From ebbbba0fa68a61fbb2c7ff57cfc6a2e0c5304ca6 Mon Sep 17 00:00:00 2001 From: pfg Date: Mon, 9 Jun 2025 15:43:07 -0700 Subject: [PATCH] notes --- categories.txt | 50 +++++++++++-------- .../tls-check-extra-ca-certificates.js | 17 +++++++ ...st-tls-client-allow-partial-trust-chain.js | 9 ++++ .../test/parallel/test-tls-client-resume.js | 33 +++++++++--- .../test-tls-connect-timeout-option.js | 3 ++ .../test/parallel/test-tls-env-extra-ca.js | 8 +++ .../parallel/test-tls-getcertificate-x509.js | 1 + .../node/test/parallel/test-tls-no-sslv23.js | 8 +++ .../test-tls-retain-handle-no-abort.js | 11 +++- .../test-tls-socket-default-options.js | 28 +++++++++-- .../test/parallel/test-tls-timeout-server.js | 4 ++ 11 files changed, 139 insertions(+), 33 deletions(-) create mode 100644 test/js/node/test/fixtures/tls-check-extra-ca-certificates.js diff --git a/categories.txt b/categories.txt index edb5e14279..c9e167ba01 100644 --- a/categories.txt +++ b/categories.txt @@ -19,17 +19,22 @@ t.style.color = "black"; # TODO CHECK: -# max version env vars +# max version env vars, not investigated. parallel/test-tls-client-reject-12.js parallel/test-tls-ticket-12.js parallel/test-tls-client-resume-12.js +parallel/test-tls-destroy-stream-12.js +parallel/test-tls-net-socket-keepalive-12.js +parallel/test-tls-keylog-tlsv13.js +parallel/test-tls-cli-min-max-conflict.js # trivial parallel/test-tls-external-accessor.js - we don't support `_external`, but we pass the spirit of the test. trivial 'fix' parallel/test-tls-destroy-stream.js +parallel/test-double-tls-client.js (this one maybe not as easy, but it is somewhat related) - the test calls `.emit("connection")` on the tlsServer. In node, this calls the connection handler but in bun it does not. Switch tls to use emit("connection") rather than calling the connection listener directly, and add .on('connection') in the constructor 
@@ -70,13 +75,15 @@ parallel/test-tls-basic-validations.js - 12 mismatched errors parallel/test-tls-error-servername.js - 2 mismatched errors - -# categorize - +parallel/test-tls-client-allow-partial-trust-chain.js +- support allowPartialTrustChain parallel/test-tls-env-bad-extra-ca.js - emit a warning when the value in NODE_EXTRA_CA_CERTS is ignored because it fails to load - this is a little bit hard to do because currently we handle that in us_internal_init_root_certs with getenv, but we can't emit a warning from there. we would have to have it call out to bun code to emit the warning + +# categorize + parallel/test-tls-connect-allow-half-open-option.js - with allowHalfOpen, if the server ends its socket, it should still be able to receive a message parallel/test-tls-server-parent-constructor-options.js @@ -85,6 +92,11 @@ parallel/test-tls-get-ca-certificates-system.js parallel/test-tls-get-ca-certificates-default.js parallel/test-tls-get-ca-certificates-error.js parallel/test-tls-get-ca-certificates-extra-empty.js +parallel/test-tls-get-ca-certificates-bundled.js +parallel/test-tls-get-ca-certificates-extra-subset.js +parallel/test-tls-get-ca-certificates-system-without-flag.js +parallel/test-tls-get-ca-certificates-bundled-subset.js +parallel/test-tls-get-ca-certificates-extra.js - tls.getCACertificates is not implemented parallel/test-tls-server-setkeycert.js - some kind of problem with getPeerX509Certificate? 
@@ -94,28 +106,19 @@ parallel/test-tls-cert-chains-concat.js - issuerCertificate is not defined? parallel/test-tls-streamwrap-buffersize.js - bufferSize is wrong. also it is deprecated. - -parallel/test-tls-pause.js -parallel/test-tls-connect-memleak.js -parallel/test-tls-get-ca-certificates-bundled.js parallel/test-tls-clientcertengine-invalid-arg-type.js -parallel/test-tls-timeout-server.js -parallel/test-tls-destroy-stream-12.js -parallel/test-tls-net-socket-keepalive-12.js parallel/test-tls-socket-default-options.js -parallel/test-tls-get-ca-certificates-extra-subset.js -parallel/test-double-tls-client.js +- createSecureContext (kai) +parallel/test-tls-timeout-server.js +- handshakeTimeout is not implemented parallel/test-tls-retain-handle-no-abort.js -parallel/test-tls-keylog-tlsv13.js +- unable to verify the first certificate? UNABLE_TO_VERIFY_LEAF_SIGNATURE parallel/test-tls-client-resume.js -parallel/test-tls-no-sslv23.js +- done https://github.com/oven-sh/bun/pull/20197 parallel/test-tls-connect-timeout-option.js -parallel/test-tls-client-allow-partial-trust-chain.js -parallel/test-tls-cli-min-max-conflict.js -parallel/test-tls-get-ca-certificates-system-without-flag.js -parallel/test-tls-get-ca-certificates-bundled-subset.js +- support tls connect timeout option parallel/test-tls-getcertificate-x509.js -parallel/test-tls-get-ca-certificates-extra.js +- error: error:0900006e:PEM routines:OPENSSL_internal:NO_START_LINE parallel/test-tls-env-extra-ca.js parallel/test-tls-socket-destroy.js parallel/test-tls-socket-close.js @@ -131,6 +134,11 @@ parallel/test-tls-client-default-ciphers.js parallel/test-tls-socket-constructor-alpn-options-parsing.js sequential/test-tls-session-timeout.js +# skipped (wontfix) + +parallel/test-tls-no-sslv23.js +- skipped + # Key [ES] = skipped by electron 
@@ -194,6 +202,8 @@ These tests are removed in new node versions: (createSecurePair is deprecated) - test-tls-onread-static-buffer - test-tls-lookup - test-tls-wrap-econnreset-pipe +- parallel/test-tls-pause.js +- parallel/test-tls-connect-memleak.js # Attempted diff --git a/test/js/node/test/fixtures/tls-check-extra-ca-certificates.js b/test/js/node/test/fixtures/tls-check-extra-ca-certificates.js new file mode 100644 index 0000000000..ee12992604 --- /dev/null +++ b/test/js/node/test/fixtures/tls-check-extra-ca-certificates.js @@ -0,0 +1,17 @@ +'use strict'; + +const tls = require('tls'); +const assert = require('assert'); + +const defaultSet = new Set(tls.getCACertificates('default')); +const extraSet = new Set(tls.getCACertificates('extra')); +console.log(defaultSet.size, 'default certificates'); +console.log(extraSet.size, 'extra certificates') + +// Parent process is supposed to call this with +// NODE_EXTRA_CA_CERTS set to test/fixtures/keys/ca1-cert.pem. +assert.strictEqual(extraSet.size, 1); + +// Check that default set is a super set of extra set. +assert.deepStrictEqual(defaultSet.intersection(extraSet), + extraSet); diff --git a/test/js/node/test/parallel/test-tls-client-allow-partial-trust-chain.js b/test/js/node/test/parallel/test-tls-client-allow-partial-trust-chain.js index ffa6b2b167..9de1390156 100644 --- a/test/js/node/test/parallel/test-tls-client-allow-partial-trust-chain.js +++ b/test/js/node/test/parallel/test-tls-client-allow-partial-trust-chain.js @@ -18,6 +18,7 @@ describe('allowPartialTrustChain', { skip: !common.hasCrypto }, function() { let opts; beforeEach(async function() { + console.log('Setting up server and options...'); server = tls.createServer({ ca: fixtures.readKey('ca3-cert.pem'), key: fixtures.readKey('agent6-key.pem'), 
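Review bot: In the new fixture tls-check-extra-ca-certificates.js the line `console.log(extraSet.size, 'extra certificates')` is missing its terminating semicolon while every other statement in the file has one; change it to `console.log(extraSet.size, 'extra certificates');`. The superset check `assert.deepStrictEqual(defaultSet.intersection(extraSet), extraSet);` relies on `Set.prototype.intersection`, which only exists in runtimes that ship the ES2025 set methods, and `assert.ok(extraSet.isSubsetOf(defaultSet));` would state the intent in the comment ("default set is a super set of extra set") more directly if that method set is available. Note also that categories.txt in this same commit records `tls.getCACertificates` as not implemented, so on that runtime this fixture presumably fails at the first `tls.getCACertificates('default')` call before any assertion runs.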
@@ -25,29 +26,37 @@ describe('allowPartialTrustChain', { skip: !common.hasCrypto }, function() { }, (socket) => socket.resume()); server.listen(0); await once(server, 'listening'); + console.log('Server listening on port:', server.address().port); opts = { port: server.address().port, ca: fixtures.readKey('ca3-cert.pem'), checkServerIdentity() {} }; + console.log('Options configured:', opts); }); afterEach(async function() { + console.log('Cleaning up client and server...'); client?.destroy(); server?.close(); }); it('can connect successfully with allowPartialTrustChain: true', async function() { + console.log('Testing connection with allowPartialTrustChain: true'); client = tls.connect({ ...opts, allowPartialTrustChain: true }); await once(client, 'secureConnect'); // Should not throw + console.log('Successfully connected with allowPartialTrustChain: true'); }); it('fails without with allowPartialTrustChain: true for an intermediate cert in the CA', async function() { + console.log('Testing connection without allowPartialTrustChain'); // Consistency check: Connecting fails without allowPartialTrustChain: true await assert.rejects(async () => { + console.log('Attempting connection without allowPartialTrustChain...'); const client = tls.connect(opts); await once(client, 'secureConnect'); }, { code: 'UNABLE_TO_GET_ISSUER_CERT' }); + console.log('Connection failed as expected without allowPartialTrustChain'); }); }); diff --git a/test/js/node/test/parallel/test-tls-client-resume.js b/test/js/node/test/parallel/test-tls-client-resume.js index b9d7fd828b..ad433e6ef7 100644 --- a/test/js/node/test/parallel/test-tls-client-resume.js +++ b/test/js/node/test/parallel/test-tls-client-resume.js 
@@ -32,18 +32,24 @@ const assert = require('assert'); const tls = require('tls'); const fixtures = require('../common/fixtures'); +console.log('Starting TLS client resume test'); + const options = { key: fixtures.readKey('agent2-key.pem'), cert: fixtures.readKey('agent2-cert.pem') }; +console.log('Server options:', options); + // create server const server = tls.Server(options, common.mustCall((socket) => { + console.log('Server received connection'); socket.end('Goodbye'); }, 2)); // start listening server.listen(0, common.mustCall(function() { + console.log('Server listening on port:', this.address().port); let sessionx = null; // From right after connect, invalid for TLS1.3 let session1 = null; // Delivered by the session event, always valid. let sessions = 0; 
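Review bot: The added `console.log('Server options:', options);` prints the whole options object, and `options.key` holds the PEM read from `agent2-key.pem`, so the private key text ends up in the test output and in whatever log the runner keeps. These are public fixture keys, but the pattern of dumping option objects that carry key material is the thing to avoid; `console.log('Server options:', Object.keys(options));` gives the same debugging signal. The same pattern recurs in test-tls-env-extra-ca.js (`console.log('Server options:', options);` with `agent1-key.pem`) and, unlabelled, in test-tls-getcertificate-x509.js (`console.log(fixtures.readKey('agent6-key.pem'));`), which reads like a leftover from chasing the NO_START_LINE error noted in categories.txt and should be dropped. More generally, the commit titled "notes" adds debug logging to ten vendored Node tests; that extra output diverges these files from upstream and will make future syncs noisier, so it may be worth keeping such lines out of the vendored copies.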
@@ -52,45 +58,55 @@ server.listen(0, common.mustCall(function() { port: this.address().port, rejectUnauthorized: false }, common.mustCall(() => { + console.log('Client1 connected'); tls13 = client1.getProtocol() === 'TLSv1.3'; + console.log('TLS version:', client1.getProtocol()); assert.strictEqual(client1.isSessionReused(), false); sessionx = client1.getSession(); + console.log('SessionX obtained:', !!sessionx); assert(sessionx); if (session1) reconnect(); })); - client1.on('data', common.mustCall()); + client1.on('data', common.mustCall((data) => { + console.log('Client1 received data:', data.toString()); + })); client1.once('session', common.mustCall((session) => { - console.log('session1'); + console.log('Session1 event received'); session1 = session; + console.log('Session1 obtained:', !!session1); assert(session1); if (sessionx) reconnect(); })); client1.on('session', () => { - console.log('client1 session#', ++sessions); + console.log('Client1 session event #', ++sessions); }); client1.on('close', () => { - console.log('client1 close'); + console.log('Client1 closed'); assert.strictEqual(sessions, tls13 ? 2 : 1); }); function reconnect() { + console.log('Starting reconnect'); assert(sessionx); assert(session1); - if (tls13) + if (tls13) { + console.log('TLS1.3 session comparison'); // For TLS1.3, the session immediately after handshake is a dummy, // unresumable session. The one delivered later in session event is // resumable. assert.notStrictEqual(sessionx.compare(session1), 0); - else + } else { + console.log('TLS1.2 session comparison'); // For TLS1.2, they are identical. assert.strictEqual(sessionx.compare(session1), 0); + } const opts = { port: server.address().port, 
@@ -98,13 +114,14 @@ server.listen(0, common.mustCall(function() { session: session1, }; + console.log('Connecting client2 with session'); const client2 = tls.connect(opts, common.mustCall(() => { - console.log('connect2'); + console.log('Client2 connected'); assert.strictEqual(client2.isSessionReused(), true); })); client2.on('close', common.mustCall(() => { - console.log('close2'); + console.log('Client2 closed'); server.close(); })); diff --git a/test/js/node/test/parallel/test-tls-connect-timeout-option.js b/test/js/node/test/parallel/test-tls-connect-timeout-option.js index 3c4328d94d..f37e8373aa 100644 --- a/test/js/node/test/parallel/test-tls-connect-timeout-option.js +++ b/test/js/node/test/parallel/test-tls-connect-timeout-option.js @@ -11,10 +11,13 @@ if (!common.hasCrypto) const assert = require('assert'); const tls = require('tls'); +console.log('Creating TLS socket with timeout option...'); const socket = tls.connect({ port: 42, lookup: () => {}, timeout: 1000 }); +console.log('Socket timeout value:', socket.timeout); assert.strictEqual(socket.timeout, 1000); +console.log('Timeout assertion passed'); diff --git a/test/js/node/test/parallel/test-tls-env-extra-ca.js b/test/js/node/test/parallel/test-tls-env-extra-ca.js index 7ac5ca3c86..d3d321a423 100644 --- a/test/js/node/test/parallel/test-tls-env-extra-ca.js +++ b/test/js/node/test/parallel/test-tls-env-extra-ca.js @@ -13,11 +13,14 @@ const fixtures = require('../common/fixtures'); const { fork } = require('child_process'); if (process.env.CHILD) { + console.log('Child process started'); const copts = { port: process.env.PORT, checkServerIdentity: common.mustCall(), }; + console.log('Client options:', copts); const client = tls.connect(copts, common.mustCall(function() { + console.log('Client connected successfully'); client.end('hi'); })); return; 
@@ -27,19 +30,24 @@ const options = { key: fixtures.readKey('agent1-key.pem'), cert: fixtures.readKey('agent1-cert.pem'), }; +console.log('Server options:', options); const server = tls.createServer(options, common.mustCall(function(s) { + console.log('Server received connection'); s.end('bye'); server.close(); })).listen(0, common.mustCall(function() { + console.log('Server listening on port:', this.address().port); const env = { ...process.env, CHILD: 'yes', PORT: this.address().port, NODE_EXTRA_CA_CERTS: fixtures.path('keys', 'ca1-cert.pem') }; + console.log('Environment variables:', env); fork(__filename, { env }).on('exit', common.mustCall(function(status) { + console.log('Child process exited with status:', status); // Client did not succeed in connecting assert.strictEqual(status, 0); })); diff --git a/test/js/node/test/parallel/test-tls-getcertificate-x509.js b/test/js/node/test/parallel/test-tls-getcertificate-x509.js index 704aa33e6e..962521fbc7 100644 --- a/test/js/node/test/parallel/test-tls-getcertificate-x509.js +++ b/test/js/node/test/parallel/test-tls-getcertificate-x509.js @@ -8,6 +8,7 @@ const tls = require('tls'); const fixtures = require('../common/fixtures'); const { X509Certificate } = require('crypto'); +console.log(fixtures.readKey('agent6-key.pem')); const options = { key: fixtures.readKey('agent6-key.pem'), cert: fixtures.readKey('agent6-cert.pem') diff --git a/test/js/node/test/parallel/test-tls-no-sslv23.js b/test/js/node/test/parallel/test-tls-no-sslv23.js index f1ba670ff0..0445de6548 100644 --- a/test/js/node/test/parallel/test-tls-no-sslv23.js +++ b/test/js/node/test/parallel/test-tls-no-sslv23.js @@ -6,6 +6,7 @@ if (!common.hasCrypto) const assert = require('assert'); const tls = require('tls'); +console.log('Testing invalid protocol method'); assert.throws(function() { tls.createSecureContext({ secureProtocol: 'blargh' }); }, { 
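Review bot: In test-tls-env-extra-ca.js the added `console.log('Environment variables:', env);` dumps the entire parent environment, because `env` is built from `{ ...process.env, ... }`; on a CI runner that includes any tokens or credentials present in the environment, and they would be written to the retained job log. Only three keys are set by the test, so logging just those preserves the debugging value: `console.log('Child env overrides:', { CHILD: env.CHILD, PORT: env.PORT, NODE_EXTRA_CA_CERTS: env.NODE_EXTRA_CA_CERTS });`. The enclosing listen callback continues past the end of the hunk.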
@@ -15,28 +16,34 @@ assert.throws(function() { const errMessageSSLv2 = /SSLv2 methods disabled/; +console.log('Testing SSLv2 method'); assert.throws(function() { tls.createSecureContext({ secureProtocol: 'SSLv2_method' }); }, errMessageSSLv2); +console.log('Testing SSLv2 client method'); assert.throws(function() { tls.createSecureContext({ secureProtocol: 'SSLv2_client_method' }); }, errMessageSSLv2); +console.log('Testing SSLv2 server method'); assert.throws(function() { tls.createSecureContext({ secureProtocol: 'SSLv2_server_method' }); }, errMessageSSLv2); const errMessageSSLv3 = /SSLv3 methods disabled/; +console.log('Testing SSLv3 method'); assert.throws(function() { tls.createSecureContext({ secureProtocol: 'SSLv3_method' }); }, errMessageSSLv3); +console.log('Testing SSLv3 client method'); assert.throws(function() { tls.createSecureContext({ secureProtocol: 'SSLv3_client_method' }); }, errMessageSSLv3); +console.log('Testing SSLv3 server method'); assert.throws(function() { tls.createSecureContext({ secureProtocol: 'SSLv3_server_method' }); }, errMessageSSLv3); @@ -44,6 +51,7 @@ assert.throws(function() { // Note that SSLv2 and SSLv3 are disallowed but SSLv2_method and friends are // still accepted. They are OpenSSL's way of saying that all known protocols // are supported unless explicitly disabled (which we do for SSLv2 and SSLv3.) +console.log('Testing allowed protocol methods'); tls.createSecureContext({ secureProtocol: 'SSLv23_method' }); tls.createSecureContext({ secureProtocol: 'SSLv23_client_method' }); tls.createSecureContext({ secureProtocol: 'SSLv23_server_method' }); diff --git a/test/js/node/test/parallel/test-tls-retain-handle-no-abort.js b/test/js/node/test/parallel/test-tls-retain-handle-no-abort.js index 6571aab3a9..520d0d978c 100644 --- a/test/js/node/test/parallel/test-tls-retain-handle-no-abort.js +++ b/test/js/node/test/parallel/test-tls-retain-handle-no-abort.js 
@@ -19,22 +19,31 @@ const serverOptions = { let ssl = null; process.on('exit', function() { + console.log('Exit handler called'); assert.ok(ssl !== null); // If the internal pointer to stream_ isn't cleared properly then this // will abort. + console.log('About to inspect ssl'); util.inspect(ssl); }); const server = tls.createServer(serverOptions, function(s) { - s.on('data', function() { }); + console.log('Server connection received'); + s.on('data', function() { + console.log('Server received data'); + }); s.on('end', function() { + console.log('Server connection ended'); server.close(); s.destroy(); }); }).listen(0, function() { + console.log('Server listening on port:', this.address().port); const c = new tls.TLSSocket(); ssl = c.ssl; + console.log('Created TLSSocket with ssl'); c.connect(this.address().port, function() { + console.log('Client connected'); c.end(sent); }); }); diff --git a/test/js/node/test/parallel/test-tls-socket-default-options.js b/test/js/node/test/parallel/test-tls-socket-default-options.js index bcd32c55df..51cd2fa64c 100644 --- a/test/js/node/test/parallel/test-tls-socket-default-options.js +++ b/test/js/node/test/parallel/test-tls-socket-default-options.js 
@@ -10,31 +10,41 @@ const { } = require(fixtures.path('tls-connect')); test(undefined, (err) => { + console.log('Test 1 - Error code:', err.code); assert.strictEqual(err.code, 'UNABLE_TO_VERIFY_LEAF_SIGNATURE'); }); test({}, (err) => { + console.log('Test 2 - Error code:', err.code); assert.strictEqual(err.code, 'UNABLE_TO_VERIFY_LEAF_SIGNATURE'); }); test( { secureContext: tls.createSecureContext({ ca: keys.agent1.ca }) }, - (err) => { assert.ifError(err); }); + (err) => { + console.log('Test 3 - Error:', err); + assert.ifError(err); + }); test( { ca: keys.agent1.ca }, - (err) => { assert.ifError(err); }); + (err) => { + console.log('Test 4 - Error:', err); + assert.ifError(err); + }); // Secure context options, like ca, are ignored if a sec ctx is explicitly // provided. test( { secureContext: tls.createSecureContext(), ca: keys.agent1.ca }, (err) => { + console.log('Test 5 - Error code:', err.code); assert.strictEqual(err.code, 'UNABLE_TO_VERIFY_LEAF_SIGNATURE'); }); function test(client, callback) { + console.log('Starting test with client options:', client); callback = common.mustCall(callback); connect({ server: { @@ -42,11 +52,17 @@ function test(client, callback) { cert: keys.agent1.cert, }, }, function(err, pair, cleanup) { + console.log('Connection error:', err); assert.strictEqual(err.code, 'UNABLE_TO_VERIFY_LEAF_SIGNATURE'); let recv = ''; pair.server.server.once('secureConnection', common.mustCall((conn) => { - conn.on('data', (data) => recv += data); + console.log('Secure connection established'); + conn.on('data', (data) => { + console.log('Received data:', data.toString()); + recv += data; + }); conn.on('end', common.mustCall(() => { + console.log('Connection ended, received:', recv); // Server sees nothing wrong with connection, even though the client's // authentication of the server cert failed. assert.strictEqual(recv, 'hello'); 
@@ -57,11 +73,15 @@ function test(client, callback) { // `new TLSSocket` doesn't support the 'secureConnect' event on client side, // and doesn't error if authentication failed. Caller must explicitly check // for failure. - (new tls.TLSSocket(null, client)).connect(pair.server.server.address().port) + const socket = new tls.TLSSocket(null, client); + console.log('Created new TLSSocket'); + socket.connect(pair.server.server.address().port) .on('connect', common.mustCall(function() { + console.log('Socket connected'); this.end('hello'); })) .on('secure', common.mustCall(function() { + console.log('Socket secure, verify error:', this.ssl.verifyError()); callback(this.ssl.verifyError()); })); }); diff --git a/test/js/node/test/parallel/test-tls-timeout-server.js b/test/js/node/test/parallel/test-tls-timeout-server.js index 7ca85f14d7..ac4f422a15 100644 --- a/test/js/node/test/parallel/test-tls-timeout-server.js +++ b/test/js/node/test/parallel/test-tls-timeout-server.js @@ -35,13 +35,17 @@ const options = { handshakeTimeout: 50 }; +console.log('Creating TLS server with options:', options); + const server = tls.createServer(options, common.mustNotCall()); server.on('tlsClientError', common.mustCall(function(err, conn) { + console.log('TLS client error occurred:', err.message); conn.destroy(); server.close(); })); server.listen(0, common.mustCall(function() { + console.log('Server listening on port:', this.address().port); net.connect({ host: '127.0.0.1', port: this.address().port }); }));