New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

test/document TLS authentication, then add support for TRUSTED CERTIFICATE pem headers #24733

Closed
wants to merge 2 commits into
base: master
from

Conversation

Projects
None yet
5 participants
@sam-github
Copy link
Member

sam-github commented Nov 29, 2018

TLS client authentication should be tested, including failure scenarios.

There were tests for a couple success scenarios as side-effects of testing other things, but little coverage for the various ways intermediate and root CAs can be configured.

Support the same PEM certificate formats for the ca: option to
tls.createSecureContext() that are supported by openssl when loading a
CAfile.

Checklist
  • make -j4 test (UNIX), or vcbuild test (Windows) passes
  • tests and/or benchmarks are included
  • documentation is changed or added
  • commit message follows commit guidelines
@Trott

This comment has been minimized.


const {
assert, connect, keys
} = require(fixtures.path('tls-connect'));

This comment has been minimized.

@addaleax

addaleax Nov 30, 2018

Member

Should this module maybe rather be in test/common/?

This comment has been minimized.

@sam-github

sam-github Nov 30, 2018

Member

I don't know. It predates test/common, AFAICT, but perhaps it should have been moved there when test/common was created? Moving it would be a good code-n-learn activity.

@addaleax addaleax added the tls label Nov 30, 2018

@sam-github sam-github force-pushed the sam-github:test-client-auth branch from 479d168 to 2934a3d Nov 30, 2018

@sam-github sam-github force-pushed the sam-github:test-client-auth branch from 2934a3d to 4b48cf9 Nov 30, 2018

@sam-github sam-github changed the title test: test TLS client authentication test/document TLS authentication, then add support for TRUSTED CERTIFICATE pem headers Nov 30, 2018

@sam-github sam-github force-pushed the sam-github:test-client-auth branch 2 times, most recently from 3674751 to 61380b3 Nov 30, 2018

@sam-github sam-github requested a review from bnoordhuis Nov 30, 2018

@sam-github

This comment has been minimized.

Copy link
Member

sam-github commented Nov 30, 2018

While I was doing some support yesterday for people banging their head against node's tls, I found that node wasn't working with "TRUSTED CERATIFICATE", and @bnoordhuis pointed me towards the root cause.

I pushed the fix onto this PR so I can use the tests to prove it did not used to work, and now it does.

x = PEM_read_bio_X509_AUX(in, NULL, NULL, "");
is what openssl's -CAfile option eventually leads to, so I believe calling PEM_read_bio_X509_AUX() is the right thing for Node.js to do as well.

@addaleax @bnoordhuis PTAL

@sam-github

This comment has been minimized.

Copy link
Member

sam-github commented Nov 30, 2018

Travis failed to find the first commit, as it often does.

ci: https://ci.nodejs.org/job/node-test-pull-request/19097/

@Trott

This comment has been minimized.

Copy link
Member

Trott commented Dec 2, 2018

ca: client.ca,
requestCert: true,
},
}, function(err, pair, cleanup) {

This comment has been minimized.

@bnoordhuis

bnoordhuis Dec 2, 2018

Member

Wrap in common.mustCall(...) here and below?

This comment has been minimized.

@sam-github

sam-github Dec 3, 2018

Member

The common connect() function does that already.

@bnoordhuis

This comment has been minimized.

Copy link
Member

bnoordhuis commented Dec 2, 2018

The linux failures look unrelated but the windows failures do. As to why the connection is being established when it shouldn't, I have no idea.

@sam-github

This comment has been minimized.

@sam-github sam-github force-pushed the sam-github:test-client-auth branch from 61380b3 to a75dd8e Dec 3, 2018

@sam-github

This comment has been minimized.

@addaleax

This comment has been minimized.

Copy link
Member

addaleax commented Dec 4, 2018

@Trott

This comment has been minimized.

Copy link
Member

Trott commented Dec 4, 2018

Windows failures on CI are relevant:

https://ci.nodejs.org/job/node-test-binary-windows/22179/COMPILED_BY=vs2017,RUNNER=win10,RUN_SUBSET=3/console

03:11:38 not ok 456 parallel/test-tls-client-auth
03:11:38   ---
03:11:38   duration_ms: 0.239
03:11:38   severity: fail
03:11:38   exitcode: 1
03:11:38   stack: |-
03:11:38     c:\workspace\node-test-binary-windows\test\parallel\test-tls-client-auth.js:152
03:11:38       assert.strictEqual(err.code, 'UNABLE_TO_VERIFY_LEAF_SIGNATURE');
03:11:38                              ^
03:11:38     
03:11:38     TypeError: Cannot read property 'code' of undefined
03:11:38         at c:\workspace\node-test-binary-windows\test\parallel\test-tls-client-auth.js:152:26
03:11:38         at c:\workspace\node-test-binary-windows\test\common\index.js:346:15
03:11:38         at maybeCallback (c:\workspace\node-test-binary-windows\test\fixtures\tls-connect.js:97:7)
03:11:38         at TLSSocket.<anonymous> (c:\workspace\node-test-binary-windows\test\fixtures\tls-connect.js:68:13)
03:11:38         at TLSSocket.emit (events.js:189:13)
03:11:38         at TLSSocket.onConnectSecure (_tls_wrap.js:1168:10)
03:11:38         at TLSSocket.emit (events.js:189:13)
03:11:38         at TLSSocket._finishInit (_tls_wrap.js:629:8)
03:11:38   ...

@sam-github sam-github force-pushed the sam-github:test-client-auth branch 2 times, most recently from f838013 to 62e0408 Dec 7, 2018

@sam-github

This comment has been minimized.

Copy link
Member

sam-github commented Dec 7, 2018

Ah, Windows CRLF... I do not love thee.

ci: https://ci.nodejs.org/job/node-test-pull-request/19314/

@sam-github

This comment has been minimized.

Copy link
Member

sam-github commented Dec 7, 2018

linux failures: https://ci.nodejs.org/job/node-test-commit-linux/23842/

Look like exit code test failures, not related to TLS.

re-ci: https://ci.nodejs.org/job/node-test-commit-linux/23845/

@sam-github

This comment has been minimized.

Copy link
Member

sam-github commented Dec 10, 2018

more aix & linux exit code and CLI syntax failures, retry: https://ci.nodejs.org/job/node-test-commit/24172/

@sam-github sam-github force-pushed the sam-github:test-client-auth branch from 62e0408 to 298b2c9 Dec 10, 2018

sam-github added some commits Oct 12, 2017

test: test TLS client authentication
TLS client authentication should be tested, including failure scenarios.
tls: support "BEGIN TRUSTED CERTIFICATE" for ca:
Support the same PEM certificate formats for the ca: option to
tls.createSecureContext() that are supported by openssl when loading a
CAfile.

Fixes: #24761

@sam-github sam-github force-pushed the sam-github:test-client-auth branch 2 times, most recently from a94ba7e to c9afb3c Dec 11, 2018

@sam-github

This comment has been minimized.

@sam-github

This comment has been minimized.

Copy link
Member

sam-github commented Dec 11, 2018

The only failures were test-cli-syntax.js, which is flaky. I'm re-running ci, but I think this is landable.

re-ci: https://ci.nodejs.org/job/node-test-commit/24210/

@sam-github

This comment has been minimized.

Copy link
Member

sam-github commented Dec 11, 2018

Landed in 83ec33b...2e4a163

@sam-github sam-github closed this Dec 11, 2018

@sam-github sam-github deleted the sam-github:test-client-auth branch Dec 11, 2018

sam-github added a commit that referenced this pull request Dec 11, 2018

test: test TLS client authentication
TLS client authentication should be tested, including failure scenarios.

PR-URL: #24733
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>

sam-github added a commit that referenced this pull request Dec 11, 2018

tls: support "BEGIN TRUSTED CERTIFICATE" for ca:
Support the same PEM certificate formats for the ca: option to
tls.createSecureContext() that are supported by openssl when loading a
CAfile.

Fixes: #24761

PR-URL: #24733
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>

BethGriggs added a commit that referenced this pull request Dec 17, 2018

test: test TLS client authentication
TLS client authentication should be tested, including failure scenarios.

PR-URL: #24733
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>

BethGriggs added a commit that referenced this pull request Dec 17, 2018

tls: support "BEGIN TRUSTED CERTIFICATE" for ca:
Support the same PEM certificate formats for the ca: option to
tls.createSecureContext() that are supported by openssl when loading a
CAfile.

Fixes: #24761

PR-URL: #24733
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>

BethGriggs added a commit that referenced this pull request Dec 18, 2018

2018-12-18, Version 11.5.0 (Current)
Notable changes:

* **test**:
  * test TLS client authentication (Sam Roberts)
    [#24733](#24733)
* **tls**:
  * support "BEGIN TRUSTED CERTIFICATE" for ca: (Sam Roberts)
    [#24733](#24733)
* **tools**:
  * update ESLint to 5.10.0 (cjihrig)
    [#24903](#24903)
* **util**:
  * add inspection getter option (Ruben Bridgewater)
    [#24852](#24852)

@BethGriggs BethGriggs referenced this pull request Dec 18, 2018

Merged

V11.5.0 proposal #25102

BethGriggs added a commit that referenced this pull request Dec 18, 2018

2018-12-18, Version 11.5.0 (Current)
Notable changes:

* **test**:
  * test TLS client authentication (Sam Roberts)
    [#24733](#24733)
* **tls**:
  * support "BEGIN TRUSTED CERTIFICATE" for ca: (Sam Roberts)
    [#24733](#24733)
* **tools**:
  * update ESLint to 5.10.0 (cjihrig)
    [#24903](#24903)
* **util**:
  * add inspection getter option (Ruben Bridgewater)
    [#24852](#24852)

PR-URL: #25102

MylesBorins added a commit that referenced this pull request Dec 18, 2018

2018-12-18, Version 11.5.0 (Current)
Notable changes:

* **test**:
  * test TLS client authentication (Sam Roberts)
    [#24733](#24733)
* **tls**:
  * support "BEGIN TRUSTED CERTIFICATE" for ca: (Sam Roberts)
    [#24733](#24733)
* **tools**:
  * update ESLint to 5.10.0 (cjihrig)
    [#24903](#24903)
* **util**:
  * add inspection getter option (Ruben Bridgewater)
    [#24852](#24852)

PR-URL: #25102

BethGriggs added a commit that referenced this pull request Dec 18, 2018

2018-12-18, Version 11.5.0 (Current)
Notable changes:

* **tls**:
  * support "BEGIN TRUSTED CERTIFICATE" for ca: (Sam Roberts)
    [#24733](#24733)
* **tools**:
  * update ESLint to 5.10.0 (cjihrig)
    [#24903](#24903)
* **util**:
  * add inspection getter option (Ruben Bridgewater)
    [#24852](#24852)

PR-URL: #25102

BethGriggs added a commit that referenced this pull request Dec 18, 2018

2018-12-18, Version 11.5.0 (Current)
Notable changes:

* **tls**:
  * support "BEGIN TRUSTED CERTIFICATE" for ca: (Sam Roberts)
    [#24733](#24733)
* **util**:
  * add inspection getter option (Ruben Bridgewater)
    [#24852](#24852)

PR-URL: #25102

BethGriggs added a commit that referenced this pull request Dec 18, 2018

2018-12-18, Version 11.5.0 (Current)
Notable changes:

* **tls**:
  * support "BEGIN TRUSTED CERTIFICATE" for ca: (Sam Roberts)
    [#24733](#24733)
* **util**:
  * add inspection getter option (Ruben Bridgewater)
    [#24852](#24852)

PR-URL: #25102

refack added a commit to refack/node that referenced this pull request Jan 14, 2019

test: test TLS client authentication
TLS client authentication should be tested, including failure scenarios.

PR-URL: nodejs#24733
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>

refack added a commit to refack/node that referenced this pull request Jan 14, 2019

tls: support "BEGIN TRUSTED CERTIFICATE" for ca:
Support the same PEM certificate formats for the ca: option to
tls.createSecureContext() that are supported by openssl when loading a
CAfile.

Fixes: nodejs#24761

PR-URL: nodejs#24733
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>

refack added a commit to refack/node that referenced this pull request Jan 14, 2019

2018-12-18, Version 11.5.0 (Current)
Notable changes:

* **tls**:
  * support "BEGIN TRUSTED CERTIFICATE" for ca: (Sam Roberts)
    [nodejs#24733](nodejs#24733)
* **util**:
  * add inspection getter option (Ruben Bridgewater)
    [nodejs#24852](nodejs#24852)

PR-URL: nodejs#25102
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment