tls: do not crash on STARTTLS when OCSP requested

indutny · addaleax · commit f37ab7968e21 · 2017-02-22T21:05:21.000+01:00
`TLSSocket` should not have a hard dependency on `tls.Server`, since it may be running without it in cases like `STARTTLS`. Fix: #10704 PR-URL: #10706 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
diff --git a/lib/_tls_wrap.js b/lib/_tls_wrap.js
@@ -110,6 +110,13 @@ function requestOCSP(self, hello, ctx, cb) {
 
   if (!ctx)
     ctx = self.server._sharedCreds;
+
+  // TLS socket is using a `net.Server` instead of a tls.TLSServer.
+  // Some TLS properties like `server._sharedCreds` will not be present
+  if (!ctx)
+    return cb(null);
+
+  // TODO(indutny): eventually disallow raw `SecureContext`
   if (ctx.context)
     ctx = ctx.context;
 
diff --git a/test/parallel/test-tls-starttls-server.js b/test/parallel/test-tls-starttls-server.js
@@ -0,0 +1,53 @@
+'use strict';
+
+// Test asynchronous SNI+OCSP on TLSSocket created with `server` set to
+// `net.Server` instead of `tls.Server`
+
+const common = require('../common');
+
+if (!common.hasCrypto) {
+  common.skip('missing crypto');
+  return;
+}
+
+const assert = require('assert');
+const fs = require('fs');
+const net = require('net');
+const tls = require('tls');
+
+const key = fs.readFileSync(common.fixturesDir + '/keys/agent1-key.pem');
+const cert = fs.readFileSync(common.fixturesDir + '/keys/agent1-cert.pem');
+
+const server = net.createServer(common.mustCall((s) => {
+  const tlsSocket = new tls.TLSSocket(s, {
+    isServer: true,
+    server: server,
+
+    secureContext: tls.createSecureContext({
+      key: key,
+      cert: cert
+    }),
+
+    SNICallback: common.mustCall((hostname, callback) => {
+      assert.strictEqual(hostname, 'test.test');
+
+      callback(null, null);
+    })
+  });
+
+  tlsSocket.on('secure', common.mustCall(() => {
+    tlsSocket.end();
+    server.close();
+  }));
+})).listen(0, () => {
+  const opts = {
+    servername: 'test.test',
+    port: server.address().port,
+    rejectUnauthorized: false,
+    requestOCSP: true
+  };
+
+  tls.connect(opts, function() {
+    this.end();
+  });
+});
