Skip to content

[v8.x backport] Support both OpenSSL 1.1.0 and 1.0.2 #18622

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
MylesBorins wants to merge 25 commits into from
Closed

[v8.x backport] Support both OpenSSL 1.1.0 and 1.0.2 #18622

Changes from 1 commit
Commits
Show all changes
25 commits
Select commit Hold shift + click to select a range
585e5ec
crypto: use X509_STORE_CTX_new
davidben Sep 16, 2017
0e8157c
crypto: make node_crypto_bio compat w/ OpenSSL 1.1
davidben Sep 14, 2017
125d448
crypto: estimate kExternalSize
davidben Sep 16, 2017
f407551
crypto: remove unnecessary SSLerr calls
davidben Sep 16, 2017
5d4d7ef
crypto: account for new 1.1.0 SSL APIs
davidben Sep 17, 2017
3397696
crypto: test DH keys work without a public half
davidben Sep 17, 2017
7e55235
crypto: use RSA and DH accessors
davidben Sep 17, 2017
aad2416
crypto: remove locking callbacks for OpenSSL 1.1.0
davidben Sep 18, 2017
43394e1
crypto: make CipherBase 1.1.0-compatible
davidben Sep 20, 2017
1df22a1
crypto: make Hash 1.1.0-compatible
davidben Sep 22, 2017
9bce4db
crypto: make SignBase compatible with OpenSSL 1.1.0
davidben Sep 22, 2017
827f3f0
crypto: Make Hmac 1.1.0-compatible
davidben Sep 22, 2017
21fb3d0
crypto: add compat logic for "DSS1" and "dss1"
davidben Sep 23, 2017
5520305
crypto: hard-code tlsSocket.getCipher().version
davidben Sep 23, 2017
7a3cb8a
test: update test expectations for OpenSSL 1.1.0
davidben Sep 17, 2017
38b15a7
test: remove sha from test expectations
davidben Sep 23, 2017
ba1e140
crypto: emulate OpenSSL 1.0 ticket scheme in 1.1
davidben Sep 23, 2017
47116e3
test: test with a larger RSA key
davidben Sep 23, 2017
edbf1b8
test: revise test-tls-econnreset for OpenSSL 1.1.0
davidben Sep 23, 2017
18ca4e9
crypto: remove deprecated ECDH calls w/ OpenSSL 1.1
davidben Sep 23, 2017
b94a158
test: configure certs in tests
davidben Sep 23, 2017
68f415d
test: fix test-https-agent-session-eviction for 1.1
davidben Sep 23, 2017
3dad5ad
crypto: make ALPN the same for OpenSSL 1.0.2 & 1.1.0
davidben Sep 23, 2017
c0bd411
crypto: clear some SSL_METHOD deprecation warnings
davidben Sep 18, 2017
42e073e
crypto: remove leftover initialization
MylesBorins Jan 23, 2018
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
test: revise test-tls-econnreset for OpenSSL 1.1.0 
This test is testing what happens to the server if the client shuts off
the connection (so the server sees ECONNRESET), but the way it does it
is convoluted. It uses a static RSA key exchange with a tiny (384-bit)
RSA key. The server doesn't notice (since it is static RSA, the client
acts on the key first), so the client tries to encrypt a premaster and
fails:

  rsa routines:RSA_padding_add_PKCS1_type_2:data too large for key size
  SSL routines:ssl3_send_client_key_exchange:bad rsa encrypt

OpenSSL happens not to send an alert in this case, so we get ECONNRESET
with no alert. This is quite fragile and, notably, breaks in OpenSSL
1.1.0 now that small RSA keys are rejected by libssl. Instead, test by
just connecting a TCP socket and immediately closing it.

PR-URL: #16130
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Rod Vagg <rod@vagg.org>
  • Loading branch information
@davidben @MylesBorins
davidben authored and MylesBorins committed Feb 7, 2018
commit edbf1b811e01d89d864054f4d6ae52780f958f39
64 changes: 10 additions & 54 deletions test/parallel/test-tls-econnreset.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,72 +25,28 @@ if (!common.hasCrypto)
common.skip('missing crypto');

const assert = require('assert');
const fixtures = require('../common/fixtures');
const net = require('net');
const tls = require('tls');

const cacert =
`-----BEGIN CERTIFICATE-----
MIIBxTCCAX8CAnXnMA0GCSqGSIb3DQEBBQUAMH0xCzAJBgNVBAYTAlVTMQswCQYD
VQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEZMBcGA1UEChMQU3Ryb25n
TG9vcCwgSW5jLjESMBAGA1UECxMJU3Ryb25nT3BzMRowGAYDVQQDExFjYS5zdHJv
bmdsb29wLmNvbTAeFw0xNDAxMTcyMjE1MDdaFw00MTA2MDMyMjE1MDdaMH0xCzAJ
BgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEZ
MBcGA1UEChMQU3Ryb25nTG9vcCwgSW5jLjESMBAGA1UECxMJU3Ryb25nT3BzMRow
GAYDVQQDExFjYS5zdHJvbmdsb29wLmNvbTBMMA0GCSqGSIb3DQEBAQUAAzsAMDgC
MQDKbQ6rIR5t1q1v4Ha36jrq0IkyUohy9EYNvLnXUly1PGqxby0ILlAVJ8JawpY9
AVkCAwEAATANBgkqhkiG9w0BAQUFAAMxALA1uS4CqQXRSAyYTfio5oyLGz71a+NM
+0AFLBwh5AQjhGd0FcenU4OfHxyDEOJT/Q==
-----END CERTIFICATE-----`;

const cert =
`-----BEGIN CERTIFICATE-----
MIIBfDCCATYCAgQaMA0GCSqGSIb3DQEBBQUAMH0xCzAJBgNVBAYTAlVTMQswCQYD
VQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEZMBcGA1UEChMQU3Ryb25n
TG9vcCwgSW5jLjESMBAGA1UECxMJU3Ryb25nT3BzMRowGAYDVQQDExFjYS5zdHJv
bmdsb29wLmNvbTAeFw0xNDAxMTcyMjE1MDdaFw00MTA2MDMyMjE1MDdaMBkxFzAV
BgNVBAMTDnN0cm9uZ2xvb3AuY29tMEwwDQYJKoZIhvcNAQEBBQADOwAwOAIxAMfk
I0LWU15pPUwIQNMnRVhhOibi0TQmAau8FBtgwEfGK01WpfGUaJr1a41K8Uq7xwID
AQABoxkwFzAVBgNVHREEDjAMhwQAAAAAhwR/AAABMA0GCSqGSIb3DQEBBQUAAzEA
cGpYrhkrb7mIh9DNhV0qp7pGjqBzlHqB7KQXw2luLDp//6dyHBMexDCQznkhZKRU
-----END CERTIFICATE-----`;

const key =
`-----BEGIN RSA PRIVATE KEY-----
MIH0AgEAAjEAx+QjQtZTXmk9TAhA0ydFWGE6JuLRNCYBq7wUG2DAR8YrTVal8ZRo
mvVrjUrxSrvHAgMBAAECMBCGccvSwC2r8Z9Zh1JtirQVxaL1WWpAQfmVwLe0bAgg
/JWMU/6hS36TsYyZMxwswQIZAPTAfht/zDLb7Hwgu2twsS1Ra9w/yyvtlwIZANET
26votwJAHK1yUrZGA5nnp5qcmQ/JUQIZAII5YV/UUZvF9D/fUplJ7puENPWNY9bN
pQIZAMMwxuS3XiO7two2sQF6W+JTYyX1DPCwAQIZAOYg1TvEGT38k8e8jygv8E8w
YqrWTeQFNQ==
-----END RSA PRIVATE KEY-----`;

const ca = [ cert, cacert ];

let clientError = null;
let connectError = null;

const server = tls.createServer({ ca: ca, cert: cert, key: key }, () => {
assert.fail('should be unreachable');
}).on('tlsClientError', function(err, conn) {
const server = tls.createServer({
cert: fixtures.readKey('agent1-cert.pem'),
key: fixtures.readKey('agent1-key.pem'),
}, common.mustNotCall()).on('tlsClientError', function(err, conn) {
assert(!clientError && conn);
clientError = err;
server.close();
}).listen(0, function() {
const options = {
ciphers: 'AES128-GCM-SHA256',
port: this.address().port,
ca: ca
};
tls.connect(options).on('error', function(err) {
assert(!connectError);

connectError = err;
net.connect(this.address().port, function() {
// Destroy the socket once it is connected, so the server sees ECONNRESET.
this.destroy();
server.close();
}).write('123');
}).on('error', common.mustNotCall());
});

process.on('exit', function() {
assert(clientError);
assert(connectError);
assert(/socket hang up/.test(clientError.message));
assert(/ECONNRESET/.test(clientError.code));
});