Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse files

https: fix renegotation attack protection

Listen for the 'clientError' event that is emitted when a renegotation attack
is detected and close the connection.
  • Loading branch information...
commit aebd7cd873cbeb135b886af9c4aa102251b7d230 1 parent 16a9dac
@bnoordhuis authored
View
5 doc/api/http.markdown
@@ -127,10 +127,13 @@ sent to the server on that socket.
### Event: 'clientError'
-`function (exception) { }`
+`function (exception, reserved) { }`
If a client connection emits an 'error' event - it will forwarded here.
+The `reserved` argument must be ignored.
@isaacs
isaacs added a note

Why not just leave it out of the docs?

@isaacs
isaacs added a note

Or better yet, call it "socket" in the docs, and say what it is :)

@bnoordhuis Owner

I wanted to keep some wiggle room in case I changed my mind about this fix. But I guess having the socket (or SecurePair object in the https case) is a good thing, regardless of what it fixes.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
+
+
### server.listen(port, [hostname], [backlog], [callback])
Begin accepting connections on the specified port and hostname. If the
View
4 doc/api/tls.markdown
@@ -367,11 +367,13 @@ SNI.
### Event: 'clientError'
-`function (exception) { }`
+`function (exception, reserved) { }`
When a client connection emits an 'error' event before secure connection is
established - it will be forwarded here.
+The `reserved` argument must be ignored.
+
### Event: 'newSession'
View
6 lib/http.js
@@ -1647,6 +1647,10 @@ function Server(requestListener) {
this.httpAllowHalfOpen = false;
this.addListener('connection', connectionListener);
+
+ this.addListener('clientError', function(err, conn) {
+ conn.destroy(err);
+ });
}
util.inherits(Server, net.Server);
@@ -1705,7 +1709,7 @@ function connectionListener(socket) {
}
socket.addListener('error', function(e) {
- self.emit('clientError', e);
+ self.emit('clientError', e, this);
});
socket.ondata = function(d, start, end) {
View
4 lib/https.js
@@ -39,6 +39,10 @@ function Server(opts, requestListener) {
if (requestListener) {
this.addListener('request', requestListener);
}
+
+ this.addListener('clientError', function(err, conn) {
+ conn.destroy(err);
+ });
}
inherits(Server, tls.Server);
View
2  lib/tls.js
@@ -1155,7 +1155,7 @@ function Server(/* [options], listener */) {
}
});
pair.on('error', function(err) {
- self.emit('clientError', err);
+ self.emit('clientError', err, this);
});
});
@isaacs

Why not just leave it out of the docs?

@isaacs

Or better yet, call it "socket" in the docs, and say what it is :)

@bnoordhuis

I wanted to keep some wiggle room in case I changed my mind about this fix. But I guess having the socket (or SecurePair object in the https case) is a good thing, regardless of what it fixes.

Please sign in to comment.
Something went wrong with that request. Please try again.