnectListener) Creates a new client connection to the given `port` and `host`. (If `host` defaults to `localhost`.) `options` should be an object which specifies @@ -49,14 +49,10 @@ defaults to `localhost`.) `options` should be an object which specifies - `servername`: Servername for SNI (Server Name Indication) TLS extension. -`tls.connect()` returns a [CleartextStream](#tls.CleartextStream) object. +The `secureConnectListener` parameter will be added as a listener for the +['secureConnect'](#event_secureConnect_) event. -After the TLS/SSL handshake the `callback` is called. The `callback` will be -called no matter if the server's certificate was authorized or not. It is up -to the user to test `s.authorized` to see if the server certificate was signed -by one of the specified CAs. If `s.authorized === false` then the error -can be found in `s.authorizationError`. Also if NPN was used - you can check -`s.npnProtocol` for negotiated protocol. +`tls.connect()` returns a [CleartextStream](#tls.CleartextStream) object. ### STARTTLS @@ -237,6 +233,18 @@ read/write an encrypted data as a cleartext data. This instance implements a duplex [Stream](streams.html#streams) interfaces. It has all the common stream methods and events. +#### Event: 'secureConnect' + +`function () {}` + +This event is emitted after a new connection has been successfully handshaked. +The listener will be called no matter if the server's certificate was +authorized or not. It is up to the user to test `cleartextStream.authorized` +to see if the server certificate was signed by one of the specified CAs. +If `cleartextStream.authorized === false` then the error can be found in +`cleartextStream.authorizationError`. Also if NPN was used - you can check +`cleartextStream.npnProtocol` for negotiated protocol. + #### cleartextStream.authorized A boolean that is `true` if the peer certificate was signed by one of the @@ -274,4 +282,3 @@ Example: If the peer does not provide a certificate, it returns `null` or an empty object. - diff --git a/lib/tls.js b/lib/tls.js index 7e6c5b1d97f..2dd8f16d076 100644 --- a/lib/tls.js +++ b/lib/tls.js @@ -981,6 +981,9 @@ exports.connect = function(port /* host, options, cb */) { } var cleartext = pipe(pair, socket); + if (cb) { + cleartext.on('secureConnect', cb); + } socket.connect(port, host); @@ -996,7 +999,7 @@ exports.connect = function(port /* host, options, cb */) { cleartext.authorized = true; } - if (cb) cb(); + cleartext.emit('secureConnect'); }); cleartext._controlReleased = true; diff --git a/test/simple/test-tls-connect-simple.js b/test/simple/test-tls-connect-simple.js new file mode 100644 index 00000000000..538efd69310 --- /dev/null +++ b/test/simple/test-tls-connect-simple.js @@ -0,0 +1,57 @@ +// Copyright Joyent, Inc. and other Node contributors. +// +// Permission is hereby granted, free of charge, to any person obtaining a +// copy of this software and associated documentation files (the +// "Software"), to deal in the Software without restriction, including +// without limitation the rights to use, copy, modify, merge, publish, +// distribute, sublicense, and/or sell copies of the Software, and to permit +// persons to whom the Software is furnished to do so, subject to the +// following conditions: +// +// The above copyright notice and this permission notice shall be included +// in all copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS +// OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN +// NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, +// DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR +// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE +// USE OR OTHER DEALINGS IN THE SOFTWARE. + +var common = require('../common'); +var assert = require('assert'); +var tls = require('tls'); +var fs = require('fs'); + +var clientConnected = 0; +var serverConnected = 0; + +var options = { + key: fs.readFileSync(common.fixturesDir + '/keys/agent1-key.pem'), + cert: fs.readFileSync(common.fixturesDir + '/keys/agent1-cert.pem') +}; + +var server = tls.Server(options, function(socket) { + if (++serverConnected === 2) { + server.close(); + } +}); + +server.listen(common.PORT, function() { + var client1 = tls.connect(common.PORT, function() { + ++clientConnected; + client1.end(); + }); + + var client2 = tls.connect(common.PORT); + client2.on('secureConnect', function() { + ++clientConnected; + client2.end(); + }); +}); + +process.on('exit', function() { + assert.equal(clientConnected, 2); + assert.equal(serverConnected, 2); +});