
https: fix renegotiation attack protection

Listen for the 'clientError' event that is emitted when a renegotiation attack
is detected and close the connection.
bnoordhuis committed Oct 7, 2012
1 parent 16a9dac commit aebd7cd873cbeb135b886af9c4aa102251b7d230
Showing with 17 additions and 4 deletions.
  1. +4 −1 doc/api/http.markdown
  2. +3 −1 doc/api/tls.markdown
  3. +5 −1 lib/http.js
  4. +4 −0 lib/https.js
  5. +1 −1 lib/tls.js
@@ -127,10 +127,13 @@ sent to the server on that socket.
### Event: 'clientError'
-`function (exception) { }`
+`function (exception, reserved) { }`
If a client connection emits an 'error' event - it will forwarded here.
+The `reserved` argument must be ignored.

isaacs Oct 9, 2012

Why not just leave it out of the docs?


isaacs Oct 9, 2012

Or better yet, call it "socket" in the docs, and say what it is :)


bnoordhuis Oct 9, 2012

Owner

I wanted to keep some wiggle room in case I changed my mind about this fix. But I guess having the socket (or SecurePair object in the https case) is a good thing, regardless of what it fixes.

+
+
### server.listen(port, [hostname], [backlog], [callback])
Begin accepting connections on the specified port and hostname. If the
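Review bot: Documenting the second argument as `reserved` that "must be ignored" hides the one thing a reader of this event needs: the default listener this commit adds to http.Server calls `conn.destroy(err)` on exactly that argument, so it is the connection the error came from, not an opaque value. Suggest `function (exception, socket) { }`, a sentence saying it is the socket the 'error' was emitted on, and a sentence saying the server's default handler destroys it so the attacked connection is closed.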
@@ -367,11 +367,13 @@ SNI.
### Event: 'clientError'
-`function (exception) { }`
+`function (exception, reserved) { }`
When a client connection emits an 'error' event before secure connection is
established - it will be forwarded here.
+The `reserved` argument must be ignored.
+
### Event: 'newSession'
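Review bot: For tls.Server the second argument is not a net.Socket: lib/tls.js emits it as `this` from inside `pair.on('error', ...)`, i.e. the SecurePair. Unlike http.Server and https.Server, tls.Server gets no default 'clientError' listener in this commit, so this doc is the only place a tls.Server user would learn that they must call `destroy()` on that object themselves when the renegotiation limit is hit; suggest naming it, describing it as the SecurePair, and stating that.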
@@ -1647,6 +1647,10 @@ function Server(requestListener) {
this.httpAllowHalfOpen = false;
this.addListener('connection', connectionListener);
+
+ this.addListener('clientError', function(err, conn) {
+ conn.destroy(err);
+ });
}
util.inherits(Server, net.Server);
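Review bot: `conn.destroy(err)` hands the error back to the socket whose own 'error' listener in connectionListener is what emitted 'clientError' in the first place; please confirm that net.Socket does not re-emit 'error' for the exception passed to `destroy()`, or call `conn.destroy()` without the argument so this handler cannot be re-entered through the same path.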
@@ -1705,7 +1709,7 @@ function connectionListener(socket) {
}
socket.addListener('error', function(e) {
- self.emit('clientError', e);
+ self.emit('clientError', e, this);
});
socket.ondata = function(d, start, end) {
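Review bot: `this` inside the 'error' listener relies on EventEmitter invoking listeners with the emitter as the receiver; `socket` is already in scope from `connectionListener(socket)`, so `self.emit('clientError', e, socket);` says the same thing explicitly and keeps working if the listener is later bound or wrapped.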
@@ -39,6 +39,10 @@ function Server(opts, requestListener) {
if (requestListener) {
this.addListener('request', requestListener);
}
+
+ this.addListener('clientError', function(err, conn) {
+ conn.destroy(err);
+ });
}
inherits(Server, tls.Server);
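Review bot: No regression test is part of this changeset (the file list is two doc files and three lib files). Suggest adding a test that triggers the server's renegotiation limit over https and asserts that the connection is closed and that the 'clientError' listener receives an object with `destroy`; without it the `conn.destroy(err)` path, which is the entire fix, is verified only by hand.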
@@ -1155,7 +1155,7 @@ function Server(/* [options], listener */) {
}
});
pair.on('error', function(err) {
- self.emit('clientError', err);
+ self.emit('clientError', err, this);
});
});
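Review bot: This is the only change to tls.Server: no default 'clientError' listener is added here, unlike the ones added to http.Server and https.Server above, so a plain tls.Server relies entirely on the application handling 'clientError' and destroying the pair when the renegotiation limit trips; either add the same `conn.destroy(err)` default here or call that out in doc/api/tls.markdown. As a style point, `this` is the SecurePair because the listener is attached with `pair.on`, and `pair` is in scope, so `self.emit('clientError', err, pair);` is clearer.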
