https: fix renegotation attack protection

bnoordhuis · bnoordhuis · commit 0ad005852c7b · 2012-10-09T16:38:00.000+02:00
Listen for the 'clientError' event that is emitted when a renegotation attack
is detected and close the connection.

Fixes test/pummel/test-https-ci-reneg-attack.js
diff --git a/doc/api/http.markdown b/doc/api/http.markdown
@@ -127,10 +127,13 @@ sent to the server on that socket.
 
 ### Event: 'clientError'
 
-`function (exception) { }`
+`function (exception, socket) { }`
 
 If a client connection emits an 'error' event - it will forwarded here.
 
+`socket` is the `net.Socket` object that the error originated from.
+
+
 ### server.listen(port, [hostname], [backlog], [callback])
 
 Begin accepting connections on the specified port and hostname.  If the
diff --git a/doc/api/tls.markdown b/doc/api/tls.markdown
@@ -367,11 +367,13 @@ SNI.
 
 ### Event: 'clientError'
 
-`function (exception) { }`
+`function (exception, securePair) { }`
 
 When a client connection emits an 'error' event before secure connection is
 established - it will be forwarded here.
 
+`securePair` is the `tls.SecurePair` that the error originated from.
+
 
 ### Event: 'newSession'
 
diff --git a/lib/http.js b/lib/http.js
@@ -1647,6 +1647,10 @@ function Server(requestListener) {
   this.httpAllowHalfOpen = false;
 
   this.addListener('connection', connectionListener);
+
+  this.addListener('clientError', function(err, conn) {
+    conn.destroy(err);
+  });
 }
 util.inherits(Server, net.Server);
 
@@ -1705,7 +1709,7 @@ function connectionListener(socket) {
   }
 
   socket.addListener('error', function(e) {
-    self.emit('clientError', e);
+    self.emit('clientError', e, this);
   });
 
   socket.ondata = function(d, start, end) {
diff --git a/lib/https.js b/lib/https.js
@@ -39,6 +39,10 @@ function Server(opts, requestListener) {
   if (requestListener) {
     this.addListener('request', requestListener);
   }
+
+  this.addListener('clientError', function(err, conn) {
+    conn.destroy(err);
+  });
 }
 inherits(Server, tls.Server);
 
diff --git a/lib/tls.js b/lib/tls.js
@@ -1155,7 +1155,7 @@ function Server(/* [options], listener */) {
       }
     });
     pair.on('error', function(err) {
-      self.emit('clientError', err);
+      self.emit('clientError', err, this);
     });
   });
 

Original file line number	Diff line number	Diff line change
`@@ -39,6 +39,10 @@ function Server(opts, requestListener) {`
`39`	`39`	`if (requestListener) {`
`40`	`40`	`this.addListener('request', requestListener);`
`41`	`41`	`}`
	`42`	`+`
	`43`	`+ this.addListener('clientError', function(err, conn) {`
	`44`	`+ conn.destroy(err);`
	`45`	`+ });`
`42`	`46`	`}`
`43`	`47`	`inherits(Server, tls.Server);`
`44`	`48`
Original file line number	Diff line number	Diff line change
`@@ -1155,7 +1155,7 @@ function Server(/* [options], listener */) {`
`1155`	`1155`	`}`
`1156`	`1156`	`});`
`1157`	`1157`	`pair.on('error', function(err) {`
`1158`		`- self.emit('clientError', err);`
	`1158`	`+ self.emit('clientError', err, this);`
`1159`	`1159`	`});`
`1160`	`1160`	`});`
`1161`	`1161`