Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

tls: prevent multiple connection errors #23636

Merged
merged 1 commit into from
Oct 17, 2018
Merged

Conversation

cjihrig
Copy link
Contributor

@cjihrig cjihrig commented Oct 13, 2018

onConnectEnd(), which is called by TLSSocket, has a guard to prevent being called multiple times, but it does not prevent the OpenSSL error handler from being called, leading to multiple error events. This commit adds that piece of missing logic.

Fixes: #23631

Checklist
  • make -j4 test (UNIX), or vcbuild test (Windows) passes
  • commit message follows commit guidelines

CI: https://ci.nodejs.org/job/node-test-pull-request/17937/

@nodejs-github-bot nodejs-github-bot added the tls Issues and PRs related to the tls subsystem. label Oct 13, 2018
@addaleax
Copy link
Member

Can you explain why this fixes the issue, or maybe add a regression test? It seems odd to change streams state if this is specific to TLS…

@cjihrig
Copy link
Contributor Author

cjihrig commented Oct 13, 2018

The problem is that two errors are emitted - one from JS and one from OpenSSL. The stream state thing is already used throughout the latter code path.

As for the test, I modified the code from #23631 as a regression test, but hitting 127.0.0.1 didn't reproduce the error. I'd have to take a closer look at 104.27.165.195, which does reproduce the issue.

EDIT: Although, instead of modifying owner._writableState.errorEmitted, I could probably update the code to use this._hadError, which is local to that file.

@addaleax
Copy link
Member

I see … I guess this doesn’t make things worse, but it also looks like something we should definitely clean up at some point, I don’t think we should be using owner._writableState.errorEmitted – and for that a regression test would be very useful…

@cjihrig
Copy link
Contributor Author

cjihrig commented Oct 13, 2018

@addaleax pushed a second commit as an alternative to the first. It gets rid of the owner._writableState accesses, so you might like that one better.

Copy link
Member

@addaleax addaleax left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I do like this a lot better :)

@cjihrig
Copy link
Contributor Author

cjihrig commented Oct 16, 2018

I've tried a couple things but haven't had any luck porting the one liner from #23631 to a runnable test case. Maybe someone who knows more about OpenSSL (@bnoordhuis, @tniessen ?) has some pointers on creating a bad Node server that generates:

[Error: 139716102896512:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1407:SSL alert number 40
]

@cjihrig cjihrig force-pushed the 23631 branch 2 times, most recently from 487d81b to ef41ba3 Compare October 17, 2018 16:50
onConnectEnd(), which is called by TLSSocket, has a guard to
prevent being called multiple times, but it does not prevent the
OpenSSL error handler from being called, leading to multiple
error events. This commit adds that piece of missing logic.

PR-URL: nodejs#23636
Fixes: nodejs#23631
Reviewed-By: Anna Henningsen <[email protected]>
Reviewed-By: Wyatt Preul <[email protected]>
Reviewed-By: James M Snell <[email protected]>
@cjihrig cjihrig merged commit b94ce57 into nodejs:master Oct 17, 2018
@cjihrig cjihrig deleted the 23631 branch October 17, 2018 16:52
jasnell pushed a commit that referenced this pull request Oct 17, 2018
onConnectEnd(), which is called by TLSSocket, has a guard to
prevent being called multiple times, but it does not prevent the
OpenSSL error handler from being called, leading to multiple
error events. This commit adds that piece of missing logic.

PR-URL: #23636
Fixes: #23631
Reviewed-By: Anna Henningsen <[email protected]>
Reviewed-By: Wyatt Preul <[email protected]>
Reviewed-By: James M Snell <[email protected]>
addaleax pushed a commit that referenced this pull request Oct 20, 2018
onConnectEnd(), which is called by TLSSocket, has a guard to
prevent being called multiple times, but it does not prevent the
OpenSSL error handler from being called, leading to multiple
error events. This commit adds that piece of missing logic.

PR-URL: #23636
Fixes: #23631
Reviewed-By: Anna Henningsen <[email protected]>
Reviewed-By: Wyatt Preul <[email protected]>
Reviewed-By: James M Snell <[email protected]>
MylesBorins pushed a commit that referenced this pull request Oct 30, 2018
onConnectEnd(), which is called by TLSSocket, has a guard to
prevent being called multiple times, but it does not prevent the
OpenSSL error handler from being called, leading to multiple
error events. This commit adds that piece of missing logic.

PR-URL: #23636
Fixes: #23631
Reviewed-By: Anna Henningsen <[email protected]>
Reviewed-By: Wyatt Preul <[email protected]>
Reviewed-By: James M Snell <[email protected]>
@codebytere codebytere mentioned this pull request Nov 27, 2018
rvagg pushed a commit that referenced this pull request Nov 28, 2018
onConnectEnd(), which is called by TLSSocket, has a guard to
prevent being called multiple times, but it does not prevent the
OpenSSL error handler from being called, leading to multiple
error events. This commit adds that piece of missing logic.

PR-URL: #23636
Fixes: #23631
Reviewed-By: Anna Henningsen <[email protected]>
Reviewed-By: Wyatt Preul <[email protected]>
Reviewed-By: James M Snell <[email protected]>
MylesBorins pushed a commit that referenced this pull request Nov 29, 2018
onConnectEnd(), which is called by TLSSocket, has a guard to
prevent being called multiple times, but it does not prevent the
OpenSSL error handler from being called, leading to multiple
error events. This commit adds that piece of missing logic.

PR-URL: #23636
Fixes: #23631
Reviewed-By: Anna Henningsen <[email protected]>
Reviewed-By: Wyatt Preul <[email protected]>
Reviewed-By: James M Snell <[email protected]>
@codebytere codebytere mentioned this pull request Nov 29, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
tls Issues and PRs related to the tls subsystem.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants