crypto: use SSL_get_servername. #9347

agl · 2016-10-28T20:32:42Z

Checklist

make -j8 test (UNIX), or vcbuild test nosign (Windows) passes
tests and/or benchmarks are included
documentation is changed or added
commit message follows commit guidelines

Affected core subsystem(s)

crypto

Description of change

(Patch by David Benjamin.)

Rather than reach into the SSL_SESSION, use the intended API,
SSL_get_servername. This will also help the transition to OpenSSL 1.1.0.

Also don't fill in the tlsTicket field here. This is never read by
oncertcb and was always false anyway; that field is maintained by
clients and tracks whether the server issued a ticket or a session ID.

(Note this is distinct from the copy passed to onclienthello which is
used and is not a no-op.)

(Patch by David Benjamin.) Rather than reach into the SSL_SESSION, use the intended API, SSL_get_servername. This will also help the transition to OpenSSL 1.1.0. Also don't fill in the tlsTicket field here. This is never read by oncertcb and was always false anyway; that field is maintained by clients and tracks whether the server issued a ticket or a session ID. (Note this is distinct from the copy passed to onclienthello which is used and is not a no-op.)

mscdex · 2016-10-28T22:44:33Z

/cc @nodejs/crypto

indutny

LGTM. I've overlooked this during initial commit. Good catch! I guess it is more relevant in 1.1.0

indutny

Sorry, one nit before landing.

indutny · 2016-10-29T00:53:06Z

src/node_crypto.cc

-                                               strlen(sess->tlsext_hostname));
-      info->Set(env->servername_string(), servername);
-    }
-    info->Set(env->tls_ticket_string(),


On a second thought, we need to remove tls_ticket_string from env.h too, since it is not used anywhere else.

tls_ticket_string is still used in SSLWrap<Base>::OnClientHello. I believe at that point it is meaningful.

The reference to tlsTicket in _tls_wrap.js is to the one set in OnClientHello and should continue to work.

Ah, gosh. You are right.

indutny · 2016-10-29T01:02:08Z

One more nit, it looks like tlsTicket is set in some cases after all. This test fails after removing it from _tls_wrap.js:

test/parallel/test-tls-session-cache.js

indutny · 2016-10-29T05:48:29Z

Just to state it clearly, I withdraw my LGTM for now. Sorry!

indutny

LGTM

indutny · 2016-10-30T18:43:15Z

src/node_crypto.cc

-                                               strlen(sess->tlsext_hostname));
-      info->Set(env->servername_string(), servername);
-    }
-    info->Set(env->tls_ticket_string(),


Ah, gosh. You are right.

davidben · 2016-11-09T01:38:03Z

Is there anything else left to be done for this PR?

indutny · 2016-11-09T02:11:52Z

Merging it 😉

@nodejs/crypto any comments before I'll land it?

shigeki

LGTM after CI is green.

shigeki · 2016-11-09T02:17:47Z

Running on https://ci.nodejs.org/job/node-test-pull-request/4811/

(Patch by David Benjamin.) Rather than reach into the SSL_SESSION, use the intended API, SSL_get_servername. This will also help the transition to OpenSSL 1.1.0. Also don't fill in the tlsTicket field here. This is never read by oncertcb and was always false anyway; that field is maintained by clients and tracks whether the server issued a ticket or a session ID. (Note this is distinct from the copy passed to onclienthello which is used and is not a no-op.) PR-URL: #9347 Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: Shigeki Ohtsu <[email protected]> Reviewed-By: Ben Noordhuis <[email protected]>

shigeki · 2016-11-09T09:39:47Z

CI is green except unstable timeout in smartos. Landed in 305f75a. Thanks.

(Patch by David Benjamin.) Rather than reach into the SSL_SESSION, use the intended API, SSL_get_servername. This will also help the transition to OpenSSL 1.1.0. Also don't fill in the tlsTicket field here. This is never read by oncertcb and was always false anyway; that field is maintained by clients and tracks whether the server issued a ticket or a session ID. (Note this is distinct from the copy passed to onclienthello which is used and is not a no-op.) PR-URL: #9347 Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: Shigeki Ohtsu <[email protected]> Reviewed-By: Ben Noordhuis <[email protected]>

MylesBorins · 2016-12-13T20:01:04Z

should this be backported?

bnoordhuis · 2016-12-19T12:31:57Z

@thealphanerd If it cherry-picks cleanly, sure, why not? If it doesn't, it's fine to leave it out.

(Patch by David Benjamin.) Rather than reach into the SSL_SESSION, use the intended API, SSL_get_servername. This will also help the transition to OpenSSL 1.1.0. Also don't fill in the tlsTicket field here. This is never read by oncertcb and was always false anyway; that field is maintained by clients and tracks whether the server issued a ticket or a session ID. (Note this is distinct from the copy passed to onclienthello which is used and is not a no-op.) PR-URL: #9347 Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: Shigeki Ohtsu <[email protected]> Reviewed-By: Ben Noordhuis <[email protected]>

nodejs-github-bot added the c++ Issues and PRs that require attention from people who are familiar with C++. label Oct 28, 2016

mscdex added the tls Issues and PRs related to the tls subsystem. label Oct 28, 2016

indutny approved these changes Oct 29, 2016

View reviewed changes

indutny suggested changes Oct 29, 2016

View reviewed changes

indutny approved these changes Oct 30, 2016

View reviewed changes

shigeki approved these changes Nov 9, 2016

View reviewed changes

bnoordhuis approved these changes Nov 9, 2016

View reviewed changes

shigeki closed this Nov 9, 2016

MylesBorins added lts-watch-v4.x labels Dec 13, 2016

MylesBorins added land-on-v4.x and removed lts-watch-v4.x labels Dec 21, 2016

This was referenced Dec 21, 2016

V6.9.3 proposal #10394

Merged

V4.7.1 proposal #10395

Merged

davidben mentioned this pull request Aug 14, 2017

crypto: account for OpenSSL 1.1.0 function signature change. #14761

Closed

2 tasks

Uh oh!

crypto: use SSL_get_servername. #9347

crypto: use SSL_get_servername. #9347

Conversation

agl commented Oct 28, 2016

Checklist

Affected core subsystem(s)

Description of change

Uh oh!

mscdex commented Oct 28, 2016

Uh oh!

indutny left a comment

Choose a reason for hiding this comment

Uh oh!

indutny left a comment

Choose a reason for hiding this comment

Uh oh!

indutny Oct 29, 2016

Choose a reason for hiding this comment

Uh oh!

agl Oct 30, 2016

Choose a reason for hiding this comment

Uh oh!

indutny Oct 30, 2016

Choose a reason for hiding this comment

Uh oh!

indutny commented Oct 29, 2016

Uh oh!

indutny commented Oct 29, 2016

Uh oh!

indutny left a comment

Choose a reason for hiding this comment

Uh oh!

indutny Oct 30, 2016

Choose a reason for hiding this comment

Uh oh!

davidben commented Nov 9, 2016

Uh oh!

indutny commented Nov 9, 2016

Uh oh!

shigeki left a comment

Choose a reason for hiding this comment

Uh oh!

shigeki commented Nov 9, 2016

Uh oh!

shigeki commented Nov 9, 2016

Uh oh!

MylesBorins commented Dec 13, 2016

Uh oh!

bnoordhuis commented Dec 19, 2016

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

8 participants