nodejs/test/parallel/test-tls-sni-server-client.js

'use strict';
const common = require('../common');
if (!process.features.tls_sni) {
  common.skip('node compiled without OpenSSL or ' +
              'with old OpenSSL version.');
  return;
}

const assert = require('assert');
const fs = require('fs');

if (!common.hasCrypto) {
  common.skip('missing crypto');
  return;
}
var tls = require('tls');

function filenamePEM(n) {
  return require('path').join(common.fixturesDir, 'keys', n + '.pem');
}

function loadPEM(n) {
  return fs.readFileSync(filenamePEM(n));
}

var serverOptions = {
  key: loadPEM('agent2-key'),
  cert: loadPEM('agent2-cert')
};

var SNIContexts = {
  'a.example.com': {
    key: loadPEM('agent1-key'),
    cert: loadPEM('agent1-cert')
  },
  'asterisk.test.com': {
    key: loadPEM('agent3-key'),
    cert: loadPEM('agent3-cert')
  },
  'chain.example.com': {
    key: loadPEM('agent6-key'),
    // NOTE: Contains ca3 chain cert
    cert: loadPEM('agent6-cert')
  }
};

var clientsOptions = [{
  port: undefined,
  ca: [loadPEM('ca1-cert')],
  servername: 'a.example.com',
  rejectUnauthorized: false
}, {
  port: undefined,
  ca: [loadPEM('ca2-cert')],
  servername: 'b.test.com',
  rejectUnauthorized: false
}, {
  port: undefined,
  ca: [loadPEM('ca2-cert')],
  servername: 'a.b.test.com',
  rejectUnauthorized: false
}, {
  port: undefined,
  ca: [loadPEM('ca1-cert')],
  servername: 'c.wrong.com',
  rejectUnauthorized: false
}, {
  port: undefined,
  ca: [loadPEM('ca1-cert')],
  servername: 'chain.example.com',
  rejectUnauthorized: false
}];

const serverResults = [];
const clientResults = [];

var server = tls.createServer(serverOptions, function(c) {
  serverResults.push(c.servername);
});

server.addContext('a.example.com', SNIContexts['a.example.com']);
server.addContext('*.test.com', SNIContexts['asterisk.test.com']);
server.addContext('chain.example.com', SNIContexts['chain.example.com']);

server.listen(0, startTest);

function startTest() {
  var i = 0;
  function start() {
    // No options left
    if (i === clientsOptions.length)
      return server.close();

    var options = clientsOptions[i++];
    options.port = server.address().port;
    var client = tls.connect(options, function() {
      clientResults.push(
        client.authorizationError &&
        /Hostname\/IP doesn't/.test(client.authorizationError));
      client.destroy();

      // Continue
      start();
    });
  }

  start();
}

process.on('exit', function() {
  assert.deepStrictEqual(serverResults, [
    'a.example.com', 'b.test.com', 'a.b.test.com', 'c.wrong.com',
    'chain.example.com'
  ]);
  assert.deepStrictEqual(clientResults, [true, true, false, false, true]);
});
test: enable linting for tests Enable linting for the test directory. A number of changes was made so all tests conform the current rules used by lib and src directories. The only exception for tests is that unreachable (dead) code is allowed. test-fs-non-number-arguments-throw had to be excluded from the changes because of a weird issue on Windows CI. PR-URL: https://github.com/nodejs/io.js/pull/1721 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> 2015-05-19 13:00:06 +02:00			`'use strict';`
test: fix tests for non-crypto builds Fix running the tests when node was compiled without crypto support. Some of these are cleanup after 52bae222a3a8480b2, where common was used before it was required. PR-URL: https://github.com/nodejs/node/pull/7056 Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Santiago Gimeno <santiago.gimeno@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> 2016-05-30 01:45:20 +02:00			`const common = require('../common');`
Add support for TLS SNI Fixes #1411 2011-07-28 17:52:04 +02:00			`if (!process.features.tls_sni) {`
test: abstract skip functionality to common The tap skipping output is so prevalent yet obscure in nature that we ought to move it into it's own function in test/common.js PR-URL: https://github.com/nodejs/node/pull/6697 Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: Santiago Gimeno <santiago.gimeno@gmail.com> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> 2016-05-11 21:34:52 +02:00			`common.skip('node compiled without OpenSSL or ' +`
test: formatting skip messages for TAP parsing This patch makes the skip messages consistent so that the TAP plugin in CI can parse the messages properly. The format will be 1..0 # Skipped: [Actual reason why the test is skipped] PR-URL: https://github.com/nodejs/io.js/pull/2109 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Johan Bergström <bugs@bergstroem.nu> 2015-07-06 05:24:12 +02:00			`'with old OpenSSL version.');`
test: fix messages and use return to skip tests This is a followup of https://github.com/nodejs/io.js/pull/2109. The tests which didn't make it in #2109, are included in this patch. The skip messages are supposed to follow the format 1..0 # Skipped: [Actual reason why the test is skipped] and the tests should be skipped with the return statement. PR-URL: https://github.com/nodejs/io.js/pull/2290 Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com> Reviewed-By: Johan Bergström <bugs@bergstroem.nu> 2015-08-02 16:06:43 +02:00			`return;`
Add support for TLS SNI Fixes #1411 2011-07-28 17:52:04 +02:00			`}`

test: fix style issues after eslint update Replace var keyword with const or let. PR-URL: https://github.com/nodejs/io.js/pull/2286 Reviewed-By: Roman Reiss <me@silverwind.io> 2016-01-13 21:42:45 +01:00			`const assert = require('assert');`
			`const fs = require('fs');`
test: refactor all tests that depends on crypto we had a few ways versions of looking for support before executing a test. this commit unifies them as well as add the check for all tests that previously lacked them. found by running `./configure --without-ssl && make test`. also, produce tap skip output if the test is skipped. PR-URL: https://github.com/iojs/io.js/pull/1049 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp> 2015-03-04 02:11:21 +01:00
			`if (!common.hasCrypto) {`
test: abstract skip functionality to common The tap skipping output is so prevalent yet obscure in nature that we ought to move it into it's own function in test/common.js PR-URL: https://github.com/nodejs/node/pull/6697 Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: Santiago Gimeno <santiago.gimeno@gmail.com> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> 2016-05-11 21:34:52 +02:00			`common.skip('missing crypto');`
test: changing process.exit to return while skipping tests This patch uses `return` statement to skip the test instead of using `process.exit` call. PR-URL: https://github.com/nodejs/io.js/pull/2109 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Johan Bergström <bugs@bergstroem.nu> 2015-07-07 17:25:55 +02:00			`return;`
test: refactor all tests that depends on crypto we had a few ways versions of looking for support before executing a test. this commit unifies them as well as add the check for all tests that previously lacked them. found by running `./configure --without-ssl && make test`. also, produce tap skip output if the test is skipped. PR-URL: https://github.com/iojs/io.js/pull/1049 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp> 2015-03-04 02:11:21 +01:00			`}`
			`var tls = require('tls');`
Add support for TLS SNI Fixes #1411 2011-07-28 17:52:04 +02:00
			`function filenamePEM(n) {`
Fixed a lot of jslint errors. Fixes #1831 2011-10-05 00:08:18 +02:00			`return require('path').join(common.fixturesDir, 'keys', n + '.pem');`
Add support for TLS SNI Fixes #1411 2011-07-28 17:52:04 +02:00			`}`

			`function loadPEM(n) {`
			`return fs.readFileSync(filenamePEM(n));`
			`}`

			`var serverOptions = {`
			`key: loadPEM('agent2-key'),`
			`cert: loadPEM('agent2-cert')`
			`};`

			`var SNIContexts = {`
			`'a.example.com': {`
			`key: loadPEM('agent1-key'),`
			`cert: loadPEM('agent1-cert')`
			`},`
			`'asterisk.test.com': {`
			`key: loadPEM('agent3-key'),`
			`cert: loadPEM('agent3-cert')`
tls: use `SSL_set_cert_cb` for async SNI/OCSP Do not enable ClientHello parser for async SNI/OCSP. Use new OpenSSL-1.0.2's API `SSL_set_cert_cb` to pause the handshake process and load the cert/OCSP response asynchronously. Hopefuly this will make whole async SNI/OCSP process much faster and will eventually let us remove the ClientHello parser itself (which is currently used only for async session, see #1462 for the discussion of removing it). NOTE: Ported our code to `SSL_CTX_add1_chain_cert` to use `SSL_CTX_get0_chain_certs` in `CertCbDone`. Test provided for this feature. Fix: https://github.com/iojs/io.js/issues/1423 PR-URL: https://github.com/iojs/io.js/pull/1464 Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp> 2015-04-18 10:19:23 +02:00			`},`
			`'chain.example.com': {`
			`key: loadPEM('agent6-key'),`
			`// NOTE: Contains ca3 chain cert`
			`cert: loadPEM('agent6-cert')`
Add support for TLS SNI Fixes #1411 2011-07-28 17:52:04 +02:00			`}`
			`};`

			`var clientsOptions = [{`
test: use random ports where possible This helps to prevent issues where a failed test can keep a bound socket open long enough to cause other tests to fail with EADDRINUSE because the same port number is used. PR-URL: https://github.com/nodejs/node/pull/7045 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Rod Vagg <rod@vagg.org> 2016-05-29 09:06:56 +02:00			`port: undefined,`
Add support for TLS SNI Fixes #1411 2011-07-28 17:52:04 +02:00			`ca: [loadPEM('ca1-cert')],`
test: set rejectUnauthorized in tls/https tests Update the tls and https tests to explicitly set rejectUnauthorized instead of relying on the NODE_TLS_REJECT_UNAUTHORIZED environment variable getting set. 2012-08-30 16:43:20 +02:00			`servername: 'a.example.com',`
			`rejectUnauthorized: false`
tls: fix handling of asterisk in SNI context Wildcard server names should not match subdomains. Quote from RFC2818: ...Names may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., .a.com matches foo.a.com but not bar.foo.a.com. f.com matches foo.com but not bar.com. fix #6610 2013-12-05 16:16:01 +01:00			`}, {`
test: use random ports where possible This helps to prevent issues where a failed test can keep a bound socket open long enough to cause other tests to fail with EADDRINUSE because the same port number is used. PR-URL: https://github.com/nodejs/node/pull/7045 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Rod Vagg <rod@vagg.org> 2016-05-29 09:06:56 +02:00			`port: undefined,`
Add support for TLS SNI Fixes #1411 2011-07-28 17:52:04 +02:00			`ca: [loadPEM('ca2-cert')],`
test: set rejectUnauthorized in tls/https tests Update the tls and https tests to explicitly set rejectUnauthorized instead of relying on the NODE_TLS_REJECT_UNAUTHORIZED environment variable getting set. 2012-08-30 16:43:20 +02:00			`servername: 'b.test.com',`
			`rejectUnauthorized: false`
tls: fix handling of asterisk in SNI context Wildcard server names should not match subdomains. Quote from RFC2818: ...Names may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., .a.com matches foo.a.com but not bar.foo.a.com. f.com matches foo.com but not bar.com. fix #6610 2013-12-05 16:16:01 +01:00			`}, {`
test: use random ports where possible This helps to prevent issues where a failed test can keep a bound socket open long enough to cause other tests to fail with EADDRINUSE because the same port number is used. PR-URL: https://github.com/nodejs/node/pull/7045 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Rod Vagg <rod@vagg.org> 2016-05-29 09:06:56 +02:00			`port: undefined,`
tls: fix handling of asterisk in SNI context Wildcard server names should not match subdomains. Quote from RFC2818: ...Names may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., .a.com matches foo.a.com but not bar.foo.a.com. f.com matches foo.com but not bar.com. fix #6610 2013-12-05 16:16:01 +01:00			`ca: [loadPEM('ca2-cert')],`
			`servername: 'a.b.test.com',`
			`rejectUnauthorized: false`
			`}, {`
test: use random ports where possible This helps to prevent issues where a failed test can keep a bound socket open long enough to cause other tests to fail with EADDRINUSE because the same port number is used. PR-URL: https://github.com/nodejs/node/pull/7045 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Rod Vagg <rod@vagg.org> 2016-05-29 09:06:56 +02:00			`port: undefined,`
Add support for TLS SNI Fixes #1411 2011-07-28 17:52:04 +02:00			`ca: [loadPEM('ca1-cert')],`
test: set rejectUnauthorized in tls/https tests Update the tls and https tests to explicitly set rejectUnauthorized instead of relying on the NODE_TLS_REJECT_UNAUTHORIZED environment variable getting set. 2012-08-30 16:43:20 +02:00			`servername: 'c.wrong.com',`
			`rejectUnauthorized: false`
tls: use `SSL_set_cert_cb` for async SNI/OCSP Do not enable ClientHello parser for async SNI/OCSP. Use new OpenSSL-1.0.2's API `SSL_set_cert_cb` to pause the handshake process and load the cert/OCSP response asynchronously. Hopefuly this will make whole async SNI/OCSP process much faster and will eventually let us remove the ClientHello parser itself (which is currently used only for async session, see #1462 for the discussion of removing it). NOTE: Ported our code to `SSL_CTX_add1_chain_cert` to use `SSL_CTX_get0_chain_certs` in `CertCbDone`. Test provided for this feature. Fix: https://github.com/iojs/io.js/issues/1423 PR-URL: https://github.com/iojs/io.js/pull/1464 Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp> 2015-04-18 10:19:23 +02:00			`}, {`
test: use random ports where possible This helps to prevent issues where a failed test can keep a bound socket open long enough to cause other tests to fail with EADDRINUSE because the same port number is used. PR-URL: https://github.com/nodejs/node/pull/7045 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Rod Vagg <rod@vagg.org> 2016-05-29 09:06:56 +02:00			`port: undefined,`
tls: use `SSL_set_cert_cb` for async SNI/OCSP Do not enable ClientHello parser for async SNI/OCSP. Use new OpenSSL-1.0.2's API `SSL_set_cert_cb` to pause the handshake process and load the cert/OCSP response asynchronously. Hopefuly this will make whole async SNI/OCSP process much faster and will eventually let us remove the ClientHello parser itself (which is currently used only for async session, see #1462 for the discussion of removing it). NOTE: Ported our code to `SSL_CTX_add1_chain_cert` to use `SSL_CTX_get0_chain_certs` in `CertCbDone`. Test provided for this feature. Fix: https://github.com/iojs/io.js/issues/1423 PR-URL: https://github.com/iojs/io.js/pull/1464 Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp> 2015-04-18 10:19:23 +02:00			`ca: [loadPEM('ca1-cert')],`
			`servername: 'chain.example.com',`
			`rejectUnauthorized: false`
Add support for TLS SNI Fixes #1411 2011-07-28 17:52:04 +02:00			`}];`

test: fix style issues after eslint update Replace var keyword with const or let. PR-URL: https://github.com/nodejs/io.js/pull/2286 Reviewed-By: Roman Reiss <me@silverwind.io> 2016-01-13 21:42:45 +01:00			`const serverResults = [];`
			`const clientResults = [];`
Add support for TLS SNI Fixes #1411 2011-07-28 17:52:04 +02:00
			`var server = tls.createServer(serverOptions, function(c) {`
			`serverResults.push(c.servername);`
			`});`

			`server.addContext('a.example.com', SNIContexts['a.example.com']);`
			`server.addContext('*.test.com', SNIContexts['asterisk.test.com']);`
tls: use `SSL_set_cert_cb` for async SNI/OCSP Do not enable ClientHello parser for async SNI/OCSP. Use new OpenSSL-1.0.2's API `SSL_set_cert_cb` to pause the handshake process and load the cert/OCSP response asynchronously. Hopefuly this will make whole async SNI/OCSP process much faster and will eventually let us remove the ClientHello parser itself (which is currently used only for async session, see #1462 for the discussion of removing it). NOTE: Ported our code to `SSL_CTX_add1_chain_cert` to use `SSL_CTX_get0_chain_certs` in `CertCbDone`. Test provided for this feature. Fix: https://github.com/iojs/io.js/issues/1423 PR-URL: https://github.com/iojs/io.js/pull/1464 Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp> 2015-04-18 10:19:23 +02:00			`server.addContext('chain.example.com', SNIContexts['chain.example.com']);`
Add support for TLS SNI Fixes #1411 2011-07-28 17:52:04 +02:00
test: use random ports where possible This helps to prevent issues where a failed test can keep a bound socket open long enough to cause other tests to fail with EADDRINUSE because the same port number is used. PR-URL: https://github.com/nodejs/node/pull/7045 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Rod Vagg <rod@vagg.org> 2016-05-29 09:06:56 +02:00			`server.listen(0, startTest);`
Add support for TLS SNI Fixes #1411 2011-07-28 17:52:04 +02:00
			`function startTest() {`
tls: fix handling of asterisk in SNI context Wildcard server names should not match subdomains. Quote from RFC2818: ...Names may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., .a.com matches foo.a.com but not bar.foo.a.com. f.com matches foo.com but not bar.com. fix #6610 2013-12-05 16:16:01 +01:00			`var i = 0;`
			`function start() {`
			`// No options left`
			`if (i === clientsOptions.length)`
			`return server.close();`

			`var options = clientsOptions[i++];`
test: use random ports where possible This helps to prevent issues where a failed test can keep a bound socket open long enough to cause other tests to fail with EADDRINUSE because the same port number is used. PR-URL: https://github.com/nodejs/node/pull/7045 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Rod Vagg <rod@vagg.org> 2016-05-29 09:06:56 +02:00			`options.port = server.address().port;`
test tls: make tests use new `tls.connect` API Refs #1983. 2011-11-01 16:28:04 +01:00			`var client = tls.connect(options, function() {`
tls: revert accidental API change socket.authorizationError should always be string. Also make sni test pass. 2012-07-20 19:10:23 +02:00			`clientResults.push(`
			`client.authorizationError &&`
			`/Hostname\/IP doesn't/.test(client.authorizationError));`
Add support for TLS SNI Fixes #1411 2011-07-28 17:52:04 +02:00			`client.destroy();`

tls: fix handling of asterisk in SNI context Wildcard server names should not match subdomains. Quote from RFC2818: ...Names may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., .a.com matches foo.a.com but not bar.foo.a.com. f.com matches foo.com but not bar.com. fix #6610 2013-12-05 16:16:01 +01:00			`// Continue`
			`start();`
Add support for TLS SNI Fixes #1411 2011-07-28 17:52:04 +02:00			`});`
lib,test: remove extra semicolons PR-URL: https://github.com/nodejs/node/pull/2205 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Roman Reiss <me@silverwind.io> 2016-01-15 09:53:11 +01:00			`}`
Add support for TLS SNI Fixes #1411 2011-07-28 17:52:04 +02:00
tls: fix handling of asterisk in SNI context Wildcard server names should not match subdomains. Quote from RFC2818: ...Names may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., .a.com matches foo.a.com but not bar.foo.a.com. f.com matches foo.com but not bar.com. fix #6610 2013-12-05 16:16:01 +01:00			`start();`
Fixed a lot of jslint errors. Fixes #1831 2011-10-05 00:08:18 +02:00			`}`
Add support for TLS SNI Fixes #1411 2011-07-28 17:52:04 +02:00
			`process.on('exit', function() {`
test,benchmark: use deepStrictEqual() In preparation for a lint rule that will enforce assert.deepStrictEqual() over assert.deepEqual(), change tests and benchmarks accordingly. For tests and benchmarks that are testing or benchmarking assert.deepEqual() itself, apply a comment to ignore the upcoming rule. PR-URL: https://github.com/nodejs/node/pull/6213 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> 2016-04-20 00:37:45 +02:00			`assert.deepStrictEqual(serverResults, [`
tls: use `SSL_set_cert_cb` for async SNI/OCSP Do not enable ClientHello parser for async SNI/OCSP. Use new OpenSSL-1.0.2's API `SSL_set_cert_cb` to pause the handshake process and load the cert/OCSP response asynchronously. Hopefuly this will make whole async SNI/OCSP process much faster and will eventually let us remove the ClientHello parser itself (which is currently used only for async session, see #1462 for the discussion of removing it). NOTE: Ported our code to `SSL_CTX_add1_chain_cert` to use `SSL_CTX_get0_chain_certs` in `CertCbDone`. Test provided for this feature. Fix: https://github.com/iojs/io.js/issues/1423 PR-URL: https://github.com/iojs/io.js/pull/1464 Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp> 2015-04-18 10:19:23 +02:00			`'a.example.com', 'b.test.com', 'a.b.test.com', 'c.wrong.com',`
			`'chain.example.com'`
			`]);`
test,benchmark: use deepStrictEqual() In preparation for a lint rule that will enforce assert.deepStrictEqual() over assert.deepEqual(), change tests and benchmarks accordingly. For tests and benchmarks that are testing or benchmarking assert.deepEqual() itself, apply a comment to ignore the upcoming rule. PR-URL: https://github.com/nodejs/node/pull/6213 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> 2016-04-20 00:37:45 +02:00			`assert.deepStrictEqual(clientResults, [true, true, false, false, true]);`
Add support for TLS SNI Fixes #1411 2011-07-28 17:52:04 +02:00			`});`