-
Notifications
You must be signed in to change notification settings - Fork 29.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
tls: allow TLSSocket construction with a list of ALPNProtocols #16655
Conversation
I have some doubt over the var out = {};
tls.convertALPNProtocols(['h2', 'http/1.1'], out); I expect |
Ignore me. I understand now. |
lib/_tls_wrap.js
Outdated
if (this._tlsOptions.NPNProtocols) | ||
tls.convertNPNProtocols(this._tlsOptions.NPNProtocols, this._tlsOptions); | ||
if (this._tlsOptions.ALPNProtocols) | ||
tls.convertALPNProtocols(this._tlsOptions.ALPNProtocols, this._tlsOptions); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You should be able to remove the calls from downstream functions now.
As well, can you make it so (and add a test to that effect) that the user's option object isn't modified? Thanks.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yup, that had been bothering me too.
new tls.TLSSocket(null, { | ||
ALPNProtocols: ['http/1.1'], | ||
NPNProtocols: ['http/1.1'] | ||
}); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What I mean is that options.ALPNProtocols
and options.NPNProtocols
should still be arrays-of-strings afterwards. Making a copy with Object.assign()
should do it.
Would it be possible to flesh out the test somewhat and verify that the options are present in the TLS handhake? You'll need to guard on process.features.tls_alpn
and process.features.tls_npn
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've got the skeleton of this, but I'm not sure where the TLS handshake itself happens (the docs have me tied in knots a bit). I think I should be looking at the secureConnection
event. If that's the case, I need to create a server via the TLSSocket
constructor and net.createServer
. Am I on the right track?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yep. If you grep for TLSSocket in test/parallel, you should find some existing examples.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yup. That's where I am now (I'll move this test file to that directory too if you've no objections).
}); | ||
|
||
tlsSocket.on('secure', common.mustCall((...args) => { | ||
// TODO |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@bnoordhuis It seems like this event is the one I should be listening for, but it's undocumented. Am I correct? If so, which object/properties do I check to complete the test?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You probably want 'secureConnect'
, 'secure'
is an older, deprecated version.
Once the connection is established, verify the .alpnProtocol
and .npnProtocol
properties.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
'secureConnect'
is only called when the socket is created using tls.connect
(and not using the TLSSocket
constructor directly), so that event will never be emitted. However, the code in tls.connect
appears to listen for 'secure'
and then do some unrelated synchronous work before emitting 'secureConnect'
.
Brings the ALPNProtocols option of TLSSocket into line with the documentation. i.e. a list of strings for protocols may be used, and not only a buffer. Fixes: #16643
@bnoordhuis I reckon this is good for another review now. I was unable to use the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, LGTM. CI: https://ci.nodejs.org/job/node-test-pull-request/11132/
new tls.TLSSocket(null, { | ||
ALPNProtocols: ['http/1.1'], | ||
NPNProtocols: ['http/1.1'] | ||
}); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is the idea here that the constructor call should work even if ALPN and NPN are disabled?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This was the original test I created for this PR. On master this’ll throw because the constructor expects a buffer (where each option is used). The particular usecase which led to me encountering this issue is a proxy which needs to avoid HTTP/2 (so these options are given without “h2”).
The CI link indicates a failure (I think), but I’m not sure how to interpret the output... |
Failures on the CI are unrelated.
|
As I understand it this’ll fit in a semver patch. Existing behaviour is preserved, and some cases which threw when they should not have will now behave as documented. In other words, this doesn’t break existing usage (which is also consistent with the documentation). |
@qubyte Knew I should've checked the signature for those convert functions... you're absolutely right, you can just ignore me. 😆 |
Upon clicking through, the checks below all appear to have passed, but the statuses have not been updated. A known quirk? |
Yeah, that's broken... If you're good with build & CI type of stuff, there's an issue and I think they're looking for help nodejs/build#790 :) |
Heh, after years of fighting Jenkins my solution was to not use Jenkins. ;) |
Is there anything remaining to do for this PR? |
Brings the ALPNProtocols & NPNProtocols options of TLSSocket in line with the documentation. i.e. an array of strings for protocols may be used, not only a buffer. PR-URL: #16655 Fixes: https://github.com/node/issues/16643 Reviewed-By: Ben Noordhuis <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Anatoli Papirovski <[email protected]>
Sweet! Thank you. :) |
Brings the ALPNProtocols & NPNProtocols options of TLSSocket in line with the documentation. i.e. an array of strings for protocols may be used, not only a buffer. PR-URL: nodejs#16655 Fixes: https://github.com/node/issues/16643 Reviewed-By: Ben Noordhuis <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Anatoli Papirovski <[email protected]>
Could someone backport this to v8.x-staging? Info is in the guide, you just raise a backport PR. |
Should this be backported to |
Brings the ALPNProtocols & NPNProtocols options of TLSSocket in line with the documentation. i.e. an array of strings for protocols may be used, not only a buffer. PR-URL: nodejs#16655 Fixes: https://github.com/node/issues/16643 Reviewed-By: Ben Noordhuis <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Anatoli Papirovski <[email protected]>
Brings the ALPNProtocols & NPNProtocols options of TLSSocket in line with the documentation. i.e. an array of strings for protocols may be used, not only a buffer. Backport-PR-URL: #21721 PR-URL: #16655 Fixes: https://github.com/node/issues/16643 Reviewed-By: Ben Noordhuis <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Anatoli Papirovski <[email protected]>
Brings the ALPNProtocols & NPNProtocols options of TLSSocket in line with the documentation. i.e. an array of strings for protocols may be used, not only a buffer. Backport-PR-URL: #21721 PR-URL: #16655 Fixes: https://github.com/node/issues/16643 Reviewed-By: Ben Noordhuis <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Anatoli Papirovski <[email protected]>
Brings the ALPNProtocols option of TLSSocket into line with the
documentation. i.e. a list of strings for protocols may be used, and
not only a buffer.
Fixes: #16643
Checklist
make -j4 test
(UNIX), orvcbuild test
(Windows) passesAffected core subsystem(s)