.

2026-02-09 10:28:47 +00:00 · 2025-06-02 16:01:43 -07:00
parent 9d40c62901
commit b3cf2df234
3 changed files with 106 additions and 1 deletions
--- a/categories.txt
+++ b/categories.txt
@@ -54,4 +54,5 @@ that to `localhost:${port}localhost:${port}` which is an invalid url
 passes on mac:
 - test-tls-junk-closes-server
 - test-tls-onread-static-buffer
- test-tls-lookup
+- test-tls-lookup
+- test-tls-wrap-econnreset-pipe
--- a/test/js/node/test/parallel/test-tls-cnnic-whitelist.js
+++ b/test/js/node/test/parallel/test-tls-cnnic-whitelist.js
@@ -0,0 +1,56 @@
+// Flags: --use-bundled-ca
+'use strict';
+const common = require('../common');
+
+if (!common.hasCrypto)
+  common.skip('missing crypto');
+
+const assert = require('assert');
+const tls = require('tls');
+const fixtures = require('../common/fixtures');
+
+function loadPEM(n) {
+  return fixtures.readKey(`${n}.pem`);
+}
+
+const testCases = [
+  // Test 1: for the fix of node#2061
+  // agent6-cert.pem is signed by intermediate cert of ca3.
+  // The server has a cert chain of agent6->ca3->ca1(root) but
+  // tls.connect should be failed with an error of
+  // UNABLE_TO_GET_ISSUER_CERT_LOCALLY since the root CA of ca1 is not
+  // installed locally.
+  {
+    serverOpts: {
+      ca: loadPEM('ca3-key'),
+      key: loadPEM('agent6-key'),
+      cert: loadPEM('agent6-cert')
+    },
+    clientOpts: {
+      port: undefined,
+      rejectUnauthorized: true
+    },
+    errorCode: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY'
+  },
+];
+
+function runTest(tindex) {
+  const tcase = testCases[tindex];
+
+  if (!tcase) return;
+
+  const server = tls.createServer(tcase.serverOpts, (s) => {
+    s.resume();
+  }).listen(0, common.mustCall(function() {
+    tcase.clientOpts.port = this.address().port;
+    const client = tls.connect(tcase.clientOpts);
+    client.on('error', common.mustCall((e) => {
+      assert.strictEqual(e.code, tcase.errorCode);
+      server.close(common.mustCall(() => {
+        runTest(tindex + 1);
+      }));
+    }));
+  }));
+}
+
+runTest(0);
--- a/test/js/node/test/parallel/test-tls-wrap-econnreset-pipe.js
+++ b/test/js/node/test/parallel/test-tls-wrap-econnreset-pipe.js
@@ -0,0 +1,48 @@
+'use strict';
+
+const common = require('../common');
+if (!common.hasCrypto)
+  common.skip('missing crypto');
+
+const assert = require('assert');
+const tls = require('tls');
+const net = require('net');
+const { fork } = require('child_process');
+
+const tmpdir = require('../common/tmpdir');
+
+// Run in a child process because the PIPE file descriptor stays open until
+// Node.js completes, blocking the tmpdir and preventing cleanup.
+
+if (process.argv[2] !== 'child') {
+  // Parent
+  tmpdir.refresh();
+
+  // Run test
+  const child = fork(__filename, ['child'], { stdio: 'inherit' });
+  child.on('exit', common.mustCall(function(code) {
+    assert.strictEqual(code, 0);
+  }));
+
+  return;
+}
+
+// Child
+const server = net.createServer((c) => {
+  c.end();
+}).listen(common.PIPE, common.mustCall(() => {
+  let errored = false;
+  tls.connect({ path: common.PIPE })
+    .once('error', common.mustCall((e) => {
+      assert.strictEqual(e.code, 'ECONNRESET');
+      assert.strictEqual(e.path, common.PIPE);
+      assert.strictEqual(e.port, undefined);
+      assert.strictEqual(e.host, undefined);
+      assert.strictEqual(e.localAddress, undefined);
+      server.close();
+      errored = true;
+    }))
+    .on('close', common.mustCall(() => {
+      assert.strictEqual(errored, true);
+    }));
+}));