From 1895d2e604d3ebff5524365a0700a21a6db406dc Mon Sep 17 00:00:00 2001
From: Zuzana Svetlikova <zsvetlik@redhat.com>
Date: Thu, 7 Sep 2017 11:18:11 +0000
Subject: [PATCH 1/2] Disable crypto tests
---
test/disabled/test-crypto-dh.js | 319 ++++++++++++
test/disabled/test-crypto-fips.js | 235 +++++++++
test/disabled/test-tls-0-dns-altname.js | 33 ++
test/disabled/test-tls-addca.js | 50 ++
test/disabled/test-tls-alert-handling.js | 78 +++
test/disabled/test-tls-alert.js | 50 ++
test/disabled/test-tls-alpn-server-client.js | 538 +++++++++++++++++++++
.../disabled/test-tls-async-cb-after-socket-end.js | 70 +++
test/disabled/test-tls-basic-validations.js | 53 ++
test/disabled/test-tls-ca-concat.js | 24 +
test/disabled/test-tls-cert-chains-concat.js | 50 ++
test/disabled/test-tls-cert-chains-in-ca.js | 46 ++
test/disabled/test-tls-cert-regression.js | 45 ++
test/disabled/test-tls-check-server-identity.js | 260 ++++++++++
test/disabled/test-tls-cipher-list.js | 30 ++
test/disabled/test-tls-client-abort.js | 19 +
test/disabled/test-tls-client-abort2.js | 14 +
test/disabled/test-tls-client-default-ciphers.js | 26 +
test/disabled/test-tls-client-destroy-soon.js | 46 ++
.../test-tls-client-getephemeralkeyinfo.js | 96 ++++
test/disabled/test-tls-client-mindhsize.js | 92 ++++
test/disabled/test-tls-client-reject.js | 61 +++
test/disabled/test-tls-client-resume.js | 56 +++
test/disabled/test-tls-client-verify.js | 132 +++++
test/disabled/test-tls-close-error.js | 26 +
test/disabled/test-tls-close-notify.js | 27 ++
test/disabled/test-tls-cnnic-whitelist.js | 77 +++
test/disabled/test-tls-connect-address-family.js | 45 ++
test/disabled/test-tls-connect-given-socket.js | 65 +++
test/disabled/test-tls-connect-no-host.js | 34 ++
test/disabled/test-tls-connect-pipe.js | 26 +
test/disabled/test-tls-connect-secure-context.js | 25 +
test/disabled/test-tls-connect-simple.js | 42 ++
test/disabled/test-tls-connect-stream-writes.js | 63 +++
test/disabled/test-tls-connect.js | 39 ++
test/disabled/test-tls-delayed-attach-error.js | 36 ++
test/disabled/test-tls-delayed-attach.js | 45 ++
test/disabled/test-tls-destroy-whilst-write.js | 27 ++
test/disabled/test-tls-dhe.js | 96 ++++
test/disabled/test-tls-ecdh-disable.js | 37 ++
test/disabled/test-tls-ecdh.js | 42 ++
test/disabled/test-tls-econnreset.js | 76 +++
test/disabled/test-tls-empty-sni-context.js | 34 ++
test/disabled/test-tls-env-bad-extra-ca.js | 39 ++
test/disabled/test-tls-env-extra-ca.js | 44 ++
test/disabled/test-tls-external-accessor.js | 22 +
test/disabled/test-tls-fast-writing.js | 60 +++
test/disabled/test-tls-friendly-error-message.js | 23 +
test/disabled/test-tls-getcipher.js | 36 ++
test/disabled/test-tls-getprotocol.js | 40 ++
test/disabled/test-tls-handshake-error.js | 32 ++
test/disabled/test-tls-handshake-nohang.js | 11 +
test/disabled/test-tls-hello-parser-failure.js | 41 ++
test/disabled/test-tls-honorcipherorder.js | 97 ++++
test/disabled/test-tls-inception.js | 66 +++
test/disabled/test-tls-interleave.js | 55 +++
test/disabled/test-tls-invoke-queued.js | 37 ++
test/disabled/test-tls-js-stream.js | 73 +++
test/disabled/test-tls-junk-closes-server.js | 28 ++
test/disabled/test-tls-junk-server.js | 27 ++
test/disabled/test-tls-key-mismatch.js | 20 +
test/disabled/test-tls-legacy-onselect.js | 27 ++
test/disabled/test-tls-max-send-fragment.js | 42 ++
test/disabled/test-tls-multi-key.js | 51 ++
test/disabled/test-tls-no-cert-required.js | 29 ++
test/disabled/test-tls-no-rsa-key.js | 33 ++
test/disabled/test-tls-no-sslv23.js | 55 +++
test/disabled/test-tls-no-sslv3.js | 51 ++
test/disabled/test-tls-npn-server-client.js | 104 ++++
test/disabled/test-tls-ocsp-callback.js | 126 +++++
test/disabled/test-tls-on-empty-socket.js | 41 ++
test/disabled/test-tls-over-http-tunnel.js | 155 ++++++
test/disabled/test-tls-parse-cert-string.js | 36 ++
test/disabled/test-tls-passphrase.js | 275 +++++++++++
test/disabled/test-tls-pause.js | 70 +++
.../disabled/test-tls-peer-certificate-encoding.js | 33 ++
.../test-tls-peer-certificate-multi-keys.js | 34 ++
test/disabled/test-tls-peer-certificate.js | 39 ++
test/disabled/test-tls-pfx-gh-5100-regr.js | 38 ++
test/disabled/test-tls-regr-gh-5108.js | 40 ++
test/disabled/test-tls-request-timeout.js | 30 ++
test/disabled/test-tls-retain-handle-no-abort.js | 40 ++
test/disabled/test-tls-securepair-fiftharg.js | 27 ++
test/disabled/test-tls-securepair-server.js | 133 +++++
test/disabled/test-tls-server-connection-server.js | 32 ++
...ls-server-failed-handshake-emits-clienterror.js | 28 ++
test/disabled/test-tls-server-verify.js | 348 +++++++++++++
test/disabled/test-tls-session-cache.js | 127 +++++
test/disabled/test-tls-set-ciphers.js | 45 ++
test/disabled/test-tls-set-encoding.js | 58 +++
test/disabled/test-tls-sni-option.js | 168 +++++++
test/disabled/test-tls-sni-server-client.js | 113 +++++
test/disabled/test-tls-socket-close.js | 67 +++
test/disabled/test-tls-socket-default-options.js | 67 +++
test/disabled/test-tls-socket-destroy.js | 34 ++
...test-tls-socket-failed-handshake-emits-error.js | 37 ++
.../disabled/test-tls-startcom-wosign-whitelist.js | 89 ++++
test/disabled/test-tls-starttls-server.js | 51 ++
test/disabled/test-tls-ticket-cluster.js | 108 +++++
test/disabled/test-tls-ticket.js | 98 ++++
test/disabled/test-tls-timeout-server-2.js | 29 ++
test/disabled/test-tls-timeout-server.js | 26 +
test/disabled/test-tls-two-cas-one-string.js | 34 ++
test/disabled/test-tls-wrap-no-abort.js | 8 +
test/disabled/test-tls-wrap-timeout.js | 53 ++
test/disabled/test-tls-writewrap-leak.js | 24 +
test/disabled/test-tls-zero-clear-in.js | 41 ++
test/parallel/test-crypto-dh.js | 319 ------------
test/parallel/test-crypto-fips.js | 235 ---------
test/parallel/test-tls-0-dns-altname.js | 33 --
test/parallel/test-tls-addca.js | 50 --
test/parallel/test-tls-alert-handling.js | 78 ---
test/parallel/test-tls-alert.js | 50 --
test/parallel/test-tls-alpn-server-client.js | 538 ---------------------
.../parallel/test-tls-async-cb-after-socket-end.js | 70 ---
test/parallel/test-tls-basic-validations.js | 53 --
test/parallel/test-tls-ca-concat.js | 24 -
test/parallel/test-tls-cert-chains-concat.js | 50 --
test/parallel/test-tls-cert-chains-in-ca.js | 46 --
test/parallel/test-tls-cert-regression.js | 45 --
test/parallel/test-tls-check-server-identity.js | 260 ----------
test/parallel/test-tls-cipher-list.js | 30 --
test/parallel/test-tls-client-abort.js | 19 -
test/parallel/test-tls-client-abort2.js | 14 -
test/parallel/test-tls-client-default-ciphers.js | 26 -
test/parallel/test-tls-client-destroy-soon.js | 46 --
.../test-tls-client-getephemeralkeyinfo.js | 96 ----
test/parallel/test-tls-client-mindhsize.js | 92 ----
test/parallel/test-tls-client-reject.js | 61 ---
test/parallel/test-tls-client-resume.js | 56 ---
test/parallel/test-tls-client-verify.js | 132 -----
test/parallel/test-tls-close-error.js | 26 -
test/parallel/test-tls-close-notify.js | 27 --
test/parallel/test-tls-cnnic-whitelist.js | 77 ---
test/parallel/test-tls-connect-address-family.js | 45 --
test/parallel/test-tls-connect-given-socket.js | 65 ---
test/parallel/test-tls-connect-no-host.js | 34 --
test/parallel/test-tls-connect-pipe.js | 26 -
test/parallel/test-tls-connect-secure-context.js | 25 -
test/parallel/test-tls-connect-simple.js | 42 --
test/parallel/test-tls-connect-stream-writes.js | 63 ---
test/parallel/test-tls-connect.js | 39 --
test/parallel/test-tls-delayed-attach-error.js | 36 --
test/parallel/test-tls-delayed-attach.js | 45 --
test/parallel/test-tls-destroy-whilst-write.js | 27 --
test/parallel/test-tls-dhe.js | 96 ----
test/parallel/test-tls-ecdh-disable.js | 37 --
test/parallel/test-tls-ecdh.js | 42 --
test/parallel/test-tls-econnreset.js | 76 ---
test/parallel/test-tls-empty-sni-context.js | 34 --
test/parallel/test-tls-env-bad-extra-ca.js | 39 --
test/parallel/test-tls-env-extra-ca.js | 44 --
test/parallel/test-tls-external-accessor.js | 22 -
test/parallel/test-tls-fast-writing.js | 60 ---
test/parallel/test-tls-friendly-error-message.js | 23 -
test/parallel/test-tls-getcipher.js | 36 --
test/parallel/test-tls-getprotocol.js | 40 --
test/parallel/test-tls-handshake-error.js | 32 --
test/parallel/test-tls-handshake-nohang.js | 11 -
test/parallel/test-tls-hello-parser-failure.js | 41 --
test/parallel/test-tls-honorcipherorder.js | 97 ----
test/parallel/test-tls-inception.js | 66 ---
test/parallel/test-tls-interleave.js | 55 ---
test/parallel/test-tls-invoke-queued.js | 37 --
test/parallel/test-tls-js-stream.js | 73 ---
test/parallel/test-tls-junk-closes-server.js | 28 --
test/parallel/test-tls-junk-server.js | 27 --
test/parallel/test-tls-key-mismatch.js | 20 -
test/parallel/test-tls-legacy-onselect.js | 27 --
test/parallel/test-tls-max-send-fragment.js | 42 --
test/parallel/test-tls-multi-key.js | 51 --
test/parallel/test-tls-no-cert-required.js | 29 --
test/parallel/test-tls-no-rsa-key.js | 33 --
test/parallel/test-tls-no-sslv23.js | 55 ---
test/parallel/test-tls-no-sslv3.js | 51 --
test/parallel/test-tls-npn-server-client.js | 104 ----
test/parallel/test-tls-ocsp-callback.js | 126 -----
test/parallel/test-tls-on-empty-socket.js | 41 --
test/parallel/test-tls-over-http-tunnel.js | 155 ------
test/parallel/test-tls-parse-cert-string.js | 36 --
test/parallel/test-tls-passphrase.js | 275 -----------
test/parallel/test-tls-pause.js | 70 ---
.../parallel/test-tls-peer-certificate-encoding.js | 33 --
.../test-tls-peer-certificate-multi-keys.js | 34 --
test/parallel/test-tls-peer-certificate.js | 39 --
test/parallel/test-tls-pfx-gh-5100-regr.js | 38 --
test/parallel/test-tls-regr-gh-5108.js | 40 --
test/parallel/test-tls-request-timeout.js | 30 --
test/parallel/test-tls-retain-handle-no-abort.js | 40 --
test/parallel/test-tls-securepair-fiftharg.js | 27 --
test/parallel/test-tls-securepair-server.js | 133 -----
test/parallel/test-tls-server-connection-server.js | 32 --
...ls-server-failed-handshake-emits-clienterror.js | 28 --
test/parallel/test-tls-server-verify.js | 348 -------------
test/parallel/test-tls-session-cache.js | 127 -----
test/parallel/test-tls-set-ciphers.js | 45 --
test/parallel/test-tls-set-encoding.js | 58 ---
test/parallel/test-tls-sni-option.js | 168 -------
test/parallel/test-tls-sni-server-client.js | 113 -----
test/parallel/test-tls-socket-close.js | 67 ---
test/parallel/test-tls-socket-default-options.js | 67 ---
test/parallel/test-tls-socket-destroy.js | 34 --
...test-tls-socket-failed-handshake-emits-error.js | 37 --
.../parallel/test-tls-startcom-wosign-whitelist.js | 89 ----
test/parallel/test-tls-starttls-server.js | 51 --
test/parallel/test-tls-ticket-cluster.js | 108 -----
test/parallel/test-tls-ticket.js | 98 ----
test/parallel/test-tls-timeout-server-2.js | 29 --
test/parallel/test-tls-timeout-server.js | 26 -
test/parallel/test-tls-two-cas-one-string.js | 34 --
test/parallel/test-tls-wrap-no-abort.js | 8 -
test/parallel/test-tls-wrap-timeout.js | 53 --
test/parallel/test-tls-writewrap-leak.js | 24 -
test/parallel/test-tls-zero-clear-in.js | 41 --
214 files changed, 7230 insertions(+), 7230 deletions(-)
create mode 100644 test/disabled/test-crypto-dh.js
create mode 100644 test/disabled/test-crypto-fips.js
create mode 100644 test/disabled/test-tls-0-dns-altname.js
create mode 100644 test/disabled/test-tls-addca.js
create mode 100644 test/disabled/test-tls-alert-handling.js
create mode 100644 test/disabled/test-tls-alert.js
create mode 100644 test/disabled/test-tls-alpn-server-client.js
create mode 100644 test/disabled/test-tls-async-cb-after-socket-end.js
create mode 100644 test/disabled/test-tls-basic-validations.js
create mode 100644 test/disabled/test-tls-ca-concat.js
create mode 100644 test/disabled/test-tls-cert-chains-concat.js
create mode 100644 test/disabled/test-tls-cert-chains-in-ca.js
create mode 100644 test/disabled/test-tls-cert-regression.js
create mode 100644 test/disabled/test-tls-check-server-identity.js
create mode 100644 test/disabled/test-tls-cipher-list.js
create mode 100644 test/disabled/test-tls-client-abort.js
create mode 100644 test/disabled/test-tls-client-abort2.js
create mode 100644 test/disabled/test-tls-client-default-ciphers.js
create mode 100644 test/disabled/test-tls-client-destroy-soon.js
create mode 100644 test/disabled/test-tls-client-getephemeralkeyinfo.js
create mode 100644 test/disabled/test-tls-client-mindhsize.js
create mode 100644 test/disabled/test-tls-client-reject.js
create mode 100644 test/disabled/test-tls-client-resume.js
create mode 100644 test/disabled/test-tls-client-verify.js
create mode 100644 test/disabled/test-tls-close-error.js
create mode 100644 test/disabled/test-tls-close-notify.js
create mode 100644 test/disabled/test-tls-cnnic-whitelist.js
create mode 100644 test/disabled/test-tls-connect-address-family.js
create mode 100644 test/disabled/test-tls-connect-given-socket.js
create mode 100644 test/disabled/test-tls-connect-no-host.js
create mode 100644 test/disabled/test-tls-connect-pipe.js
create mode 100644 test/disabled/test-tls-connect-secure-context.js
create mode 100644 test/disabled/test-tls-connect-simple.js
create mode 100644 test/disabled/test-tls-connect-stream-writes.js
create mode 100644 test/disabled/test-tls-connect.js
create mode 100644 test/disabled/test-tls-delayed-attach-error.js
create mode 100644 test/disabled/test-tls-delayed-attach.js
create mode 100644 test/disabled/test-tls-destroy-whilst-write.js
create mode 100644 test/disabled/test-tls-dhe.js
create mode 100644 test/disabled/test-tls-ecdh-disable.js
create mode 100644 test/disabled/test-tls-ecdh.js
create mode 100644 test/disabled/test-tls-econnreset.js
create mode 100644 test/disabled/test-tls-empty-sni-context.js
create mode 100644 test/disabled/test-tls-env-bad-extra-ca.js
create mode 100644 test/disabled/test-tls-env-extra-ca.js
create mode 100644 test/disabled/test-tls-external-accessor.js
create mode 100644 test/disabled/test-tls-fast-writing.js
create mode 100644 test/disabled/test-tls-friendly-error-message.js
create mode 100644 test/disabled/test-tls-getcipher.js
create mode 100644 test/disabled/test-tls-getprotocol.js
create mode 100644 test/disabled/test-tls-handshake-error.js
create mode 100644 test/disabled/test-tls-handshake-nohang.js
create mode 100644 test/disabled/test-tls-hello-parser-failure.js
create mode 100644 test/disabled/test-tls-honorcipherorder.js
create mode 100644 test/disabled/test-tls-inception.js
create mode 100644 test/disabled/test-tls-interleave.js
create mode 100644 test/disabled/test-tls-invoke-queued.js
create mode 100644 test/disabled/test-tls-js-stream.js
create mode 100644 test/disabled/test-tls-junk-closes-server.js
create mode 100644 test/disabled/test-tls-junk-server.js
create mode 100644 test/disabled/test-tls-key-mismatch.js
create mode 100644 test/disabled/test-tls-legacy-onselect.js
create mode 100644 test/disabled/test-tls-max-send-fragment.js
create mode 100644 test/disabled/test-tls-multi-key.js
create mode 100644 test/disabled/test-tls-no-cert-required.js
create mode 100644 test/disabled/test-tls-no-rsa-key.js
create mode 100644 test/disabled/test-tls-no-sslv23.js
create mode 100644 test/disabled/test-tls-no-sslv3.js
create mode 100644 test/disabled/test-tls-npn-server-client.js
create mode 100644 test/disabled/test-tls-ocsp-callback.js
create mode 100644 test/disabled/test-tls-on-empty-socket.js
create mode 100644 test/disabled/test-tls-over-http-tunnel.js
create mode 100644 test/disabled/test-tls-parse-cert-string.js
create mode 100644 test/disabled/test-tls-passphrase.js
create mode 100644 test/disabled/test-tls-pause.js
create mode 100644 test/disabled/test-tls-peer-certificate-encoding.js
create mode 100644 test/disabled/test-tls-peer-certificate-multi-keys.js
create mode 100644 test/disabled/test-tls-peer-certificate.js
create mode 100644 test/disabled/test-tls-pfx-gh-5100-regr.js
create mode 100644 test/disabled/test-tls-regr-gh-5108.js
create mode 100644 test/disabled/test-tls-request-timeout.js
create mode 100644 test/disabled/test-tls-retain-handle-no-abort.js
create mode 100644 test/disabled/test-tls-securepair-fiftharg.js
create mode 100644 test/disabled/test-tls-securepair-server.js
create mode 100644 test/disabled/test-tls-server-connection-server.js
create mode 100644 test/disabled/test-tls-server-failed-handshake-emits-clienterror.js
create mode 100644 test/disabled/test-tls-server-verify.js
create mode 100644 test/disabled/test-tls-session-cache.js
create mode 100644 test/disabled/test-tls-set-ciphers.js
create mode 100644 test/disabled/test-tls-set-encoding.js
create mode 100644 test/disabled/test-tls-sni-option.js
create mode 100644 test/disabled/test-tls-sni-server-client.js
create mode 100644 test/disabled/test-tls-socket-close.js
create mode 100644 test/disabled/test-tls-socket-default-options.js
create mode 100644 test/disabled/test-tls-socket-destroy.js
create mode 100644 test/disabled/test-tls-socket-failed-handshake-emits-error.js
create mode 100644 test/disabled/test-tls-startcom-wosign-whitelist.js
create mode 100644 test/disabled/test-tls-starttls-server.js
create mode 100644 test/disabled/test-tls-ticket-cluster.js
create mode 100644 test/disabled/test-tls-ticket.js
create mode 100644 test/disabled/test-tls-timeout-server-2.js
create mode 100644 test/disabled/test-tls-timeout-server.js
create mode 100644 test/disabled/test-tls-two-cas-one-string.js
create mode 100644 test/disabled/test-tls-wrap-no-abort.js
create mode 100644 test/disabled/test-tls-wrap-timeout.js
create mode 100644 test/disabled/test-tls-writewrap-leak.js
create mode 100644 test/disabled/test-tls-zero-clear-in.js
delete mode 100644 test/parallel/test-crypto-dh.js
delete mode 100644 test/parallel/test-crypto-fips.js
delete mode 100644 test/parallel/test-tls-0-dns-altname.js
delete mode 100644 test/parallel/test-tls-addca.js
delete mode 100644 test/parallel/test-tls-alert-handling.js
delete mode 100644 test/parallel/test-tls-alert.js
delete mode 100644 test/parallel/test-tls-alpn-server-client.js
delete mode 100644 test/parallel/test-tls-async-cb-after-socket-end.js
delete mode 100644 test/parallel/test-tls-basic-validations.js
delete mode 100644 test/parallel/test-tls-ca-concat.js
delete mode 100644 test/parallel/test-tls-cert-chains-concat.js
delete mode 100644 test/parallel/test-tls-cert-chains-in-ca.js
delete mode 100644 test/parallel/test-tls-cert-regression.js
delete mode 100644 test/parallel/test-tls-check-server-identity.js
delete mode 100644 test/parallel/test-tls-cipher-list.js
delete mode 100644 test/parallel/test-tls-client-abort.js
delete mode 100644 test/parallel/test-tls-client-abort2.js
delete mode 100644 test/parallel/test-tls-client-default-ciphers.js
delete mode 100644 test/parallel/test-tls-client-destroy-soon.js
delete mode 100644 test/parallel/test-tls-client-getephemeralkeyinfo.js
delete mode 100644 test/parallel/test-tls-client-mindhsize.js
delete mode 100644 test/parallel/test-tls-client-reject.js
delete mode 100644 test/parallel/test-tls-client-resume.js
delete mode 100644 test/parallel/test-tls-client-verify.js
delete mode 100644 test/parallel/test-tls-close-error.js
delete mode 100644 test/parallel/test-tls-close-notify.js
delete mode 100644 test/parallel/test-tls-cnnic-whitelist.js
delete mode 100644 test/parallel/test-tls-connect-address-family.js
delete mode 100644 test/parallel/test-tls-connect-given-socket.js
delete mode 100644 test/parallel/test-tls-connect-no-host.js
delete mode 100644 test/parallel/test-tls-connect-pipe.js
delete mode 100644 test/parallel/test-tls-connect-secure-context.js
delete mode 100644 test/parallel/test-tls-connect-simple.js
delete mode 100644 test/parallel/test-tls-connect-stream-writes.js
delete mode 100644 test/parallel/test-tls-connect.js
delete mode 100644 test/parallel/test-tls-delayed-attach-error.js
delete mode 100644 test/parallel/test-tls-delayed-attach.js
delete mode 100644 test/parallel/test-tls-destroy-whilst-write.js
delete mode 100644 test/parallel/test-tls-dhe.js
delete mode 100644 test/parallel/test-tls-ecdh-disable.js
delete mode 100644 test/parallel/test-tls-ecdh.js
delete mode 100644 test/parallel/test-tls-econnreset.js
delete mode 100644 test/parallel/test-tls-empty-sni-context.js
delete mode 100644 test/parallel/test-tls-env-bad-extra-ca.js
delete mode 100644 test/parallel/test-tls-env-extra-ca.js
delete mode 100644 test/parallel/test-tls-external-accessor.js
delete mode 100644 test/parallel/test-tls-fast-writing.js
delete mode 100644 test/parallel/test-tls-friendly-error-message.js
delete mode 100644 test/parallel/test-tls-getcipher.js
delete mode 100644 test/parallel/test-tls-getprotocol.js
delete mode 100644 test/parallel/test-tls-handshake-error.js
delete mode 100644 test/parallel/test-tls-handshake-nohang.js
delete mode 100644 test/parallel/test-tls-hello-parser-failure.js
delete mode 100644 test/parallel/test-tls-honorcipherorder.js
delete mode 100644 test/parallel/test-tls-inception.js
delete mode 100644 test/parallel/test-tls-interleave.js
delete mode 100644 test/parallel/test-tls-invoke-queued.js
delete mode 100644 test/parallel/test-tls-js-stream.js
delete mode 100644 test/parallel/test-tls-junk-closes-server.js
delete mode 100644 test/parallel/test-tls-junk-server.js
delete mode 100644 test/parallel/test-tls-key-mismatch.js
delete mode 100644 test/parallel/test-tls-legacy-onselect.js
delete mode 100644 test/parallel/test-tls-max-send-fragment.js
delete mode 100644 test/parallel/test-tls-multi-key.js
delete mode 100644 test/parallel/test-tls-no-cert-required.js
delete mode 100644 test/parallel/test-tls-no-rsa-key.js
delete mode 100644 test/parallel/test-tls-no-sslv23.js
delete mode 100644 test/parallel/test-tls-no-sslv3.js
delete mode 100644 test/parallel/test-tls-npn-server-client.js
delete mode 100644 test/parallel/test-tls-ocsp-callback.js
delete mode 100644 test/parallel/test-tls-on-empty-socket.js
delete mode 100644 test/parallel/test-tls-over-http-tunnel.js
delete mode 100644 test/parallel/test-tls-parse-cert-string.js
delete mode 100644 test/parallel/test-tls-passphrase.js
delete mode 100644 test/parallel/test-tls-pause.js
delete mode 100644 test/parallel/test-tls-peer-certificate-encoding.js
delete mode 100644 test/parallel/test-tls-peer-certificate-multi-keys.js
delete mode 100644 test/parallel/test-tls-peer-certificate.js
delete mode 100644 test/parallel/test-tls-pfx-gh-5100-regr.js
delete mode 100644 test/parallel/test-tls-regr-gh-5108.js
delete mode 100644 test/parallel/test-tls-request-timeout.js
delete mode 100644 test/parallel/test-tls-retain-handle-no-abort.js
delete mode 100644 test/parallel/test-tls-securepair-fiftharg.js
delete mode 100644 test/parallel/test-tls-securepair-server.js
delete mode 100644 test/parallel/test-tls-server-connection-server.js
delete mode 100644 test/parallel/test-tls-server-failed-handshake-emits-clienterror.js
delete mode 100644 test/parallel/test-tls-server-verify.js
delete mode 100644 test/parallel/test-tls-session-cache.js
delete mode 100644 test/parallel/test-tls-set-ciphers.js
delete mode 100644 test/parallel/test-tls-set-encoding.js
delete mode 100644 test/parallel/test-tls-sni-option.js
delete mode 100644 test/parallel/test-tls-sni-server-client.js
delete mode 100644 test/parallel/test-tls-socket-close.js
delete mode 100644 test/parallel/test-tls-socket-default-options.js
delete mode 100644 test/parallel/test-tls-socket-destroy.js
delete mode 100644 test/parallel/test-tls-socket-failed-handshake-emits-error.js
delete mode 100644 test/parallel/test-tls-startcom-wosign-whitelist.js
delete mode 100644 test/parallel/test-tls-starttls-server.js
delete mode 100644 test/parallel/test-tls-ticket-cluster.js
delete mode 100644 test/parallel/test-tls-ticket.js
delete mode 100644 test/parallel/test-tls-timeout-server-2.js
delete mode 100644 test/parallel/test-tls-timeout-server.js
delete mode 100644 test/parallel/test-tls-two-cas-one-string.js
delete mode 100644 test/parallel/test-tls-wrap-no-abort.js
delete mode 100644 test/parallel/test-tls-wrap-timeout.js
delete mode 100644 test/parallel/test-tls-writewrap-leak.js
delete mode 100644 test/parallel/test-tls-zero-clear-in.js
diff --git a/test/disabled/test-crypto-dh.js b/test/disabled/test-crypto-dh.js
new file mode 100644
index 0000000..547629e
--- /dev/null
+++ b/test/disabled/test-crypto-dh.js
@@ -0,0 +1,319 @@
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const assert = require('assert');
+const crypto = require('crypto');
+
+const DH_NOT_SUITABLE_GENERATOR = crypto.constants.DH_NOT_SUITABLE_GENERATOR;
+
+// Test Diffie-Hellman with two parties sharing a secret,
+// using various encodings as we go along
+const dh1 = crypto.createDiffieHellman(common.hasFipsCrypto ? 1024 : 256);
+const p1 = dh1.getPrime('buffer');
+const dh2 = crypto.createDiffieHellman(p1, 'buffer');
+let key1 = dh1.generateKeys();
+let key2 = dh2.generateKeys('hex');
+let secret1 = dh1.computeSecret(key2, 'hex', 'base64');
+let secret2 = dh2.computeSecret(key1, 'latin1', 'buffer');
+
+assert.strictEqual(secret2.toString('base64'), secret1);
+assert.strictEqual(dh1.verifyError, 0);
+assert.strictEqual(dh2.verifyError, 0);
+
+const argumentsError =
+ /^TypeError: First argument should be number, string or Buffer$/;
+
+assert.throws(() => {
+ crypto.createDiffieHellman([0x1, 0x2]);
+}, argumentsError);
+
+assert.throws(() => {
+ crypto.createDiffieHellman(() => { });
+}, argumentsError);
+
+assert.throws(() => {
+ crypto.createDiffieHellman(/abc/);
+}, argumentsError);
+
+assert.throws(() => {
+ crypto.createDiffieHellman({});
+}, argumentsError);
+
+// Create "another dh1" using generated keys from dh1,
+// and compute secret again
+const dh3 = crypto.createDiffieHellman(p1, 'buffer');
+const privkey1 = dh1.getPrivateKey();
+dh3.setPublicKey(key1);
+dh3.setPrivateKey(privkey1);
+
+assert.deepStrictEqual(dh1.getPrime(), dh3.getPrime());
+assert.deepStrictEqual(dh1.getGenerator(), dh3.getGenerator());
+assert.deepStrictEqual(dh1.getPublicKey(), dh3.getPublicKey());
+assert.deepStrictEqual(dh1.getPrivateKey(), dh3.getPrivateKey());
+assert.strictEqual(dh3.verifyError, 0);
+
+const secret3 = dh3.computeSecret(key2, 'hex', 'base64');
+
+assert.strictEqual(secret1, secret3);
+
+const wrongBlockLength =
+ new RegExp('^Error: error:0606506D:digital envelope' +
+ ' routines:EVP_DecryptFinal_ex:wrong final block length$');
+
+// Run this one twice to make sure that the dh3 clears its error properly
+{
+ const c = crypto.createDecipheriv('aes-128-ecb', crypto.randomBytes(16), '');
+ assert.throws(() => {
+ c.final('utf8');
+ }, wrongBlockLength);
+}
+
+{
+ const c = crypto.createDecipheriv('aes-128-ecb', crypto.randomBytes(16), '');
+ assert.throws(() => {
+ c.final('utf8');
+ }, wrongBlockLength);
+}
+
+assert.throws(() => {
+ dh3.computeSecret('');
+}, /^Error: Supplied key is too small$/);
+
+// Create a shared using a DH group.
+const alice = crypto.createDiffieHellmanGroup('modp5');
+const bob = crypto.createDiffieHellmanGroup('modp5');
+alice.generateKeys();
+bob.generateKeys();
+const aSecret = alice.computeSecret(bob.getPublicKey()).toString('hex');
+const bSecret = bob.computeSecret(alice.getPublicKey()).toString('hex');
+assert.strictEqual(aSecret, bSecret);
+assert.strictEqual(alice.verifyError, DH_NOT_SUITABLE_GENERATOR);
+assert.strictEqual(bob.verifyError, DH_NOT_SUITABLE_GENERATOR);
+
+/* Ensure specific generator (buffer) works as expected.
+ * The values below (modp2/modp2buf) are for a 1024 bits long prime from
+ * RFC 2412 E.2, see https://tools.ietf.org/html/rfc2412. */
+const modp2 = crypto.createDiffieHellmanGroup('modp2');
+const modp2buf = Buffer.from([
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xc9, 0x0f,
+ 0xda, 0xa2, 0x21, 0x68, 0xc2, 0x34, 0xc4, 0xc6, 0x62, 0x8b,
+ 0x80, 0xdc, 0x1c, 0xd1, 0x29, 0x02, 0x4e, 0x08, 0x8a, 0x67,
+ 0xcc, 0x74, 0x02, 0x0b, 0xbe, 0xa6, 0x3b, 0x13, 0x9b, 0x22,
+ 0x51, 0x4a, 0x08, 0x79, 0x8e, 0x34, 0x04, 0xdd, 0xef, 0x95,
+ 0x19, 0xb3, 0xcd, 0x3a, 0x43, 0x1b, 0x30, 0x2b, 0x0a, 0x6d,
+ 0xf2, 0x5f, 0x14, 0x37, 0x4f, 0xe1, 0x35, 0x6d, 0x6d, 0x51,
+ 0xc2, 0x45, 0xe4, 0x85, 0xb5, 0x76, 0x62, 0x5e, 0x7e, 0xc6,
+ 0xf4, 0x4c, 0x42, 0xe9, 0xa6, 0x37, 0xed, 0x6b, 0x0b, 0xff,
+ 0x5c, 0xb6, 0xf4, 0x06, 0xb7, 0xed, 0xee, 0x38, 0x6b, 0xfb,
+ 0x5a, 0x89, 0x9f, 0xa5, 0xae, 0x9f, 0x24, 0x11, 0x7c, 0x4b,
+ 0x1f, 0xe6, 0x49, 0x28, 0x66, 0x51, 0xec, 0xe6, 0x53, 0x81,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
+]);
+const exmodp2 = crypto.createDiffieHellman(modp2buf, Buffer.from([2]));
+modp2.generateKeys();
+exmodp2.generateKeys();
+let modp2Secret = modp2.computeSecret(exmodp2.getPublicKey()).toString('hex');
+const exmodp2Secret = exmodp2.computeSecret(modp2.getPublicKey())
+ .toString('hex');
+assert.strictEqual(modp2Secret, exmodp2Secret);
+assert.strictEqual(modp2.verifyError, DH_NOT_SUITABLE_GENERATOR);
+assert.strictEqual(exmodp2.verifyError, DH_NOT_SUITABLE_GENERATOR);
+
+
+// Ensure specific generator (string with encoding) works as expected.
+const exmodp2_2 = crypto.createDiffieHellman(modp2buf, '02', 'hex');
+exmodp2_2.generateKeys();
+modp2Secret = modp2.computeSecret(exmodp2_2.getPublicKey()).toString('hex');
+const exmodp2_2Secret = exmodp2_2.computeSecret(modp2.getPublicKey())
+ .toString('hex');
+assert.strictEqual(modp2Secret, exmodp2_2Secret);
+assert.strictEqual(exmodp2_2.verifyError, DH_NOT_SUITABLE_GENERATOR);
+
+
+// Ensure specific generator (string without encoding) works as expected.
+const exmodp2_3 = crypto.createDiffieHellman(modp2buf, '\x02');
+exmodp2_3.generateKeys();
+modp2Secret = modp2.computeSecret(exmodp2_3.getPublicKey()).toString('hex');
+const exmodp2_3Secret = exmodp2_3.computeSecret(modp2.getPublicKey())
+ .toString('hex');
+assert.strictEqual(modp2Secret, exmodp2_3Secret);
+assert.strictEqual(exmodp2_3.verifyError, DH_NOT_SUITABLE_GENERATOR);
+
+
+// Ensure specific generator (numeric) works as expected.
+const exmodp2_4 = crypto.createDiffieHellman(modp2buf, 2);
+exmodp2_4.generateKeys();
+modp2Secret = modp2.computeSecret(exmodp2_4.getPublicKey()).toString('hex');
+const exmodp2_4Secret = exmodp2_4.computeSecret(modp2.getPublicKey())
+ .toString('hex');
+assert.strictEqual(modp2Secret, exmodp2_4Secret);
+assert.strictEqual(exmodp2_4.verifyError, DH_NOT_SUITABLE_GENERATOR);
+
+
+const p = 'FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74' +
+ '020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437' +
+ '4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED' +
+ 'EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF';
+const bad_dh = crypto.createDiffieHellman(p, 'hex');
+assert.strictEqual(bad_dh.verifyError, DH_NOT_SUITABLE_GENERATOR);
+
+
+const availableCurves = new Set(crypto.getCurves());
+
+// Oakley curves do not clean up ERR stack, it was causing unexpected failure
+// when accessing other OpenSSL APIs afterwards.
+if (availableCurves.has('Oakley-EC2N-3')) {
+ crypto.createECDH('Oakley-EC2N-3');
+ crypto.createHash('sha256');
+}
+
+// Test ECDH
+if (availableCurves.has('prime256v1') && availableCurves.has('secp256k1')) {
+ const ecdh1 = crypto.createECDH('prime256v1');
+ const ecdh2 = crypto.createECDH('prime256v1');
+ key1 = ecdh1.generateKeys();
+ key2 = ecdh2.generateKeys('hex');
+ secret1 = ecdh1.computeSecret(key2, 'hex', 'base64');
+ secret2 = ecdh2.computeSecret(key1, 'latin1', 'buffer');
+
+ assert.strictEqual(secret1, secret2.toString('base64'));
+
+ // Point formats
+ assert.strictEqual(ecdh1.getPublicKey('buffer', 'uncompressed')[0], 4);
+ let firstByte = ecdh1.getPublicKey('buffer', 'compressed')[0];
+ assert(firstByte === 2 || firstByte === 3);
+ firstByte = ecdh1.getPublicKey('buffer', 'hybrid')[0];
+ assert(firstByte === 6 || firstByte === 7);
+ // format value should be string
+ assert.throws(() => {
+ ecdh1.getPublicKey('buffer', 10);
+ }, /^TypeError: Bad format: 10$/);
+
+ // ECDH should check that point is on curve
+ const ecdh3 = crypto.createECDH('secp256k1');
+ const key3 = ecdh3.generateKeys();
+
+ assert.throws(() => {
+ ecdh2.computeSecret(key3, 'latin1', 'buffer');
+ }, /^Error: Failed to translate Buffer to a EC_POINT$/);
+
+ // ECDH should allow .setPrivateKey()/.setPublicKey()
+ const ecdh4 = crypto.createECDH('prime256v1');
+
+ ecdh4.setPrivateKey(ecdh1.getPrivateKey());
+ ecdh4.setPublicKey(ecdh1.getPublicKey());
+
+ assert.throws(() => {
+ ecdh4.setPublicKey(ecdh3.getPublicKey());
+ }, /^Error: Failed to convert Buffer to EC_POINT$/);
+
+ // Verify that we can use ECDH without having to use newly generated keys.
+ const ecdh5 = crypto.createECDH('secp256k1');
+
+ // Verify errors are thrown when retrieving keys from an uninitialized object.
+ assert.throws(() => {
+ ecdh5.getPublicKey();
+ }, /^Error: Failed to get ECDH public key$/);
+
+ assert.throws(() => {
+ ecdh5.getPrivateKey();
+ }, /^Error: Failed to get ECDH private key$/);
+
+ // A valid private key for the secp256k1 curve.
+ const cafebabeKey = 'cafebabe'.repeat(8);
+ // Associated compressed and uncompressed public keys (points).
+ const cafebabePubPtComp =
+ '03672a31bfc59d3f04548ec9b7daeeba2f61814e8ccc40448045007f5479f693a3';
+ const cafebabePubPtUnComp =
+ '04672a31bfc59d3f04548ec9b7daeeba2f61814e8ccc40448045007f5479f693a3' +
+ '2e02c7f93d13dc2732b760ca377a5897b9dd41a1c1b29dc0442fdce6d0a04d1d';
+ ecdh5.setPrivateKey(cafebabeKey, 'hex');
+ assert.strictEqual(ecdh5.getPrivateKey('hex'), cafebabeKey);
+ // Show that the public point (key) is generated while setting the
+ // private key.
+ assert.strictEqual(ecdh5.getPublicKey('hex'), cafebabePubPtUnComp);
+
+ // Compressed and uncompressed public points/keys for other party's
+ // private key.
+ // 0xDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF
+ const peerPubPtComp =
+ '02c6b754b20826eb925e052ee2c25285b162b51fdca732bcf67e39d647fb6830ae';
+ const peerPubPtUnComp =
+ '04c6b754b20826eb925e052ee2c25285b162b51fdca732bcf67e39d647fb6830ae' +
+ 'b651944a574a362082a77e3f2b5d9223eb54d7f2f76846522bf75f3bedb8178e';
+
+ const sharedSecret =
+ '1da220b5329bbe8bfd19ceef5a5898593f411a6f12ea40f2a8eead9a5cf59970';
+
+ assert.strictEqual(ecdh5.computeSecret(peerPubPtComp, 'hex', 'hex'),
+ sharedSecret);
+ assert.strictEqual(ecdh5.computeSecret(peerPubPtUnComp, 'hex', 'hex'),
+ sharedSecret);
+
+ // Verify that we still have the same key pair as before the computation.
+ assert.strictEqual(ecdh5.getPrivateKey('hex'), cafebabeKey);
+ assert.strictEqual(ecdh5.getPublicKey('hex'), cafebabePubPtUnComp);
+
+ // Verify setting and getting compressed and non-compressed serializations.
+ ecdh5.setPublicKey(cafebabePubPtComp, 'hex');
+ assert.strictEqual(ecdh5.getPublicKey('hex'), cafebabePubPtUnComp);
+ assert.strictEqual(ecdh5.getPublicKey('hex', 'compressed'),
+ cafebabePubPtComp);
+ ecdh5.setPublicKey(cafebabePubPtUnComp, 'hex');
+ assert.strictEqual(ecdh5.getPublicKey('hex'), cafebabePubPtUnComp);
+ assert.strictEqual(ecdh5.getPublicKey('hex', 'compressed'),
+ cafebabePubPtComp);
+
+ // Show why allowing the public key to be set on this type
+ // does not make sense.
+ ecdh5.setPublicKey(peerPubPtComp, 'hex');
+ assert.strictEqual(ecdh5.getPublicKey('hex'), peerPubPtUnComp);
+ assert.throws(() => {
+ // Error because the public key does not match the private key anymore.
+ ecdh5.computeSecret(peerPubPtComp, 'hex', 'hex');
+ }, /^Error: Invalid key pair$/);
+
+ // Set to a valid key to show that later attempts to set an invalid key are
+ // rejected.
+ ecdh5.setPrivateKey(cafebabeKey, 'hex');
+
+ // Some invalid private keys for the secp256k1 curve.
+ const errMessage = /^Error: Private key is not valid for specified curve.$/;
+ ['0000000000000000000000000000000000000000000000000000000000000000',
+ 'FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141',
+ 'FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF',
+ ].forEach((element) => {
+ assert.throws(() => {
+ ecdh5.setPrivateKey(element, 'hex');
+ }, errMessage);
+ // Verify object state did not change.
+ assert.strictEqual(ecdh5.getPrivateKey('hex'), cafebabeKey);
+ });
+
+ // Use of invalid keys was not cleaning up ERR stack, and was causing
+ // unexpected failure in subsequent signing operations.
+ const ecdh6 = crypto.createECDH('prime256v1');
+ const invalidKey = Buffer.alloc(65);
+ invalidKey.fill('\0');
+ ecdh6.generateKeys();
+ assert.throws(() => {
+ ecdh6.computeSecret(invalidKey);
+ }, /^Error: Failed to translate Buffer to a EC_POINT$/);
+ // Check that signing operations are not impacted by the above error.
+ const ecPrivateKey =
+ '-----BEGIN EC PRIVATE KEY-----\n' +
+ 'MHcCAQEEIF+jnWY1D5kbVYDNvxxo/Y+ku2uJPDwS0r/VuPZQrjjVoAoGCCqGSM49\n' +
+ 'AwEHoUQDQgAEurOxfSxmqIRYzJVagdZfMMSjRNNhB8i3mXyIMq704m2m52FdfKZ2\n' +
+ 'pQhByd5eyj3lgZ7m7jbchtdgyOF8Io/1ng==\n' +
+ '-----END EC PRIVATE KEY-----';
+ assert.doesNotThrow(() => {
+ crypto.createSign('SHA256').sign(ecPrivateKey);
+ });
+}
+
+// invalid test: curve argument is undefined
+assert.throws(() => {
+ crypto.createECDH();
+}, /^TypeError: "curve" argument should be a string$/);
diff --git a/test/disabled/test-crypto-fips.js b/test/disabled/test-crypto-fips.js
new file mode 100644
index 0000000..e3f49e6
--- /dev/null
+++ b/test/disabled/test-crypto-fips.js
@@ -0,0 +1,235 @@
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const assert = require('assert');
+const spawnSync = require('child_process').spawnSync;
+const path = require('path');
+
+const FIPS_ENABLED = 1;
+const FIPS_DISABLED = 0;
+const FIPS_ERROR_STRING = 'Error: Cannot set FIPS mode';
+const OPTION_ERROR_STRING = 'bad option';
+const CNF_FIPS_ON = path.join(common.fixturesDir, 'openssl_fips_enabled.cnf');
+const CNF_FIPS_OFF = path.join(common.fixturesDir, 'openssl_fips_disabled.cnf');
+let num_children_ok = 0;
+
+function compiledWithFips() {
+ return process.config.variables.openssl_fips ? true : false;
+}
+
+function sharedOpenSSL() {
+ return process.config.variables.node_shared_openssl;
+}
+
+function addToEnv(newVar, value) {
+ const envCopy = {};
+ for (const e in process.env) {
+ envCopy[e] = process.env[e];
+ }
+ envCopy[newVar] = value;
+ return envCopy;
+}
+
+function testHelper(stream, args, expectedOutput, cmd, env) {
+ const fullArgs = args.concat(['-e', `console.log(${cmd})`]);
+ const child = spawnSync(process.execPath, fullArgs, {
+ cwd: path.dirname(process.execPath),
+ env: env
+ });
+
+ console.error(
+ `Spawned child [pid:${child.pid}] with cmd '${cmd}' expect %j with args '${
+ args}' OPENSSL_CONF=%j`, expectedOutput, env.OPENSSL_CONF);
+
+ function childOk(child) {
+ console.error(`Child #${++num_children_ok} [pid:${child.pid}] OK.`);
+ }
+
+ function responseHandler(buffer, expectedOutput) {
+ const response = buffer.toString();
+ assert.notStrictEqual(0, response.length);
+ if (FIPS_ENABLED !== expectedOutput && FIPS_DISABLED !== expectedOutput) {
+ // In the case of expected errors just look for a substring.
+ assert.notStrictEqual(-1, response.indexOf(expectedOutput));
+ } else {
+ // Normal path where we expect either FIPS enabled or disabled.
+ assert.strictEqual(expectedOutput, Number(response));
+ }
+ childOk(child);
+ }
+
+ responseHandler(child[stream], expectedOutput);
+}
+
+// By default FIPS should be off in both FIPS and non-FIPS builds.
+testHelper(
+ 'stdout',
+ [],
+ FIPS_DISABLED,
+ 'require("crypto").fips',
+ addToEnv('OPENSSL_CONF', ''));
+
+// --enable-fips should turn FIPS mode on
+testHelper(
+ compiledWithFips() ? 'stdout' : 'stderr',
+ ['--enable-fips'],
+ compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
+ 'require("crypto").fips',
+ process.env);
+
+//--force-fips should turn FIPS mode on
+testHelper(
+ compiledWithFips() ? 'stdout' : 'stderr',
+ ['--force-fips'],
+ compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
+ 'require("crypto").fips',
+ process.env);
+
+// If Node was configured using --shared-openssl fips support might be
+// available depending on how OpenSSL was built. If fips support is
+// available the tests that toggle the fips_mode on/off using the config
+// file option will succeed and return 1 instead of 0.
+//
+// Note that this case is different from when calling the fips setter as the
+// configuration file is handled by OpenSSL, so it is not possible for us
+// to try to call the fips setter, to try to detect this situation, as
+// that would throw an error:
+// ("Error: Cannot set FIPS mode in a non-FIPS build.").
+// Due to this uncertanty the following tests are skipped when configured
+// with --shared-openssl.
+if (!sharedOpenSSL()) {
+ // OpenSSL config file should be able to turn on FIPS mode
+ testHelper(
+ 'stdout',
+ [`--openssl-config=${CNF_FIPS_ON}`],
+ compiledWithFips() ? FIPS_ENABLED : FIPS_DISABLED,
+ 'require("crypto").fips',
+ process.env);
+
+ // OPENSSL_CONF should be able to turn on FIPS mode
+ testHelper(
+ 'stdout',
+ [],
+ compiledWithFips() ? FIPS_ENABLED : FIPS_DISABLED,
+ 'require("crypto").fips',
+ addToEnv('OPENSSL_CONF', CNF_FIPS_ON));
+
+ // --openssl-config option should override OPENSSL_CONF
+ testHelper(
+ 'stdout',
+ [`--openssl-config=${CNF_FIPS_ON}`],
+ compiledWithFips() ? FIPS_ENABLED : FIPS_DISABLED,
+ 'require("crypto").fips',
+ addToEnv('OPENSSL_CONF', CNF_FIPS_OFF));
+}
+
+testHelper(
+ 'stdout',
+ [`--openssl-config=${CNF_FIPS_OFF}`],
+ FIPS_DISABLED,
+ 'require("crypto").fips',
+ addToEnv('OPENSSL_CONF', CNF_FIPS_ON));
+
+// --enable-fips should take precedence over OpenSSL config file
+testHelper(
+ compiledWithFips() ? 'stdout' : 'stderr',
+ ['--enable-fips', `--openssl-config=${CNF_FIPS_OFF}`],
+ compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
+ 'require("crypto").fips',
+ process.env);
+
+// OPENSSL_CONF should _not_ make a difference to --enable-fips
+testHelper(
+ compiledWithFips() ? 'stdout' : 'stderr',
+ ['--enable-fips'],
+ compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
+ 'require("crypto").fips',
+ addToEnv('OPENSSL_CONF', CNF_FIPS_OFF));
+
+// --force-fips should take precedence over OpenSSL config file
+testHelper(
+ compiledWithFips() ? 'stdout' : 'stderr',
+ ['--force-fips', `--openssl-config=${CNF_FIPS_OFF}`],
+ compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
+ 'require("crypto").fips',
+ process.env);
+
+// Using OPENSSL_CONF should not make a difference to --force-fips
+testHelper(
+ compiledWithFips() ? 'stdout' : 'stderr',
+ ['--force-fips'],
+ compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
+ 'require("crypto").fips',
+ addToEnv('OPENSSL_CONF', CNF_FIPS_OFF));
+
+// setFipsCrypto should be able to turn FIPS mode on
+testHelper(
+ compiledWithFips() ? 'stdout' : 'stderr',
+ [],
+ compiledWithFips() ? FIPS_ENABLED : FIPS_ERROR_STRING,
+ '(require("crypto").fips = true,' +
+ 'require("crypto").fips)',
+ process.env);
+
+// setFipsCrypto should be able to turn FIPS mode on and off
+testHelper(
+ compiledWithFips() ? 'stdout' : 'stderr',
+ [],
+ compiledWithFips() ? FIPS_DISABLED : FIPS_ERROR_STRING,
+ '(require("crypto").fips = true,' +
+ 'require("crypto").fips = false,' +
+ 'require("crypto").fips)',
+ process.env);
+
+// setFipsCrypto takes precedence over OpenSSL config file, FIPS on
+testHelper(
+ compiledWithFips() ? 'stdout' : 'stderr',
+ [`--openssl-config=${CNF_FIPS_OFF}`],
+ compiledWithFips() ? FIPS_ENABLED : FIPS_ERROR_STRING,
+ '(require("crypto").fips = true,' +
+ 'require("crypto").fips)',
+ process.env);
+
+// setFipsCrypto takes precedence over OpenSSL config file, FIPS off
+testHelper(
+ compiledWithFips() ? 'stdout' : 'stderr',
+ [`--openssl-config=${CNF_FIPS_ON}`],
+ compiledWithFips() ? FIPS_DISABLED : FIPS_ERROR_STRING,
+ '(require("crypto").fips = false,' +
+ 'require("crypto").fips)',
+ process.env);
+
+// --enable-fips does not prevent use of setFipsCrypto API
+testHelper(
+ compiledWithFips() ? 'stdout' : 'stderr',
+ ['--enable-fips'],
+ compiledWithFips() ? FIPS_DISABLED : OPTION_ERROR_STRING,
+ '(require("crypto").fips = false,' +
+ 'require("crypto").fips)',
+ process.env);
+
+// --force-fips prevents use of setFipsCrypto API
+testHelper(
+ 'stderr',
+ ['--force-fips'],
+ compiledWithFips() ? FIPS_ERROR_STRING : OPTION_ERROR_STRING,
+ 'require("crypto").fips = false',
+ process.env);
+
+// --force-fips and --enable-fips order does not matter
+testHelper(
+ 'stderr',
+ ['--force-fips', '--enable-fips'],
+ compiledWithFips() ? FIPS_ERROR_STRING : OPTION_ERROR_STRING,
+ 'require("crypto").fips = false',
+ process.env);
+
+//--enable-fips and --force-fips order does not matter
+testHelper(
+ 'stderr',
+ ['--enable-fips', '--force-fips'],
+ compiledWithFips() ? FIPS_ERROR_STRING : OPTION_ERROR_STRING,
+ 'require("crypto").fips = false',
+ process.env);
diff --git a/test/disabled/test-tls-0-dns-altname.js b/test/disabled/test-tls-0-dns-altname.js
new file mode 100644
index 0000000..85ddb7d
--- /dev/null
+++ b/test/disabled/test-tls-0-dns-altname.js
@@ -0,0 +1,33 @@
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+// Check getPeerCertificate can properly handle '\0' for fix CVE-2009-2408.
+
+const assert = require('assert');
+const tls = require('tls');
+const fs = require('fs');
+
+const server = tls.createServer({
+ key: fs.readFileSync(`${common.fixturesDir}/0-dns/0-dns-key.pem`),
+ cert: fs.readFileSync(`${common.fixturesDir}/0-dns/0-dns-cert.pem`)
+}, function(c) {
+ c.once('data', function() {
+ c.destroy();
+ server.close();
+ });
+}).listen(0, common.mustCall(function() {
+ const c = tls.connect(this.address().port, {
+ rejectUnauthorized: false
+ }, common.mustCall(function() {
+ const cert = c.getPeerCertificate();
+ assert.strictEqual(cert.subjectaltname,
+ 'DNS:good.example.org\0.evil.example.com, ' +
+ 'DNS:just-another.example.com, ' +
+ 'IP Address:8.8.8.8, ' +
+ 'IP Address:8.8.4.4, ' +
+ 'DNS:last.example.com');
+ c.write('ok');
+ }));
+}));
diff --git a/test/disabled/test-tls-addca.js b/test/disabled/test-tls-addca.js
new file mode 100644
index 0000000..7a6f9a7
--- /dev/null
+++ b/test/disabled/test-tls-addca.js
@@ -0,0 +1,50 @@
+'use strict';
+const common = require('../common');
+
+// Adding a CA certificate to contextWithCert should not also add it to
+// contextWithoutCert. This is tested by trying to connect to a server that
+// depends on that CA using contextWithoutCert.
+
+const join = require('path').join;
+const {
+ assert, connect, keys, tls
+} = require(join(common.fixturesDir, 'tls-connect'))();
+
+const contextWithoutCert = tls.createSecureContext({});
+const contextWithCert = tls.createSecureContext({});
+contextWithCert.context.addCACert(keys.agent1.ca);
+
+const serverOptions = {
+ key: keys.agent1.key,
+ cert: keys.agent1.cert,
+};
+
+const clientOptions = {
+ ca: [keys.agent1.ca],
+ servername: 'agent1',
+ rejectUnauthorized: true,
+};
+
+// This client should fail to connect because it doesn't trust the CA
+// certificate.
+clientOptions.secureContext = contextWithoutCert;
+
+connect({
+ client: clientOptions,
+ server: serverOptions,
+}, function(err, pair, cleanup) {
+ assert(err);
+ assert.strictEqual(err.message, 'unable to verify the first certificate');
+ cleanup();
+
+ // This time it should connect because contextWithCert includes the needed CA
+ // certificate.
+ clientOptions.secureContext = contextWithCert;
+ connect({
+ client: clientOptions,
+ server: serverOptions,
+ }, function(err, pair, cleanup) {
+ assert.ifError(err);
+ cleanup();
+ });
+});
diff --git a/test/disabled/test-tls-alert-handling.js b/test/disabled/test-tls-alert-handling.js
new file mode 100644
index 0000000..0b34472
--- /dev/null
+++ b/test/disabled/test-tls-alert-handling.js
@@ -0,0 +1,78 @@
+'use strict';
+const common = require('../common');
+
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+if (!common.opensslCli)
+ common.skip('node compiled without OpenSSL CLI.');
+
+const fs = require('fs');
+const net = require('net');
+const path = require('path');
+const tls = require('tls');
+
+function filenamePEM(n) {
+ return path.join(common.fixturesDir, 'keys', `${n}.pem`);
+}
+
+function loadPEM(n) {
+ return fs.readFileSync(filenamePEM(n));
+}
+
+const opts = {
+ key: loadPEM('agent2-key'),
+ cert: loadPEM('agent2-cert')
+};
+const max_iter = 20;
+let iter = 0;
+
+const server = tls.createServer(opts, function(s) {
+ s.pipe(s);
+ s.on('error', function() {
+ // ignore error
+ });
+});
+
+server.listen(0, function() {
+ sendClient();
+});
+
+
+function sendClient() {
+ const client = tls.connect(server.address().port, {
+ rejectUnauthorized: false
+ });
+ client.on('data', common.mustCall(function() {
+ if (iter++ === 2) sendBADTLSRecord();
+ if (iter < max_iter) {
+ client.write('a');
+ return;
+ }
+ client.end();
+ server.close();
+ }, max_iter));
+ client.write('a');
+ client.on('error', function() {
+ // ignore error
+ });
+ client.on('close', function() {
+ server.close();
+ });
+}
+
+
+function sendBADTLSRecord() {
+ const BAD_RECORD = Buffer.from([0xff, 0xff, 0xff, 0xff, 0xff, 0xff]);
+ const socket = net.connect(server.address().port);
+ const client = tls.connect({
+ socket: socket,
+ rejectUnauthorized: false
+ }, function() {
+ socket.write(BAD_RECORD);
+ socket.end();
+ });
+ client.on('error', function() {
+ // ignore error
+ });
+}
diff --git a/test/disabled/test-tls-alert.js b/test/disabled/test-tls-alert.js
new file mode 100644
index 0000000..a48002d
--- /dev/null
+++ b/test/disabled/test-tls-alert.js
@@ -0,0 +1,50 @@
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+if (!common.opensslCli)
+ common.skip('node compiled without OpenSSL CLI.');
+
+const assert = require('assert');
+const { spawn } = require('child_process');
+const fs = require('fs');
+const path = require('path');
+const tls = require('tls');
+
+let success = false;
+
+function filenamePEM(n) {
+ return path.join(common.fixturesDir, 'keys', `${n}.pem`);
+}
+
+function loadPEM(n) {
+ return fs.readFileSync(filenamePEM(n));
+}
+
+const server = tls.Server({
+ secureProtocol: 'TLSv1_2_server_method',
+ key: loadPEM('agent2-key'),
+ cert: loadPEM('agent2-cert')
+}, null).listen(0, function() {
+ const args = ['s_client', '-quiet', '-tls1_1',
+ '-connect', `127.0.0.1:${this.address().port}`];
+
+ // for the performance and stability issue in s_client on Windows
+ if (common.isWindows)
+ args.push('-no_rand_screen');
+
+ const client = spawn(common.opensslCli, args);
+ let out = '';
+ client.stderr.setEncoding('utf8');
+ client.stderr.on('data', function(d) {
+ out += d;
+ if (/SSL alert number 70/.test(out)) {
+ success = true;
+ server.close();
+ }
+ });
+});
+process.on('exit', function() {
+ assert(success);
+});
diff --git a/test/disabled/test-tls-alpn-server-client.js b/test/disabled/test-tls-alpn-server-client.js
new file mode 100644
index 0000000..56f925b
--- /dev/null
+++ b/test/disabled/test-tls-alpn-server-client.js
@@ -0,0 +1,538 @@
+'use strict';
+const common = require('../common');
+
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+if (!process.features.tls_alpn || !process.features.tls_npn) {
+ common.skip(
+ 'Skipping because node compiled without NPN or ALPN feature of OpenSSL.');
+}
+
+const assert = require('assert');
+const fs = require('fs');
+const path = require('path');
+const tls = require('tls');
+
+function filenamePEM(n) {
+ return path.join(common.fixturesDir, 'keys', `${n}.pem`);
+}
+
+function loadPEM(n) {
+ return fs.readFileSync(filenamePEM(n));
+}
+
+const serverIP = common.localhostIPv4;
+
+function checkResults(result, expected) {
+ assert.strictEqual(result.server.ALPN, expected.server.ALPN);
+ assert.strictEqual(result.server.NPN, expected.server.NPN);
+ assert.strictEqual(result.client.ALPN, expected.client.ALPN);
+ assert.strictEqual(result.client.NPN, expected.client.NPN);
+}
+
+function runTest(clientsOptions, serverOptions, cb) {
+ serverOptions.key = loadPEM('agent2-key');
+ serverOptions.cert = loadPEM('agent2-cert');
+ const results = [];
+ let index = 0;
+ const server = tls.createServer(serverOptions, function(c) {
+ results[index].server = {ALPN: c.alpnProtocol, NPN: c.npnProtocol};
+ });
+
+ server.listen(0, serverIP, function() {
+ connectClient(clientsOptions);
+ });
+
+ function connectClient(options) {
+ const opt = options.shift();
+ opt.port = server.address().port;
+ opt.host = serverIP;
+ opt.rejectUnauthorized = false;
+
+ results[index] = {};
+ const client = tls.connect(opt, function() {
+ results[index].client = {ALPN: client.alpnProtocol,
+ NPN: client.npnProtocol};
+ client.destroy();
+ if (options.length) {
+ index++;
+ connectClient(options);
+ } else {
+ server.close();
+ cb(results);
+ }
+ });
+ }
+
+}
+
+// Server: ALPN/NPN, Client: ALPN/NPN
+function Test1() {
+ const serverOptions = {
+ ALPNProtocols: ['a', 'b', 'c'],
+ NPNProtocols: ['a', 'b', 'c']
+ };
+
+ const clientsOptions = [{
+ ALPNProtocols: ['a', 'b', 'c'],
+ NPNProtocols: ['a', 'b', 'c']
+ }, {
+ ALPNProtocols: ['c', 'b', 'e'],
+ NPNProtocols: ['c', 'b', 'e']
+ }, {
+ ALPNProtocols: ['first-priority-unsupported', 'x', 'y'],
+ NPNProtocols: ['first-priority-unsupported', 'x', 'y']
+ }];
+
+ runTest(clientsOptions, serverOptions, function(results) {
+ // 'a' is selected by ALPN
+ checkResults(results[0],
+ {server: {ALPN: 'a', NPN: false},
+ client: {ALPN: 'a', NPN: undefined}});
+ // 'b' is selected by ALPN
+ checkResults(results[1],
+ {server: {ALPN: 'b', NPN: false},
+ client: {ALPN: 'b', NPN: undefined}});
+ // nothing is selected by ALPN
+ checkResults(results[2],
+ {server: {ALPN: false, NPN: 'first-priority-unsupported'},
+ client: {ALPN: false, NPN: false}});
+ // execute next test
+ Test2();
+ });
+}
+
+// Server: ALPN/NPN, Client: ALPN
+function Test2() {
+ const serverOptions = {
+ ALPNProtocols: ['a', 'b', 'c'],
+ NPNProtocols: ['a', 'b', 'c']
+ };
+
+ const clientsOptions = [{
+ ALPNProtocols: ['a', 'b', 'c']
+ }, {
+ ALPNProtocols: ['c', 'b', 'e']
+ }, {
+ ALPNProtocols: ['first-priority-unsupported', 'x', 'y']
+ }];
+
+ runTest(clientsOptions, serverOptions, function(results) {
+ // 'a' is selected by ALPN
+ checkResults(results[0],
+ {server: {ALPN: 'a', NPN: false},
+ client: {ALPN: 'a', NPN: undefined}});
+ // 'b' is selected by ALPN
+ checkResults(results[1],
+ {server: {ALPN: 'b', NPN: false},
+ client: {ALPN: 'b', NPN: undefined}});
+ // nothing is selected by ALPN
+ checkResults(results[2],
+ {server: {ALPN: false, NPN: 'http/1.1'},
+ client: {ALPN: false, NPN: false}});
+ // execute next test
+ Test3();
+ });
+}
+
+// Server: ALPN/NPN, Client: NPN
+function Test3() {
+ const serverOptions = {
+ ALPNProtocols: ['a', 'b', 'c'],
+ NPNProtocols: ['a', 'b', 'c']
+ };
+
+ const clientsOptions = [{
+ NPNProtocols: ['a', 'b', 'c']
+ }, {
+ NPPNProtocols: ['c', 'b', 'e']
+ }, {
+ NPPNProtocols: ['first-priority-unsupported', 'x', 'y']
+ }];
+
+ runTest(clientsOptions, serverOptions, function(results) {
+ // 'a' is selected by NPN
+ checkResults(results[0],
+ {server: {ALPN: false, NPN: 'a'},
+ client: {ALPN: false, NPN: 'a'}});
+ // nothing is selected by ALPN
+ checkResults(results[1],
+ {server: {ALPN: false, NPN: 'http/1.1'},
+ client: {ALPN: false, NPN: false}});
+ // nothing is selected by ALPN
+ checkResults(results[2],
+ {server: {ALPN: false, NPN: 'http/1.1'},
+ client: {ALPN: false, NPN: false}});
+ // execute next test
+ Test4();
+ });
+}
+
+// Server: ALPN/NPN, Client: Nothing
+function Test4() {
+ const serverOptions = {
+ ALPNProtocols: ['a', 'b', 'c'],
+ NPNProtocols: ['a', 'b', 'c']
+ };
+
+ const clientsOptions = [{}, {}, {}];
+
+ runTest(clientsOptions, serverOptions, function(results) {
+ // nothing is selected by ALPN
+ checkResults(results[0],
+ {server: {ALPN: false, NPN: 'http/1.1'},
+ client: {ALPN: false, NPN: false}});
+ // nothing is selected by ALPN
+ checkResults(results[1],
+ {server: {ALPN: false, NPN: 'http/1.1'},
+ client: {ALPN: false, NPN: false}});
+ // nothing is selected by ALPN
+ checkResults(results[2],
+ {server: {ALPN: false, NPN: 'http/1.1'},
+ client: {ALPN: false, NPN: false}});
+ // execute next test
+ Test5();
+ });
+}
+
+// Server: ALPN, Client: ALPN/NPN
+function Test5() {
+ const serverOptions = {
+ ALPNProtocols: ['a', 'b', 'c']
+ };
+
+ const clientsOptions = [{
+ ALPNProtocols: ['a', 'b', 'c'],
+ NPNProtocols: ['a', 'b', 'c']
+ }, {
+ ALPNProtocols: ['c', 'b', 'e'],
+ NPNProtocols: ['c', 'b', 'e']
+ }, {
+ ALPNProtocols: ['first-priority-unsupported', 'x', 'y'],
+ NPNProtocols: ['first-priority-unsupported', 'x', 'y']
+ }];
+
+ runTest(clientsOptions, serverOptions, function(results) {
+ // 'a' is selected by ALPN
+ checkResults(results[0], {server: {ALPN: 'a', NPN: false},
+ client: {ALPN: 'a', NPN: undefined}});
+ // 'b' is selected by ALPN
+ checkResults(results[1], {server: {ALPN: 'b', NPN: false},
+ client: {ALPN: 'b', NPN: undefined}});
+ // nothing is selected by ALPN
+ checkResults(results[2], {server: {ALPN: false,
+ NPN: 'first-priority-unsupported'},
+ client: {ALPN: false, NPN: false}});
+ // execute next test
+ Test6();
+ });
+}
+
+// Server: ALPN, Client: ALPN
+function Test6() {
+ const serverOptions = {
+ ALPNProtocols: ['a', 'b', 'c']
+ };
+
+ const clientsOptions = [{
+ ALPNProtocols: ['a', 'b', 'c']
+ }, {
+ ALPNProtocols: ['c', 'b', 'e']
+ }, {
+ ALPNProtocols: ['first-priority-unsupported', 'x', 'y']
+ }];
+
+ runTest(clientsOptions, serverOptions, function(results) {
+ // 'a' is selected by ALPN
+ checkResults(results[0], {server: {ALPN: 'a', NPN: false},
+ client: {ALPN: 'a', NPN: undefined}});
+ // 'b' is selected by ALPN
+ checkResults(results[1], {server: {ALPN: 'b', NPN: false},
+ client: {ALPN: 'b', NPN: undefined}});
+ // nothing is selected by ALPN
+ checkResults(results[2], {server: {ALPN: false, NPN: 'http/1.1'},
+ client: {ALPN: false, NPN: false}});
+ // execute next test
+ Test7();
+ });
+}
+
+// Server: ALPN, Client: NPN
+function Test7() {
+ const serverOptions = {
+ ALPNProtocols: ['a', 'b', 'c']
+ };
+
+ const clientsOptions = [{
+ NPNProtocols: ['a', 'b', 'c']
+ }, {
+ NPNProtocols: ['c', 'b', 'e']
+ }, {
+ NPNProtocols: ['first-priority-unsupported', 'x', 'y']
+ }];
+
+ runTest(clientsOptions, serverOptions, function(results) {
+ // nothing is selected by ALPN
+ checkResults(results[0], {server: {ALPN: false, NPN: 'a'},
+ client: {ALPN: false, NPN: false}});
+ // nothing is selected by ALPN
+ checkResults(results[1], {server: {ALPN: false, NPN: 'c'},
+ client: {ALPN: false, NPN: false}});
+ // nothing is selected by ALPN
+ checkResults(results[2],
+ {server: {ALPN: false, NPN: 'first-priority-unsupported'},
+ client: {ALPN: false, NPN: false}});
+ // execute next test
+ Test8();
+ });
+}
+
+// Server: ALPN, Client: Nothing
+function Test8() {
+ const serverOptions = {
+ ALPNProtocols: ['a', 'b', 'c']
+ };
+
+ const clientsOptions = [{}, {}, {}];
+
+ runTest(clientsOptions, serverOptions, function(results) {
+ // nothing is selected by ALPN
+ checkResults(results[0], {server: {ALPN: false, NPN: 'http/1.1'},
+ client: {ALPN: false, NPN: false}});
+ // nothing is selected by ALPN
+ checkResults(results[1], {server: {ALPN: false, NPN: 'http/1.1'},
+ client: {ALPN: false, NPN: false}});
+ // nothing is selected by ALPN
+ checkResults(results[2],
+ {server: {ALPN: false, NPN: 'http/1.1'},
+ client: {ALPN: false, NPN: false}});
+ // execute next test
+ Test9();
+ });
+}
+
+// Server: NPN, Client: ALPN/NPN
+function Test9() {
+ const serverOptions = {
+ NPNProtocols: ['a', 'b', 'c']
+ };
+
+ const clientsOptions = [{
+ ALPNrotocols: ['a', 'b', 'c'],
+ NPNProtocols: ['a', 'b', 'c']
+ }, {
+ ALPNProtocols: ['c', 'b', 'e'],
+ NPNProtocols: ['c', 'b', 'e']
+ }, {
+ ALPNProtocols: ['first-priority-unsupported', 'x', 'y'],
+ NPNProtocols: ['first-priority-unsupported', 'x', 'y']
+ }];
+
+ runTest(clientsOptions, serverOptions, function(results) {
+ // 'a' is selected by NPN
+ checkResults(results[0], {server: {ALPN: false, NPN: 'a'},
+ client: {ALPN: false, NPN: 'a'}});
+ // 'b' is selected by NPN
+ checkResults(results[1], {server: {ALPN: false, NPN: 'b'},
+ client: {ALPN: false, NPN: 'b'}});
+ // nothing is selected
+ checkResults(results[2],
+ {server: {ALPN: false, NPN: 'first-priority-unsupported'},
+ client: {ALPN: false, NPN: false}});
+ // execute next test
+ Test10();
+ });
+}
+
+// Server: NPN, Client: ALPN
+function Test10() {
+ const serverOptions = {
+ NPNProtocols: ['a', 'b', 'c']
+ };
+
+ const clientsOptions = [{
+ ALPNProtocols: ['a', 'b', 'c']
+ }, {
+ ALPNProtocols: ['c', 'b', 'e']
+ }, {
+ ALPNProtocols: ['first-priority-unsupported', 'x', 'y']
+ }];
+
+ runTest(clientsOptions, serverOptions, function(results) {
+ // nothing is selected
+ checkResults(results[0], {server: {ALPN: false, NPN: 'http/1.1'},
+ client: {ALPN: false, NPN: false}});
+ // nothing is selected
+ checkResults(results[1], {server: {ALPN: false, NPN: 'http/1.1'},
+ client: {ALPN: false, NPN: false}});
+ // nothing is selected
+ checkResults(results[2], {server: {ALPN: false, NPN: 'http/1.1'},
+ client: {ALPN: false, NPN: false}});
+ // execute next test
+ Test11();
+ });
+}
+
+// Server: NPN, Client: NPN
+function Test11() {
+ const serverOptions = {
+ NPNProtocols: ['a', 'b', 'c']
+ };
+
+ const clientsOptions = [{
+ NPNProtocols: ['a', 'b', 'c']
+ }, {
+ NPNProtocols: ['c', 'b', 'e']
+ }, {
+ NPNProtocols: ['first-priority-unsupported', 'x', 'y']
+ }];
+
+ runTest(clientsOptions, serverOptions, function(results) {
+ // 'a' is selected by NPN
+ checkResults(results[0], {server: {ALPN: false, NPN: 'a'},
+ client: {ALPN: false, NPN: 'a'}});
+ // 'b' is selected by NPN
+ checkResults(results[1], {server: {ALPN: false, NPN: 'b'},
+ client: {ALPN: false, NPN: 'b'}});
+ // nothing is selected
+ checkResults(results[2],
+ {server: {ALPN: false, NPN: 'first-priority-unsupported'},
+ client: {ALPN: false, NPN: false}});
+ // execute next test
+ Test12();
+ });
+}
+
+// Server: NPN, Client: Nothing
+function Test12() {
+ const serverOptions = {
+ NPNProtocols: ['a', 'b', 'c']
+ };
+
+ const clientsOptions = [{}, {}, {}];
+
+ runTest(clientsOptions, serverOptions, function(results) {
+ // nothing is selected
+ checkResults(results[0], {server: {ALPN: false, NPN: 'http/1.1'},
+ client: {ALPN: false, NPN: false}});
+ // nothing is selected
+ checkResults(results[1], {server: {ALPN: false, NPN: 'http/1.1'},
+ client: {ALPN: false, NPN: false}});
+ // nothing is selected
+ checkResults(results[2],
+ {server: {ALPN: false, NPN: 'http/1.1'},
+ client: {ALPN: false, NPN: false}});
+ // execute next test
+ Test13();
+ });
+}
+
+// Server: Nothing, Client: ALPN/NPN
+function Test13() {
+ const serverOptions = {};
+
+ const clientsOptions = [{
+ ALPNrotocols: ['a', 'b', 'c'],
+ NPNProtocols: ['a', 'b', 'c']
+ }, {
+ ALPNProtocols: ['c', 'b', 'e'],
+ NPNProtocols: ['c', 'b', 'e']
+ }, {
+ ALPNProtocols: ['first-priority-unsupported', 'x', 'y'],
+ NPNProtocols: ['first-priority-unsupported', 'x', 'y']
+ }];
+
+ runTest(clientsOptions, serverOptions, function(results) {
+ // nothing is selected
+ checkResults(results[0], {server: {ALPN: false, NPN: 'a'},
+ client: {ALPN: false, NPN: false}});
+ // nothing is selected
+ checkResults(results[1], {server: {ALPN: false, NPN: 'c'},
+ client: {ALPN: false, NPN: false}});
+ // nothing is selected
+ checkResults(results[2],
+ {server: {ALPN: false, NPN: 'first-priority-unsupported'},
+ client: {ALPN: false, NPN: false}});
+ // execute next test
+ Test14();
+ });
+}
+
+// Server: Nothing, Client: ALPN
+function Test14() {
+ const serverOptions = {};
+
+ const clientsOptions = [{
+ ALPNrotocols: ['a', 'b', 'c']
+ }, {
+ ALPNProtocols: ['c', 'b', 'e']
+ }, {
+ ALPNProtocols: ['first-priority-unsupported', 'x', 'y']
+ }];
+
+ runTest(clientsOptions, serverOptions, function(results) {
+ // nothing is selected
+ checkResults(results[0], {server: {ALPN: false, NPN: 'http/1.1'},
+ client: {ALPN: false, NPN: false}});
+ // nothing is selected
+ checkResults(results[1], {server: {ALPN: false, NPN: 'http/1.1'},
+ client: {ALPN: false, NPN: false}});
+ // nothing is selected
+ checkResults(results[2],
+ {server: {ALPN: false, NPN: 'http/1.1'},
+ client: {ALPN: false, NPN: false}});
+ // execute next test
+ Test15();
+ });
+}
+
+// Server: Nothing, Client: NPN
+function Test15() {
+ const serverOptions = {};
+
+ const clientsOptions = [{
+ NPNProtocols: ['a', 'b', 'c']
+ }, {
+ NPNProtocols: ['c', 'b', 'e']
+ }, {
+ NPNProtocols: ['first-priority-unsupported', 'x', 'y']
+ }];
+
+ runTest(clientsOptions, serverOptions, function(results) {
+ // nothing is selected
+ checkResults(results[0], {server: {ALPN: false, NPN: 'a'},
+ client: {ALPN: false, NPN: false}});
+ // nothing is selected
+ checkResults(results[1], {server: {ALPN: false, NPN: 'c'},
+ client: {ALPN: false, NPN: false}});
+ // nothing is selected
+ checkResults(results[2],
+ {server: {ALPN: false, NPN: 'first-priority-unsupported'},
+ client: {ALPN: false, NPN: false}});
+ // execute next test
+ Test16();
+ });
+}
+
+// Server: Nothing, Client: Nothing
+function Test16() {
+ const serverOptions = {};
+
+ const clientsOptions = [{}, {}, {}];
+
+ runTest(clientsOptions, serverOptions, function(results) {
+ // nothing is selected
+ checkResults(results[0], {server: {ALPN: false, NPN: 'http/1.1'},
+ client: {ALPN: false, NPN: false}});
+ // nothing is selected
+ checkResults(results[1], {server: {ALPN: false, NPN: 'http/1.1'},
+ client: {ALPN: false, NPN: false}});
+ // nothing is selected
+ checkResults(results[2],
+ {server: {ALPN: false, NPN: 'http/1.1'},
+ client: {ALPN: false, NPN: false}});
+ });
+}
+
+Test1();
diff --git a/test/disabled/test-tls-async-cb-after-socket-end.js b/test/disabled/test-tls-async-cb-after-socket-end.js
new file mode 100644
index 0000000..a49b44d
--- /dev/null
+++ b/test/disabled/test-tls-async-cb-after-socket-end.js
@@ -0,0 +1,70 @@
+'use strict';
+
+const common = require('../common');
+
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const path = require('path');
+const fs = require('fs');
+const SSL_OP_NO_TICKET = require('crypto').constants.SSL_OP_NO_TICKET;
+
+const tls = require('tls');
+
+const options = {
+ secureOptions: SSL_OP_NO_TICKET,
+ key: fs.readFileSync(path.join(common.fixturesDir, 'test_key.pem')),
+ cert: fs.readFileSync(path.join(common.fixturesDir, 'test_cert.pem'))
+};
+
+const server = tls.createServer(options, function(c) {
+});
+
+let sessionCb = null;
+let client = null;
+
+server.on('newSession', function(key, session, done) {
+ done();
+});
+
+server.on('resumeSession', function(id, cb) {
+ sessionCb = cb;
+
+ next();
+});
+
+server.listen(0, function() {
+ const clientOpts = {
+ port: this.address().port,
+ rejectUnauthorized: false,
+ session: false
+ };
+
+ const s1 = tls.connect(clientOpts, function() {
+ clientOpts.session = s1.getSession();
+ console.log('1st secure');
+
+ s1.destroy();
+ const s2 = tls.connect(clientOpts, function(s) {
+ console.log('2nd secure');
+
+ s2.destroy();
+ }).on('connect', function() {
+ console.log('2nd connected');
+ client = s2;
+
+ next();
+ });
+ });
+});
+
+function next() {
+ if (!client || !sessionCb)
+ return;
+
+ client.destroy();
+ setTimeout(function() {
+ sessionCb();
+ server.close();
+ }, 100);
+}
diff --git a/test/disabled/test-tls-basic-validations.js b/test/disabled/test-tls-basic-validations.js
new file mode 100644
index 0000000..d6c20ea
--- /dev/null
+++ b/test/disabled/test-tls-basic-validations.js
@@ -0,0 +1,53 @@
+'use strict';
+
+require('../common');
+const assert = require('assert');
+const tls = require('tls');
+
+assert.throws(() => tls.createSecureContext({ciphers: 1}),
+ /TypeError: Ciphers must be a string/);
+
+assert.throws(() => tls.createServer({ciphers: 1}),
+ /TypeError: Ciphers must be a string/);
+
+assert.throws(() => tls.createSecureContext({key: 'dummykey', passphrase: 1}),
+ /TypeError: Pass phrase must be a string/);
+
+assert.throws(() => tls.createServer({key: 'dummykey', passphrase: 1}),
+ /TypeError: Pass phrase must be a string/);
+
+assert.throws(() => tls.createServer({ecdhCurve: 1}),
+ /TypeError: ECDH curve name must be a string/);
+
+assert.throws(() => tls.createServer({handshakeTimeout: 'abcd'}),
+ /TypeError: handshakeTimeout must be a number/);
+
+assert.throws(() => tls.createServer({sessionTimeout: 'abcd'}),
+ /TypeError: Session timeout must be a 32-bit integer/);
+
+assert.throws(() => tls.createServer({ticketKeys: 'abcd'}),
+ /TypeError: Ticket keys must be a buffer/);
+
+assert.throws(() => tls.createServer({ticketKeys: Buffer.alloc(0)}),
+ /TypeError: Ticket keys length must be 48 bytes/);
+
+assert.throws(() => tls.createSecurePair({}),
+ /Error: First argument must be a tls module SecureContext/);
+
+{
+ const buffer = Buffer.from('abcd');
+ const out = {};
+ tls.convertALPNProtocols(buffer, out);
+ out.ALPNProtocols.write('efgh');
+ assert(buffer.equals(Buffer.from('abcd')));
+ assert(out.ALPNProtocols.equals(Buffer.from('efgh')));
+}
+
+{
+ const buffer = Buffer.from('abcd');
+ const out = {};
+ tls.convertNPNProtocols(buffer, out);
+ out.NPNProtocols.write('efgh');
+ assert(buffer.equals(Buffer.from('abcd')));
+ assert(out.NPNProtocols.equals(Buffer.from('efgh')));
+}
diff --git a/test/disabled/test-tls-ca-concat.js b/test/disabled/test-tls-ca-concat.js
new file mode 100644
index 0000000..8fa83a4
--- /dev/null
+++ b/test/disabled/test-tls-ca-concat.js
@@ -0,0 +1,24 @@
+'use strict';
+const common = require('../common');
+
+// Check ca option can contain concatenated certs by prepending an unrelated
+// non-CA cert and showing that agent6's CA root is still found.
+
+const join = require('path').join;
+const {
+ assert, connect, keys
+} = require(join(common.fixturesDir, 'tls-connect'))();
+
+connect({
+ client: {
+ checkServerIdentity: (servername, cert) => { },
+ ca: `${keys.agent1.cert}\n${keys.agent6.ca}`,
+ },
+ server: {
+ cert: keys.agent6.cert,
+ key: keys.agent6.key,
+ },
+}, function(err, pair, cleanup) {
+ assert.ifError(err);
+ return cleanup();
+});
diff --git a/test/disabled/test-tls-cert-chains-concat.js b/test/disabled/test-tls-cert-chains-concat.js
new file mode 100644
index 0000000..d53edef
--- /dev/null
+++ b/test/disabled/test-tls-cert-chains-concat.js
@@ -0,0 +1,50 @@
+'use strict';
+const common = require('../common');
+
+// Check cert chain is received by client, and is completed with the ca cert
+// known to the client.
+
+const join = require('path').join;
+const {
+ assert, connect, debug, keys
+} = require(join(common.fixturesDir, 'tls-connect'))();
+
+// agent6-cert.pem includes cert for agent6 and ca3
+connect({
+ client: {
+ checkServerIdentity: (servername, cert) => { },
+ ca: keys.agent6.ca,
+ },
+ server: {
+ cert: keys.agent6.cert,
+ key: keys.agent6.key,
+ },
+}, function(err, pair, cleanup) {
+ assert.ifError(err);
+
+ const peer = pair.client.conn.getPeerCertificate();
+ debug('peer:\n', peer);
+ assert.strictEqual(peer.subject.emailAddress, 'adam.lippai@tresorit.com');
+ assert.strictEqual(peer.subject.CN, 'Ádám Lippai'),
+ assert.strictEqual(peer.issuer.CN, 'ca3');
+ assert.strictEqual(peer.serialNumber, 'C4CD893EF9A75DCC');
+
+ const next = pair.client.conn.getPeerCertificate(true).issuerCertificate;
+ const root = next.issuerCertificate;
+ delete next.issuerCertificate;
+ debug('next:\n', next);
+ assert.strictEqual(next.subject.CN, 'ca3');
+ assert.strictEqual(next.issuer.CN, 'ca1');
+ assert.strictEqual(next.serialNumber, '9A84ABCFB8A72ABF');
+
+ debug('root:\n', root);
+ assert.strictEqual(root.subject.CN, 'ca1');
+ assert.strictEqual(root.issuer.CN, 'ca1');
+ assert.strictEqual(root.serialNumber, '8DF21C01468AF393');
+
+ // No client cert, so empty object returned.
+ assert.deepStrictEqual(pair.server.conn.getPeerCertificate(), {});
+ assert.deepStrictEqual(pair.server.conn.getPeerCertificate(true), {});
+
+ return cleanup();
+});
diff --git a/test/disabled/test-tls-cert-chains-in-ca.js b/test/disabled/test-tls-cert-chains-in-ca.js
new file mode 100644
index 0000000..69f62c3
--- /dev/null
+++ b/test/disabled/test-tls-cert-chains-in-ca.js
@@ -0,0 +1,46 @@
+'use strict';
+const common = require('../common');
+
+// Check cert chain is received by client, and is completed with the ca cert
+// known to the client.
+
+const join = require('path').join;
+const {
+ assert, connect, debug, keys
+} = require(join(common.fixturesDir, 'tls-connect'))();
+
+
+// agent6-cert.pem includes cert for agent6 and ca3, split it apart and
+// provide ca3 in the .ca property.
+const agent6Chain = keys.agent6.cert.split('-----END CERTIFICATE-----')
+ .map((c) => { return c + '-----END CERTIFICATE-----'; });
+const agent6End = agent6Chain[0];
+const agent6Middle = agent6Chain[1];
+connect({
+ client: {
+ checkServerIdentity: (servername, cert) => { },
+ ca: keys.agent6.ca,
+ },
+ server: {
+ cert: agent6End,
+ key: keys.agent6.key,
+ ca: agent6Middle,
+ },
+}, function(err, pair, cleanup) {
+ assert.ifError(err);
+
+ const peer = pair.client.conn.getPeerCertificate();
+ debug('peer:\n', peer);
+ assert.strictEqual(peer.serialNumber, 'C4CD893EF9A75DCC');
+
+ const next = pair.client.conn.getPeerCertificate(true).issuerCertificate;
+ const root = next.issuerCertificate;
+ delete next.issuerCertificate;
+ debug('next:\n', next);
+ assert.strictEqual(next.serialNumber, '9A84ABCFB8A72ABF');
+
+ debug('root:\n', root);
+ assert.strictEqual(root.serialNumber, '8DF21C01468AF393');
+
+ return cleanup();
+});
diff --git a/test/disabled/test-tls-cert-regression.js b/test/disabled/test-tls-cert-regression.js
new file mode 100644
index 0000000..20cfff5
--- /dev/null
+++ b/test/disabled/test-tls-cert-regression.js
@@ -0,0 +1,45 @@
+'use strict';
+const common = require('../common');
+
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const tls = require('tls');
+
+
+const cert =
+`-----BEGIN CERTIFICATE-----
+MIIBfjCCASgCCQDmmNjAojbDQjANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJB
+VTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0
+cyBQdHkgTHRkMCAXDTE0MDExNjE3NTMxM1oYDzIyODcxMDMxMTc1MzEzWjBFMQsw
+CQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJu
+ZXQgV2lkZ2l0cyBQdHkgTHRkMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAPKwlfMX
+6HGZIt1xm7fna72eWcOYfUfSxSugghvqYgJt2Oi3lH+wsU1O9FzRIVmpeIjDXhbp
+Mjsa1HtzSiccPXsCAwEAATANBgkqhkiG9w0BAQUFAANBAHOoKy0NkyfiYH7Ne5ka
+uvCyndyeB4d24FlfqEUlkfaWCZlNKRaV9YhLDiEg3BcIreFo4brtKQfZzTRs0GVm
+KHg=
+-----END CERTIFICATE-----`;
+
+const key =
+`-----BEGIN RSA PRIVATE KEY-----
+MIIBPQIBAAJBAPKwlfMX6HGZIt1xm7fna72eWcOYfUfSxSugghvqYgJt2Oi3lH+w
+sU1O9FzRIVmpeIjDXhbpMjsa1HtzSiccPXsCAwEAAQJBAM4uU9aJE0OfdE1p/X+K
+LrCT3XMdFCJ24GgmHyOURtwDy18upQJecDVdcZp16fjtOPmaW95GoYRyifB3R4I5
+RxECIQD7jRM9slCSVV8xp9kOJQNpHjhRQYVGBn+pyllS2sb+RQIhAPb7Y+BIccri
+NWnuhwCW8hA7Fkj/kaBdAwyW7L3Tvui/AiEAiqLCovMecre4Yi6GcsQ1b/6mvSmm
+IOS+AT6zIfXPTB0CIQCJKGR3ymN/Qw5crL1GQ41cHCQtF9ickOq/lBUW+j976wIh
+AOaJnkQrmurlRdePX6LvN/LgGAQoxwovfjcOYNnZsIVY
+-----END RSA PRIVATE KEY-----`;
+
+function test(cert, key, cb) {
+ const server = tls.createServer({
+ cert: cert,
+ key: key
+ }).listen(0, function() {
+ server.close(cb);
+ });
+}
+
+test(cert, key, common.mustCall(function() {
+ test(Buffer.from(cert), Buffer.from(key), common.mustCall());
+}));
diff --git a/test/disabled/test-tls-check-server-identity.js b/test/disabled/test-tls-check-server-identity.js
new file mode 100644
index 0000000..0cc55d6
--- /dev/null
+++ b/test/disabled/test-tls-check-server-identity.js
@@ -0,0 +1,260 @@
+'use strict';
+const common = require('../common');
+
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const assert = require('assert');
+const util = require('util');
+
+const tls = require('tls');
+
+const tests = [
+ // False-y values.
+ {
+ host: false,
+ cert: { subject: { CN: 'a.com' } },
+ error: 'Host: false. is not cert\'s CN: a.com'
+ },
+ {
+ host: null,
+ cert: { subject: { CN: 'a.com' } },
+ error: 'Host: null. is not cert\'s CN: a.com'
+ },
+ {
+ host: undefined,
+ cert: { subject: { CN: 'a.com' } },
+ error: 'Host: undefined. is not cert\'s CN: a.com'
+ },
+
+ // Basic CN handling
+ { host: 'a.com', cert: { subject: { CN: 'a.com' } } },
+ { host: 'a.com', cert: { subject: { CN: 'A.COM' } } },
+ {
+ host: 'a.com',
+ cert: { subject: { CN: 'b.com' } },
+ error: 'Host: a.com. is not cert\'s CN: b.com'
+ },
+ { host: 'a.com', cert: { subject: { CN: 'a.com.' } } },
+ {
+ host: 'a.com',
+ cert: { subject: { CN: '.a.com' } },
+ error: 'Host: a.com. is not cert\'s CN: .a.com'
+ },
+
+ // Wildcards in CN
+ { host: 'b.a.com', cert: { subject: { CN: '*.a.com' } } },
+ {
+ host: 'ba.com',
+ cert: { subject: { CN: '*.a.com' } },
+ error: 'Host: ba.com. is not cert\'s CN: *.a.com'
+ },
+ {
+ host: '\n.b.com',
+ cert: { subject: { CN: '*n.b.com' } },
+ error: 'Host: \n.b.com. is not cert\'s CN: *n.b.com'
+ },
+ { host: 'b.a.com', cert: {
+ subjectaltname: 'DNS:omg.com',
+ subject: { CN: '*.a.com' } },
+ error: 'Host: b.a.com. is not in the cert\'s altnames: ' +
+ 'DNS:omg.com'
+ },
+ {
+ host: 'b.a.com',
+ cert: { subject: { CN: 'b*b.a.com' } },
+ error: 'Host: b.a.com. is not cert\'s CN: b*b.a.com'
+ },
+
+ // Empty Cert
+ {
+ host: 'a.com',
+ cert: { },
+ error: 'Cert is empty'
+ },
+
+ // Multiple CN fields
+ {
+ host: 'foo.com', cert: {
+ subject: { CN: ['foo.com', 'bar.com'] } // CN=foo.com; CN=bar.com;
+ }
+ },
+
+ // DNS names and CN
+ {
+ host: 'a.com', cert: {
+ subjectaltname: 'DNS:*',
+ subject: { CN: 'b.com' }
+ },
+ error: 'Host: a.com. is not in the cert\'s altnames: ' +
+ 'DNS:*'
+ },
+ {
+ host: 'a.com', cert: {
+ subjectaltname: 'DNS:*.com',
+ subject: { CN: 'b.com' }
+ },
+ error: 'Host: a.com. is not in the cert\'s altnames: ' +
+ 'DNS:*.com'
+ },
+ {
+ host: 'a.co.uk', cert: {
+ subjectaltname: 'DNS:*.co.uk',
+ subject: { CN: 'b.com' }
+ }
+ },
+ {
+ host: 'a.com', cert: {
+ subjectaltname: 'DNS:*.a.com',
+ subject: { CN: 'a.com' }
+ },
+ error: 'Host: a.com. is not in the cert\'s altnames: ' +
+ 'DNS:*.a.com'
+ },
+ {
+ host: 'a.com', cert: {
+ subjectaltname: 'DNS:*.a.com',
+ subject: { CN: 'b.com' }
+ },
+ error: 'Host: a.com. is not in the cert\'s altnames: ' +
+ 'DNS:*.a.com'
+ },
+ {
+ host: 'a.com', cert: {
+ subjectaltname: 'DNS:a.com',
+ subject: { CN: 'b.com' }
+ }
+ },
+ {
+ host: 'a.com', cert: {
+ subjectaltname: 'DNS:A.COM',
+ subject: { CN: 'b.com' }
+ }
+ },
+
+ // DNS names
+ {
+ host: 'a.com', cert: {
+ subjectaltname: 'DNS:*.a.com',
+ subject: {}
+ },
+ error: 'Host: a.com. is not in the cert\'s altnames: ' +
+ 'DNS:*.a.com'
+ },
+ {
+ host: 'b.a.com', cert: {
+ subjectaltname: 'DNS:*.a.com',
+ subject: {}
+ }
+ },
+ {
+ host: 'c.b.a.com', cert: {
+ subjectaltname: 'DNS:*.a.com',
+ subject: {}
+ },
+ error: 'Host: c.b.a.com. is not in the cert\'s altnames: ' +
+ 'DNS:*.a.com'
+ },
+ {
+ host: 'b.a.com', cert: {
+ subjectaltname: 'DNS:*b.a.com',
+ subject: {}
+ }
+ },
+ {
+ host: 'a-cb.a.com', cert: {
+ subjectaltname: 'DNS:*b.a.com',
+ subject: {}
+ }
+ },
+ {
+ host: 'a.b.a.com', cert: {
+ subjectaltname: 'DNS:*b.a.com',
+ subject: {}
+ },
+ error: 'Host: a.b.a.com. is not in the cert\'s altnames: ' +
+ 'DNS:*b.a.com'
+ },
+ // Mutliple DNS names
+ {
+ host: 'a.b.a.com', cert: {
+ subjectaltname: 'DNS:*b.a.com, DNS:a.b.a.com',
+ subject: {}
+ }
+ },
+ // URI names
+ {
+ host: 'a.b.a.com', cert: {
+ subjectaltname: 'URI:http://a.b.a.com/',
+ subject: {}
+ }
+ },
+ {
+ host: 'a.b.a.com', cert: {
+ subjectaltname: 'URI:http://*.b.a.com/',
+ subject: {}
+ },
+ error: 'Host: a.b.a.com. is not in the cert\'s altnames: ' +
+ 'URI:http://*.b.a.com/'
+ },
+ // IP addresses
+ {
+ host: 'a.b.a.com', cert: {
+ subjectaltname: 'IP Address:127.0.0.1',
+ subject: {}
+ },
+ error: 'Host: a.b.a.com. is not in the cert\'s altnames: ' +
+ 'IP Address:127.0.0.1'
+ },
+ {
+ host: '127.0.0.1', cert: {
+ subjectaltname: 'IP Address:127.0.0.1',
+ subject: {}
+ }
+ },
+ {
+ host: '127.0.0.2', cert: {
+ subjectaltname: 'IP Address:127.0.0.1',
+ subject: {}
+ },
+ error: 'IP: 127.0.0.2 is not in the cert\'s list: ' +
+ '127.0.0.1'
+ },
+ {
+ host: '127.0.0.1', cert: {
+ subjectaltname: 'DNS:a.com',
+ subject: {}
+ },
+ error: 'IP: 127.0.0.1 is not in the cert\'s list: '
+ },
+ {
+ host: 'localhost', cert: {
+ subjectaltname: 'DNS:a.com',
+ subject: { CN: 'localhost' }
+ },
+ error: 'Host: localhost. is not in the cert\'s altnames: ' +
+ 'DNS:a.com'
+ },
+ // IDNA
+ {
+ host: 'xn--bcher-kva.example.com',
+ cert: { subject: { CN: '*.example.com' } },
+ },
+ // RFC 6125, section 6.4.3: "[...] the client SHOULD NOT attempt to match
+ // a presented identifier where the wildcard character is embedded within
+ // an A-label [...]"
+ {
+ host: 'xn--bcher-kva.example.com',
+ cert: { subject: { CN: 'xn--*.example.com' } },
+ error: 'Host: xn--bcher-kva.example.com. is not cert\'s CN: ' +
+ 'xn--*.example.com',
+ },
+];
+
+tests.forEach(function(test, i) {
+ const err = tls.checkServerIdentity(test.host, test.cert);
+ assert.strictEqual(err && err.reason,
+ test.error,
+ `Test# ${i} failed: ${util.inspect(test)} \n` +
+ `${test.error} != ${(err && err.reason)}`);
+});
diff --git a/test/disabled/test-tls-cipher-list.js b/test/disabled/test-tls-cipher-list.js
new file mode 100644
index 0000000..4a39ee9
--- /dev/null
+++ b/test/disabled/test-tls-cipher-list.js
@@ -0,0 +1,30 @@
+'use strict';
+const common = require('../common');
+
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const assert = require('assert');
+const spawn = require('child_process').spawn;
+const defaultCoreList = require('crypto').constants.defaultCoreCipherList;
+
+function doCheck(arg, check) {
+ let out = '';
+ arg = arg.concat([
+ '-pe',
+ 'require("crypto").constants.defaultCipherList'
+ ]);
+ spawn(process.execPath, arg, {})
+ .on('error', common.mustNotCall())
+ .stdout.on('data', function(chunk) {
+ out += chunk;
+ }).on('end', function() {
+ assert.strictEqual(out.trim(), check);
+ }).on('error', common.mustNotCall());
+}
+
+// test the default unmodified version
+doCheck([], defaultCoreList);
+
+// test the command line switch by itself
+doCheck(['--tls-cipher-list=ABC'], 'ABC');
diff --git a/test/disabled/test-tls-client-abort.js b/test/disabled/test-tls-client-abort.js
new file mode 100644
index 0000000..4216e34
--- /dev/null
+++ b/test/disabled/test-tls-client-abort.js
@@ -0,0 +1,19 @@
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const assert = require('assert');
+const tls = require('tls');
+const fs = require('fs');
+const path = require('path');
+
+const cert = fs.readFileSync(path.join(common.fixturesDir, 'test_cert.pem'));
+const key = fs.readFileSync(path.join(common.fixturesDir, 'test_key.pem'));
+
+const conn = tls.connect({cert, key, port: 0}, common.mustNotCall());
+conn.on('error', function() {
+});
+assert.doesNotThrow(function() {
+ conn.destroy();
+});
diff --git a/test/disabled/test-tls-client-abort2.js b/test/disabled/test-tls-client-abort2.js
new file mode 100644
index 0000000..f3d84a5
--- /dev/null
+++ b/test/disabled/test-tls-client-abort2.js
@@ -0,0 +1,14 @@
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const assert = require('assert');
+const tls = require('tls');
+
+const conn = tls.connect(0, common.mustNotCall());
+conn.on('error', common.mustCall(function() {
+ assert.doesNotThrow(function() {
+ conn.destroy();
+ });
+}));
diff --git a/test/disabled/test-tls-client-default-ciphers.js b/test/disabled/test-tls-client-default-ciphers.js
new file mode 100644
index 0000000..91a0a86
--- /dev/null
+++ b/test/disabled/test-tls-client-default-ciphers.js
@@ -0,0 +1,26 @@
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const assert = require('assert');
+const tls = require('tls');
+
+function Done() {}
+
+function test1() {
+ let ciphers = '';
+
+ tls.createSecureContext = function(options) {
+ ciphers = options.ciphers;
+ throw new Done();
+ };
+
+ try {
+ tls.connect(common.PORT);
+ } catch (e) {
+ assert(e instanceof Done);
+ }
+ assert.strictEqual(ciphers, tls.DEFAULT_CIPHERS);
+}
+test1();
diff --git a/test/disabled/test-tls-client-destroy-soon.js b/test/disabled/test-tls-client-destroy-soon.js
new file mode 100644
index 0000000..94a4956
--- /dev/null
+++ b/test/disabled/test-tls-client-destroy-soon.js
@@ -0,0 +1,46 @@
+'use strict';
+// Create an ssl server. First connection, validate that not resume.
+// Cache session and close connection. Use session on second connection.
+// ASSERT resumption.
+
+const common = require('../common');
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const assert = require('assert');
+const tls = require('tls');
+const fs = require('fs');
+
+const options = {
+ key: fs.readFileSync(`${common.fixturesDir}/keys/agent2-key.pem`),
+ cert: fs.readFileSync(`${common.fixturesDir}/keys/agent2-cert.pem`)
+};
+
+const big = Buffer.alloc(2 * 1024 * 1024, 'Y');
+
+// create server
+const server = tls.createServer(options, common.mustCall(function(socket) {
+ socket.end(big);
+ socket.destroySoon();
+}));
+
+// start listening
+server.listen(0, common.mustCall(function() {
+ const client = tls.connect({
+ port: this.address().port,
+ rejectUnauthorized: false
+ }, common.mustCall(function() {
+ let bytesRead = 0;
+
+ client.on('readable', function() {
+ const d = client.read();
+ if (d)
+ bytesRead += d.length;
+ });
+
+ client.on('end', common.mustCall(function() {
+ server.close();
+ assert.strictEqual(big.length, bytesRead);
+ }));
+ }));
+}));
diff --git a/test/disabled/test-tls-client-getephemeralkeyinfo.js b/test/disabled/test-tls-client-getephemeralkeyinfo.js
new file mode 100644
index 0000000..7d93dcb
--- /dev/null
+++ b/test/disabled/test-tls-client-getephemeralkeyinfo.js
@@ -0,0 +1,96 @@
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const assert = require('assert');
+const tls = require('tls');
+const fs = require('fs');
+
+const key = fs.readFileSync(`${common.fixturesDir}/keys/agent2-key.pem`);
+const cert = fs.readFileSync(`${common.fixturesDir}/keys/agent2-cert.pem`);
+
+let ntests = 0;
+let nsuccess = 0;
+
+function loadDHParam(n) {
+ let path = common.fixturesDir;
+ if (n !== 'error') path += '/keys';
+ return fs.readFileSync(`${path}/dh${n}.pem`);
+}
+
+const cipherlist = {
+ 'NOT_PFS': 'AES128-SHA256',
+ 'DH': 'DHE-RSA-AES128-GCM-SHA256',
+ 'ECDH': 'ECDHE-RSA-AES128-GCM-SHA256'
+};
+
+function test(size, type, name, next) {
+ const cipher = type ? cipherlist[type] : cipherlist['NOT_PFS'];
+
+ if (name) tls.DEFAULT_ECDH_CURVE = name;
+
+ const options = {
+ key: key,
+ cert: cert,
+ ciphers: cipher
+ };
+
+ if (type === 'DH') options.dhparam = loadDHParam(size);
+
+ const server = tls.createServer(options, function(conn) {
+ assert.strictEqual(conn.getEphemeralKeyInfo(), null);
+ conn.end();
+ });
+
+ server.on('close', common.mustCall(function(err) {
+ assert(!err);
+ if (next) next();
+ }));
+
+ server.listen(0, '127.0.0.1', common.mustCall(function() {
+ const client = tls.connect({
+ port: this.address().port,
+ rejectUnauthorized: false
+ }, function() {
+ const ekeyinfo = client.getEphemeralKeyInfo();
+ assert.strictEqual(ekeyinfo.type, type);
+ assert.strictEqual(ekeyinfo.size, size);
+ assert.strictEqual(ekeyinfo.name, name);
+ nsuccess++;
+ server.close();
+ });
+ }));
+}
+
+function testNOT_PFS() {
+ test(undefined, undefined, undefined, testDHE1024);
+ ntests++;
+}
+
+function testDHE1024() {
+ test(1024, 'DH', undefined, testDHE2048);
+ ntests++;
+}
+
+function testDHE2048() {
+ test(2048, 'DH', undefined, testECDHE256);
+ ntests++;
+}
+
+function testECDHE256() {
+ test(256, 'ECDH', tls.DEFAULT_ECDH_CURVE, testECDHE512);
+ ntests++;
+}
+
+function testECDHE512() {
+ test(521, 'ECDH', 'secp521r1', null);
+ ntests++;
+}
+
+testNOT_PFS();
+
+process.on('exit', function() {
+ assert.strictEqual(ntests, nsuccess);
+ assert.strictEqual(ntests, 5);
+});
diff --git a/test/disabled/test-tls-client-mindhsize.js b/test/disabled/test-tls-client-mindhsize.js
new file mode 100644
index 0000000..685d790
--- /dev/null
+++ b/test/disabled/test-tls-client-mindhsize.js
@@ -0,0 +1,92 @@
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const assert = require('assert');
+const tls = require('tls');
+const fs = require('fs');
+
+const key = fs.readFileSync(`${common.fixturesDir}/keys/agent2-key.pem`);
+const cert = fs.readFileSync(`${common.fixturesDir}/keys/agent2-cert.pem`);
+
+let nsuccess = 0;
+let nerror = 0;
+
+function loadDHParam(n) {
+ let path = common.fixturesDir;
+ if (n !== 'error') path += '/keys';
+ return fs.readFileSync(`${path}/dh${n}.pem`);
+}
+
+function test(size, err, next) {
+ const options = {
+ key: key,
+ cert: cert,
+ dhparam: loadDHParam(size),
+ ciphers: 'DHE-RSA-AES128-GCM-SHA256'
+ };
+
+ const server = tls.createServer(options, function(conn) {
+ conn.end();
+ });
+
+ server.on('close', function(isException) {
+ assert(!isException);
+ if (next) next();
+ });
+
+ server.listen(0, '127.0.0.1', function() {
+ // client set minimum DH parameter size to 2048 bits so that
+ // it fails when it make a connection to the tls server where
+ // dhparams is 1024 bits
+ const client = tls.connect({
+ minDHSize: 2048,
+ port: this.address().port,
+ rejectUnauthorized: false
+ }, function() {
+ nsuccess++;
+ server.close();
+ });
+ if (err) {
+ client.on('error', function(e) {
+ nerror++;
+ assert.strictEqual(e.message,
+ 'DH parameter size 1024 is less than 2048');
+ server.close();
+ });
+ }
+ });
+}
+
+// A client connection fails with an error when a client has an
+// 2048 bits minDHSize option and a server has 1024 bits dhparam
+function testDHE1024() {
+ test(1024, true, testDHE2048);
+}
+
+// A client connection successes when a client has an
+// 2048 bits minDHSize option and a server has 2048 bits dhparam
+function testDHE2048() {
+ test(2048, false, null);
+}
+
+testDHE1024();
+
+assert.throws(() => test(512, true, common.mustNotCall()),
+ /DH parameter is less than 1024 bits/);
+
+let errMessage = /minDHSize is not a positive number/;
+[0, -1, -Infinity, NaN].forEach((minDHSize) => {
+ assert.throws(() => tls.connect({ minDHSize }), errMessage);
+});
+
+errMessage = /minDHSize is not a number/;
+[true, false, null, undefined, {}, [], '', '1'].forEach((minDHSize) => {
+ assert.throws(() => tls.connect({ minDHSize }), errMessage);
+});
+
+process.on('exit', function() {
+ assert.strictEqual(nsuccess, 1);
+ assert.strictEqual(nerror, 1);
+});
diff --git a/test/disabled/test-tls-client-reject.js b/test/disabled/test-tls-client-reject.js
new file mode 100644
index 0000000..be3233d
--- /dev/null
+++ b/test/disabled/test-tls-client-reject.js
@@ -0,0 +1,61 @@
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const assert = require('assert');
+const tls = require('tls');
+const fs = require('fs');
+const path = require('path');
+
+const options = {
+ key: fs.readFileSync(path.join(common.fixturesDir, 'test_key.pem')),
+ cert: fs.readFileSync(path.join(common.fixturesDir, 'test_cert.pem'))
+};
+
+const server = tls.createServer(options, common.mustCall(function(socket) {
+ socket.on('data', function(data) {
+ console.error(data.toString());
+ assert.strictEqual(data.toString(), 'ok');
+ });
+}, 3)).listen(0, function() {
+ unauthorized();
+});
+
+function unauthorized() {
+ const socket = tls.connect({
+ port: server.address().port,
+ servername: 'localhost',
+ rejectUnauthorized: false
+ }, common.mustCall(function() {
+ assert(!socket.authorized);
+ socket.end();
+ rejectUnauthorized();
+ }));
+ socket.on('error', common.mustNotCall());
+ socket.write('ok');
+}
+
+function rejectUnauthorized() {
+ const socket = tls.connect(server.address().port, {
+ servername: 'localhost'
+ }, common.mustNotCall());
+ socket.on('error', common.mustCall(function(err) {
+ console.error(err);
+ authorized();
+ }));
+ socket.write('ng');
+}
+
+function authorized() {
+ const socket = tls.connect(server.address().port, {
+ ca: [fs.readFileSync(path.join(common.fixturesDir, 'test_cert.pem'))],
+ servername: 'localhost'
+ }, common.mustCall(function() {
+ assert(socket.authorized);
+ socket.end();
+ server.close();
+ }));
+ socket.on('error', common.mustNotCall());
+ socket.write('ok');
+}
diff --git a/test/disabled/test-tls-client-resume.js b/test/disabled/test-tls-client-resume.js
new file mode 100644
index 0000000..211d086
--- /dev/null
+++ b/test/disabled/test-tls-client-resume.js
@@ -0,0 +1,56 @@
+'use strict';
+// Create an ssl server. First connection, validate that not resume.
+// Cache session and close connection. Use session on second connection.
+// ASSERT resumption.
+
+const common = require('../common');
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const assert = require('assert');
+const tls = require('tls');
+const fs = require('fs');
+
+const options = {
+ key: fs.readFileSync(`${common.fixturesDir}/keys/agent2-key.pem`),
+ cert: fs.readFileSync(`${common.fixturesDir}/keys/agent2-cert.pem`)
+};
+
+// create server
+const server = tls.Server(options, common.mustCall(function(socket) {
+ socket.end('Goodbye');
+}, 2));
+
+// start listening
+server.listen(0, function() {
+
+ let session1 = null;
+ const client1 = tls.connect({
+ port: this.address().port,
+ rejectUnauthorized: false
+ }, function() {
+ console.log('connect1');
+ assert.ok(!client1.isSessionReused(), 'Session *should not* be reused.');
+ session1 = client1.getSession();
+ });
+
+ client1.on('close', function() {
+ console.log('close1');
+
+ const opts = {
+ port: server.address().port,
+ rejectUnauthorized: false,
+ session: session1
+ };
+
+ const client2 = tls.connect(opts, function() {
+ console.log('connect2');
+ assert.ok(client2.isSessionReused(), 'Session *should* be reused.');
+ });
+
+ client2.on('close', function() {
+ console.log('close2');
+ server.close();
+ });
+ });
+});
diff --git a/test/disabled/test-tls-client-verify.js b/test/disabled/test-tls-client-verify.js
new file mode 100644
index 0000000..565b391
--- /dev/null
+++ b/test/disabled/test-tls-client-verify.js
@@ -0,0 +1,132 @@
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const assert = require('assert');
+const fs = require('fs');
+const path = require('path');
+const tls = require('tls');
+
+const hosterr = /Hostname\/IP doesn't match certificate's altnames/;
+const testCases =
+ [{ ca: ['ca1-cert'],
+ key: 'agent2-key',
+ cert: 'agent2-cert',
+ servers: [
+ { ok: true, key: 'agent1-key', cert: 'agent1-cert' },
+ { ok: false, key: 'agent2-key', cert: 'agent2-cert' },
+ { ok: false, key: 'agent3-key', cert: 'agent3-cert' }
+ ]
+ },
+
+ { ca: [],
+ key: 'agent2-key',
+ cert: 'agent2-cert',
+ servers: [
+ { ok: false, key: 'agent1-key', cert: 'agent1-cert' },
+ { ok: false, key: 'agent2-key', cert: 'agent2-cert' },
+ { ok: false, key: 'agent3-key', cert: 'agent3-cert' }
+ ]
+ },
+
+ { ca: ['ca1-cert', 'ca2-cert'],
+ key: 'agent2-key',
+ cert: 'agent2-cert',
+ servers: [
+ { ok: true, key: 'agent1-key', cert: 'agent1-cert' },
+ { ok: false, key: 'agent2-key', cert: 'agent2-cert' },
+ { ok: true, key: 'agent3-key', cert: 'agent3-cert' }
+ ]
+ }
+ ];
+
+function filenamePEM(n) {
+ return path.join(common.fixturesDir, 'keys', `${n}.pem`);
+}
+
+
+function loadPEM(n) {
+ return fs.readFileSync(filenamePEM(n));
+}
+
+let successfulTests = 0;
+
+function testServers(index, servers, clientOptions, cb) {
+ const serverOptions = servers[index];
+ if (!serverOptions) {
+ cb();
+ return;
+ }
+
+ const ok = serverOptions.ok;
+
+ if (serverOptions.key) {
+ serverOptions.key = loadPEM(serverOptions.key);
+ }
+
+ if (serverOptions.cert) {
+ serverOptions.cert = loadPEM(serverOptions.cert);
+ }
+
+ const server = tls.createServer(serverOptions, common.mustCall(function(s) {
+ s.end('hello world\n');
+ }));
+
+ server.listen(0, common.mustCall(function() {
+ let b = '';
+
+ console.error('connecting...');
+ clientOptions.port = this.address().port;
+ const client = tls.connect(clientOptions, common.mustCall(function() {
+ const authorized = client.authorized ||
+ hosterr.test(client.authorizationError);
+
+ console.error(`expected: ${ok} authed: ${authorized}`);
+
+ assert.strictEqual(ok, authorized);
+ server.close();
+ }));
+
+ client.on('data', function(d) {
+ b += d.toString();
+ });
+
+ client.on('end', common.mustCall(function() {
+ assert.strictEqual('hello world\n', b);
+ }));
+
+ client.on('close', common.mustCall(function() {
+ testServers(index + 1, servers, clientOptions, cb);
+ }));
+ }));
+}
+
+
+function runTest(testIndex) {
+ const tcase = testCases[testIndex];
+ if (!tcase) return;
+
+ const clientOptions = {
+ port: undefined,
+ ca: tcase.ca.map(loadPEM),
+ key: loadPEM(tcase.key),
+ cert: loadPEM(tcase.cert),
+ rejectUnauthorized: false
+ };
+
+
+ testServers(0, tcase.servers, clientOptions, common.mustCall(function() {
+ successfulTests++;
+ runTest(testIndex + 1);
+ }));
+}
+
+
+runTest(0);
+
+
+process.on('exit', function() {
+ console.log('successful tests: %d', successfulTests);
+ assert.strictEqual(successfulTests, testCases.length);
+});
diff --git a/test/disabled/test-tls-close-error.js b/test/disabled/test-tls-close-error.js
new file mode 100644
index 0000000..e7e48cd
--- /dev/null
+++ b/test/disabled/test-tls-close-error.js
@@ -0,0 +1,26 @@
+'use strict';
+
+const common = require('../common');
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const assert = require('assert');
+const tls = require('tls');
+const fs = require('fs');
+
+const server = tls.createServer({
+ key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`),
+ cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`)
+}, function(c) {
+}).listen(0, common.mustCall(function() {
+ const c = tls.connect(this.address().port, function() {
+ assert(false, 'should not be called');
+ });
+
+ c.on('error', common.mustCall(function(err) {}));
+
+ c.on('close', common.mustCall(function(err) {
+ assert.ok(err);
+ server.close();
+ }));
+}));
diff --git a/test/disabled/test-tls-close-notify.js b/test/disabled/test-tls-close-notify.js
new file mode 100644
index 0000000..15f9f36
--- /dev/null
+++ b/test/disabled/test-tls-close-notify.js
@@ -0,0 +1,27 @@
+'use strict';
+const common = require('../common');
+
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const tls = require('tls');
+const fs = require('fs');
+
+const server = tls.createServer({
+ key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`),
+ cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`)
+}, function(c) {
+ // Send close-notify without shutting down TCP socket
+ if (c._handle.shutdownSSL() !== 1)
+ c._handle.shutdownSSL();
+}).listen(0, common.mustCall(function() {
+ const c = tls.connect(this.address().port, {
+ rejectUnauthorized: false
+ }, common.mustCall(function() {
+ // Ensure that we receive 'end' event anyway
+ c.on('end', common.mustCall(function() {
+ c.destroy();
+ server.close();
+ }));
+ }));
+}));
diff --git a/test/disabled/test-tls-cnnic-whitelist.js b/test/disabled/test-tls-cnnic-whitelist.js
new file mode 100644
index 0000000..84b71c7
--- /dev/null
+++ b/test/disabled/test-tls-cnnic-whitelist.js
@@ -0,0 +1,77 @@
+// Flags: --use-bundled-ca
+'use strict';
+const common = require('../common');
+
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const assert = require('assert');
+const fs = require('fs');
+const path = require('path');
+const tls = require('tls');
+
+function filenamePEM(n) {
+ return path.join(common.fixturesDir, 'keys', `${n}.pem`);
+}
+
+function loadPEM(n) {
+ return fs.readFileSync(filenamePEM(n));
+}
+
+const testCases = [
+ { // Test 0: for the check of a cert not existed in the whitelist.
+ // agent7-cert.pem is issued by the fake CNNIC root CA so that its
+ // hash is not listed in the whitelist.
+ // fake-cnnic-root-cert has the same subject name as the original
+ // rootCA.
+ serverOpts: {
+ key: loadPEM('agent7-key'),
+ cert: loadPEM('agent7-cert')
+ },
+ clientOpts: {
+ port: undefined,
+ rejectUnauthorized: true,
+ ca: [loadPEM('fake-cnnic-root-cert')]
+ },
+ errorCode: 'CERT_REVOKED'
+ },
+ // Test 1: for the fix of node#2061
+ // agent6-cert.pem is signed by intermidate cert of ca3.
+ // The server has a cert chain of agent6->ca3->ca1(root) but
+ // tls.connect should be failed with an error of
+ // UNABLE_TO_GET_ISSUER_CERT_LOCALLY since the root CA of ca1 is not
+ // installed locally.
+ {
+ serverOpts: {
+ ca: loadPEM('ca3-key'),
+ key: loadPEM('agent6-key'),
+ cert: loadPEM('agent6-cert')
+ },
+ clientOpts: {
+ port: undefined,
+ rejectUnauthorized: true
+ },
+ errorCode: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY'
+ }
+];
+
+function runTest(tindex) {
+ const tcase = testCases[tindex];
+
+ if (!tcase) return;
+
+ const server = tls.createServer(tcase.serverOpts, (s) => {
+ s.resume();
+ }).listen(0, common.mustCall(function() {
+ tcase.clientOpts = this.address().port;
+ const client = tls.connect(tcase.clientOpts);
+ client.on('error', common.mustCall((e) => {
+ assert.strictEqual(e.code, tcase.errorCode);
+ server.close(common.mustCall(() => {
+ runTest(tindex + 1);
+ }));
+ }));
+ }));
+}
+
+runTest(0);
diff --git a/test/disabled/test-tls-connect-address-family.js b/test/disabled/test-tls-connect-address-family.js
new file mode 100644
index 0000000..afacd5a
--- /dev/null
+++ b/test/disabled/test-tls-connect-address-family.js
@@ -0,0 +1,45 @@
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+if (!common.hasIPv6)
+ common.skip('no IPv6 support');
+
+const assert = require('assert');
+const tls = require('tls');
+const dns = require('dns');
+
+function runTest() {
+ const ciphers = 'AECDH-NULL-SHA';
+ tls.createServer({ ciphers }, common.mustCall(function() {
+ this.close();
+ })).listen(0, '::1', common.mustCall(function() {
+ const options = {
+ host: 'localhost',
+ port: this.address().port,
+ family: 6,
+ ciphers: ciphers,
+ rejectUnauthorized: false,
+ };
+ // Will fail with ECONNREFUSED if the address family is not honored.
+ tls.connect(options).once('secureConnect', common.mustCall(function() {
+ assert.strictEqual('::1', this.remoteAddress);
+ this.destroy();
+ }));
+ }));
+}
+
+dns.lookup('localhost', {family: 6, all: true}, (err, addresses) => {
+ if (err) {
+ if (err.code === 'ENOTFOUND')
+ common.skip('localhost does not resolve to ::1');
+
+ throw err;
+ }
+
+ if (addresses.some((val) => val.address === '::1'))
+ runTest();
+ else
+ common.skip('localhost does not resolve to ::1');
+});
diff --git a/test/disabled/test-tls-connect-given-socket.js b/test/disabled/test-tls-connect-given-socket.js
new file mode 100644
index 0000000..b69e0b9
--- /dev/null
+++ b/test/disabled/test-tls-connect-given-socket.js
@@ -0,0 +1,65 @@
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const assert = require('assert');
+const tls = require('tls');
+const net = require('net');
+const fs = require('fs');
+const path = require('path');
+
+const options = {
+ key: fs.readFileSync(path.join(common.fixturesDir, 'test_key.pem')),
+ cert: fs.readFileSync(path.join(common.fixturesDir, 'test_cert.pem'))
+};
+
+const server = tls.createServer(options, common.mustCall((socket) => {
+ socket.end('Hello');
+}, 2)).listen(0, common.mustCall(() => {
+ let waiting = 2;
+ function establish(socket, calls) {
+ const client = tls.connect({
+ rejectUnauthorized: false,
+ socket: socket
+ }, common.mustCall(() => {
+ let data = '';
+ client.on('data', common.mustCall((chunk) => {
+ data += chunk.toString();
+ }));
+ client.on('end', common.mustCall(() => {
+ assert.strictEqual(data, 'Hello');
+ if (--waiting === 0)
+ server.close();
+ }));
+ }, calls));
+ assert(client.readable);
+ assert(client.writable);
+
+ return client;
+ }
+
+ const { port } = server.address();
+
+ // Immediate death socket
+ const immediateDeath = net.connect(port);
+ establish(immediateDeath, 0).destroy();
+
+ // Outliving
+ const outlivingTCP = net.connect(port, common.mustCall(() => {
+ outlivingTLS.destroy();
+ next();
+ }));
+ const outlivingTLS = establish(outlivingTCP, 0);
+
+ function next() {
+ // Already connected socket
+ const connected = net.connect(port, common.mustCall(() => {
+ establish(connected);
+ }));
+
+ // Connecting socket
+ const connecting = net.connect(port);
+ establish(connecting);
+ }
+}));
diff --git a/test/disabled/test-tls-connect-no-host.js b/test/disabled/test-tls-connect-no-host.js
new file mode 100644
index 0000000..f63c821
--- /dev/null
+++ b/test/disabled/test-tls-connect-no-host.js
@@ -0,0 +1,34 @@
+'use strict';
+const common = require('../common');
+
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const tls = require('tls');
+
+const assert = require('assert');
+const fs = require('fs');
+const path = require('path');
+
+const cert = fs.readFileSync(path.join(common.fixturesDir, 'test_cert.pem'));
+const key = fs.readFileSync(path.join(common.fixturesDir, 'test_key.pem'));
+
+// https://github.com/nodejs/node/issues/1489
+// tls.connect(options) with no options.host should accept a cert with
+// CN:'localhost'
+tls.createServer({
+ key: key,
+ cert: cert
+}).listen(0, function() {
+ const socket = tls.connect({
+ port: this.address().port,
+ ca: cert,
+ // No host set here. 'localhost' is the default,
+ // but tls.checkServerIdentity() breaks before the fix with:
+ // Error: Hostname/IP doesn't match certificate's altnames:
+ // "Host: undefined. is not cert's CN: localhost"
+ }, function() {
+ assert(socket.authorized);
+ process.exit();
+ });
+});
diff --git a/test/disabled/test-tls-connect-pipe.js b/test/disabled/test-tls-connect-pipe.js
new file mode 100644
index 0000000..2467a91
--- /dev/null
+++ b/test/disabled/test-tls-connect-pipe.js
@@ -0,0 +1,26 @@
+'use strict';
+const common = require('../common');
+
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const tls = require('tls');
+
+const fs = require('fs');
+
+const options = {
+ key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`),
+ cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`)
+};
+
+common.refreshTmpDir();
+
+const server = tls.Server(options, common.mustCall(function(socket) {
+ server.close();
+}));
+server.listen(common.PIPE, common.mustCall(function() {
+ const options = { rejectUnauthorized: false };
+ const client = tls.connect(common.PIPE, options, common.mustCall(function() {
+ client.end();
+ }));
+}));
diff --git a/test/disabled/test-tls-connect-secure-context.js b/test/disabled/test-tls-connect-secure-context.js
new file mode 100644
index 0000000..d1552a6
--- /dev/null
+++ b/test/disabled/test-tls-connect-secure-context.js
@@ -0,0 +1,25 @@
+'use strict';
+const common = require('../common');
+
+// Verify connection with explicitly created client SecureContext.
+
+const join = require('path').join;
+const {
+ assert, connect, keys, tls
+} = require(join(common.fixturesDir, 'tls-connect'))();
+
+connect({
+ client: {
+ servername: 'agent1',
+ secureContext: tls.createSecureContext({
+ ca: keys.agent1.ca,
+ }),
+ },
+ server: {
+ cert: keys.agent1.cert,
+ key: keys.agent1.key,
+ },
+}, function(err, pair, cleanup) {
+ assert.ifError(err);
+ return cleanup();
+});
diff --git a/test/disabled/test-tls-connect-simple.js b/test/disabled/test-tls-connect-simple.js
new file mode 100644
index 0000000..aa59f05
--- /dev/null
+++ b/test/disabled/test-tls-connect-simple.js
@@ -0,0 +1,42 @@
+'use strict';
+const common = require('../common');
+
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const tls = require('tls');
+
+const fs = require('fs');
+
+let serverConnected = 0;
+
+const options = {
+ key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`),
+ cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`)
+};
+
+const server = tls.Server(options, common.mustCall(function(socket) {
+ if (++serverConnected === 2) {
+ server.close(common.mustCall());
+ server.on('close', common.mustCall());
+ }
+}, 2));
+
+server.listen(0, function() {
+ const client1options = {
+ port: this.address().port,
+ rejectUnauthorized: false
+ };
+ const client1 = tls.connect(client1options, common.mustCall(function() {
+ client1.end();
+ }));
+
+ const client2options = {
+ port: this.address().port,
+ rejectUnauthorized: false
+ };
+ const client2 = tls.connect(client2options);
+ client2.on('secureConnect', common.mustCall(function() {
+ client2.end();
+ }));
+});
diff --git a/test/disabled/test-tls-connect-stream-writes.js b/test/disabled/test-tls-connect-stream-writes.js
new file mode 100644
index 0000000..5266d6c
--- /dev/null
+++ b/test/disabled/test-tls-connect-stream-writes.js
@@ -0,0 +1,63 @@
+'use strict';
+const common = require('../common');
+const assert = require('assert');
+const fs = require('fs');
+const tls = require('tls');
+const stream = require('stream');
+const net = require('net');
+
+const cert_dir = common.fixturesDir;
+const options = { key: fs.readFileSync(`${cert_dir}/test_key.pem`),
+ cert: fs.readFileSync(`${cert_dir}/test_cert.pem`),
+ ca: [ fs.readFileSync(`${cert_dir}/test_ca.pem`) ],
+ ciphers: 'AES256-GCM-SHA384' };
+const content = 'hello world';
+const recv_bufs = [];
+let send_data = '';
+const server = tls.createServer(options, function(s) {
+ s.on('data', function(c) {
+ recv_bufs.push(c);
+ });
+});
+server.listen(0, function() {
+ const raw = net.connect(this.address().port);
+
+ let pending = false;
+ raw.on('readable', function() {
+ if (pending)
+ p._read();
+ });
+
+ let p = new stream.Duplex({
+ read: function read() {
+ pending = false;
+
+ const chunk = raw.read();
+ if (chunk) {
+ this.push(chunk);
+ } else {
+ pending = true;
+ }
+ },
+ write: function write(data, enc, cb) {
+ raw.write(data, enc, cb);
+ }
+ });
+
+ const socket = tls.connect({
+ socket: p,
+ rejectUnauthorized: false
+ }, function() {
+ for (let i = 0; i < 50; ++i) {
+ socket.write(content);
+ send_data += content;
+ }
+ socket.end();
+ server.close();
+ });
+});
+
+process.on('exit', function() {
+ const recv_data = (Buffer.concat(recv_bufs)).toString();
+ assert.strictEqual(send_data, recv_data);
+});
diff --git a/test/disabled/test-tls-connect.js b/test/disabled/test-tls-connect.js
new file mode 100644
index 0000000..b410f86
--- /dev/null
+++ b/test/disabled/test-tls-connect.js
@@ -0,0 +1,39 @@
+'use strict';
+const common = require('../common');
+const assert = require('assert');
+
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const tls = require('tls');
+const fs = require('fs');
+const path = require('path');
+
+// https://github.com/joyent/node/issues/1218
+// uncatchable exception on TLS connection error
+{
+ const cert = fs.readFileSync(path.join(common.fixturesDir, 'test_cert.pem'));
+ const key = fs.readFileSync(path.join(common.fixturesDir, 'test_key.pem'));
+
+ const options = {cert: cert, key: key, port: common.PORT};
+ const conn = tls.connect(options, common.fail);
+
+ conn.on('error', common.mustCall());
+}
+
+// SSL_accept/SSL_connect error handling
+{
+ const cert = fs.readFileSync(path.join(common.fixturesDir, 'test_cert.pem'));
+ const key = fs.readFileSync(path.join(common.fixturesDir, 'test_key.pem'));
+
+ const conn = tls.connect({
+ cert: cert,
+ key: key,
+ port: common.PORT,
+ ciphers: 'rick-128-roll'
+ }, function() {
+ assert.ok(false); // callback should never be executed
+ });
+
+ conn.on('error', common.mustCall());
+}
diff --git a/test/disabled/test-tls-delayed-attach-error.js b/test/disabled/test-tls-delayed-attach-error.js
new file mode 100644
index 0000000..9d37f15
--- /dev/null
+++ b/test/disabled/test-tls-delayed-attach-error.js
@@ -0,0 +1,36 @@
+'use strict';
+const common = require('../common');
+
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const tls = require('tls');
+const fs = require('fs');
+const net = require('net');
+
+const bonkers = Buffer.alloc(1024, 42);
+
+const options = {
+ key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`),
+ cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`)
+};
+
+const server = net.createServer(common.mustCall(function(c) {
+ setTimeout(common.mustCall(function() {
+ const s = new tls.TLSSocket(c, {
+ isServer: true,
+ secureContext: tls.createSecureContext(options)
+ });
+
+ s.on('_tlsError', common.mustCall());
+
+ s.on('close', function() {
+ server.close();
+ s.destroy();
+ });
+ }), 200);
+})).listen(0, function() {
+ const c = net.connect({port: this.address().port}, function() {
+ c.write(bonkers);
+ });
+});
diff --git a/test/disabled/test-tls-delayed-attach.js b/test/disabled/test-tls-delayed-attach.js
new file mode 100644
index 0000000..12ebb91
--- /dev/null
+++ b/test/disabled/test-tls-delayed-attach.js
@@ -0,0 +1,45 @@
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const assert = require('assert');
+const tls = require('tls');
+const fs = require('fs');
+const net = require('net');
+
+const sent = 'hello world';
+let received = '';
+
+const options = {
+ key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`),
+ cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`)
+};
+
+const server = net.createServer(function(c) {
+ setTimeout(function() {
+ const s = new tls.TLSSocket(c, {
+ isServer: true,
+ secureContext: tls.createSecureContext(options)
+ });
+
+ s.on('data', function(chunk) {
+ received += chunk;
+ });
+
+ s.on('end', function() {
+ server.close();
+ s.destroy();
+ });
+ }, 200);
+}).listen(0, function() {
+ const c = tls.connect(this.address().port, {
+ rejectUnauthorized: false
+ }, function() {
+ c.end(sent);
+ });
+});
+
+process.on('exit', function() {
+ assert.strictEqual(received, sent);
+});
diff --git a/test/disabled/test-tls-destroy-whilst-write.js b/test/disabled/test-tls-destroy-whilst-write.js
new file mode 100644
index 0000000..d157c7b
--- /dev/null
+++ b/test/disabled/test-tls-destroy-whilst-write.js
@@ -0,0 +1,27 @@
+'use strict';
+const common = require('../common');
+
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const tls = require('tls');
+const stream = require('stream');
+
+const delay = new stream.Duplex({
+ read: function read() {
+ },
+ write: function write(data, enc, cb) {
+ console.log('pending');
+ setImmediate(function() {
+ console.log('done');
+ cb();
+ });
+ }
+});
+
+const secure = tls.connect({
+ socket: delay
+});
+setImmediate(function() {
+ secure.destroy();
+});
diff --git a/test/disabled/test-tls-dhe.js b/test/disabled/test-tls-dhe.js
new file mode 100644
index 0000000..3e43fd2
--- /dev/null
+++ b/test/disabled/test-tls-dhe.js
@@ -0,0 +1,96 @@
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+if (!common.opensslCli)
+ common.skip('missing openssl-cli');
+
+const assert = require('assert');
+const tls = require('tls');
+const spawn = require('child_process').spawn;
+const fs = require('fs');
+
+const key = fs.readFileSync(`${common.fixturesDir}/keys/agent2-key.pem`);
+const cert = fs.readFileSync(`${common.fixturesDir}/keys/agent2-cert.pem`);
+let nsuccess = 0;
+let ntests = 0;
+const ciphers = 'DHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+
+
+function loadDHParam(n) {
+ let path = common.fixturesDir;
+ if (n !== 'error') path += '/keys';
+ return fs.readFileSync(`${path}/dh${n}.pem`);
+}
+
+function test(keylen, expectedCipher, cb) {
+ const options = {
+ key: key,
+ cert: cert,
+ ciphers: ciphers,
+ dhparam: loadDHParam(keylen)
+ };
+
+ const server = tls.createServer(options, function(conn) {
+ conn.end();
+ });
+
+ server.on('close', function(err) {
+ assert(!err);
+ if (cb) cb();
+ });
+
+ server.listen(0, '127.0.0.1', function() {
+ const args = ['s_client', '-connect', `127.0.0.1:${this.address().port}`,
+ '-cipher', ciphers];
+
+ // for the performance and stability issue in s_client on Windows
+ if (common.isWindows)
+ args.push('-no_rand_screen');
+
+ const client = spawn(common.opensslCli, args);
+ let out = '';
+ client.stdout.setEncoding('utf8');
+ client.stdout.on('data', function(d) {
+ out += d;
+ });
+ client.stdout.on('end', function() {
+ // DHE key length can be checked -brief option in s_client but it
+ // is only supported in openssl 1.0.2 so we cannot check it.
+ const reg = new RegExp(`Cipher : ${expectedCipher}`);
+ if (reg.test(out)) {
+ nsuccess++;
+ server.close();
+ }
+ });
+ });
+}
+
+function test512() {
+ assert.throws(function() {
+ test(512, 'DHE-RSA-AES128-SHA256', null);
+ }, /DH parameter is less than 1024 bits/);
+}
+
+function test1024() {
+ test(1024, 'DHE-RSA-AES128-SHA256', test2048);
+ ntests++;
+}
+
+function test2048() {
+ test(2048, 'DHE-RSA-AES128-SHA256', testError);
+ ntests++;
+}
+
+function testError() {
+ test('error', 'ECDHE-RSA-AES128-SHA256', test512);
+ ntests++;
+}
+
+test1024();
+
+process.on('exit', function() {
+ assert.strictEqual(ntests, nsuccess);
+ assert.strictEqual(ntests, 3);
+});
diff --git a/test/disabled/test-tls-ecdh-disable.js b/test/disabled/test-tls-ecdh-disable.js
new file mode 100644
index 0000000..a44ce2c
--- /dev/null
+++ b/test/disabled/test-tls-ecdh-disable.js
@@ -0,0 +1,37 @@
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+if (!common.opensslCli)
+ common.skip('missing openssl-cli');
+
+const assert = require('assert');
+const tls = require('tls');
+const exec = require('child_process').exec;
+const fs = require('fs');
+
+const options = {
+ key: fs.readFileSync(`${common.fixturesDir}/keys/agent2-key.pem`),
+ cert: fs.readFileSync(`${common.fixturesDir}/keys/agent2-cert.pem`),
+ ciphers: 'ECDHE-RSA-RC4-SHA',
+ ecdhCurve: false
+};
+
+const server = tls.createServer(options, common.mustNotCall());
+
+server.listen(0, '127.0.0.1', common.mustCall(function() {
+ let cmd = `"${common.opensslCli}" s_client -cipher ${
+ options.ciphers} -connect 127.0.0.1:${this.address().port}`;
+
+ // for the performance and stability issue in s_client on Windows
+ if (common.isWindows)
+ cmd += ' -no_rand_screen';
+
+ exec(cmd, common.mustCall(function(err, stdout, stderr) {
+ // Old versions of openssl will still exit with 0 so we
+ // can't just check if err is not null.
+ assert(stderr.includes('handshake failure'));
+ server.close();
+ }));
+}));
diff --git a/test/disabled/test-tls-ecdh.js b/test/disabled/test-tls-ecdh.js
new file mode 100644
index 0000000..32df9c1
--- /dev/null
+++ b/test/disabled/test-tls-ecdh.js
@@ -0,0 +1,42 @@
+'use strict';
+const common = require('../common');
+
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+if (!common.opensslCli)
+ common.skip('missing openssl-cli');
+
+const assert = require('assert');
+const tls = require('tls');
+
+const exec = require('child_process').exec;
+const fs = require('fs');
+
+const options = {
+ key: fs.readFileSync(`${common.fixturesDir}/keys/agent2-key.pem`),
+ cert: fs.readFileSync(`${common.fixturesDir}/keys/agent2-cert.pem`),
+ ciphers: '-ALL:ECDHE-RSA-AES128-SHA256',
+ ecdhCurve: 'prime256v1'
+};
+
+const reply = 'I AM THE WALRUS'; // something recognizable
+
+const server = tls.createServer(options, common.mustCall(function(conn) {
+ conn.end(reply);
+}));
+
+server.listen(0, '127.0.0.1', common.mustCall(function() {
+ let cmd = `"${common.opensslCli}" s_client -cipher ${
+ options.ciphers} -connect 127.0.0.1:${this.address().port}`;
+
+ // for the performance and stability issue in s_client on Windows
+ if (common.isWindows)
+ cmd += ' -no_rand_screen';
+
+ exec(cmd, common.mustCall(function(err, stdout, stderr) {
+ if (err) throw err;
+ assert(stdout.includes(reply));
+ server.close();
+ }));
+}));
diff --git a/test/disabled/test-tls-econnreset.js b/test/disabled/test-tls-econnreset.js
new file mode 100644
index 0000000..fb3cb2f
--- /dev/null
+++ b/test/disabled/test-tls-econnreset.js
@@ -0,0 +1,76 @@
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const assert = require('assert');
+const tls = require('tls');
+
+const cacert =
+`-----BEGIN CERTIFICATE-----
+MIIBxTCCAX8CAnXnMA0GCSqGSIb3DQEBBQUAMH0xCzAJBgNVBAYTAlVTMQswCQYD
+VQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEZMBcGA1UEChMQU3Ryb25n
+TG9vcCwgSW5jLjESMBAGA1UECxMJU3Ryb25nT3BzMRowGAYDVQQDExFjYS5zdHJv
+bmdsb29wLmNvbTAeFw0xNDAxMTcyMjE1MDdaFw00MTA2MDMyMjE1MDdaMH0xCzAJ
+BgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEZ
+MBcGA1UEChMQU3Ryb25nTG9vcCwgSW5jLjESMBAGA1UECxMJU3Ryb25nT3BzMRow
+GAYDVQQDExFjYS5zdHJvbmdsb29wLmNvbTBMMA0GCSqGSIb3DQEBAQUAAzsAMDgC
+MQDKbQ6rIR5t1q1v4Ha36jrq0IkyUohy9EYNvLnXUly1PGqxby0ILlAVJ8JawpY9
+AVkCAwEAATANBgkqhkiG9w0BAQUFAAMxALA1uS4CqQXRSAyYTfio5oyLGz71a+NM
++0AFLBwh5AQjhGd0FcenU4OfHxyDEOJT/Q==
+-----END CERTIFICATE-----`;
+
+const cert =
+`-----BEGIN CERTIFICATE-----
+MIIBfDCCATYCAgQaMA0GCSqGSIb3DQEBBQUAMH0xCzAJBgNVBAYTAlVTMQswCQYD
+VQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEZMBcGA1UEChMQU3Ryb25n
+TG9vcCwgSW5jLjESMBAGA1UECxMJU3Ryb25nT3BzMRowGAYDVQQDExFjYS5zdHJv
+bmdsb29wLmNvbTAeFw0xNDAxMTcyMjE1MDdaFw00MTA2MDMyMjE1MDdaMBkxFzAV
+BgNVBAMTDnN0cm9uZ2xvb3AuY29tMEwwDQYJKoZIhvcNAQEBBQADOwAwOAIxAMfk
+I0LWU15pPUwIQNMnRVhhOibi0TQmAau8FBtgwEfGK01WpfGUaJr1a41K8Uq7xwID
+AQABoxkwFzAVBgNVHREEDjAMhwQAAAAAhwR/AAABMA0GCSqGSIb3DQEBBQUAAzEA
+cGpYrhkrb7mIh9DNhV0qp7pGjqBzlHqB7KQXw2luLDp//6dyHBMexDCQznkhZKRU
+-----END CERTIFICATE-----`;
+
+const key =
+`-----BEGIN RSA PRIVATE KEY-----
+MIH0AgEAAjEAx+QjQtZTXmk9TAhA0ydFWGE6JuLRNCYBq7wUG2DAR8YrTVal8ZRo
+mvVrjUrxSrvHAgMBAAECMBCGccvSwC2r8Z9Zh1JtirQVxaL1WWpAQfmVwLe0bAgg
+/JWMU/6hS36TsYyZMxwswQIZAPTAfht/zDLb7Hwgu2twsS1Ra9w/yyvtlwIZANET
+26votwJAHK1yUrZGA5nnp5qcmQ/JUQIZAII5YV/UUZvF9D/fUplJ7puENPWNY9bN
+pQIZAMMwxuS3XiO7two2sQF6W+JTYyX1DPCwAQIZAOYg1TvEGT38k8e8jygv8E8w
+YqrWTeQFNQ==
+-----END RSA PRIVATE KEY-----`;
+
+const ca = [ cert, cacert ];
+
+let clientError = null;
+let connectError = null;
+
+const server =
+ tls.createServer({ ca: ca, cert: cert, key: key }, function(conn) {
+ throw 'unreachable';
+ }).on('tlsClientError', function(err, conn) {
+ assert(!clientError && conn);
+ clientError = err;
+ }).listen(0, function() {
+ const options = {
+ ciphers: 'AES128-GCM-SHA256',
+ port: this.address().port,
+ ca: ca
+ };
+ tls.connect(options).on('error', function(err) {
+ assert(!connectError);
+
+ connectError = err;
+ this.destroy();
+ server.close();
+ }).write('123');
+ });
+
+process.on('exit', function() {
+ assert(clientError);
+ assert(connectError);
+ assert(/socket hang up/.test(clientError.message));
+ assert(/ECONNRESET/.test(clientError.code));
+});
diff --git a/test/disabled/test-tls-empty-sni-context.js b/test/disabled/test-tls-empty-sni-context.js
new file mode 100644
index 0000000..3f39d6e
--- /dev/null
+++ b/test/disabled/test-tls-empty-sni-context.js
@@ -0,0 +1,34 @@
+'use strict';
+
+const common = require('../common');
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+if (!process.features.tls_sni)
+ common.skip('node compiled without OpenSSL or with old OpenSSL version.');
+
+const assert = require('assert');
+const tls = require('tls');
+
+const options = {
+ SNICallback: (name, callback) => {
+ callback(null, tls.createSecureContext());
+ }
+};
+
+const server = tls.createServer(options, (c) => {
+ common.fail('Should not be called');
+}).on('tlsClientError', common.mustCall((err, c) => {
+ assert(/SSL_use_certificate:passed a null parameter/i.test(err.message));
+ server.close();
+})).listen(0, common.mustCall(() => {
+ const c = tls.connect({
+ port: server.address().port,
+ rejectUnauthorized: false,
+ servername: 'any.name'
+ }, common.mustNotCall());
+
+ c.on('error', common.mustCall((err) => {
+ assert(/socket hang up/.test(err.message));
+ }));
+}));
diff --git a/test/disabled/test-tls-env-bad-extra-ca.js b/test/disabled/test-tls-env-bad-extra-ca.js
new file mode 100644
index 0000000..ece93f3
--- /dev/null
+++ b/test/disabled/test-tls-env-bad-extra-ca.js
@@ -0,0 +1,39 @@
+// Setting NODE_EXTRA_CA_CERTS to non-existent file emits a warning
+
+'use strict';
+const common = require('../common');
+
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const assert = require('assert');
+const tls = require('tls');
+const fork = require('child_process').fork;
+
+if (process.env.CHILD) {
+ // This will try to load the extra CA certs, and emit a warning when it fails.
+ return tls.createServer({});
+}
+
+const env = {
+ CHILD: 'yes',
+ NODE_EXTRA_CA_CERTS: `${common.fixturesDir}/no-such-file-exists`,
+};
+
+const opts = {
+ env: env,
+ silent: true,
+};
+let stderr = '';
+
+fork(__filename, opts)
+ .on('exit', common.mustCall(function(status) {
+ assert.strictEqual(status, 0, 'client did not succeed in connecting');
+ }))
+ .on('close', common.mustCall(function() {
+ const re = /Warning: Ignoring extra certs from.*no-such-file-exists.* load failed:.*No such file or directory/;
+ assert(re.test(stderr), stderr);
+ }))
+ .stderr.setEncoding('utf8').on('data', function(str) {
+ stderr += str;
+ });
diff --git a/test/disabled/test-tls-env-extra-ca.js b/test/disabled/test-tls-env-extra-ca.js
new file mode 100644
index 0000000..be7c826
--- /dev/null
+++ b/test/disabled/test-tls-env-extra-ca.js
@@ -0,0 +1,44 @@
+// Certs in NODE_EXTRA_CA_CERTS are used for TLS peer validation
+
+'use strict';
+const common = require('../common');
+
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const assert = require('assert');
+const fs = require('fs');
+const tls = require('tls');
+
+const fork = require('child_process').fork;
+
+if (process.env.CHILD) {
+ const copts = {
+ port: process.env.PORT,
+ checkServerIdentity: common.mustCall(),
+ };
+ const client = tls.connect(copts, common.mustCall(function() {
+ client.end('hi');
+ }));
+ return;
+}
+
+const options = {
+ key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`),
+ cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`),
+};
+
+const server = tls.createServer(options, common.mustCall(function(s) {
+ s.end('bye');
+ server.close();
+})).listen(0, common.mustCall(function() {
+ const env = {
+ CHILD: 'yes',
+ PORT: this.address().port,
+ NODE_EXTRA_CA_CERTS: `${common.fixturesDir}/keys/ca1-cert.pem`,
+ };
+
+ fork(__filename, {env: env}).on('exit', common.mustCall(function(status) {
+ assert.strictEqual(status, 0, 'client did not succeed in connecting');
+ }));
+}));
diff --git a/test/disabled/test-tls-external-accessor.js b/test/disabled/test-tls-external-accessor.js
new file mode 100644
index 0000000..2d7b1f6
--- /dev/null
+++ b/test/disabled/test-tls-external-accessor.js
@@ -0,0 +1,22 @@
+'use strict';
+
+const common = require('../common');
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const assert = require('assert');
+const tls = require('tls');
+
+// Ensure accessing ._external doesn't hit an assert in the accessor method.
+{
+ const pctx = tls.createSecureContext().context;
+ const cctx = Object.create(pctx);
+ assert.throws(() => cctx._external, /incompatible receiver/);
+ pctx._external;
+}
+{
+ const pctx = tls.createSecurePair().credentials.context;
+ const cctx = Object.create(pctx);
+ assert.throws(() => cctx._external, /incompatible receiver/);
+ pctx._external;
+}
diff --git a/test/disabled/test-tls-fast-writing.js b/test/disabled/test-tls-fast-writing.js
new file mode 100644
index 0000000..b8605ca
--- /dev/null
+++ b/test/disabled/test-tls-fast-writing.js
@@ -0,0 +1,60 @@
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const assert = require('assert');
+const tls = require('tls');
+const fs = require('fs');
+
+const dir = common.fixturesDir;
+const options = { key: fs.readFileSync(`${dir}/test_key.pem`),
+ cert: fs.readFileSync(`${dir}/test_cert.pem`),
+ ca: [ fs.readFileSync(`${dir}/test_ca.pem`) ] };
+
+const server = tls.createServer(options, onconnection);
+let gotChunk = false;
+let gotDrain = false;
+
+setTimeout(function() {
+ console.log('not ok - timed out');
+ process.exit(1);
+}, common.platformTimeout(1000));
+
+function onconnection(conn) {
+ conn.on('data', function(c) {
+ if (!gotChunk) {
+ gotChunk = true;
+ console.log('ok - got chunk');
+ }
+
+ // just some basic sanity checks.
+ assert(c.length);
+ assert(Buffer.isBuffer(c));
+
+ if (gotDrain)
+ process.exit(0);
+ });
+}
+
+server.listen(0, function() {
+ const chunk = Buffer.alloc(1024, 'x');
+ const opt = { port: this.address().port, rejectUnauthorized: false };
+ const conn = tls.connect(opt, function() {
+ conn.on('drain', ondrain);
+ write();
+ });
+ function ondrain() {
+ if (!gotDrain) {
+ gotDrain = true;
+ console.log('ok - got drain');
+ }
+ if (gotChunk)
+ process.exit(0);
+ write();
+ }
+ function write() {
+ // this needs to return false eventually
+ while (false !== conn.write(chunk));
+ }
+});
diff --git a/test/disabled/test-tls-friendly-error-message.js b/test/disabled/test-tls-friendly-error-message.js
new file mode 100644
index 0000000..51ce0d0
--- /dev/null
+++ b/test/disabled/test-tls-friendly-error-message.js
@@ -0,0 +1,23 @@
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const assert = require('assert');
+const tls = require('tls');
+const fs = require('fs');
+
+const key = fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`);
+const cert = fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`);
+
+tls.createServer({ key: key, cert: cert }, common.mustCall(function(conn) {
+ conn.end();
+ this.close();
+})).listen(0, common.mustCall(function() {
+ const options = { port: this.address().port, rejectUnauthorized: true };
+ tls.connect(options).on('error', common.mustCall(function(err) {
+ assert.strictEqual(err.code, 'UNABLE_TO_VERIFY_LEAF_SIGNATURE');
+ assert.strictEqual(err.message, 'unable to verify the first certificate');
+ this.destroy();
+ }));
+}));
diff --git a/test/disabled/test-tls-getcipher.js b/test/disabled/test-tls-getcipher.js
new file mode 100644
index 0000000..dc3ff1b
--- /dev/null
+++ b/test/disabled/test-tls-getcipher.js
@@ -0,0 +1,36 @@
+'use strict';
+const common = require('../common');
+
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const assert = require('assert');
+const tls = require('tls');
+
+const fs = require('fs');
+const cipher_list = ['AES128-SHA256', 'AES256-SHA256'];
+const cipher_version_pattern = /TLS|SSL/;
+const options = {
+ key: fs.readFileSync(`${common.fixturesDir}/keys/agent2-key.pem`),
+ cert: fs.readFileSync(`${common.fixturesDir}/keys/agent2-cert.pem`),
+ ciphers: cipher_list.join(':'),
+ honorCipherOrder: true
+};
+
+const server = tls.createServer(options,
+ common.mustCall(function(cleartextStream) {}));
+
+server.listen(0, '127.0.0.1', common.mustCall(function() {
+ const client = tls.connect({
+ host: '127.0.0.1',
+ port: this.address().port,
+ ciphers: cipher_list.join(':'),
+ rejectUnauthorized: false
+ }, common.mustCall(function() {
+ const cipher = client.getCipher();
+ assert.strictEqual(cipher.name, cipher_list[0]);
+ assert(cipher_version_pattern.test(cipher.version));
+ client.end();
+ server.close();
+ }));
+}));
diff --git a/test/disabled/test-tls-getprotocol.js b/test/disabled/test-tls-getprotocol.js
new file mode 100644
index 0000000..dd96aa6
--- /dev/null
+++ b/test/disabled/test-tls-getprotocol.js
@@ -0,0 +1,40 @@
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const assert = require('assert');
+const tls = require('tls');
+const fs = require('fs');
+
+const clientConfigs = [
+ { secureProtocol: 'TLSv1_method', version: 'TLSv1' },
+ { secureProtocol: 'TLSv1_1_method', version: 'TLSv1.1' },
+ { secureProtocol: 'TLSv1_2_method', version: 'TLSv1.2' }
+];
+
+const serverConfig = {
+ key: fs.readFileSync(`${common.fixturesDir}/keys/agent2-key.pem`),
+ cert: fs.readFileSync(`${common.fixturesDir}/keys/agent2-cert.pem`)
+};
+
+const server = tls.createServer(serverConfig, common.mustCall(function() {
+
+}, clientConfigs.length)).listen(0, common.localhostIPv4, function() {
+ let connected = 0;
+ clientConfigs.forEach(function(v) {
+ tls.connect({
+ host: common.localhostIPv4,
+ port: server.address().port,
+ rejectUnauthorized: false,
+ secureProtocol: v.secureProtocol
+ }, common.mustCall(function() {
+ assert.strictEqual(this.getProtocol(), v.version);
+ this.on('end', common.mustCall(function() {
+ assert.strictEqual(this.getProtocol(), null);
+ })).end();
+ if (++connected === clientConfigs.length)
+ server.close();
+ }));
+ });
+});
diff --git a/test/disabled/test-tls-handshake-error.js b/test/disabled/test-tls-handshake-error.js
new file mode 100644
index 0000000..9ae1f31
--- /dev/null
+++ b/test/disabled/test-tls-handshake-error.js
@@ -0,0 +1,32 @@
+'use strict';
+
+const common = require('../common');
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const assert = require('assert');
+const tls = require('tls');
+const fs = require('fs');
+
+const server = tls.createServer({
+ key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`),
+ cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`),
+ rejectUnauthorized: true
+}, function(c) {
+}).listen(0, common.mustCall(function() {
+ const c = tls.connect({
+ port: this.address().port,
+ ciphers: 'RC4'
+ }, function() {
+ assert(false, 'should not be called');
+ });
+
+ c.on('error', common.mustCall(function(err) {
+ assert.notStrictEqual(err.code, 'ECONNRESET');
+ }));
+
+ c.on('close', common.mustCall(function(err) {
+ assert.ok(err);
+ server.close();
+ }));
+}));
diff --git a/test/disabled/test-tls-handshake-nohang.js b/test/disabled/test-tls-handshake-nohang.js
new file mode 100644
index 0000000..5c65ca4
--- /dev/null
+++ b/test/disabled/test-tls-handshake-nohang.js
@@ -0,0 +1,11 @@
+'use strict';
+const common = require('../common');
+
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const tls = require('tls');
+
+// neither should hang
+tls.createSecurePair(null, false, false, false);
+tls.createSecurePair(null, true, false, false);
diff --git a/test/disabled/test-tls-hello-parser-failure.js b/test/disabled/test-tls-hello-parser-failure.js
new file mode 100644
index 0000000..a6659d4
--- /dev/null
+++ b/test/disabled/test-tls-hello-parser-failure.js
@@ -0,0 +1,41 @@
+'use strict';
+
+const common = require('../common');
+
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const assert = require('assert');
+const tls = require('tls');
+
+const net = require('net');
+const fs = require('fs');
+
+const options = {
+ key: fs.readFileSync(`${common.fixturesDir}/test_key.pem`),
+ cert: fs.readFileSync(`${common.fixturesDir}/test_cert.pem`)
+};
+
+const bonkers = Buffer.alloc(1024 * 1024, 42);
+
+const server = tls.createServer(options, function(c) {
+
+}).listen(0, common.mustCall(function() {
+ const client = net.connect(this.address().port, common.mustCall(function() {
+ client.write(bonkers);
+ }));
+
+ const writeAgain = setImmediate(function() {
+ client.write(bonkers);
+ });
+
+ client.once('error', common.mustCall(function(err) {
+ clearImmediate(writeAgain);
+ client.destroy();
+ server.close();
+ }));
+
+ client.on('close', common.mustCall(function(hadError) {
+ assert.strictEqual(hadError, true, 'Client never errored');
+ }));
+}));
diff --git a/test/disabled/test-tls-honorcipherorder.js b/test/disabled/test-tls-honorcipherorder.js
new file mode 100644
index 0000000..a9d35a0
--- /dev/null
+++ b/test/disabled/test-tls-honorcipherorder.js
@@ -0,0 +1,97 @@
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const assert = require('assert');
+const tls = require('tls');
+const fs = require('fs');
+
+let nconns = 0;
+
+// We explicitly set TLS version to 1.2 so as to be safe when the
+// default method is updated in the future
+const SSL_Method = 'TLSv1_2_method';
+const localhost = '127.0.0.1';
+
+process.on('exit', function() {
+ assert.strictEqual(nconns, 6);
+});
+
+function test(honorCipherOrder, clientCipher, expectedCipher, cb) {
+ const soptions = {
+ secureProtocol: SSL_Method,
+ key: fs.readFileSync(`${common.fixturesDir}/keys/agent2-key.pem`),
+ cert: fs.readFileSync(`${common.fixturesDir}/keys/agent2-cert.pem`),
+ ciphers: 'AES256-SHA256:AES128-GCM-SHA256:AES128-SHA256:' +
+ 'ECDHE-RSA-AES128-GCM-SHA256',
+ honorCipherOrder: !!honorCipherOrder
+ };
+
+ const server = tls.createServer(soptions, function(cleartextStream) {
+ nconns++;
+
+ // End socket to send CLOSE_NOTIFY and TCP FIN packet, otherwise
+ // it may hang for ~30 seconds in FIN_WAIT_1 state (at least on OSX).
+ cleartextStream.end();
+ });
+ server.listen(0, localhost, function() {
+ const coptions = {
+ rejectUnauthorized: false,
+ secureProtocol: SSL_Method
+ };
+ if (clientCipher) {
+ coptions.ciphers = clientCipher;
+ }
+ const port = this.address().port;
+ const client = tls.connect(port, localhost, coptions, function() {
+ const cipher = client.getCipher();
+ client.end();
+ server.close();
+ assert.strictEqual(cipher.name, expectedCipher);
+ if (cb) cb();
+ });
+ });
+}
+
+test1();
+
+function test1() {
+ // Client has the preference of cipher suites by default
+ test(false, 'AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256',
+ 'AES128-GCM-SHA256', test2);
+}
+
+function test2() {
+ // Server has the preference of cipher suites, and AES256-SHA256 is
+ // the server's top choice.
+ test(true, 'AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256',
+ 'AES256-SHA256', test3);
+}
+
+function test3() {
+ // Server has the preference of cipher suites. AES128-GCM-SHA256 is given
+ // higher priority over AES128-SHA256 among client cipher suites.
+ test(true, 'AES128-SHA256:AES128-GCM-SHA256', 'AES128-GCM-SHA256', test4);
+
+}
+
+function test4() {
+ // As client has only one cipher, server has no choice, irrespective
+ // of honorCipherOrder.
+ test(true, 'AES128-SHA256', 'AES128-SHA256', test5);
+}
+
+function test5() {
+ // Client did not explicitly set ciphers and client offers
+ // tls.DEFAULT_CIPHERS. All ciphers of the server are included in the
+ // default list so the negotiated cipher is selected according to the
+ // server's top preference of AES256-SHA256.
+ test(true, null, 'AES256-SHA256', test6);
+}
+
+function test6() {
+ // Ensure that `tls.DEFAULT_CIPHERS` is used
+ tls.DEFAULT_CIPHERS = 'ECDHE-RSA-AES128-GCM-SHA256';
+ test(true, null, 'ECDHE-RSA-AES128-GCM-SHA256');
+}
diff --git a/test/disabled/test-tls-inception.js b/test/disabled/test-tls-inception.js
new file mode 100644
index 0000000..50debbc
--- /dev/null
+++ b/test/disabled/test-tls-inception.js
@@ -0,0 +1,66 @@
+'use strict';
+const common = require('../common');
+
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const assert = require('assert');
+const tls = require('tls');
+
+const fs = require('fs');
+const path = require('path');
+const net = require('net');
+
+const options = {
+ key: fs.readFileSync(path.join(common.fixturesDir, 'test_key.pem')),
+ cert: fs.readFileSync(path.join(common.fixturesDir, 'test_cert.pem'))
+};
+
+const body = 'A'.repeat(40000);
+
+// the "proxy" server
+const a = tls.createServer(options, function(socket) {
+ const myOptions = {
+ host: '127.0.0.1',
+ port: b.address().port,
+ rejectUnauthorized: false
+ };
+ const dest = net.connect(myOptions);
+ dest.pipe(socket);
+ socket.pipe(dest);
+
+ dest.on('end', function() {
+ socket.destroy();
+ });
+});
+
+// the "target" server
+const b = tls.createServer(options, function(socket) {
+ socket.end(body);
+});
+
+a.listen(0, function() {
+ b.listen(0, function() {
+ const myOptions = {
+ host: '127.0.0.1',
+ port: a.address().port,
+ rejectUnauthorized: false
+ };
+ const socket = tls.connect(myOptions);
+ const ssl = tls.connect({
+ socket: socket,
+ rejectUnauthorized: false
+ });
+ ssl.setEncoding('utf8');
+ let buf = '';
+ ssl.on('data', function(data) {
+ buf += data;
+ });
+ ssl.on('end', common.mustCall(function() {
+ assert.strictEqual(buf, body);
+ ssl.end();
+ a.close();
+ b.close();
+ }));
+ });
+});
diff --git a/test/disabled/test-tls-interleave.js b/test/disabled/test-tls-interleave.js
new file mode 100644
index 0000000..15d617c
--- /dev/null
+++ b/test/disabled/test-tls-interleave.js
@@ -0,0 +1,55 @@
+'use strict';
+const common = require('../common');
+
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const assert = require('assert');
+
+const tls = require('tls');
+
+const fs = require('fs');
+
+const dir = common.fixturesDir;
+const options = { key: fs.readFileSync(`${dir}/test_key.pem`),
+ cert: fs.readFileSync(`${dir}/test_cert.pem`),
+ ca: [ fs.readFileSync(`${dir}/test_ca.pem`) ] };
+
+const writes = [
+ 'some server data',
+ 'and a separate packet',
+ 'and one more',
+];
+let receivedWrites = 0;
+
+const server = tls.createServer(options, function(c) {
+ writes.forEach(function(str) {
+ c.write(str);
+ });
+}).listen(0, common.mustCall(function() {
+ const connectOpts = { rejectUnauthorized: false };
+ const c = tls.connect(this.address().port, connectOpts, function() {
+ c.write('some client data');
+ c.on('readable', function() {
+ let data = c.read();
+ if (data === null)
+ return;
+
+ data = data.toString();
+ while (data.length !== 0) {
+ assert(data.startsWith(writes[receivedWrites]));
+ data = data.slice(writes[receivedWrites].length);
+
+ if (++receivedWrites === writes.length) {
+ c.end();
+ server.close();
+ }
+ }
+ });
+ });
+}));
+
+
+process.on('exit', function() {
+ assert.strictEqual(receivedWrites, writes.length);
+});
diff --git a/test/disabled/test-tls-invoke-queued.js b/test/disabled/test-tls-invoke-queued.js
new file mode 100644
index 0000000..3d4cb8b
--- /dev/null
+++ b/test/disabled/test-tls-invoke-queued.js
@@ -0,0 +1,37 @@
+'use strict';
+const common = require('../common');
+
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const assert = require('assert');
+const fs = require('fs');
+const tls = require('tls');
+
+let received = '';
+
+const server = tls.createServer({
+ key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`),
+ cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`)
+}, common.mustCall(function(c) {
+ c._write('hello ', null, common.mustCall(function() {
+ c._write('world!', null, common.mustCall(function() {
+ c.destroy();
+ }));
+ // Data on next _write() will be written but callback will not be invoked
+ c._write(' gosh', null, common.mustNotCall());
+ }));
+
+ server.close();
+})).listen(0, common.mustCall(function() {
+ const c = tls.connect(this.address().port, {
+ rejectUnauthorized: false
+ }, common.mustCall(function() {
+ c.on('data', function(chunk) {
+ received += chunk;
+ });
+ c.on('end', common.mustCall(function() {
+ assert.strictEqual(received, 'hello world! gosh');
+ }));
+ }));
+}));
diff --git a/test/disabled/test-tls-js-stream.js b/test/disabled/test-tls-js-stream.js
new file mode 100644
index 0000000..56f62ae
--- /dev/null
+++ b/test/disabled/test-tls-js-stream.js
@@ -0,0 +1,73 @@
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const assert = require('assert');
+const tls = require('tls');
+const stream = require('stream');
+const fs = require('fs');
+const net = require('net');
+
+const connected = {
+ client: 0,
+ server: 0
+};
+
+const server = tls.createServer({
+ key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`),
+ cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`)
+}, function(c) {
+ console.log('new client');
+ connected.server++;
+ c.end('ohai');
+}).listen(0, function() {
+ const raw = net.connect(this.address().port);
+
+ let pending = false;
+ raw.on('readable', function() {
+ if (pending)
+ p._read();
+ });
+
+ let p = new stream.Duplex({
+ read: function read() {
+ pending = false;
+
+ const chunk = raw.read();
+ if (chunk) {
+ console.log('read', chunk);
+ this.push(chunk);
+ } else {
+ pending = true;
+ }
+ },
+ write: function write(data, enc, cb) {
+ console.log('write', data, enc);
+ raw.write(data, enc, cb);
+ }
+ });
+
+ const socket = tls.connect({
+ socket: p,
+ rejectUnauthorized: false
+ }, function() {
+ console.log('client secure');
+
+ connected.client++;
+
+ socket.end('hello');
+ socket.resume();
+ socket.destroy();
+ });
+
+ socket.once('close', function() {
+ console.log('client close');
+ server.close();
+ });
+});
+
+process.once('exit', function() {
+ assert.strictEqual(connected.client, 1);
+ assert.strictEqual(connected.server, 1);
+});
diff --git a/test/disabled/test-tls-junk-closes-server.js b/test/disabled/test-tls-junk-closes-server.js
new file mode 100644
index 0000000..33b0583
--- /dev/null
+++ b/test/disabled/test-tls-junk-closes-server.js
@@ -0,0 +1,28 @@
+'use strict';
+const common = require('../common');
+
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const tls = require('tls');
+const fs = require('fs');
+const net = require('net');
+
+const options = {
+ key: fs.readFileSync(`${common.fixturesDir}/keys/agent2-key.pem`),
+ cert: fs.readFileSync(`${common.fixturesDir}/keys/agent2-cert.pem`)
+};
+
+const server = tls.createServer(options, common.mustNotCall());
+
+server.listen(0, common.mustCall(function() {
+ const c = net.createConnection(this.address().port);
+
+ c.on('connect', common.mustCall(function() {
+ c.write('blah\nblah\nblah\n');
+ }));
+
+ c.on('end', common.mustCall(function() {
+ server.close();
+ }));
+}));
diff --git a/test/disabled/test-tls-junk-server.js b/test/disabled/test-tls-junk-server.js
new file mode 100644
index 0000000..3270dec
--- /dev/null
+++ b/test/disabled/test-tls-junk-server.js
@@ -0,0 +1,27 @@
+'use strict';
+const common = require('../common');
+
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const assert = require('assert');
+const https = require('https');
+const net = require('net');
+
+const server = net.createServer(function(s) {
+ s.once('data', function() {
+ s.end('I was waiting for you, hello!', function() {
+ s.destroy();
+ });
+ });
+});
+
+server.listen(0, function() {
+ const req = https.request({ port: this.address().port });
+ req.end();
+
+ req.once('error', common.mustCall(function(err) {
+ assert(/unknown protocol/.test(err.message));
+ server.close();
+ }));
+});
diff --git a/test/disabled/test-tls-key-mismatch.js b/test/disabled/test-tls-key-mismatch.js
new file mode 100644
index 0000000..c301646
--- /dev/null
+++ b/test/disabled/test-tls-key-mismatch.js
@@ -0,0 +1,20 @@
+'use strict';
+const common = require('../common');
+
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const assert = require('assert');
+const tls = require('tls');
+const fs = require('fs');
+const errorMessageRegex =
+ /^Error: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch$/;
+
+const options = {
+ key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`),
+ cert: fs.readFileSync(`${common.fixturesDir}/keys/agent2-cert.pem`)
+};
+
+assert.throws(function() {
+ tls.createSecureContext(options);
+}, errorMessageRegex);
diff --git a/test/disabled/test-tls-legacy-onselect.js b/test/disabled/test-tls-legacy-onselect.js
new file mode 100644
index 0000000..4b66f31
--- /dev/null
+++ b/test/disabled/test-tls-legacy-onselect.js
@@ -0,0 +1,27 @@
+'use strict';
+const common = require('../common');
+
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const tls = require('tls');
+const net = require('net');
+
+const server = net.Server(common.mustCall(function(raw) {
+ const pair = tls.createSecurePair(null, true, false, false);
+ pair.on('error', () => {});
+ pair.ssl.setSNICallback(common.mustCall(function() {
+ raw.destroy();
+ server.close();
+ }));
+ require('_tls_legacy').pipe(pair, raw);
+})).listen(0, function() {
+ tls.connect({
+ port: this.address().port,
+ rejectUnauthorized: false,
+ servername: 'server'
+ }, function() {
+ }).on('error', function() {
+ // Just ignore
+ });
+});
diff --git a/test/disabled/test-tls-max-send-fragment.js b/test/disabled/test-tls-max-send-fragment.js
new file mode 100644
index 0000000..1f9dd33
--- /dev/null
+++ b/test/disabled/test-tls-max-send-fragment.js
@@ -0,0 +1,42 @@
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const assert = require('assert');
+const tls = require('tls');
+const fs = require('fs');
+
+const buf = Buffer.allocUnsafe(10000);
+let received = 0;
+const maxChunk = 768;
+
+const server = tls.createServer({
+ key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`),
+ cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`)
+}, function(c) {
+ // Lower and upper limits
+ assert(!c.setMaxSendFragment(511));
+ assert(!c.setMaxSendFragment(16385));
+
+ // Correct fragment size
+ assert(c.setMaxSendFragment(maxChunk));
+
+ c.end(buf);
+}).listen(0, common.mustCall(function() {
+ const c = tls.connect(this.address().port, {
+ rejectUnauthorized: false
+ }, common.mustCall(function() {
+ c.on('data', function(chunk) {
+ assert(chunk.length <= maxChunk);
+ received += chunk.length;
+ });
+
+ // Ensure that we receive 'end' event anyway
+ c.on('end', common.mustCall(function() {
+ c.destroy();
+ server.close();
+ assert.strictEqual(received, buf.length);
+ }));
+ }));
+}));
diff --git a/test/disabled/test-tls-multi-key.js b/test/disabled/test-tls-multi-key.js
new file mode 100644
index 0000000..ca2517c
--- /dev/null
+++ b/test/disabled/test-tls-multi-key.js
@@ -0,0 +1,51 @@
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const assert = require('assert');
+const tls = require('tls');
+const fs = require('fs');
+
+const options = {
+ key: [
+ fs.readFileSync(`${common.fixturesDir}/keys/ec-key.pem`),
+ fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`),
+ ],
+ cert: [
+ fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`),
+ fs.readFileSync(`${common.fixturesDir}/keys/ec-cert.pem`)
+ ]
+};
+
+const ciphers = [];
+
+const server = tls.createServer(options, function(conn) {
+ conn.end('ok');
+}).listen(0, function() {
+ const ecdsa = tls.connect(this.address().port, {
+ ciphers: 'ECDHE-ECDSA-AES256-GCM-SHA384',
+ rejectUnauthorized: false
+ }, function() {
+ ciphers.push(ecdsa.getCipher());
+ const rsa = tls.connect(server.address().port, {
+ ciphers: 'ECDHE-RSA-AES256-GCM-SHA384',
+ rejectUnauthorized: false
+ }, function() {
+ ciphers.push(rsa.getCipher());
+ ecdsa.end();
+ rsa.end();
+ server.close();
+ });
+ });
+});
+
+process.on('exit', function() {
+ assert.deepStrictEqual(ciphers, [{
+ name: 'ECDHE-ECDSA-AES256-GCM-SHA384',
+ version: 'TLSv1/SSLv3'
+ }, {
+ name: 'ECDHE-RSA-AES256-GCM-SHA384',
+ version: 'TLSv1/SSLv3'
+ }]);
+});
diff --git a/test/disabled/test-tls-no-cert-required.js b/test/disabled/test-tls-no-cert-required.js
new file mode 100644
index 0000000..7f3d1b8
--- /dev/null
+++ b/test/disabled/test-tls-no-cert-required.js
@@ -0,0 +1,29 @@
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const assert = require('assert');
+const tls = require('tls');
+
+// Omitting the cert or pfx option to tls.createServer() should not throw.
+// AECDH-NULL-SHA is a no-authentication/no-encryption cipher and hence
+// doesn't need a certificate.
+tls.createServer({ ciphers: 'AECDH-NULL-SHA' })
+ .listen(0, common.mustCall(close));
+
+tls.createServer(assert.fail)
+ .listen(0, common.mustCall(close));
+
+tls.createServer({})
+ .listen(0, common.mustCall(close));
+
+assert.throws(() => tls.createServer('this is not valid'),
+ /^TypeError: options must be an object$/);
+
+tls.createServer()
+ .listen(0, common.mustCall(close));
+
+function close() {
+ this.close();
+}
diff --git a/test/disabled/test-tls-no-rsa-key.js b/test/disabled/test-tls-no-rsa-key.js
new file mode 100644
index 0000000..07a3ea4
--- /dev/null
+++ b/test/disabled/test-tls-no-rsa-key.js
@@ -0,0 +1,33 @@
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const assert = require('assert');
+const tls = require('tls');
+const fs = require('fs');
+
+const options = {
+ key: fs.readFileSync(`${common.fixturesDir}/keys/ec-key.pem`),
+ cert: fs.readFileSync(`${common.fixturesDir}/keys/ec-cert.pem`)
+};
+
+const server = tls.createServer(options, function(conn) {
+ conn.end('ok');
+}).listen(0, common.mustCall(function() {
+ const c = tls.connect(this.address().port, {
+ rejectUnauthorized: false
+ }, common.mustCall(function() {
+ c.on('end', common.mustCall(function() {
+ c.end();
+ server.close();
+ }));
+
+ c.on('data', function(data) {
+ assert.strictEqual(data.toString(), 'ok');
+ });
+
+ const cert = c.getPeerCertificate();
+ assert.strictEqual(cert.subject.C, 'US');
+ }));
+}));
diff --git a/test/disabled/test-tls-no-sslv23.js b/test/disabled/test-tls-no-sslv23.js
new file mode 100644
index 0000000..737f42b
--- /dev/null
+++ b/test/disabled/test-tls-no-sslv23.js
@@ -0,0 +1,55 @@
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const assert = require('assert');
+const tls = require('tls');
+
+assert.throws(function() {
+ tls.createSecureContext({ secureProtocol: 'blargh' });
+}, /Unknown method/);
+
+const errMessageSSLv2 = /SSLv2 methods disabled/;
+
+assert.throws(function() {
+ tls.createSecureContext({ secureProtocol: 'SSLv2_method' });
+}, errMessageSSLv2);
+
+assert.throws(function() {
+ tls.createSecureContext({ secureProtocol: 'SSLv2_client_method' });
+}, errMessageSSLv2);
+
+assert.throws(function() {
+ tls.createSecureContext({ secureProtocol: 'SSLv2_server_method' });
+}, errMessageSSLv2);
+
+const errMessageSSLv3 = /SSLv3 methods disabled/;
+
+assert.throws(function() {
+ tls.createSecureContext({ secureProtocol: 'SSLv3_method' });
+}, errMessageSSLv3);
+
+assert.throws(function() {
+ tls.createSecureContext({ secureProtocol: 'SSLv3_client_method' });
+}, errMessageSSLv3);
+
+assert.throws(function() {
+ tls.createSecureContext({ secureProtocol: 'SSLv3_server_method' });
+}, errMessageSSLv3);
+
+// Note that SSLv2 and SSLv3 are disallowed but SSLv2_method and friends are
+// still accepted. They are OpenSSL's way of saying that all known protocols
+// are supported unless explicitly disabled (which we do for SSLv2 and SSLv3.)
+tls.createSecureContext({ secureProtocol: 'SSLv23_method' });
+tls.createSecureContext({ secureProtocol: 'SSLv23_client_method' });
+tls.createSecureContext({ secureProtocol: 'SSLv23_server_method' });
+tls.createSecureContext({ secureProtocol: 'TLSv1_method' });
+tls.createSecureContext({ secureProtocol: 'TLSv1_client_method' });
+tls.createSecureContext({ secureProtocol: 'TLSv1_server_method' });
+tls.createSecureContext({ secureProtocol: 'TLSv1_1_method' });
+tls.createSecureContext({ secureProtocol: 'TLSv1_1_client_method' });
+tls.createSecureContext({ secureProtocol: 'TLSv1_1_server_method' });
+tls.createSecureContext({ secureProtocol: 'TLSv1_2_method' });
+tls.createSecureContext({ secureProtocol: 'TLSv1_2_client_method' });
+tls.createSecureContext({ secureProtocol: 'TLSv1_2_server_method' });
diff --git a/test/disabled/test-tls-no-sslv3.js b/test/disabled/test-tls-no-sslv3.js
new file mode 100644
index 0000000..0a118db
--- /dev/null
+++ b/test/disabled/test-tls-no-sslv3.js
@@ -0,0 +1,51 @@
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+if (common.opensslCli === false)
+ common.skip('node compiled without OpenSSL CLI.');
+
+const assert = require('assert');
+const tls = require('tls');
+const fs = require('fs');
+const spawn = require('child_process').spawn;
+
+const cert = fs.readFileSync(`${common.fixturesDir}/test_cert.pem`);
+const key = fs.readFileSync(`${common.fixturesDir}/test_key.pem`);
+const server = tls.createServer({ cert: cert, key: key }, common.mustNotCall());
+const errors = [];
+let stderr = '';
+
+server.listen(0, '127.0.0.1', function() {
+ const address = `${this.address().address}:${this.address().port}`;
+ const args = ['s_client',
+ '-ssl3',
+ '-connect', address];
+
+ // for the performance and stability issue in s_client on Windows
+ if (common.isWindows)
+ args.push('-no_rand_screen');
+
+ const client = spawn(common.opensslCli, args, { stdio: 'pipe' });
+ client.stdout.pipe(process.stdout);
+ client.stderr.pipe(process.stderr);
+ client.stderr.setEncoding('utf8');
+ client.stderr.on('data', (data) => stderr += data);
+
+ client.once('exit', common.mustCall(function(exitCode) {
+ assert.strictEqual(exitCode, 1);
+ server.close();
+ }));
+});
+
+server.on('tlsClientError', (err) => errors.push(err));
+
+process.on('exit', function() {
+ if (/unknown option -ssl3/.test(stderr)) {
+ common.printSkipMessage('`openssl s_client -ssl3` not supported.');
+ } else {
+ assert.strictEqual(errors.length, 1);
+ assert(/:wrong version number/.test(errors[0].message));
+ }
+});
diff --git a/test/disabled/test-tls-npn-server-client.js b/test/disabled/test-tls-npn-server-client.js
new file mode 100644
index 0000000..22491c1
--- /dev/null
+++ b/test/disabled/test-tls-npn-server-client.js
@@ -0,0 +1,104 @@
+'use strict';
+
+const common = require('../common');
+
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+if (!process.features.tls_npn)
+ common.skip('Skipping because node compiled without NPN feature of OpenSSL.');
+
+const assert = require('assert');
+const fs = require('fs');
+const path = require('path');
+const tls = require('tls');
+
+function filenamePEM(n) {
+ return path.join(common.fixturesDir, 'keys', `${n}.pem`);
+}
+
+function loadPEM(n) {
+ return fs.readFileSync(filenamePEM(n));
+}
+
+const serverOptions = {
+ key: loadPEM('agent2-key'),
+ cert: loadPEM('agent2-cert'),
+ crl: loadPEM('ca2-crl'),
+ SNICallback: function(servername, cb) {
+ cb(null, tls.createSecureContext({
+ key: loadPEM('agent2-key'),
+ cert: loadPEM('agent2-cert'),
+ crl: loadPEM('ca2-crl'),
+ }));
+ },
+ NPNProtocols: ['a', 'b', 'c']
+};
+
+const clientsOptions = [{
+ port: undefined,
+ key: serverOptions.key,
+ cert: serverOptions.cert,
+ crl: serverOptions.crl,
+ NPNProtocols: ['a', 'b', 'c'],
+ rejectUnauthorized: false
+}, {
+ port: undefined,
+ key: serverOptions.key,
+ cert: serverOptions.cert,
+ crl: serverOptions.crl,
+ NPNProtocols: ['c', 'b', 'e'],
+ rejectUnauthorized: false
+}, {
+ port: undefined,
+ key: serverOptions.key,
+ cert: serverOptions.cert,
+ crl: serverOptions.crl,
+ rejectUnauthorized: false
+}, {
+ port: undefined,
+ key: serverOptions.key,
+ cert: serverOptions.cert,
+ crl: serverOptions.crl,
+ NPNProtocols: ['first-priority-unsupported', 'x', 'y'],
+ rejectUnauthorized: false
+}];
+
+const serverResults = [];
+const clientsResults = [];
+
+const server = tls.createServer(serverOptions, function(c) {
+ serverResults.push(c.npnProtocol);
+});
+server.listen(0, startTest);
+
+function startTest() {
+ function connectClient(options, callback) {
+ options.port = server.address().port;
+ const client = tls.connect(options, function() {
+ clientsResults.push(client.npnProtocol);
+ client.destroy();
+
+ callback();
+ });
+ }
+
+ connectClient(clientsOptions[0], function() {
+ connectClient(clientsOptions[1], function() {
+ connectClient(clientsOptions[2], function() {
+ connectClient(clientsOptions[3], function() {
+ server.close();
+ });
+ });
+ });
+ });
+}
+
+process.on('exit', function() {
+ assert.strictEqual(serverResults[0], clientsResults[0]);
+ assert.strictEqual(serverResults[1], clientsResults[1]);
+ assert.strictEqual(serverResults[2], 'http/1.1');
+ assert.strictEqual(clientsResults[2], false);
+ assert.strictEqual(serverResults[3], 'first-priority-unsupported');
+ assert.strictEqual(clientsResults[3], false);
+});
diff --git a/test/disabled/test-tls-ocsp-callback.js b/test/disabled/test-tls-ocsp-callback.js
new file mode 100644
index 0000000..673b69e
--- /dev/null
+++ b/test/disabled/test-tls-ocsp-callback.js
@@ -0,0 +1,126 @@
+'use strict';
+const common = require('../common');
+
+if (!process.features.tls_ocsp)
+ common.skip('node compiled without OpenSSL or with old OpenSSL version.');
+
+if (!common.opensslCli)
+ common.skip('node compiled without OpenSSL CLI.');
+
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const tls = require('tls');
+
+const assert = require('assert');
+const fs = require('fs');
+const join = require('path').join;
+
+const SSL_OP_NO_TICKET = require('crypto').constants.SSL_OP_NO_TICKET;
+
+const pfx = fs.readFileSync(join(common.fixturesDir, 'keys', 'agent1-pfx.pem'));
+
+function test(testOptions, cb) {
+
+ const keyFile = join(common.fixturesDir, 'keys', 'agent1-key.pem');
+ const certFile = join(common.fixturesDir, 'keys', 'agent1-cert.pem');
+ const caFile = join(common.fixturesDir, 'keys', 'ca1-cert.pem');
+ const key = fs.readFileSync(keyFile);
+ const cert = fs.readFileSync(certFile);
+ const ca = fs.readFileSync(caFile);
+ const options = {
+ key: key,
+ cert: cert,
+ ca: [ca]
+ };
+ let requestCount = 0;
+ let clientSecure = 0;
+ let ocspCount = 0;
+ let ocspResponse;
+
+ if (testOptions.pfx) {
+ delete options.key;
+ delete options.cert;
+ options.pfx = testOptions.pfx;
+ options.passphrase = testOptions.passphrase;
+ }
+
+ const server = tls.createServer(options, function(cleartext) {
+ cleartext.on('error', function(er) {
+ // We're ok with getting ECONNRESET in this test, but it's
+ // timing-dependent, and thus unreliable. Any other errors
+ // are just failures, though.
+ if (er.code !== 'ECONNRESET')
+ throw er;
+ });
+ ++requestCount;
+ cleartext.end();
+ });
+ server.on('OCSPRequest', function(cert, issuer, callback) {
+ ++ocspCount;
+ assert.ok(Buffer.isBuffer(cert));
+ assert.ok(Buffer.isBuffer(issuer));
+
+ // Just to check that async really works there
+ setTimeout(function() {
+ callback(null,
+ testOptions.response ? Buffer.from(testOptions.response) : null);
+ }, 100);
+ });
+ server.listen(0, function() {
+ const client = tls.connect({
+ port: this.address().port,
+ requestOCSP: testOptions.ocsp !== false,
+ secureOptions: testOptions.ocsp === false ?
+ SSL_OP_NO_TICKET : 0,
+ rejectUnauthorized: false
+ }, function() {
+ clientSecure++;
+ });
+ client.on('OCSPResponse', function(resp) {
+ ocspResponse = resp;
+ if (resp)
+ client.destroy();
+ });
+ client.on('close', function() {
+ server.close(cb);
+ });
+ });
+
+ process.on('exit', function() {
+ if (testOptions.ocsp === false) {
+ assert.strictEqual(requestCount, clientSecure);
+ assert.strictEqual(requestCount, 1);
+ return;
+ }
+
+ if (testOptions.response) {
+ assert.strictEqual(ocspResponse.toString(), testOptions.response);
+ } else {
+ assert.strictEqual(ocspResponse, null);
+ }
+ assert.strictEqual(requestCount, testOptions.response ? 0 : 1);
+ assert.strictEqual(clientSecure, requestCount);
+ assert.strictEqual(ocspCount, 1);
+ });
+}
+
+const tests = [
+ { response: false },
+ { response: 'hello world' },
+ { ocsp: false }
+];
+
+if (!common.hasFipsCrypto) {
+ tests.push({ pfx: pfx, passphrase: 'sample', response: 'hello pfx' });
+}
+
+function runTests(i) {
+ if (i === tests.length) return;
+
+ test(tests[i], common.mustCall(function() {
+ runTests(i + 1);
+ }));
+}
+
+runTests(0);
diff --git a/test/disabled/test-tls-on-empty-socket.js b/test/disabled/test-tls-on-empty-socket.js
new file mode 100644
index 0000000..5b66edd
--- /dev/null
+++ b/test/disabled/test-tls-on-empty-socket.js
@@ -0,0 +1,41 @@
+'use strict';
+const common = require('../common');
+
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const assert = require('assert');
+const tls = require('tls');
+
+const fs = require('fs');
+const net = require('net');
+
+let out = '';
+
+const server = tls.createServer({
+ key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`),
+ cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`)
+}, function(c) {
+ c.end('hello');
+}).listen(0, function() {
+ const socket = new net.Socket();
+
+ const s = tls.connect({
+ socket: socket,
+ rejectUnauthorized: false
+ }, function() {
+ s.on('data', function(chunk) {
+ out += chunk;
+ });
+ s.on('end', function() {
+ s.destroy();
+ server.close();
+ });
+ });
+
+ socket.connect(this.address().port);
+});
+
+process.on('exit', function() {
+ assert.strictEqual(out, 'hello');
+});
diff --git a/test/disabled/test-tls-over-http-tunnel.js b/test/disabled/test-tls-over-http-tunnel.js
new file mode 100644
index 0000000..ae9c8e0
--- /dev/null
+++ b/test/disabled/test-tls-over-http-tunnel.js
@@ -0,0 +1,155 @@
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const assert = require('assert');
+const https = require('https');
+const fs = require('fs');
+const net = require('net');
+const http = require('http');
+
+let gotRequest = false;
+
+const key = fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`);
+const cert = fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`);
+
+const options = {
+ key: key,
+ cert: cert
+};
+
+const server = https.createServer(options, function(req, res) {
+ console.log('SERVER: got request');
+ res.writeHead(200, {
+ 'content-type': 'text/plain'
+ });
+ console.log('SERVER: sending response');
+ res.end('hello world\n');
+});
+
+const proxy = net.createServer(function(clientSocket) {
+ console.log('PROXY: got a client connection');
+
+ let serverSocket = null;
+
+ clientSocket.on('data', function(chunk) {
+ if (!serverSocket) {
+ // Verify the CONNECT request
+ assert.strictEqual(`CONNECT localhost:${server.address().port} ` +
+ 'HTTP/1.1\r\n' +
+ 'Proxy-Connections: keep-alive\r\n' +
+ `Host: localhost:${proxy.address().port}\r\n` +
+ 'Connection: close\r\n\r\n',
+ chunk.toString());
+
+ console.log('PROXY: got CONNECT request');
+ console.log('PROXY: creating a tunnel');
+
+ // create the tunnel
+ serverSocket = net.connect(server.address().port, function() {
+ console.log('PROXY: replying to client CONNECT request');
+
+ // Send the response
+ clientSocket.write('HTTP/1.1 200 OK\r\nProxy-Connections: keep' +
+ '-alive\r\nConnections: keep-alive\r\nVia: ' +
+ `localhost:${proxy.address().port}\r\n\r\n`);
+ });
+
+ serverSocket.on('data', function(chunk) {
+ clientSocket.write(chunk);
+ });
+
+ serverSocket.on('end', function() {
+ clientSocket.destroy();
+ });
+ } else {
+ serverSocket.write(chunk);
+ }
+ });
+
+ clientSocket.on('end', function() {
+ serverSocket.destroy();
+ });
+});
+
+server.listen(0);
+
+proxy.listen(0, function() {
+ console.log('CLIENT: Making CONNECT request');
+
+ const req = http.request({
+ port: this.address().port,
+ method: 'CONNECT',
+ path: `localhost:${server.address().port}`,
+ headers: {
+ 'Proxy-Connections': 'keep-alive'
+ }
+ });
+ req.useChunkedEncodingByDefault = false; // for v0.6
+ req.on('response', onResponse); // for v0.6
+ req.on('upgrade', onUpgrade); // for v0.6
+ req.on('connect', onConnect); // for v0.7 or later
+ req.end();
+
+ function onResponse(res) {
+ // Very hacky. This is necessary to avoid http-parser leaks.
+ res.upgrade = true;
+ }
+
+ function onUpgrade(res, socket, head) {
+ // Hacky.
+ process.nextTick(function() {
+ onConnect(res, socket, head);
+ });
+ }
+
+ function onConnect(res, socket, header) {
+ assert.strictEqual(200, res.statusCode);
+ console.log('CLIENT: got CONNECT response');
+
+ // detach the socket
+ socket.removeAllListeners('data');
+ socket.removeAllListeners('close');
+ socket.removeAllListeners('error');
+ socket.removeAllListeners('drain');
+ socket.removeAllListeners('end');
+ socket.ondata = null;
+ socket.onend = null;
+ socket.ondrain = null;
+
+ console.log('CLIENT: Making HTTPS request');
+
+ https.get({
+ path: '/foo',
+ key: key,
+ cert: cert,
+ socket: socket, // reuse the socket
+ agent: false,
+ rejectUnauthorized: false
+ }, function(res) {
+ assert.strictEqual(200, res.statusCode);
+
+ res.on('data', function(chunk) {
+ assert.strictEqual('hello world\n', chunk.toString());
+ console.log('CLIENT: got HTTPS response');
+ gotRequest = true;
+ });
+
+ res.on('end', function() {
+ proxy.close();
+ server.close();
+ });
+ }).on('error', function(er) {
+ // We're ok with getting ECONNRESET in this test, but it's
+ // timing-dependent, and thus unreliable. Any other errors
+ // are just failures, though.
+ if (er.code !== 'ECONNRESET')
+ throw er;
+ }).end();
+ }
+});
+
+process.on('exit', function() {
+ assert.ok(gotRequest);
+});
diff --git a/test/disabled/test-tls-parse-cert-string.js b/test/disabled/test-tls-parse-cert-string.js
new file mode 100644
index 0000000..bbe098b
--- /dev/null
+++ b/test/disabled/test-tls-parse-cert-string.js
@@ -0,0 +1,36 @@
+'use strict';
+
+require('../common');
+const assert = require('assert');
+const tls = require('tls');
+
+{
+ const singles = 'C=US\nST=CA\nL=SF\nO=Node.js Foundation\nOU=Node.js\n' +
+ 'CN=ca1\nemailAddress=ry@clouds.org';
+ const singlesOut = tls.parseCertString(singles);
+ assert.deepStrictEqual(singlesOut, {
+ C: 'US',
+ ST: 'CA',
+ L: 'SF',
+ O: 'Node.js Foundation',
+ OU: 'Node.js',
+ CN: 'ca1',
+ emailAddress: 'ry@clouds.org'
+ });
+}
+
+{
+ const doubles = 'OU=Domain Control Validated\nOU=PositiveSSL Wildcard\n' +
+ 'CN=*.nodejs.org';
+ const doublesOut = tls.parseCertString(doubles);
+ assert.deepStrictEqual(doublesOut, {
+ OU: [ 'Domain Control Validated', 'PositiveSSL Wildcard' ],
+ CN: '*.nodejs.org'
+ });
+}
+
+{
+ const invalid = 'fhqwhgads';
+ const invalidOut = tls.parseCertString(invalid);
+ assert.deepStrictEqual(invalidOut, {});
+}
diff --git a/test/disabled/test-tls-passphrase.js b/test/disabled/test-tls-passphrase.js
new file mode 100644
index 0000000..0092dbd
--- /dev/null
+++ b/test/disabled/test-tls-passphrase.js
@@ -0,0 +1,275 @@
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const assert = require('assert');
+const tls = require('tls');
+const fs = require('fs');
+const path = require('path');
+
+const passKey = fs.readFileSync(path.join(common.fixturesDir, 'pass-key.pem'));
+const rawKey = fs.readFileSync(path.join(common.fixturesDir, 'raw-key.pem'));
+const cert = fs.readFileSync(path.join(common.fixturesDir, 'pass-cert.pem'));
+
+assert(Buffer.isBuffer(passKey));
+assert(Buffer.isBuffer(cert));
+assert.strictEqual(typeof passKey.toString(), 'string');
+assert.strictEqual(typeof cert.toString(), 'string');
+
+const server = tls.Server({
+ key: passKey,
+ passphrase: 'passphrase',
+ cert: cert,
+ ca: [cert],
+ requestCert: true,
+ rejectUnauthorized: true
+}, function(s) {
+ s.end();
+});
+
+server.listen(0, common.mustCall(function() {
+ // Buffer
+ tls.connect({
+ port: this.address().port,
+ key: passKey,
+ passphrase: 'passphrase',
+ cert: cert,
+ rejectUnauthorized: false
+ }, common.mustCall());
+
+ tls.connect({
+ port: this.address().port,
+ key: rawKey,
+ cert: cert,
+ rejectUnauthorized: false
+ }, common.mustCall());
+
+ tls.connect({
+ port: this.address().port,
+ key: rawKey,
+ passphrase: 'ignored',
+ cert: cert,
+ rejectUnauthorized: false
+ }, common.mustCall());
+
+ // Buffer[]
+ tls.connect({
+ port: this.address().port,
+ key: [passKey],
+ passphrase: 'passphrase',
+ cert: [cert],
+ rejectUnauthorized: false
+ }, common.mustCall());
+
+ tls.connect({
+ port: this.address().port,
+ key: [rawKey],
+ cert: [cert],
+ rejectUnauthorized: false
+ }, common.mustCall());
+
+ tls.connect({
+ port: this.address().port,
+ key: [rawKey],
+ passphrase: 'ignored',
+ cert: [cert],
+ rejectUnauthorized: false
+ }, common.mustCall());
+
+ // string
+ tls.connect({
+ port: this.address().port,
+ key: passKey.toString(),
+ passphrase: 'passphrase',
+ cert: cert.toString(),
+ rejectUnauthorized: false
+ }, common.mustCall());
+
+ tls.connect({
+ port: this.address().port,
+ key: rawKey.toString(),
+ cert: cert.toString(),
+ rejectUnauthorized: false
+ }, common.mustCall());
+
+ tls.connect({
+ port: this.address().port,
+ key: rawKey.toString(),
+ passphrase: 'ignored',
+ cert: cert.toString(),
+ rejectUnauthorized: false
+ }, common.mustCall());
+
+ // String[]
+ tls.connect({
+ port: this.address().port,
+ key: [passKey.toString()],
+ passphrase: 'passphrase',
+ cert: [cert.toString()],
+ rejectUnauthorized: false
+ }, common.mustCall());
+
+ tls.connect({
+ port: this.address().port,
+ key: [rawKey.toString()],
+ cert: [cert.toString()],
+ rejectUnauthorized: false
+ }, common.mustCall());
+
+ tls.connect({
+ port: this.address().port,
+ key: [rawKey.toString()],
+ passphrase: 'ignored',
+ cert: [cert.toString()],
+ rejectUnauthorized: false
+ }, common.mustCall());
+
+ // Object[]
+ tls.connect({
+ port: this.address().port,
+ key: [{pem: passKey, passphrase: 'passphrase'}],
+ cert: cert,
+ rejectUnauthorized: false
+ }, common.mustCall());
+
+ tls.connect({
+ port: this.address().port,
+ key: [{pem: passKey, passphrase: 'passphrase'}],
+ passphrase: 'ignored',
+ cert: cert,
+ rejectUnauthorized: false
+ }, common.mustCall());
+
+ tls.connect({
+ port: this.address().port,
+ key: [{pem: passKey}],
+ passphrase: 'passphrase',
+ cert: cert,
+ rejectUnauthorized: false
+ }, common.mustCall());
+
+ tls.connect({
+ port: this.address().port,
+ key: [{pem: passKey.toString(), passphrase: 'passphrase'}],
+ cert: cert,
+ rejectUnauthorized: false
+ }, common.mustCall());
+
+ tls.connect({
+ port: this.address().port,
+ key: [{pem: rawKey, passphrase: 'ignored'}],
+ cert: cert,
+ rejectUnauthorized: false
+ }, common.mustCall());
+
+ tls.connect({
+ port: this.address().port,
+ key: [{pem: rawKey.toString(), passphrase: 'ignored'}],
+ cert: cert,
+ rejectUnauthorized: false
+ }, common.mustCall());
+
+ tls.connect({
+ port: this.address().port,
+ key: [{pem: rawKey}],
+ passphrase: 'ignored',
+ cert: cert,
+ rejectUnauthorized: false
+ }, common.mustCall());
+
+ tls.connect({
+ port: this.address().port,
+ key: [{pem: rawKey.toString()}],
+ passphrase: 'ignored',
+ cert: cert,
+ rejectUnauthorized: false
+ }, common.mustCall());
+
+ tls.connect({
+ port: this.address().port,
+ key: [{pem: rawKey}],
+ cert: cert,
+ rejectUnauthorized: false
+ }, common.mustCall());
+
+ tls.connect({
+ port: this.address().port,
+ key: [{pem: rawKey.toString()}],
+ cert: cert,
+ rejectUnauthorized: false
+ }, common.mustCall());
+})).unref();
+
+const errMessagePassword = /bad password read/;
+
+// Missing passphrase
+assert.throws(function() {
+ tls.connect({
+ port: server.address().port,
+ key: passKey,
+ cert: cert,
+ rejectUnauthorized: false
+ });
+}, errMessagePassword);
+
+assert.throws(function() {
+ tls.connect({
+ port: server.address().port,
+ key: [passKey],
+ cert: cert,
+ rejectUnauthorized: false
+ });
+}, errMessagePassword);
+
+assert.throws(function() {
+ tls.connect({
+ port: server.address().port,
+ key: [{pem: passKey}],
+ cert: cert,
+ rejectUnauthorized: false
+ });
+}, errMessagePassword);
+
+const errMessageDecrypt = /bad decrypt/;
+
+// Invalid passphrase
+assert.throws(function() {
+ tls.connect({
+ port: server.address().port,
+ key: passKey,
+ passphrase: 'invalid',
+ cert: cert,
+ rejectUnauthorized: false
+ });
+}, errMessageDecrypt);
+
+assert.throws(function() {
+ tls.connect({
+ port: server.address().port,
+ key: [passKey],
+ passphrase: 'invalid',
+ cert: cert,
+ rejectUnauthorized: false
+ });
+}, errMessageDecrypt);
+
+assert.throws(function() {
+ tls.connect({
+ port: server.address().port,
+ key: [{pem: passKey}],
+ passphrase: 'invalid',
+ cert: cert,
+ rejectUnauthorized: false
+ });
+}, errMessageDecrypt);
+
+assert.throws(function() {
+ tls.connect({
+ port: server.address().port,
+ key: [{pem: passKey, passphrase: 'invalid'}],
+ passphrase: 'passphrase', // Valid but unused
+ cert: cert,
+ rejectUnauthorized: false
+ });
+}, errMessageDecrypt);
diff --git a/test/disabled/test-tls-pause.js b/test/disabled/test-tls-pause.js
new file mode 100644
index 0000000..4aded19
--- /dev/null
+++ b/test/disabled/test-tls-pause.js
@@ -0,0 +1,70 @@
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const assert = require('assert');
+const tls = require('tls');
+const fs = require('fs');
+const path = require('path');
+
+const options = {
+ key: fs.readFileSync(path.join(common.fixturesDir, 'test_key.pem')),
+ cert: fs.readFileSync(path.join(common.fixturesDir, 'test_cert.pem'))
+};
+
+const bufSize = 1024 * 1024;
+let sent = 0;
+let received = 0;
+
+const server = tls.Server(options, function(socket) {
+ socket.pipe(socket);
+ socket.on('data', function(c) {
+ console.error('data', c.length);
+ });
+});
+
+server.listen(0, function() {
+ let resumed = false;
+ const client = tls.connect({
+ port: this.address().port,
+ rejectUnauthorized: false
+ }, function() {
+ console.error('connected');
+ client.pause();
+ console.error('paused');
+ send();
+ function send() {
+ console.error('sending');
+ const ret = client.write(Buffer.allocUnsafe(bufSize));
+ console.error('write => %j', ret);
+ if (false !== ret) {
+ console.error('write again');
+ sent += bufSize;
+ assert.ok(sent < 100 * 1024 * 1024); // max 100MB
+ return process.nextTick(send);
+ }
+ sent += bufSize;
+ console.error(`sent: ${sent}`);
+ resumed = true;
+ client.resume();
+ console.error('resumed', client);
+ }
+ });
+ client.on('data', function(data) {
+ console.error('data');
+ assert.ok(resumed);
+ received += data.length;
+ console.error('received', received);
+ console.error('sent', sent);
+ if (received >= sent) {
+ console.error(`received: ${received}`);
+ client.end();
+ server.close();
+ }
+ });
+});
+
+process.on('exit', function() {
+ assert.strictEqual(sent, received);
+});
diff --git a/test/disabled/test-tls-peer-certificate-encoding.js b/test/disabled/test-tls-peer-certificate-encoding.js
new file mode 100644
index 0000000..d6e920a
--- /dev/null
+++ b/test/disabled/test-tls-peer-certificate-encoding.js
@@ -0,0 +1,33 @@
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const assert = require('assert');
+const tls = require('tls');
+const fs = require('fs');
+const util = require('util');
+const join = require('path').join;
+
+const options = {
+ key: fs.readFileSync(join(common.fixturesDir, 'keys', 'agent5-key.pem')),
+ cert: fs.readFileSync(join(common.fixturesDir, 'keys', 'agent5-cert.pem')),
+ ca: [ fs.readFileSync(join(common.fixturesDir, 'keys', 'ca2-cert.pem')) ]
+};
+
+const server = tls.createServer(options, function(cleartext) {
+ cleartext.end('World');
+});
+server.listen(0, common.mustCall(function() {
+ const socket = tls.connect({
+ port: this.address().port,
+ rejectUnauthorized: false
+ }, common.mustCall(function() {
+ const peerCert = socket.getPeerCertificate();
+
+ console.error(util.inspect(peerCert));
+ assert.strictEqual(peerCert.subject.CN, 'Ádám Lippai');
+ server.close();
+ }));
+ socket.end('Hello');
+}));
diff --git a/test/disabled/test-tls-peer-certificate-multi-keys.js b/test/disabled/test-tls-peer-certificate-multi-keys.js
new file mode 100644
index 0000000..ed5566f
--- /dev/null
+++ b/test/disabled/test-tls-peer-certificate-multi-keys.js
@@ -0,0 +1,34 @@
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const assert = require('assert');
+const tls = require('tls');
+const fs = require('fs');
+const util = require('util');
+const join = require('path').join;
+
+const options = {
+ key: fs.readFileSync(join(common.fixturesDir, 'agent.key')),
+ cert: fs.readFileSync(join(common.fixturesDir, 'multi-alice.crt'))
+};
+
+const server = tls.createServer(options, function(cleartext) {
+ cleartext.end('World');
+});
+server.listen(0, common.mustCall(function() {
+ const socket = tls.connect({
+ port: this.address().port,
+ rejectUnauthorized: false
+ }, common.mustCall(function() {
+ const peerCert = socket.getPeerCertificate();
+ console.error(util.inspect(peerCert));
+ assert.deepStrictEqual(
+ peerCert.subject.OU,
+ ['Information Technology', 'Engineering', 'Marketing']
+ );
+ server.close();
+ }));
+ socket.end('Hello');
+}));
diff --git a/test/disabled/test-tls-peer-certificate.js b/test/disabled/test-tls-peer-certificate.js
new file mode 100644
index 0000000..eb5be6d
--- /dev/null
+++ b/test/disabled/test-tls-peer-certificate.js
@@ -0,0 +1,39 @@
+'use strict';
+const common = require('../common');
+
+// Verify that detailed getPeerCertificate() return value has all certs.
+
+const join = require('path').join;
+const {
+ assert, connect, debug, keys
+} = require(join(common.fixturesDir, 'tls-connect'))();
+
+connect({
+ client: {rejectUnauthorized: false},
+ server: keys.agent1,
+}, function(err, pair, cleanup) {
+ assert.ifError(err);
+ const socket = pair.client.conn;
+ let peerCert = socket.getPeerCertificate();
+ assert.ok(!peerCert.issuerCertificate);
+
+ peerCert = socket.getPeerCertificate(true);
+ debug('peerCert:\n', peerCert);
+
+ assert.ok(peerCert.issuerCertificate);
+ assert.strictEqual(peerCert.subject.emailAddress, 'ry@tinyclouds.org');
+ assert.strictEqual(peerCert.serialNumber, '9A84ABCFB8A72AC0');
+ assert.strictEqual(peerCert.exponent, '0x10001');
+ assert.strictEqual(
+ peerCert.fingerprint,
+ '8D:06:3A:B3:E5:8B:85:29:72:4F:7D:1B:54:CD:95:19:3C:EF:6F:AA'
+ );
+ assert.deepStrictEqual(peerCert.infoAccess['OCSP - URI'],
+ [ 'http://ocsp.nodejs.org/' ]);
+
+ const issuer = peerCert.issuerCertificate;
+ assert.strictEqual(issuer.issuerCertificate, issuer);
+ assert.strictEqual(issuer.serialNumber, '8DF21C01468AF393');
+
+ return cleanup();
+});
diff --git a/test/disabled/test-tls-pfx-gh-5100-regr.js b/test/disabled/test-tls-pfx-gh-5100-regr.js
new file mode 100644
index 0000000..ba38f02
--- /dev/null
+++ b/test/disabled/test-tls-pfx-gh-5100-regr.js
@@ -0,0 +1,38 @@
+'use strict';
+
+const common = require('../common');
+
+if (!common.hasCrypto)
+ common.skip('node compiled without crypto.');
+
+const assert = require('assert');
+const tls = require('tls');
+const fs = require('fs');
+const path = require('path');
+
+const pfx = fs.readFileSync(
+ path.join(common.fixturesDir, 'keys', 'agent1-pfx.pem'));
+
+const server = tls.createServer({
+ pfx: pfx,
+ passphrase: 'sample',
+ requestCert: true,
+ rejectUnauthorized: false
+}, common.mustCall(function(c) {
+ assert.strictEqual(
+ c.authorizationError,
+ null,
+ 'authorizationError must be null'
+ );
+ c.end();
+})).listen(0, function() {
+ const client = tls.connect({
+ port: this.address().port,
+ pfx: pfx,
+ passphrase: 'sample',
+ rejectUnauthorized: false
+ }, function() {
+ client.end();
+ server.close();
+ });
+});
diff --git a/test/disabled/test-tls-regr-gh-5108.js b/test/disabled/test-tls-regr-gh-5108.js
new file mode 100644
index 0000000..9bb07fe
--- /dev/null
+++ b/test/disabled/test-tls-regr-gh-5108.js
@@ -0,0 +1,40 @@
+'use strict';
+const common = require('../common');
+
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const assert = require('assert');
+const tls = require('tls');
+const fs = require('fs');
+
+const options = {
+ key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`),
+ cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`)
+};
+
+
+const server = tls.createServer(options, function(s) {
+ s.end('hello');
+}).listen(0, function() {
+ const opts = {
+ port: this.address().port,
+ rejectUnauthorized: false
+ };
+ const client = tls.connect(opts, function() {
+ putImmediate(client);
+ });
+});
+
+
+function putImmediate(client) {
+ setImmediate(function() {
+ if (client.ssl) {
+ const fd = client.ssl.fd;
+ assert(!!fd);
+ putImmediate(client);
+ } else {
+ server.close();
+ }
+ });
+}
diff --git a/test/disabled/test-tls-request-timeout.js b/test/disabled/test-tls-request-timeout.js
new file mode 100644
index 0000000..3989e40
--- /dev/null
+++ b/test/disabled/test-tls-request-timeout.js
@@ -0,0 +1,30 @@
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const assert = require('assert');
+const tls = require('tls');
+const fs = require('fs');
+
+const options = {
+ key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`),
+ cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`)
+};
+
+const server = tls.Server(options, common.mustCall(function(socket) {
+ const s = socket.setTimeout(100);
+ assert.ok(s instanceof tls.TLSSocket);
+
+ socket.on('timeout', common.mustCall(function(err) {
+ socket.end();
+ server.close();
+ }));
+}));
+
+server.listen(0, function() {
+ tls.connect({
+ port: this.address().port,
+ rejectUnauthorized: false
+ });
+});
diff --git a/test/disabled/test-tls-retain-handle-no-abort.js b/test/disabled/test-tls-retain-handle-no-abort.js
new file mode 100644
index 0000000..4be64c1
--- /dev/null
+++ b/test/disabled/test-tls-retain-handle-no-abort.js
@@ -0,0 +1,40 @@
+'use strict';
+
+const common = require('../common');
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const assert = require('assert');
+const tls = require('tls');
+const fs = require('fs');
+const util = require('util');
+
+const sent = 'hello world';
+const serverOptions = {
+ isServer: true,
+ key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`),
+ cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`)
+};
+
+let ssl = null;
+
+process.on('exit', function() {
+ assert.ok(ssl !== null);
+ // If the internal pointer to stream_ isn't cleared properly then this
+ // will abort.
+ util.inspect(ssl);
+});
+
+const server = tls.createServer(serverOptions, function(s) {
+ s.on('data', function() { });
+ s.on('end', function() {
+ server.close();
+ s.destroy();
+ });
+}).listen(0, function() {
+ const c = new tls.TLSSocket();
+ ssl = c.ssl;
+ c.connect(this.address().port, function() {
+ c.end(sent);
+ });
+});
diff --git a/test/disabled/test-tls-securepair-fiftharg.js b/test/disabled/test-tls-securepair-fiftharg.js
new file mode 100644
index 0000000..97b563a
--- /dev/null
+++ b/test/disabled/test-tls-securepair-fiftharg.js
@@ -0,0 +1,27 @@
+'use strict';
+
+const common = require('../common');
+const assert = require('assert');
+const fs = require('fs');
+const tls = require('tls');
+
+const sslcontext = tls.createSecureContext({
+ cert: fs.readFileSync(`${common.fixturesDir}/test_cert.pem`),
+ key: fs.readFileSync(`${common.fixturesDir}/test_key.pem`)
+});
+
+let catchedServername;
+const pair = tls.createSecurePair(sslcontext, true, false, false, {
+ SNICallback: common.mustCall(function(servername, cb) {
+ catchedServername = servername;
+ })
+});
+
+// captured traffic from browser's request to https://www.google.com
+const sslHello = fs.readFileSync(`${common.fixturesDir}/google_ssl_hello.bin`);
+
+pair.encrypted.write(sslHello);
+
+process.on('exit', function() {
+ assert.strictEqual('www.google.com', catchedServername);
+});
diff --git a/test/disabled/test-tls-securepair-server.js b/test/disabled/test-tls-securepair-server.js
new file mode 100644
index 0000000..d335bb2
--- /dev/null
+++ b/test/disabled/test-tls-securepair-server.js
@@ -0,0 +1,133 @@
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+if (!common.opensslCli)
+ common.skip('missing openssl-cli');
+
+const assert = require('assert');
+const tls = require('tls');
+const join = require('path').join;
+const net = require('net');
+const fs = require('fs');
+const spawn = require('child_process').spawn;
+
+const key = fs.readFileSync(join(common.fixturesDir, 'agent.key')).toString();
+const cert = fs.readFileSync(join(common.fixturesDir, 'agent.crt')).toString();
+
+function log(a) {
+ console.error(`***server*** ${a}`);
+}
+
+const server = net.createServer(common.mustCall(function(socket) {
+ log(`connection fd=${socket.fd}`);
+ const sslcontext = tls.createSecureContext({key: key, cert: cert});
+ sslcontext.context.setCiphers('RC4-SHA:AES128-SHA:AES256-SHA');
+
+ const pair = tls.createSecurePair(sslcontext, true);
+
+ assert.ok(pair.encrypted.writable);
+ assert.ok(pair.cleartext.writable);
+
+ pair.encrypted.pipe(socket);
+ socket.pipe(pair.encrypted);
+
+ log('i set it secure');
+
+ pair.on('secure', function() {
+ log('connected+secure!');
+ pair.cleartext.write('hello\r\n');
+ log(pair.cleartext.getPeerCertificate());
+ log(pair.cleartext.getCipher());
+ });
+
+ pair.cleartext.on('data', function(data) {
+ log(`read bytes ${data.length}`);
+ pair.cleartext.write(data);
+ });
+
+ socket.on('end', function() {
+ log('socket end');
+ });
+
+ pair.cleartext.on('error', function(err) {
+ log('got error: ');
+ log(err);
+ log(err.stack);
+ socket.destroy();
+ });
+
+ pair.encrypted.on('error', function(err) {
+ log('encrypted error: ');
+ log(err);
+ log(err.stack);
+ socket.destroy();
+ });
+
+ socket.on('error', function(err) {
+ log('socket error: ');
+ log(err);
+ log(err.stack);
+ socket.destroy();
+ });
+
+ socket.on('close', function(err) {
+ log('socket closed');
+ });
+
+ pair.on('error', function(err) {
+ log('secure error: ');
+ log(err);
+ log(err.stack);
+ socket.destroy();
+ });
+}));
+
+let gotHello = false;
+let sentWorld = false;
+let gotWorld = false;
+
+server.listen(0, common.mustCall(function() {
+ // To test use: openssl s_client -connect localhost:8000
+
+ const args = ['s_client', '-connect', `127.0.0.1:${this.address().port}`];
+
+ // for the performance and stability issue in s_client on Windows
+ if (common.isWindows)
+ args.push('-no_rand_screen');
+
+ const client = spawn(common.opensslCli, args);
+
+
+ let out = '';
+
+ client.stdout.setEncoding('utf8');
+ client.stdout.on('data', function(d) {
+ out += d;
+
+ if (!gotHello && /hello/.test(out)) {
+ gotHello = true;
+ client.stdin.write('world\r\n');
+ sentWorld = true;
+ }
+
+ if (!gotWorld && /world/.test(out)) {
+ gotWorld = true;
+ client.stdin.end();
+ }
+ });
+
+ client.stdout.pipe(process.stdout, { end: false });
+
+ client.on('exit', common.mustCall(function(code) {
+ assert.strictEqual(0, code);
+ server.close();
+ }));
+}));
+
+process.on('exit', function() {
+ assert.ok(gotHello);
+ assert.ok(sentWorld);
+ assert.ok(gotWorld);
+});
diff --git a/test/disabled/test-tls-server-connection-server.js b/test/disabled/test-tls-server-connection-server.js
new file mode 100644
index 0000000..7eef14d
--- /dev/null
+++ b/test/disabled/test-tls-server-connection-server.js
@@ -0,0 +1,32 @@
+'use strict';
+const common = require('../common');
+
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const assert = require('assert');
+const tls = require('tls');
+const fs = require('fs');
+
+const options = {
+ key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`),
+ cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`)
+};
+
+const server = tls.createServer(options, function(s) {
+ s.end('hello');
+}).listen(0, function() {
+ const opts = {
+ port: this.address().port,
+ rejectUnauthorized: false
+ };
+
+ server.on('connection', common.mustCall(function(socket) {
+ assert.strictEqual(socket.server, server);
+ server.close();
+ }));
+
+ const client = tls.connect(opts, function() {
+ client.end();
+ });
+});
diff --git a/test/disabled/test-tls-server-failed-handshake-emits-clienterror.js b/test/disabled/test-tls-server-failed-handshake-emits-clienterror.js
new file mode 100644
index 0000000..8efb4ec
--- /dev/null
+++ b/test/disabled/test-tls-server-failed-handshake-emits-clienterror.js
@@ -0,0 +1,28 @@
+'use strict';
+const common = require('../common');
+
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const tls = require('tls');
+const net = require('net');
+const assert = require('assert');
+
+const bonkers = Buffer.alloc(1024, 42);
+
+
+const server = tls.createServer({})
+ .listen(0, function() {
+ const c = net.connect({ port: this.address().port }, function() {
+ c.write(bonkers);
+ });
+
+ }).on('tlsClientError', common.mustCall(function(e) {
+ assert.ok(e instanceof Error,
+ 'Instance of Error should be passed to error handler');
+ assert.ok(
+ /SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol/.test(e.message),
+ 'Expecting SSL unknown protocol');
+
+ server.close();
+ }));
diff --git a/test/disabled/test-tls-server-verify.js b/test/disabled/test-tls-server-verify.js
new file mode 100644
index 0000000..7a106f6
--- /dev/null
+++ b/test/disabled/test-tls-server-verify.js
@@ -0,0 +1,348 @@
+'use strict';
+const common = require('../common');
+
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+if (!common.opensslCli)
+ common.skip('node compiled without OpenSSL CLI.');
+
+// This is a rather complex test which sets up various TLS servers with node
+// and connects to them using the 'openssl s_client' command line utility
+// with various keys. Depending on the certificate authority and other
+// parameters given to the server, the various clients are
+// - rejected,
+// - accepted and "unauthorized", or
+// - accepted and "authorized".
+
+const assert = require('assert');
+const { spawn } = require('child_process');
+const { SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION } =
+ require('crypto').constants;
+const fs = require('fs');
+const path = require('path');
+const tls = require('tls');
+
+const testCases =
+ [{ title: 'Do not request certs. Everyone is unauthorized.',
+ requestCert: false,
+ rejectUnauthorized: false,
+ renegotiate: false,
+ CAs: ['ca1-cert'],
+ clients:
+ [{ name: 'agent1', shouldReject: false, shouldAuth: false },
+ { name: 'agent2', shouldReject: false, shouldAuth: false },
+ { name: 'agent3', shouldReject: false, shouldAuth: false },
+ { name: 'nocert', shouldReject: false, shouldAuth: false }
+ ]
+ },
+
+ { title: 'Allow both authed and unauthed connections with CA1',
+ requestCert: true,
+ rejectUnauthorized: false,
+ renegotiate: false,
+ CAs: ['ca1-cert'],
+ clients:
+ [{ name: 'agent1', shouldReject: false, shouldAuth: true },
+ { name: 'agent2', shouldReject: false, shouldAuth: false },
+ { name: 'agent3', shouldReject: false, shouldAuth: false },
+ { name: 'nocert', shouldReject: false, shouldAuth: false }
+ ]
+ },
+
+ { title: 'Do not request certs at connection. Do that later',
+ requestCert: false,
+ rejectUnauthorized: false,
+ renegotiate: true,
+ CAs: ['ca1-cert'],
+ clients:
+ [{ name: 'agent1', shouldReject: false, shouldAuth: true },
+ { name: 'agent2', shouldReject: false, shouldAuth: false },
+ { name: 'agent3', shouldReject: false, shouldAuth: false },
+ { name: 'nocert', shouldReject: false, shouldAuth: false }
+ ]
+ },
+
+ { title: 'Allow only authed connections with CA1',
+ requestCert: true,
+ rejectUnauthorized: true,
+ renegotiate: false,
+ CAs: ['ca1-cert'],
+ clients:
+ [{ name: 'agent1', shouldReject: false, shouldAuth: true },
+ { name: 'agent2', shouldReject: true },
+ { name: 'agent3', shouldReject: true },
+ { name: 'nocert', shouldReject: true }
+ ]
+ },
+
+ { title: 'Allow only authed connections with CA1 and CA2',
+ requestCert: true,
+ rejectUnauthorized: true,
+ renegotiate: false,
+ CAs: ['ca1-cert', 'ca2-cert'],
+ clients:
+ [{ name: 'agent1', shouldReject: false, shouldAuth: true },
+ { name: 'agent2', shouldReject: true },
+ { name: 'agent3', shouldReject: false, shouldAuth: true },
+ { name: 'nocert', shouldReject: true }
+ ]
+ },
+
+
+ { title: 'Allow only certs signed by CA2 but not in the CRL',
+ requestCert: true,
+ rejectUnauthorized: true,
+ renegotiate: false,
+ CAs: ['ca2-cert'],
+ crl: 'ca2-crl',
+ clients: [
+ { name: 'agent1', shouldReject: true, shouldAuth: false },
+ { name: 'agent2', shouldReject: true, shouldAuth: false },
+ { name: 'agent3', shouldReject: false, shouldAuth: true },
+ // Agent4 has a cert in the CRL.
+ { name: 'agent4', shouldReject: true, shouldAuth: false },
+ { name: 'nocert', shouldReject: true }
+ ]
+ }
+ ];
+
+
+function filenamePEM(n) {
+ return path.join(common.fixturesDir, 'keys', `${n}.pem`);
+}
+
+
+function loadPEM(n) {
+ return fs.readFileSync(filenamePEM(n));
+}
+
+
+const serverKey = loadPEM('agent2-key');
+const serverCert = loadPEM('agent2-cert');
+
+
+function runClient(prefix, port, options, cb) {
+
+ // Client can connect in three ways:
+ // - Self-signed cert
+ // - Certificate, but not signed by CA.
+ // - Certificate signed by CA.
+
+ const args = ['s_client', '-connect', `127.0.0.1:${port}`];
+
+ // for the performance issue in s_client on Windows
+ if (common.isWindows)
+ args.push('-no_rand_screen');
+
+ console.log(`${prefix} connecting with`, options.name);
+
+ switch (options.name) {
+ case 'agent1':
+ // Signed by CA1
+ args.push('-key');
+ args.push(filenamePEM('agent1-key'));
+ args.push('-cert');
+ args.push(filenamePEM('agent1-cert'));
+ break;
+
+ case 'agent2':
+ // Self-signed
+ // This is also the key-cert pair that the server will use.
+ args.push('-key');
+ args.push(filenamePEM('agent2-key'));
+ args.push('-cert');
+ args.push(filenamePEM('agent2-cert'));
+ break;
+
+ case 'agent3':
+ // Signed by CA2
+ args.push('-key');
+ args.push(filenamePEM('agent3-key'));
+ args.push('-cert');
+ args.push(filenamePEM('agent3-cert'));
+ break;
+
+ case 'agent4':
+ // Signed by CA2 (rejected by ca2-crl)
+ args.push('-key');
+ args.push(filenamePEM('agent4-key'));
+ args.push('-cert');
+ args.push(filenamePEM('agent4-cert'));
+ break;
+
+ case 'nocert':
+ // Do not send certificate
+ break;
+
+ default:
+ throw new Error(`${prefix}Unknown agent name`);
+ }
+
+ // To test use: openssl s_client -connect localhost:8000
+ const client = spawn(common.opensslCli, args);
+
+ let out = '';
+
+ let rejected = true;
+ let authed = false;
+ let goodbye = false;
+
+ client.stdout.setEncoding('utf8');
+ client.stdout.on('data', function(d) {
+ out += d;
+
+ if (!goodbye && /_unauthed/.test(out)) {
+ console.error(`${prefix} * unauthed`);
+ goodbye = true;
+ client.kill();
+ authed = false;
+ rejected = false;
+ }
+
+ if (!goodbye && /_authed/.test(out)) {
+ console.error(`${prefix} * authed`);
+ goodbye = true;
+ client.kill();
+ authed = true;
+ rejected = false;
+ }
+ });
+
+ //client.stdout.pipe(process.stdout);
+
+ client.on('exit', function(code) {
+ //assert.strictEqual(
+ // 0, code,
+ // `${prefix}${options.name}: s_client exited with error code ${code}`);
+ if (options.shouldReject) {
+ assert.strictEqual(
+ true, rejected,
+ `${prefix}${options.name} NOT rejected, but should have been`);
+ } else {
+ assert.strictEqual(
+ false, rejected,
+ `${prefix}${options.name} rejected, but should NOT have been`);
+ assert.strictEqual(
+ options.shouldAuth, authed,
+ `${prefix}${options.name} authed is ${authed} but should have been ${
+ options.shouldAuth}`);
+ }
+
+ cb();
+ });
+}
+
+
+// Run the tests
+let successfulTests = 0;
+function runTest(port, testIndex) {
+ const prefix = `${testIndex} `;
+ const tcase = testCases[testIndex];
+ if (!tcase) return;
+
+ console.error(`${prefix}Running '%s'`, tcase.title);
+
+ const cas = tcase.CAs.map(loadPEM);
+
+ const crl = tcase.crl ? loadPEM(tcase.crl) : null;
+
+ const serverOptions = {
+ key: serverKey,
+ cert: serverCert,
+ ca: cas,
+ crl: crl,
+ requestCert: tcase.requestCert,
+ rejectUnauthorized: tcase.rejectUnauthorized
+ };
+
+ /*
+ * If renegotiating - session might be resumed and openssl won't request
+ * client's certificate (probably because of bug in the openssl)
+ */
+ if (tcase.renegotiate) {
+ serverOptions.secureOptions =
+ SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION;
+ }
+
+ let renegotiated = false;
+ const server = tls.Server(serverOptions, function handleConnection(c) {
+ c.on('error', function(e) {
+ // child.kill() leads ECONNRESET errro in the TLS connection of
+ // openssl s_client via spawn(). A Test result is already
+ // checked by the data of client.stdout before child.kill() so
+ // these tls errors can be ignored.
+ });
+ if (tcase.renegotiate && !renegotiated) {
+ renegotiated = true;
+ setTimeout(function() {
+ console.error(`${prefix}- connected, renegotiating`);
+ c.write('\n_renegotiating\n');
+ return c.renegotiate({
+ requestCert: true,
+ rejectUnauthorized: false
+ }, function(err) {
+ assert(!err);
+ c.write('\n_renegotiated\n');
+ handleConnection(c);
+ });
+ }, 200);
+ return;
+ }
+
+ if (c.authorized) {
+ console.error(`${prefix}- authed connection: ${
+ c.getPeerCertificate().subject.CN}`);
+ c.write('\n_authed\n');
+ } else {
+ console.error(`${prefix}- unauthed connection: %s`, c.authorizationError);
+ c.write('\n_unauthed\n');
+ }
+ });
+
+ function runNextClient(clientIndex) {
+ const options = tcase.clients[clientIndex];
+ if (options) {
+ runClient(`${prefix}${clientIndex} `, port, options, function() {
+ runNextClient(clientIndex + 1);
+ });
+ } else {
+ server.close();
+ successfulTests++;
+ runTest(port, nextTest++);
+ }
+ }
+
+ server.listen(port, function() {
+ port = server.address().port;
+ if (tcase.debug) {
+ console.error(`${prefix}TLS server running on port ${port}`);
+ } else {
+ if (tcase.renegotiate) {
+ runNextClient(0);
+ } else {
+ let clientsCompleted = 0;
+ for (let i = 0; i < tcase.clients.length; i++) {
+ runClient(`${prefix}${i} `, port, tcase.clients[i], function() {
+ clientsCompleted++;
+ if (clientsCompleted === tcase.clients.length) {
+ server.close();
+ successfulTests++;
+ runTest(port, nextTest++);
+ }
+ });
+ }
+ }
+ }
+ });
+}
+
+
+let nextTest = 0;
+runTest(0, nextTest++);
+runTest(0, nextTest++);
+
+
+process.on('exit', function() {
+ assert.strictEqual(successfulTests, testCases.length);
+});
diff --git a/test/disabled/test-tls-session-cache.js b/test/disabled/test-tls-session-cache.js
new file mode 100644
index 0000000..326e760
--- /dev/null
+++ b/test/disabled/test-tls-session-cache.js
@@ -0,0 +1,127 @@
+'use strict';
+const common = require('../common');
+
+if (!common.opensslCli)
+ common.skip('node compiled without OpenSSL CLI.');
+
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+doTest({ tickets: false }, function() {
+ doTest({ tickets: true }, function() {
+ console.error('all done');
+ });
+});
+
+function doTest(testOptions, callback) {
+ const assert = require('assert');
+ const tls = require('tls');
+ const fs = require('fs');
+ const join = require('path').join;
+ const spawn = require('child_process').spawn;
+
+ const keyFile = join(common.fixturesDir, 'agent.key');
+ const certFile = join(common.fixturesDir, 'agent.crt');
+ const key = fs.readFileSync(keyFile);
+ const cert = fs.readFileSync(certFile);
+ const options = {
+ key: key,
+ cert: cert,
+ ca: [cert],
+ requestCert: true
+ };
+ let requestCount = 0;
+ let resumeCount = 0;
+ let session;
+
+ const server = tls.createServer(options, function(cleartext) {
+ cleartext.on('error', function(er) {
+ // We're ok with getting ECONNRESET in this test, but it's
+ // timing-dependent, and thus unreliable. Any other errors
+ // are just failures, though.
+ if (er.code !== 'ECONNRESET')
+ throw er;
+ });
+ ++requestCount;
+ cleartext.end();
+ });
+ server.on('newSession', function(id, data, cb) {
+ // Emulate asynchronous store
+ setTimeout(function() {
+ assert.ok(!session);
+ session = {
+ id: id,
+ data: data
+ };
+ cb();
+ }, 1000);
+ });
+ server.on('resumeSession', function(id, callback) {
+ ++resumeCount;
+ assert.ok(session);
+ assert.strictEqual(session.id.toString('hex'), id.toString('hex'));
+
+ // Just to check that async really works there
+ setTimeout(function() {
+ callback(null, session.data);
+ }, 100);
+ });
+
+ server.listen(0, function() {
+ const args = [
+ 's_client',
+ '-tls1',
+ '-connect', `localhost:${this.address().port}`,
+ '-servername', 'ohgod',
+ '-key', join(common.fixturesDir, 'agent.key'),
+ '-cert', join(common.fixturesDir, 'agent.crt'),
+ '-reconnect'
+ ].concat(testOptions.tickets ? [] : '-no_ticket');
+
+ // for the performance and stability issue in s_client on Windows
+ if (common.isWindows)
+ args.push('-no_rand_screen');
+
+ function spawnClient() {
+ const client = spawn(common.opensslCli, args, {
+ stdio: [ 0, 1, 'pipe' ]
+ });
+ let err = '';
+ client.stderr.setEncoding('utf8');
+ client.stderr.on('data', function(chunk) {
+ err += chunk;
+ });
+
+ client.on('exit', common.mustCall(function(code, signal) {
+ if (code !== 0) {
+ // If SmartOS and connection refused, then retry. See
+ // https://github.com/nodejs/node/issues/2663.
+ if (common.isSunOS && err.includes('Connection refused')) {
+ requestCount = 0;
+ spawnClient();
+ return;
+ }
+ common.fail(`code: ${code}, signal: ${signal}, output: ${err}`);
+ }
+ assert.strictEqual(code, 0);
+ server.close(common.mustCall(function() {
+ setTimeout(callback, 100);
+ }));
+ }));
+ }
+
+ spawnClient();
+ });
+
+ process.on('exit', function() {
+ if (testOptions.tickets) {
+ assert.strictEqual(requestCount, 6);
+ assert.strictEqual(resumeCount, 0);
+ } else {
+ // initial request + reconnect requests (5 times)
+ assert.ok(session);
+ assert.strictEqual(requestCount, 6);
+ assert.strictEqual(resumeCount, 5);
+ }
+ });
+}
diff --git a/test/disabled/test-tls-set-ciphers.js b/test/disabled/test-tls-set-ciphers.js
new file mode 100644
index 0000000..d53029e
--- /dev/null
+++ b/test/disabled/test-tls-set-ciphers.js
@@ -0,0 +1,45 @@
+'use strict';
+const common = require('../common');
+
+if (!common.opensslCli)
+ common.skip('node compiled without OpenSSL CLI.');
+
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const assert = require('assert');
+const exec = require('child_process').exec;
+const tls = require('tls');
+const fs = require('fs');
+
+const options = {
+ key: fs.readFileSync(`${common.fixturesDir}/keys/agent2-key.pem`),
+ cert: fs.readFileSync(`${common.fixturesDir}/keys/agent2-cert.pem`),
+ ciphers: 'DES-CBC3-SHA'
+};
+
+const reply = 'I AM THE WALRUS'; // something recognizable
+let response = '';
+
+process.on('exit', function() {
+ assert.notStrictEqual(response.indexOf(reply), -1);
+});
+
+const server = tls.createServer(options, common.mustCall(function(conn) {
+ conn.end(reply);
+}));
+
+server.listen(0, '127.0.0.1', function() {
+ let cmd = `"${common.opensslCli}" s_client -cipher ${
+ options.ciphers} -connect 127.0.0.1:${this.address().port}`;
+
+ // for the performance and stability issue in s_client on Windows
+ if (common.isWindows)
+ cmd += ' -no_rand_screen';
+
+ exec(cmd, function(err, stdout, stderr) {
+ if (err) throw err;
+ response = stdout;
+ server.close();
+ });
+});
diff --git a/test/disabled/test-tls-set-encoding.js b/test/disabled/test-tls-set-encoding.js
new file mode 100644
index 0000000..4114ee5
--- /dev/null
+++ b/test/disabled/test-tls-set-encoding.js
@@ -0,0 +1,58 @@
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const assert = require('assert');
+const tls = require('tls');
+const fs = require('fs');
+
+const options = {
+ key: fs.readFileSync(`${common.fixturesDir}/keys/agent2-key.pem`),
+ cert: fs.readFileSync(`${common.fixturesDir}/keys/agent2-cert.pem`)
+};
+
+// Contains a UTF8 only character
+const messageUtf8 = 'x√ab c';
+
+// The same string above represented with ASCII
+const messageAscii = 'xb\b\u001aab c';
+
+const server = tls.Server(options, common.mustCall(function(socket) {
+ socket.end(messageUtf8);
+}));
+
+
+server.listen(0, function() {
+ const client = tls.connect({
+ port: this.address().port,
+ rejectUnauthorized: false
+ });
+
+ let buffer = '';
+
+ client.setEncoding('ascii');
+
+ client.on('data', function(d) {
+ assert.ok(typeof d === 'string');
+ buffer += d;
+ });
+
+
+ client.on('close', function() {
+ // readyState is deprecated but we want to make
+ // sure this isn't triggering an assert in lib/net.js
+ // See issue #1069.
+ assert.strictEqual('closed', client.readyState);
+
+ // Confirming the buffer string is encoded in ASCII
+ // and thus does NOT match the UTF8 string
+ assert.notStrictEqual(buffer, messageUtf8);
+
+ // Confirming the buffer string is encoded in ASCII
+ // and thus does equal the ASCII string representation
+ assert.strictEqual(buffer, messageAscii);
+
+ server.close();
+ });
+});
diff --git a/test/disabled/test-tls-sni-option.js b/test/disabled/test-tls-sni-option.js
new file mode 100644
index 0000000..ff3e2ef
--- /dev/null
+++ b/test/disabled/test-tls-sni-option.js
@@ -0,0 +1,168 @@
+'use strict';
+
+const common = require('../common');
+
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+if (!process.features.tls_sni)
+ common.skip('node compiled without OpenSSL or with old OpenSSL version.');
+
+const assert = require('assert');
+const fs = require('fs');
+const path = require('path');
+const tls = require('tls');
+
+function filenamePEM(n) {
+ return path.join(common.fixturesDir, 'keys', `${n}.pem`);
+}
+
+function loadPEM(n) {
+ return fs.readFileSync(filenamePEM(n));
+}
+
+const serverOptions = {
+ key: loadPEM('agent2-key'),
+ cert: loadPEM('agent2-cert'),
+ requestCert: true,
+ rejectUnauthorized: false,
+ SNICallback: function(servername, callback) {
+ const context = SNIContexts[servername];
+
+ // Just to test asynchronous callback
+ setTimeout(function() {
+ if (context) {
+ if (context.emptyRegression)
+ callback(null, {});
+ else
+ callback(null, tls.createSecureContext(context));
+ } else {
+ callback(null, null);
+ }
+ }, 100);
+ }
+};
+
+let SNIContexts = {
+ 'a.example.com': {
+ key: loadPEM('agent1-key'),
+ cert: loadPEM('agent1-cert'),
+ ca: [ loadPEM('ca2-cert') ]
+ },
+ 'b.example.com': {
+ key: loadPEM('agent3-key'),
+ cert: loadPEM('agent3-cert')
+ },
+ 'c.another.com': {
+ emptyRegression: true
+ }
+};
+
+const clientsOptions = [{
+ port: undefined,
+ key: loadPEM('agent1-key'),
+ cert: loadPEM('agent1-cert'),
+ ca: [loadPEM('ca1-cert')],
+ servername: 'a.example.com',
+ rejectUnauthorized: false
+}, {
+ port: undefined,
+ key: loadPEM('agent4-key'),
+ cert: loadPEM('agent4-cert'),
+ ca: [loadPEM('ca1-cert')],
+ servername: 'a.example.com',
+ rejectUnauthorized: false
+}, {
+ port: undefined,
+ key: loadPEM('agent2-key'),
+ cert: loadPEM('agent2-cert'),
+ ca: [loadPEM('ca2-cert')],
+ servername: 'b.example.com',
+ rejectUnauthorized: false
+}, {
+ port: undefined,
+ key: loadPEM('agent3-key'),
+ cert: loadPEM('agent3-cert'),
+ ca: [loadPEM('ca1-cert')],
+ servername: 'c.wrong.com',
+ rejectUnauthorized: false
+}, {
+ port: undefined,
+ key: loadPEM('agent3-key'),
+ cert: loadPEM('agent3-cert'),
+ ca: [loadPEM('ca1-cert')],
+ servername: 'c.another.com',
+ rejectUnauthorized: false
+}];
+
+const serverResults = [];
+const clientResults = [];
+const serverErrors = [];
+const clientErrors = [];
+let serverError;
+let clientError;
+
+const server = tls.createServer(serverOptions, function(c) {
+ serverResults.push({ sni: c.servername, authorized: c.authorized });
+});
+
+server.on('tlsClientError', function(err) {
+ serverResults.push(null);
+ serverError = err.message;
+});
+
+server.listen(0, startTest);
+
+function startTest() {
+ function connectClient(i, callback) {
+ const options = clientsOptions[i];
+ clientError = null;
+ serverError = null;
+
+ options.port = server.address().port;
+ const client = tls.connect(options, function() {
+ clientResults.push(
+ /Hostname\/IP doesn't/.test(client.authorizationError || ''));
+ client.destroy();
+
+ next();
+ });
+
+ client.on('error', function(err) {
+ clientResults.push(false);
+ clientError = err.message;
+ next();
+ });
+
+ function next() {
+ clientErrors.push(clientError);
+ serverErrors.push(serverError);
+
+ if (i === clientsOptions.length - 1)
+ callback();
+ else
+ connectClient(i + 1, callback);
+ }
+ }
+
+ connectClient(0, function() {
+ server.close();
+ });
+}
+
+process.on('exit', function() {
+ assert.deepStrictEqual(serverResults, [
+ { sni: 'a.example.com', authorized: false },
+ { sni: 'a.example.com', authorized: true },
+ { sni: 'b.example.com', authorized: false },
+ { sni: 'c.wrong.com', authorized: false },
+ null
+ ]);
+ assert.deepStrictEqual(clientResults, [true, true, true, false, false]);
+ assert.deepStrictEqual(clientErrors, [
+ null, null, null, null, 'socket hang up'
+ ]);
+ assert.deepStrictEqual(serverErrors, [
+ null, null, null, null, 'Invalid SNI context'
+ ]);
+});
diff --git a/test/disabled/test-tls-sni-server-client.js b/test/disabled/test-tls-sni-server-client.js
new file mode 100644
index 0000000..ebe51f2
--- /dev/null
+++ b/test/disabled/test-tls-sni-server-client.js
@@ -0,0 +1,113 @@
+'use strict';
+const common = require('../common');
+
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+if (!process.features.tls_sni)
+ common.skip('node compiled without OpenSSL or with old OpenSSL version.');
+
+const assert = require('assert');
+const fs = require('fs');
+const path = require('path');
+const tls = require('tls');
+
+function filenamePEM(n) {
+ return path.join(common.fixturesDir, 'keys', `${n}.pem`);
+}
+
+function loadPEM(n) {
+ return fs.readFileSync(filenamePEM(n));
+}
+
+const serverOptions = {
+ key: loadPEM('agent2-key'),
+ cert: loadPEM('agent2-cert')
+};
+
+const SNIContexts = {
+ 'a.example.com': {
+ key: loadPEM('agent1-key'),
+ cert: loadPEM('agent1-cert')
+ },
+ 'asterisk.test.com': {
+ key: loadPEM('agent3-key'),
+ cert: loadPEM('agent3-cert')
+ },
+ 'chain.example.com': {
+ key: loadPEM('agent6-key'),
+ // NOTE: Contains ca3 chain cert
+ cert: loadPEM('agent6-cert')
+ }
+};
+
+const clientsOptions = [{
+ port: undefined,
+ ca: [loadPEM('ca1-cert')],
+ servername: 'a.example.com',
+ rejectUnauthorized: false
+}, {
+ port: undefined,
+ ca: [loadPEM('ca2-cert')],
+ servername: 'b.test.com',
+ rejectUnauthorized: false
+}, {
+ port: undefined,
+ ca: [loadPEM('ca2-cert')],
+ servername: 'a.b.test.com',
+ rejectUnauthorized: false
+}, {
+ port: undefined,
+ ca: [loadPEM('ca1-cert')],
+ servername: 'c.wrong.com',
+ rejectUnauthorized: false
+}, {
+ port: undefined,
+ ca: [loadPEM('ca1-cert')],
+ servername: 'chain.example.com',
+ rejectUnauthorized: false
+}];
+
+const serverResults = [];
+const clientResults = [];
+
+const server = tls.createServer(serverOptions, function(c) {
+ serverResults.push(c.servername);
+});
+
+server.addContext('a.example.com', SNIContexts['a.example.com']);
+server.addContext('*.test.com', SNIContexts['asterisk.test.com']);
+server.addContext('chain.example.com', SNIContexts['chain.example.com']);
+
+server.listen(0, startTest);
+
+function startTest() {
+ let i = 0;
+ function start() {
+ // No options left
+ if (i === clientsOptions.length)
+ return server.close();
+
+ const options = clientsOptions[i++];
+ options.port = server.address().port;
+ const client = tls.connect(options, function() {
+ clientResults.push(
+ client.authorizationError &&
+ /Hostname\/IP doesn't/.test(client.authorizationError));
+ client.destroy();
+
+ // Continue
+ start();
+ });
+ }
+
+ start();
+}
+
+process.on('exit', function() {
+ assert.deepStrictEqual(serverResults, [
+ 'a.example.com', 'b.test.com', 'a.b.test.com', 'c.wrong.com',
+ 'chain.example.com'
+ ]);
+ assert.deepStrictEqual(clientResults, [true, true, false, false, true]);
+});
diff --git a/test/disabled/test-tls-socket-close.js b/test/disabled/test-tls-socket-close.js
new file mode 100644
index 0000000..f9a77bf
--- /dev/null
+++ b/test/disabled/test-tls-socket-close.js
@@ -0,0 +1,67 @@
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const assert = require('assert');
+const tls = require('tls');
+const fs = require('fs');
+const net = require('net');
+
+const key = fs.readFileSync(`${common.fixturesDir}/keys/agent2-key.pem`);
+const cert = fs.readFileSync(`${common.fixturesDir}/keys/agent2-cert.pem`);
+
+let tlsSocket;
+// tls server
+const tlsServer = tls.createServer({ cert, key }, (socket) => {
+ tlsSocket = socket;
+ socket.on('error', common.mustCall((error) => {
+ assert.strictEqual(error.code, 'EINVAL');
+ tlsServer.close();
+ netServer.close();
+ }));
+});
+
+let netSocket;
+// plain tcp server
+const netServer = net.createServer((socket) => {
+ // if client wants to use tls
+ tlsServer.emit('connection', socket);
+
+ netSocket = socket;
+}).listen(0, common.mustCall(function() {
+ connectClient(netServer);
+}));
+
+function connectClient(server) {
+ const tlsConnection = tls.connect({
+ host: 'localhost',
+ port: server.address().port,
+ rejectUnauthorized: false
+ });
+
+ tlsConnection.write('foo', 'utf8', common.mustCall(() => {
+ assert(netSocket);
+ netSocket.setTimeout(1, common.mustCall(() => {
+ assert(tlsSocket);
+ // this breaks if TLSSocket is already managing the socket:
+ netSocket.destroy();
+ const interval = setInterval(() => {
+ // Checking this way allows us to do the write at a time that causes a
+ // segmentation fault (not always, but often) in Node.js 7.7.3 and
+ // earlier. If we instead, for example, wait on the `close` event, then
+ // it will not segmentation fault, which is what this test is all about.
+ if (tlsSocket._handle._parent.bytesRead === 0) {
+ tlsSocket.write('bar');
+ clearInterval(interval);
+ }
+ }, 1);
+ }));
+ }));
+ tlsConnection.on('error', (e) => {
+ // Tolerate the occasional ECONNRESET.
+ // Ref: https://github.com/nodejs/node/issues/13184
+ if (e.code !== 'ECONNRESET')
+ throw e;
+ });
+}
diff --git a/test/disabled/test-tls-socket-default-options.js b/test/disabled/test-tls-socket-default-options.js
new file mode 100644
index 0000000..66f2689
--- /dev/null
+++ b/test/disabled/test-tls-socket-default-options.js
@@ -0,0 +1,67 @@
+'use strict';
+const common = require('../common');
+
+// Test directly created TLS sockets and options.
+
+const assert = require('assert');
+const join = require('path').join;
+const {
+ connect, keys, tls
+} = require(join(common.fixturesDir, 'tls-connect'));
+
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+test(undefined, (err) => {
+ assert.strictEqual(err.message, 'unable to verify the first certificate');
+});
+
+test({}, (err) => {
+ assert.strictEqual(err.message, 'unable to verify the first certificate');
+});
+
+test({secureContext: tls.createSecureContext({ca: keys.agent1.ca})}, (err) => {
+ assert.ifError(err);
+});
+
+test({ca: keys.agent1.ca}, (err) => {
+ assert.ifError(err);
+});
+
+// Secure context options, like ca, are ignored if a sec ctx is explicitly
+// provided.
+test({secureContext: tls.createSecureContext(), ca: keys.agent1.ca}, (err) => {
+ assert.strictEqual(err.message, 'unable to verify the first certificate');
+});
+
+function test(client, callback) {
+ callback = common.mustCall(callback);
+ connect({
+ server: {
+ key: keys.agent1.key,
+ cert: keys.agent1.cert,
+ },
+ }, function(err, pair, cleanup) {
+ assert.strictEqual(err.message, 'unable to verify the first certificate');
+ let recv = '';
+ pair.server.server.once('secureConnection', common.mustCall((conn) => {
+ conn.on('data', (data) => recv += data);
+ conn.on('end', common.mustCall(() => {
+ // Server sees nothing wrong with connection, even though the client's
+ // authentication of the server cert failed.
+ assert.strictEqual(recv, 'hello');
+ cleanup();
+ }));
+ }));
+
+ // Client doesn't support the 'secureConnect' event, and doesn't error if
+ // authentication failed. Caller must explicitly check for failure.
+ (new tls.TLSSocket(null, client)).connect(pair.server.server.address().port)
+ .on('connect', common.mustCall(function() {
+ this.end('hello');
+ }))
+ .on('secure', common.mustCall(function() {
+ callback(this.ssl.verifyError());
+ }));
+ });
+}
diff --git a/test/disabled/test-tls-socket-destroy.js b/test/disabled/test-tls-socket-destroy.js
new file mode 100644
index 0000000..b101a87
--- /dev/null
+++ b/test/disabled/test-tls-socket-destroy.js
@@ -0,0 +1,34 @@
+'use strict';
+
+const common = require('../common');
+
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const fs = require('fs');
+const net = require('net');
+const tls = require('tls');
+
+const key = fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`);
+const cert = fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`);
+const secureContext = tls.createSecureContext({ key, cert });
+
+const server = net.createServer(common.mustCall((conn) => {
+ const options = { isServer: true, secureContext, server };
+ const socket = new tls.TLSSocket(conn, options);
+ socket.once('data', common.mustCall(() => {
+ socket._destroySSL(); // Should not crash.
+ server.close();
+ }));
+}));
+
+server.listen(0, function() {
+ const options = {
+ port: this.address().port,
+ rejectUnauthorized: false,
+ };
+ tls.connect(options, function() {
+ this.write('*'.repeat(1 << 20)); // Write more data than fits in a frame.
+ this.on('error', this.destroy); // Server closes connection on us.
+ });
+});
diff --git a/test/disabled/test-tls-socket-failed-handshake-emits-error.js b/test/disabled/test-tls-socket-failed-handshake-emits-error.js
new file mode 100644
index 0000000..16175b8
--- /dev/null
+++ b/test/disabled/test-tls-socket-failed-handshake-emits-error.js
@@ -0,0 +1,37 @@
+'use strict';
+const common = require('../common');
+
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const tls = require('tls');
+const net = require('net');
+const assert = require('assert');
+
+const bonkers = Buffer.alloc(1024, 42);
+
+const server = net.createServer(function(c) {
+ setTimeout(function() {
+ const s = new tls.TLSSocket(c, {
+ isServer: true,
+ server: server
+ });
+
+ s.on('error', common.mustCall(function(e) {
+ assert.ok(e instanceof Error,
+ 'Instance of Error should be passed to error handler');
+ assert.ok(
+ /SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol/.test(e.message),
+ 'Expecting SSL unknown protocol');
+ }));
+
+ s.on('close', function() {
+ server.close();
+ s.destroy();
+ });
+ }, common.platformTimeout(200));
+}).listen(0, function() {
+ const c = net.connect({port: this.address().port}, function() {
+ c.write(bonkers);
+ });
+});
diff --git a/test/disabled/test-tls-startcom-wosign-whitelist.js b/test/disabled/test-tls-startcom-wosign-whitelist.js
new file mode 100644
index 0000000..92d595e
--- /dev/null
+++ b/test/disabled/test-tls-startcom-wosign-whitelist.js
@@ -0,0 +1,89 @@
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const assert = require('assert');
+const fs = require('fs');
+const path = require('path');
+const tls = require('tls');
+
+let finished = 0;
+
+function filenamePEM(n) {
+ return path.join(common.fixturesDir, 'keys', `${n}.pem`);
+}
+
+function loadPEM(n) {
+ return fs.readFileSync(filenamePEM(n));
+}
+
+const testCases = [
+ { // agent8 is signed by fake-startcom-root with notBefore of
+ // Oct 20 23:59:59 2016 GMT. It passes StartCom/WoSign check.
+ serverOpts: {
+ key: loadPEM('agent8-key'),
+ cert: loadPEM('agent8-cert')
+ },
+ clientOpts: {
+ ca: loadPEM('fake-startcom-root-cert'),
+ port: undefined,
+ rejectUnauthorized: true
+ },
+ errorCode: 'CERT_OK'
+ },
+ { // agent9 is signed by fake-startcom-root with notBefore of
+ // Oct 21 00:00:01 2016 GMT. It fails StartCom/WoSign check.
+ serverOpts: {
+ key: loadPEM('agent9-key'),
+ cert: loadPEM('agent9-cert')
+ },
+ clientOpts: {
+ ca: loadPEM('fake-startcom-root-cert'),
+ port: undefined,
+ rejectUnauthorized: true
+ },
+ errorCode: 'CERT_REVOKED'
+ }
+];
+
+
+function runNextTest(server, tindex) {
+ server.close(function() {
+ finished++;
+ runTest(tindex + 1);
+ });
+}
+
+
+function runTest(tindex) {
+ const tcase = testCases[tindex];
+
+ if (!tcase) return;
+
+ const server = tls.createServer(tcase.serverOpts, function(s) {
+ s.resume();
+ }).listen(0, function() {
+ tcase.clientOpts.port = this.address().port;
+ const client = tls.connect(tcase.clientOpts);
+ client.on('error', function(e) {
+ assert.strictEqual(e.code, tcase.errorCode);
+ runNextTest(server, tindex);
+ });
+
+ client.on('secureConnect', function() {
+ // agent8 can pass StartCom/WoSign check so that the secureConnect
+ // is established.
+ assert.strictEqual(tcase.errorCode, 'CERT_OK');
+ client.end();
+ runNextTest(server, tindex);
+ });
+ });
+}
+
+
+runTest(0);
+
+process.on('exit', function() {
+ assert.strictEqual(finished, testCases.length);
+});
diff --git a/test/disabled/test-tls-starttls-server.js b/test/disabled/test-tls-starttls-server.js
new file mode 100644
index 0000000..28d1db8
--- /dev/null
+++ b/test/disabled/test-tls-starttls-server.js
@@ -0,0 +1,51 @@
+'use strict';
+
+// Test asynchronous SNI+OCSP on TLSSocket created with `server` set to
+// `net.Server` instead of `tls.Server`
+
+const common = require('../common');
+
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const assert = require('assert');
+const fs = require('fs');
+const net = require('net');
+const tls = require('tls');
+
+const key = fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`);
+const cert = fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`);
+
+const server = net.createServer(common.mustCall((s) => {
+ const tlsSocket = new tls.TLSSocket(s, {
+ isServer: true,
+ server: server,
+
+ secureContext: tls.createSecureContext({
+ key: key,
+ cert: cert
+ }),
+
+ SNICallback: common.mustCall((hostname, callback) => {
+ assert.strictEqual(hostname, 'test.test');
+
+ callback(null, null);
+ })
+ });
+
+ tlsSocket.on('secure', common.mustCall(() => {
+ tlsSocket.end();
+ server.close();
+ }));
+})).listen(0, () => {
+ const opts = {
+ servername: 'test.test',
+ port: server.address().port,
+ rejectUnauthorized: false,
+ requestOCSP: true
+ };
+
+ tls.connect(opts, function() {
+ this.end();
+ });
+});
diff --git a/test/disabled/test-tls-ticket-cluster.js b/test/disabled/test-tls-ticket-cluster.js
new file mode 100644
index 0000000..49c4c34
--- /dev/null
+++ b/test/disabled/test-tls-ticket-cluster.js
@@ -0,0 +1,108 @@
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const assert = require('assert');
+const tls = require('tls');
+const cluster = require('cluster');
+const fs = require('fs');
+const join = require('path').join;
+
+const workerCount = 4;
+const expectedReqCount = 16;
+
+if (cluster.isMaster) {
+ let reusedCount = 0;
+ let reqCount = 0;
+ let lastSession = null;
+ let shootOnce = false;
+ let workerPort = null;
+
+ function shoot() {
+ console.error('[master] connecting', workerPort);
+ const c = tls.connect(workerPort, {
+ session: lastSession,
+ rejectUnauthorized: false
+ }, function() {
+ lastSession = c.getSession();
+ c.end();
+
+ if (++reqCount === expectedReqCount) {
+ Object.keys(cluster.workers).forEach(function(id) {
+ cluster.workers[id].send('die');
+ });
+ } else {
+ shoot();
+ }
+ });
+ }
+
+ function fork() {
+ const worker = cluster.fork();
+ worker.on('message', function({ msg, port }) {
+ console.error('[master] got %j', msg);
+ if (msg === 'reused') {
+ ++reusedCount;
+ } else if (msg === 'listening' && !shootOnce) {
+ workerPort = port || workerPort;
+ shootOnce = true;
+ shoot();
+ }
+ });
+
+ worker.on('exit', function() {
+ console.error('[master] worker died');
+ });
+ }
+ for (let i = 0; i < workerCount; i++) {
+ fork();
+ }
+
+ process.on('exit', function() {
+ assert.strictEqual(reqCount, expectedReqCount);
+ assert.strictEqual(reusedCount + 1, reqCount);
+ });
+ return;
+}
+
+const keyFile = join(common.fixturesDir, 'agent.key');
+const certFile = join(common.fixturesDir, 'agent.crt');
+const key = fs.readFileSync(keyFile);
+const cert = fs.readFileSync(certFile);
+const options = {
+ key: key,
+ cert: cert
+};
+
+const server = tls.createServer(options, function(c) {
+ if (c.isSessionReused()) {
+ process.send({ msg: 'reused' });
+ } else {
+ process.send({ msg: 'not-reused' });
+ }
+ c.end();
+});
+
+server.listen(0, function() {
+ const { port } = server.address();
+ process.send({
+ msg: 'listening',
+ port,
+ });
+});
+
+process.on('message', function listener(msg) {
+ console.error('[worker] got %j', msg);
+ if (msg === 'die') {
+ server.close(function() {
+ console.error('[worker] server close');
+
+ process.exit();
+ });
+ }
+});
+
+process.on('exit', function() {
+ console.error('[worker] exit');
+});
diff --git a/test/disabled/test-tls-ticket.js b/test/disabled/test-tls-ticket.js
new file mode 100644
index 0000000..3d6f7a4
--- /dev/null
+++ b/test/disabled/test-tls-ticket.js
@@ -0,0 +1,98 @@
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const assert = require('assert');
+const tls = require('tls');
+const fs = require('fs');
+const net = require('net');
+const crypto = require('crypto');
+
+const keys = crypto.randomBytes(48);
+const serverLog = [];
+const ticketLog = [];
+
+let serverCount = 0;
+function createServer() {
+ const id = serverCount++;
+
+ let counter = 0;
+ let previousKey = null;
+
+ const server = tls.createServer({
+ key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`),
+ cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`),
+ ticketKeys: keys
+ }, function(c) {
+ serverLog.push(id);
+ c.end();
+
+ counter++;
+
+ // Rotate ticket keys
+ if (counter === 1) {
+ previousKey = server.getTicketKeys();
+ server.setTicketKeys(crypto.randomBytes(48));
+ } else if (counter === 2) {
+ server.setTicketKeys(previousKey);
+ } else if (counter === 3) {
+ // Use keys from counter=2
+ } else {
+ throw new Error('UNREACHABLE');
+ }
+ });
+
+ return server;
+}
+
+const naturalServers = [ createServer(), createServer(), createServer() ];
+
+// 3x servers
+const servers = naturalServers.concat(naturalServers).concat(naturalServers);
+
+// Create one TCP server and balance sockets to multiple TLS server instances
+const shared = net.createServer(function(c) {
+ servers.shift().emit('connection', c);
+}).listen(0, function() {
+ start(function() {
+ shared.close();
+ });
+});
+
+function start(callback) {
+ let sess = null;
+ let left = servers.length;
+
+ function connect() {
+ const s = tls.connect(shared.address().port, {
+ session: sess,
+ rejectUnauthorized: false
+ }, function() {
+ sess = sess || s.getSession();
+ ticketLog.push(s.getTLSTicket().toString('hex'));
+ });
+ s.on('close', function() {
+ if (--left === 0)
+ callback();
+ else
+ connect();
+ });
+ }
+
+ connect();
+}
+
+process.on('exit', function() {
+ assert.strictEqual(ticketLog.length, serverLog.length);
+ for (let i = 0; i < naturalServers.length - 1; i++) {
+ assert.notStrictEqual(serverLog[i], serverLog[i + 1]);
+ assert.strictEqual(ticketLog[i], ticketLog[i + 1]);
+
+ // 2nd connection should have different ticket
+ assert.notStrictEqual(ticketLog[i], ticketLog[i + naturalServers.length]);
+
+ // 3rd connection should have the same ticket
+ assert.strictEqual(ticketLog[i], ticketLog[i + naturalServers.length * 2]);
+ }
+});
diff --git a/test/disabled/test-tls-timeout-server-2.js b/test/disabled/test-tls-timeout-server-2.js
new file mode 100644
index 0000000..a462750
--- /dev/null
+++ b/test/disabled/test-tls-timeout-server-2.js
@@ -0,0 +1,29 @@
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const assert = require('assert');
+const tls = require('tls');
+const fs = require('fs');
+
+const options = {
+ key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`),
+ cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`)
+};
+
+const server = tls.createServer(options, common.mustCall(function(cleartext) {
+ const s = cleartext.setTimeout(50, function() {
+ cleartext.destroy();
+ server.close();
+ });
+ assert.ok(s instanceof tls.TLSSocket);
+}));
+
+server.listen(0, common.mustCall(function() {
+ tls.connect({
+ host: '127.0.0.1',
+ port: this.address().port,
+ rejectUnauthorized: false
+ });
+}));
diff --git a/test/disabled/test-tls-timeout-server.js b/test/disabled/test-tls-timeout-server.js
new file mode 100644
index 0000000..b983e2c
--- /dev/null
+++ b/test/disabled/test-tls-timeout-server.js
@@ -0,0 +1,26 @@
+'use strict';
+const common = require('../common');
+
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const tls = require('tls');
+const net = require('net');
+const fs = require('fs');
+
+const options = {
+ key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`),
+ cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`),
+ handshakeTimeout: 50
+};
+
+const server = tls.createServer(options, common.mustNotCall());
+
+server.on('tlsClientError', common.mustCall(function(err, conn) {
+ conn.destroy();
+ server.close();
+}));
+
+server.listen(0, common.mustCall(function() {
+ net.connect({ host: '127.0.0.1', port: this.address().port });
+}));
diff --git a/test/disabled/test-tls-two-cas-one-string.js b/test/disabled/test-tls-two-cas-one-string.js
new file mode 100644
index 0000000..10d626b
--- /dev/null
+++ b/test/disabled/test-tls-two-cas-one-string.js
@@ -0,0 +1,34 @@
+'use strict';
+
+const common = require('../common');
+const tls = require('tls');
+const fs = require('fs');
+
+const ca1 =
+ fs.readFileSync(`${common.fixturesDir}/keys/ca1-cert.pem`, 'utf8');
+const ca2 =
+ fs.readFileSync(`${common.fixturesDir}/keys/ca2-cert.pem`, 'utf8');
+const cert =
+ fs.readFileSync(`${common.fixturesDir}/keys/agent3-cert.pem`, 'utf8');
+const key =
+ fs.readFileSync(`${common.fixturesDir}/keys/agent3-key.pem`, 'utf8');
+
+function test(ca, next) {
+ const server = tls.createServer({ ca, cert, key }, function(conn) {
+ this.close();
+ conn.end();
+ });
+
+ server.addContext('agent3', { ca, cert, key });
+
+ const host = common.localhostIPv4;
+ server.listen(0, host, function() {
+ tls.connect({ servername: 'agent3', host, port: this.address().port, ca });
+ });
+
+ server.once('close', next);
+}
+
+const array = [ca1, ca2];
+const string = `${ca1}\n${ca2}`;
+test(array, () => test(string, () => {}));
diff --git a/test/disabled/test-tls-wrap-no-abort.js b/test/disabled/test-tls-wrap-no-abort.js
new file mode 100644
index 0000000..a64aea0
--- /dev/null
+++ b/test/disabled/test-tls-wrap-no-abort.js
@@ -0,0 +1,8 @@
+'use strict';
+
+require('../common');
+const util = require('util');
+const TLSWrap = process.binding('tls_wrap').TLSWrap;
+
+// This will abort if internal pointer is not set to nullptr.
+util.inspect(new TLSWrap());
diff --git a/test/disabled/test-tls-wrap-timeout.js b/test/disabled/test-tls-wrap-timeout.js
new file mode 100644
index 0000000..b4cff36
--- /dev/null
+++ b/test/disabled/test-tls-wrap-timeout.js
@@ -0,0 +1,53 @@
+'use strict';
+const common = require('../common');
+
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const assert = require('assert');
+const tls = require('tls');
+
+const net = require('net');
+const fs = require('fs');
+
+const options = {
+ key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`),
+ cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`)
+};
+
+const server = tls.createServer(options, common.mustCall((c) => {
+ setImmediate(() => {
+ c.write('hello', () => {
+ setImmediate(() => {
+ c.destroy();
+ server.close();
+ });
+ });
+ });
+}));
+
+let socket;
+let lastIdleStart;
+
+server.listen(0, () => {
+ socket = net.connect(server.address().port, function() {
+ const s = socket.setTimeout(Number.MAX_VALUE, function() {
+ throw new Error('timeout');
+ });
+ assert.ok(s instanceof net.Socket);
+
+ assert.notStrictEqual(socket._idleTimeout, -1);
+ lastIdleStart = socket._idleStart;
+
+ const tsocket = tls.connect({
+ socket: socket,
+ rejectUnauthorized: false
+ });
+ tsocket.resume();
+ });
+});
+
+process.on('exit', () => {
+ assert.strictEqual(socket._idleTimeout, -1);
+ assert(lastIdleStart < socket._idleStart);
+});
diff --git a/test/disabled/test-tls-writewrap-leak.js b/test/disabled/test-tls-writewrap-leak.js
new file mode 100644
index 0000000..bc09044
--- /dev/null
+++ b/test/disabled/test-tls-writewrap-leak.js
@@ -0,0 +1,24 @@
+'use strict';
+const common = require('../common');
+
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const assert = require('assert');
+const net = require('net');
+const tls = require('tls');
+
+const server = net.createServer(common.mustCall((c) => {
+ c.destroy();
+})).listen(0, common.mustCall(() => {
+ const c = tls.connect({ port: server.address().port });
+ c.on('error', () => {
+ // Otherwise `.write()` callback won't be invoked.
+ c.destroyed = false;
+ });
+
+ c.write('hello', common.mustCall((err) => {
+ assert.strictEqual(err.code, 'ECANCELED');
+ server.close();
+ }));
+}));
diff --git a/test/disabled/test-tls-zero-clear-in.js b/test/disabled/test-tls-zero-clear-in.js
new file mode 100644
index 0000000..8192660
--- /dev/null
+++ b/test/disabled/test-tls-zero-clear-in.js
@@ -0,0 +1,41 @@
+'use strict';
+const common = require('../common');
+
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const tls = require('tls');
+
+const fs = require('fs');
+const path = require('path');
+
+const cert = fs.readFileSync(path.join(common.fixturesDir, 'test_cert.pem'));
+const key = fs.readFileSync(path.join(common.fixturesDir, 'test_key.pem'));
+
+const server = tls.createServer({
+ cert: cert,
+ key: key
+}, function(c) {
+ // Nop
+ setTimeout(function() {
+ c.end();
+ server.close();
+ }, 20);
+}).listen(0, common.mustCall(function() {
+ const conn = tls.connect({
+ cert: cert,
+ key: key,
+ rejectUnauthorized: false,
+ port: this.address().port
+ }, function() {
+ setTimeout(function() {
+ conn.destroy();
+ }, 20);
+ });
+
+ // SSL_write() call's return value, when called 0 bytes, should not be
+ // treated as error.
+ conn.end('');
+
+ conn.on('error', common.mustNotCall());
+}));
diff --git a/test/parallel/test-crypto-dh.js b/test/parallel/test-crypto-dh.js
deleted file mode 100644
index 547629e..0000000
--- a/test/parallel/test-crypto-dh.js
+++ /dev/null
@@ -1,319 +0,0 @@
-'use strict';
-const common = require('../common');
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const assert = require('assert');
-const crypto = require('crypto');
-
-const DH_NOT_SUITABLE_GENERATOR = crypto.constants.DH_NOT_SUITABLE_GENERATOR;
-
-// Test Diffie-Hellman with two parties sharing a secret,
-// using various encodings as we go along
-const dh1 = crypto.createDiffieHellman(common.hasFipsCrypto ? 1024 : 256);
-const p1 = dh1.getPrime('buffer');
-const dh2 = crypto.createDiffieHellman(p1, 'buffer');
-let key1 = dh1.generateKeys();
-let key2 = dh2.generateKeys('hex');
-let secret1 = dh1.computeSecret(key2, 'hex', 'base64');
-let secret2 = dh2.computeSecret(key1, 'latin1', 'buffer');
-
-assert.strictEqual(secret2.toString('base64'), secret1);
-assert.strictEqual(dh1.verifyError, 0);
-assert.strictEqual(dh2.verifyError, 0);
-
-const argumentsError =
- /^TypeError: First argument should be number, string or Buffer$/;
-
-assert.throws(() => {
- crypto.createDiffieHellman([0x1, 0x2]);
-}, argumentsError);
-
-assert.throws(() => {
- crypto.createDiffieHellman(() => { });
-}, argumentsError);
-
-assert.throws(() => {
- crypto.createDiffieHellman(/abc/);
-}, argumentsError);
-
-assert.throws(() => {
- crypto.createDiffieHellman({});
-}, argumentsError);
-
-// Create "another dh1" using generated keys from dh1,
-// and compute secret again
-const dh3 = crypto.createDiffieHellman(p1, 'buffer');
-const privkey1 = dh1.getPrivateKey();
-dh3.setPublicKey(key1);
-dh3.setPrivateKey(privkey1);
-
-assert.deepStrictEqual(dh1.getPrime(), dh3.getPrime());
-assert.deepStrictEqual(dh1.getGenerator(), dh3.getGenerator());
-assert.deepStrictEqual(dh1.getPublicKey(), dh3.getPublicKey());
-assert.deepStrictEqual(dh1.getPrivateKey(), dh3.getPrivateKey());
-assert.strictEqual(dh3.verifyError, 0);
-
-const secret3 = dh3.computeSecret(key2, 'hex', 'base64');
-
-assert.strictEqual(secret1, secret3);
-
-const wrongBlockLength =
- new RegExp('^Error: error:0606506D:digital envelope' +
- ' routines:EVP_DecryptFinal_ex:wrong final block length$');
-
-// Run this one twice to make sure that the dh3 clears its error properly
-{
- const c = crypto.createDecipheriv('aes-128-ecb', crypto.randomBytes(16), '');
- assert.throws(() => {
- c.final('utf8');
- }, wrongBlockLength);
-}
-
-{
- const c = crypto.createDecipheriv('aes-128-ecb', crypto.randomBytes(16), '');
- assert.throws(() => {
- c.final('utf8');
- }, wrongBlockLength);
-}
-
-assert.throws(() => {
- dh3.computeSecret('');
-}, /^Error: Supplied key is too small$/);
-
-// Create a shared using a DH group.
-const alice = crypto.createDiffieHellmanGroup('modp5');
-const bob = crypto.createDiffieHellmanGroup('modp5');
-alice.generateKeys();
-bob.generateKeys();
-const aSecret = alice.computeSecret(bob.getPublicKey()).toString('hex');
-const bSecret = bob.computeSecret(alice.getPublicKey()).toString('hex');
-assert.strictEqual(aSecret, bSecret);
-assert.strictEqual(alice.verifyError, DH_NOT_SUITABLE_GENERATOR);
-assert.strictEqual(bob.verifyError, DH_NOT_SUITABLE_GENERATOR);
-
-/* Ensure specific generator (buffer) works as expected.
- * The values below (modp2/modp2buf) are for a 1024 bits long prime from
- * RFC 2412 E.2, see https://tools.ietf.org/html/rfc2412. */
-const modp2 = crypto.createDiffieHellmanGroup('modp2');
-const modp2buf = Buffer.from([
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xc9, 0x0f,
- 0xda, 0xa2, 0x21, 0x68, 0xc2, 0x34, 0xc4, 0xc6, 0x62, 0x8b,
- 0x80, 0xdc, 0x1c, 0xd1, 0x29, 0x02, 0x4e, 0x08, 0x8a, 0x67,
- 0xcc, 0x74, 0x02, 0x0b, 0xbe, 0xa6, 0x3b, 0x13, 0x9b, 0x22,
- 0x51, 0x4a, 0x08, 0x79, 0x8e, 0x34, 0x04, 0xdd, 0xef, 0x95,
- 0x19, 0xb3, 0xcd, 0x3a, 0x43, 0x1b, 0x30, 0x2b, 0x0a, 0x6d,
- 0xf2, 0x5f, 0x14, 0x37, 0x4f, 0xe1, 0x35, 0x6d, 0x6d, 0x51,
- 0xc2, 0x45, 0xe4, 0x85, 0xb5, 0x76, 0x62, 0x5e, 0x7e, 0xc6,
- 0xf4, 0x4c, 0x42, 0xe9, 0xa6, 0x37, 0xed, 0x6b, 0x0b, 0xff,
- 0x5c, 0xb6, 0xf4, 0x06, 0xb7, 0xed, 0xee, 0x38, 0x6b, 0xfb,
- 0x5a, 0x89, 0x9f, 0xa5, 0xae, 0x9f, 0x24, 0x11, 0x7c, 0x4b,
- 0x1f, 0xe6, 0x49, 0x28, 0x66, 0x51, 0xec, 0xe6, 0x53, 0x81,
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
-]);
-const exmodp2 = crypto.createDiffieHellman(modp2buf, Buffer.from([2]));
-modp2.generateKeys();
-exmodp2.generateKeys();
-let modp2Secret = modp2.computeSecret(exmodp2.getPublicKey()).toString('hex');
-const exmodp2Secret = exmodp2.computeSecret(modp2.getPublicKey())
- .toString('hex');
-assert.strictEqual(modp2Secret, exmodp2Secret);
-assert.strictEqual(modp2.verifyError, DH_NOT_SUITABLE_GENERATOR);
-assert.strictEqual(exmodp2.verifyError, DH_NOT_SUITABLE_GENERATOR);
-
-
-// Ensure specific generator (string with encoding) works as expected.
-const exmodp2_2 = crypto.createDiffieHellman(modp2buf, '02', 'hex');
-exmodp2_2.generateKeys();
-modp2Secret = modp2.computeSecret(exmodp2_2.getPublicKey()).toString('hex');
-const exmodp2_2Secret = exmodp2_2.computeSecret(modp2.getPublicKey())
- .toString('hex');
-assert.strictEqual(modp2Secret, exmodp2_2Secret);
-assert.strictEqual(exmodp2_2.verifyError, DH_NOT_SUITABLE_GENERATOR);
-
-
-// Ensure specific generator (string without encoding) works as expected.
-const exmodp2_3 = crypto.createDiffieHellman(modp2buf, '\x02');
-exmodp2_3.generateKeys();
-modp2Secret = modp2.computeSecret(exmodp2_3.getPublicKey()).toString('hex');
-const exmodp2_3Secret = exmodp2_3.computeSecret(modp2.getPublicKey())
- .toString('hex');
-assert.strictEqual(modp2Secret, exmodp2_3Secret);
-assert.strictEqual(exmodp2_3.verifyError, DH_NOT_SUITABLE_GENERATOR);
-
-
-// Ensure specific generator (numeric) works as expected.
-const exmodp2_4 = crypto.createDiffieHellman(modp2buf, 2);
-exmodp2_4.generateKeys();
-modp2Secret = modp2.computeSecret(exmodp2_4.getPublicKey()).toString('hex');
-const exmodp2_4Secret = exmodp2_4.computeSecret(modp2.getPublicKey())
- .toString('hex');
-assert.strictEqual(modp2Secret, exmodp2_4Secret);
-assert.strictEqual(exmodp2_4.verifyError, DH_NOT_SUITABLE_GENERATOR);
-
-
-const p = 'FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74' +
- '020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437' +
- '4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED' +
- 'EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF';
-const bad_dh = crypto.createDiffieHellman(p, 'hex');
-assert.strictEqual(bad_dh.verifyError, DH_NOT_SUITABLE_GENERATOR);
-
-
-const availableCurves = new Set(crypto.getCurves());
-
-// Oakley curves do not clean up ERR stack, it was causing unexpected failure
-// when accessing other OpenSSL APIs afterwards.
-if (availableCurves.has('Oakley-EC2N-3')) {
- crypto.createECDH('Oakley-EC2N-3');
- crypto.createHash('sha256');
-}
-
-// Test ECDH
-if (availableCurves.has('prime256v1') && availableCurves.has('secp256k1')) {
- const ecdh1 = crypto.createECDH('prime256v1');
- const ecdh2 = crypto.createECDH('prime256v1');
- key1 = ecdh1.generateKeys();
- key2 = ecdh2.generateKeys('hex');
- secret1 = ecdh1.computeSecret(key2, 'hex', 'base64');
- secret2 = ecdh2.computeSecret(key1, 'latin1', 'buffer');
-
- assert.strictEqual(secret1, secret2.toString('base64'));
-
- // Point formats
- assert.strictEqual(ecdh1.getPublicKey('buffer', 'uncompressed')[0], 4);
- let firstByte = ecdh1.getPublicKey('buffer', 'compressed')[0];
- assert(firstByte === 2 || firstByte === 3);
- firstByte = ecdh1.getPublicKey('buffer', 'hybrid')[0];
- assert(firstByte === 6 || firstByte === 7);
- // format value should be string
- assert.throws(() => {
- ecdh1.getPublicKey('buffer', 10);
- }, /^TypeError: Bad format: 10$/);
-
- // ECDH should check that point is on curve
- const ecdh3 = crypto.createECDH('secp256k1');
- const key3 = ecdh3.generateKeys();
-
- assert.throws(() => {
- ecdh2.computeSecret(key3, 'latin1', 'buffer');
- }, /^Error: Failed to translate Buffer to a EC_POINT$/);
-
- // ECDH should allow .setPrivateKey()/.setPublicKey()
- const ecdh4 = crypto.createECDH('prime256v1');
-
- ecdh4.setPrivateKey(ecdh1.getPrivateKey());
- ecdh4.setPublicKey(ecdh1.getPublicKey());
-
- assert.throws(() => {
- ecdh4.setPublicKey(ecdh3.getPublicKey());
- }, /^Error: Failed to convert Buffer to EC_POINT$/);
-
- // Verify that we can use ECDH without having to use newly generated keys.
- const ecdh5 = crypto.createECDH('secp256k1');
-
- // Verify errors are thrown when retrieving keys from an uninitialized object.
- assert.throws(() => {
- ecdh5.getPublicKey();
- }, /^Error: Failed to get ECDH public key$/);
-
- assert.throws(() => {
- ecdh5.getPrivateKey();
- }, /^Error: Failed to get ECDH private key$/);
-
- // A valid private key for the secp256k1 curve.
- const cafebabeKey = 'cafebabe'.repeat(8);
- // Associated compressed and uncompressed public keys (points).
- const cafebabePubPtComp =
- '03672a31bfc59d3f04548ec9b7daeeba2f61814e8ccc40448045007f5479f693a3';
- const cafebabePubPtUnComp =
- '04672a31bfc59d3f04548ec9b7daeeba2f61814e8ccc40448045007f5479f693a3' +
- '2e02c7f93d13dc2732b760ca377a5897b9dd41a1c1b29dc0442fdce6d0a04d1d';
- ecdh5.setPrivateKey(cafebabeKey, 'hex');
- assert.strictEqual(ecdh5.getPrivateKey('hex'), cafebabeKey);
- // Show that the public point (key) is generated while setting the
- // private key.
- assert.strictEqual(ecdh5.getPublicKey('hex'), cafebabePubPtUnComp);
-
- // Compressed and uncompressed public points/keys for other party's
- // private key.
- // 0xDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF
- const peerPubPtComp =
- '02c6b754b20826eb925e052ee2c25285b162b51fdca732bcf67e39d647fb6830ae';
- const peerPubPtUnComp =
- '04c6b754b20826eb925e052ee2c25285b162b51fdca732bcf67e39d647fb6830ae' +
- 'b651944a574a362082a77e3f2b5d9223eb54d7f2f76846522bf75f3bedb8178e';
-
- const sharedSecret =
- '1da220b5329bbe8bfd19ceef5a5898593f411a6f12ea40f2a8eead9a5cf59970';
-
- assert.strictEqual(ecdh5.computeSecret(peerPubPtComp, 'hex', 'hex'),
- sharedSecret);
- assert.strictEqual(ecdh5.computeSecret(peerPubPtUnComp, 'hex', 'hex'),
- sharedSecret);
-
- // Verify that we still have the same key pair as before the computation.
- assert.strictEqual(ecdh5.getPrivateKey('hex'), cafebabeKey);
- assert.strictEqual(ecdh5.getPublicKey('hex'), cafebabePubPtUnComp);
-
- // Verify setting and getting compressed and non-compressed serializations.
- ecdh5.setPublicKey(cafebabePubPtComp, 'hex');
- assert.strictEqual(ecdh5.getPublicKey('hex'), cafebabePubPtUnComp);
- assert.strictEqual(ecdh5.getPublicKey('hex', 'compressed'),
- cafebabePubPtComp);
- ecdh5.setPublicKey(cafebabePubPtUnComp, 'hex');
- assert.strictEqual(ecdh5.getPublicKey('hex'), cafebabePubPtUnComp);
- assert.strictEqual(ecdh5.getPublicKey('hex', 'compressed'),
- cafebabePubPtComp);
-
- // Show why allowing the public key to be set on this type
- // does not make sense.
- ecdh5.setPublicKey(peerPubPtComp, 'hex');
- assert.strictEqual(ecdh5.getPublicKey('hex'), peerPubPtUnComp);
- assert.throws(() => {
- // Error because the public key does not match the private key anymore.
- ecdh5.computeSecret(peerPubPtComp, 'hex', 'hex');
- }, /^Error: Invalid key pair$/);
-
- // Set to a valid key to show that later attempts to set an invalid key are
- // rejected.
- ecdh5.setPrivateKey(cafebabeKey, 'hex');
-
- // Some invalid private keys for the secp256k1 curve.
- const errMessage = /^Error: Private key is not valid for specified curve.$/;
- ['0000000000000000000000000000000000000000000000000000000000000000',
- 'FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141',
- 'FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF',
- ].forEach((element) => {
- assert.throws(() => {
- ecdh5.setPrivateKey(element, 'hex');
- }, errMessage);
- // Verify object state did not change.
- assert.strictEqual(ecdh5.getPrivateKey('hex'), cafebabeKey);
- });
-
- // Use of invalid keys was not cleaning up ERR stack, and was causing
- // unexpected failure in subsequent signing operations.
- const ecdh6 = crypto.createECDH('prime256v1');
- const invalidKey = Buffer.alloc(65);
- invalidKey.fill('\0');
- ecdh6.generateKeys();
- assert.throws(() => {
- ecdh6.computeSecret(invalidKey);
- }, /^Error: Failed to translate Buffer to a EC_POINT$/);
- // Check that signing operations are not impacted by the above error.
- const ecPrivateKey =
- '-----BEGIN EC PRIVATE KEY-----\n' +
- 'MHcCAQEEIF+jnWY1D5kbVYDNvxxo/Y+ku2uJPDwS0r/VuPZQrjjVoAoGCCqGSM49\n' +
- 'AwEHoUQDQgAEurOxfSxmqIRYzJVagdZfMMSjRNNhB8i3mXyIMq704m2m52FdfKZ2\n' +
- 'pQhByd5eyj3lgZ7m7jbchtdgyOF8Io/1ng==\n' +
- '-----END EC PRIVATE KEY-----';
- assert.doesNotThrow(() => {
- crypto.createSign('SHA256').sign(ecPrivateKey);
- });
-}
-
-// invalid test: curve argument is undefined
-assert.throws(() => {
- crypto.createECDH();
-}, /^TypeError: "curve" argument should be a string$/);
diff --git a/test/parallel/test-crypto-fips.js b/test/parallel/test-crypto-fips.js
deleted file mode 100644
index e3f49e6..0000000
--- a/test/parallel/test-crypto-fips.js
+++ /dev/null
@@ -1,235 +0,0 @@
-'use strict';
-const common = require('../common');
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const assert = require('assert');
-const spawnSync = require('child_process').spawnSync;
-const path = require('path');
-
-const FIPS_ENABLED = 1;
-const FIPS_DISABLED = 0;
-const FIPS_ERROR_STRING = 'Error: Cannot set FIPS mode';
-const OPTION_ERROR_STRING = 'bad option';
-const CNF_FIPS_ON = path.join(common.fixturesDir, 'openssl_fips_enabled.cnf');
-const CNF_FIPS_OFF = path.join(common.fixturesDir, 'openssl_fips_disabled.cnf');
-let num_children_ok = 0;
-
-function compiledWithFips() {
- return process.config.variables.openssl_fips ? true : false;
-}
-
-function sharedOpenSSL() {
- return process.config.variables.node_shared_openssl;
-}
-
-function addToEnv(newVar, value) {
- const envCopy = {};
- for (const e in process.env) {
- envCopy[e] = process.env[e];
- }
- envCopy[newVar] = value;
- return envCopy;
-}
-
-function testHelper(stream, args, expectedOutput, cmd, env) {
- const fullArgs = args.concat(['-e', `console.log(${cmd})`]);
- const child = spawnSync(process.execPath, fullArgs, {
- cwd: path.dirname(process.execPath),
- env: env
- });
-
- console.error(
- `Spawned child [pid:${child.pid}] with cmd '${cmd}' expect %j with args '${
- args}' OPENSSL_CONF=%j`, expectedOutput, env.OPENSSL_CONF);
-
- function childOk(child) {
- console.error(`Child #${++num_children_ok} [pid:${child.pid}] OK.`);
- }
-
- function responseHandler(buffer, expectedOutput) {
- const response = buffer.toString();
- assert.notStrictEqual(0, response.length);
- if (FIPS_ENABLED !== expectedOutput && FIPS_DISABLED !== expectedOutput) {
- // In the case of expected errors just look for a substring.
- assert.notStrictEqual(-1, response.indexOf(expectedOutput));
- } else {
- // Normal path where we expect either FIPS enabled or disabled.
- assert.strictEqual(expectedOutput, Number(response));
- }
- childOk(child);
- }
-
- responseHandler(child[stream], expectedOutput);
-}
-
-// By default FIPS should be off in both FIPS and non-FIPS builds.
-testHelper(
- 'stdout',
- [],
- FIPS_DISABLED,
- 'require("crypto").fips',
- addToEnv('OPENSSL_CONF', ''));
-
-// --enable-fips should turn FIPS mode on
-testHelper(
- compiledWithFips() ? 'stdout' : 'stderr',
- ['--enable-fips'],
- compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
- 'require("crypto").fips',
- process.env);
-
-//--force-fips should turn FIPS mode on
-testHelper(
- compiledWithFips() ? 'stdout' : 'stderr',
- ['--force-fips'],
- compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
- 'require("crypto").fips',
- process.env);
-
-// If Node was configured using --shared-openssl fips support might be
-// available depending on how OpenSSL was built. If fips support is
-// available the tests that toggle the fips_mode on/off using the config
-// file option will succeed and return 1 instead of 0.
-//
-// Note that this case is different from when calling the fips setter as the
-// configuration file is handled by OpenSSL, so it is not possible for us
-// to try to call the fips setter, to try to detect this situation, as
-// that would throw an error:
-// ("Error: Cannot set FIPS mode in a non-FIPS build.").
-// Due to this uncertanty the following tests are skipped when configured
-// with --shared-openssl.
-if (!sharedOpenSSL()) {
- // OpenSSL config file should be able to turn on FIPS mode
- testHelper(
- 'stdout',
- [`--openssl-config=${CNF_FIPS_ON}`],
- compiledWithFips() ? FIPS_ENABLED : FIPS_DISABLED,
- 'require("crypto").fips',
- process.env);
-
- // OPENSSL_CONF should be able to turn on FIPS mode
- testHelper(
- 'stdout',
- [],
- compiledWithFips() ? FIPS_ENABLED : FIPS_DISABLED,
- 'require("crypto").fips',
- addToEnv('OPENSSL_CONF', CNF_FIPS_ON));
-
- // --openssl-config option should override OPENSSL_CONF
- testHelper(
- 'stdout',
- [`--openssl-config=${CNF_FIPS_ON}`],
- compiledWithFips() ? FIPS_ENABLED : FIPS_DISABLED,
- 'require("crypto").fips',
- addToEnv('OPENSSL_CONF', CNF_FIPS_OFF));
-}
-
-testHelper(
- 'stdout',
- [`--openssl-config=${CNF_FIPS_OFF}`],
- FIPS_DISABLED,
- 'require("crypto").fips',
- addToEnv('OPENSSL_CONF', CNF_FIPS_ON));
-
-// --enable-fips should take precedence over OpenSSL config file
-testHelper(
- compiledWithFips() ? 'stdout' : 'stderr',
- ['--enable-fips', `--openssl-config=${CNF_FIPS_OFF}`],
- compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
- 'require("crypto").fips',
- process.env);
-
-// OPENSSL_CONF should _not_ make a difference to --enable-fips
-testHelper(
- compiledWithFips() ? 'stdout' : 'stderr',
- ['--enable-fips'],
- compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
- 'require("crypto").fips',
- addToEnv('OPENSSL_CONF', CNF_FIPS_OFF));
-
-// --force-fips should take precedence over OpenSSL config file
-testHelper(
- compiledWithFips() ? 'stdout' : 'stderr',
- ['--force-fips', `--openssl-config=${CNF_FIPS_OFF}`],
- compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
- 'require("crypto").fips',
- process.env);
-
-// Using OPENSSL_CONF should not make a difference to --force-fips
-testHelper(
- compiledWithFips() ? 'stdout' : 'stderr',
- ['--force-fips'],
- compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
- 'require("crypto").fips',
- addToEnv('OPENSSL_CONF', CNF_FIPS_OFF));
-
-// setFipsCrypto should be able to turn FIPS mode on
-testHelper(
- compiledWithFips() ? 'stdout' : 'stderr',
- [],
- compiledWithFips() ? FIPS_ENABLED : FIPS_ERROR_STRING,
- '(require("crypto").fips = true,' +
- 'require("crypto").fips)',
- process.env);
-
-// setFipsCrypto should be able to turn FIPS mode on and off
-testHelper(
- compiledWithFips() ? 'stdout' : 'stderr',
- [],
- compiledWithFips() ? FIPS_DISABLED : FIPS_ERROR_STRING,
- '(require("crypto").fips = true,' +
- 'require("crypto").fips = false,' +
- 'require("crypto").fips)',
- process.env);
-
-// setFipsCrypto takes precedence over OpenSSL config file, FIPS on
-testHelper(
- compiledWithFips() ? 'stdout' : 'stderr',
- [`--openssl-config=${CNF_FIPS_OFF}`],
- compiledWithFips() ? FIPS_ENABLED : FIPS_ERROR_STRING,
- '(require("crypto").fips = true,' +
- 'require("crypto").fips)',
- process.env);
-
-// setFipsCrypto takes precedence over OpenSSL config file, FIPS off
-testHelper(
- compiledWithFips() ? 'stdout' : 'stderr',
- [`--openssl-config=${CNF_FIPS_ON}`],
- compiledWithFips() ? FIPS_DISABLED : FIPS_ERROR_STRING,
- '(require("crypto").fips = false,' +
- 'require("crypto").fips)',
- process.env);
-
-// --enable-fips does not prevent use of setFipsCrypto API
-testHelper(
- compiledWithFips() ? 'stdout' : 'stderr',
- ['--enable-fips'],
- compiledWithFips() ? FIPS_DISABLED : OPTION_ERROR_STRING,
- '(require("crypto").fips = false,' +
- 'require("crypto").fips)',
- process.env);
-
-// --force-fips prevents use of setFipsCrypto API
-testHelper(
- 'stderr',
- ['--force-fips'],
- compiledWithFips() ? FIPS_ERROR_STRING : OPTION_ERROR_STRING,
- 'require("crypto").fips = false',
- process.env);
-
-// --force-fips and --enable-fips order does not matter
-testHelper(
- 'stderr',
- ['--force-fips', '--enable-fips'],
- compiledWithFips() ? FIPS_ERROR_STRING : OPTION_ERROR_STRING,
- 'require("crypto").fips = false',
- process.env);
-
-//--enable-fips and --force-fips order does not matter
-testHelper(
- 'stderr',
- ['--enable-fips', '--force-fips'],
- compiledWithFips() ? FIPS_ERROR_STRING : OPTION_ERROR_STRING,
- 'require("crypto").fips = false',
- process.env);
diff --git a/test/parallel/test-tls-0-dns-altname.js b/test/parallel/test-tls-0-dns-altname.js
deleted file mode 100644
index 85ddb7d..0000000
--- a/test/parallel/test-tls-0-dns-altname.js
+++ /dev/null
@@ -1,33 +0,0 @@
-'use strict';
-const common = require('../common');
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-// Check getPeerCertificate can properly handle '\0' for fix CVE-2009-2408.
-
-const assert = require('assert');
-const tls = require('tls');
-const fs = require('fs');
-
-const server = tls.createServer({
- key: fs.readFileSync(`${common.fixturesDir}/0-dns/0-dns-key.pem`),
- cert: fs.readFileSync(`${common.fixturesDir}/0-dns/0-dns-cert.pem`)
-}, function(c) {
- c.once('data', function() {
- c.destroy();
- server.close();
- });
-}).listen(0, common.mustCall(function() {
- const c = tls.connect(this.address().port, {
- rejectUnauthorized: false
- }, common.mustCall(function() {
- const cert = c.getPeerCertificate();
- assert.strictEqual(cert.subjectaltname,
- 'DNS:good.example.org\0.evil.example.com, ' +
- 'DNS:just-another.example.com, ' +
- 'IP Address:8.8.8.8, ' +
- 'IP Address:8.8.4.4, ' +
- 'DNS:last.example.com');
- c.write('ok');
- }));
-}));
diff --git a/test/parallel/test-tls-addca.js b/test/parallel/test-tls-addca.js
deleted file mode 100644
index 7a6f9a7..0000000
--- a/test/parallel/test-tls-addca.js
+++ /dev/null
@@ -1,50 +0,0 @@
-'use strict';
-const common = require('../common');
-
-// Adding a CA certificate to contextWithCert should not also add it to
-// contextWithoutCert. This is tested by trying to connect to a server that
-// depends on that CA using contextWithoutCert.
-
-const join = require('path').join;
-const {
- assert, connect, keys, tls
-} = require(join(common.fixturesDir, 'tls-connect'))();
-
-const contextWithoutCert = tls.createSecureContext({});
-const contextWithCert = tls.createSecureContext({});
-contextWithCert.context.addCACert(keys.agent1.ca);
-
-const serverOptions = {
- key: keys.agent1.key,
- cert: keys.agent1.cert,
-};
-
-const clientOptions = {
- ca: [keys.agent1.ca],
- servername: 'agent1',
- rejectUnauthorized: true,
-};
-
-// This client should fail to connect because it doesn't trust the CA
-// certificate.
-clientOptions.secureContext = contextWithoutCert;
-
-connect({
- client: clientOptions,
- server: serverOptions,
-}, function(err, pair, cleanup) {
- assert(err);
- assert.strictEqual(err.message, 'unable to verify the first certificate');
- cleanup();
-
- // This time it should connect because contextWithCert includes the needed CA
- // certificate.
- clientOptions.secureContext = contextWithCert;
- connect({
- client: clientOptions,
- server: serverOptions,
- }, function(err, pair, cleanup) {
- assert.ifError(err);
- cleanup();
- });
-});
diff --git a/test/parallel/test-tls-alert-handling.js b/test/parallel/test-tls-alert-handling.js
deleted file mode 100644
index 0b34472..0000000
--- a/test/parallel/test-tls-alert-handling.js
+++ /dev/null
@@ -1,78 +0,0 @@
-'use strict';
-const common = require('../common');
-
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-if (!common.opensslCli)
- common.skip('node compiled without OpenSSL CLI.');
-
-const fs = require('fs');
-const net = require('net');
-const path = require('path');
-const tls = require('tls');
-
-function filenamePEM(n) {
- return path.join(common.fixturesDir, 'keys', `${n}.pem`);
-}
-
-function loadPEM(n) {
- return fs.readFileSync(filenamePEM(n));
-}
-
-const opts = {
- key: loadPEM('agent2-key'),
- cert: loadPEM('agent2-cert')
-};
-const max_iter = 20;
-let iter = 0;
-
-const server = tls.createServer(opts, function(s) {
- s.pipe(s);
- s.on('error', function() {
- // ignore error
- });
-});
-
-server.listen(0, function() {
- sendClient();
-});
-
-
-function sendClient() {
- const client = tls.connect(server.address().port, {
- rejectUnauthorized: false
- });
- client.on('data', common.mustCall(function() {
- if (iter++ === 2) sendBADTLSRecord();
- if (iter < max_iter) {
- client.write('a');
- return;
- }
- client.end();
- server.close();
- }, max_iter));
- client.write('a');
- client.on('error', function() {
- // ignore error
- });
- client.on('close', function() {
- server.close();
- });
-}
-
-
-function sendBADTLSRecord() {
- const BAD_RECORD = Buffer.from([0xff, 0xff, 0xff, 0xff, 0xff, 0xff]);
- const socket = net.connect(server.address().port);
- const client = tls.connect({
- socket: socket,
- rejectUnauthorized: false
- }, function() {
- socket.write(BAD_RECORD);
- socket.end();
- });
- client.on('error', function() {
- // ignore error
- });
-}
diff --git a/test/parallel/test-tls-alert.js b/test/parallel/test-tls-alert.js
deleted file mode 100644
index a48002d..0000000
--- a/test/parallel/test-tls-alert.js
+++ /dev/null
@@ -1,50 +0,0 @@
-'use strict';
-const common = require('../common');
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-if (!common.opensslCli)
- common.skip('node compiled without OpenSSL CLI.');
-
-const assert = require('assert');
-const { spawn } = require('child_process');
-const fs = require('fs');
-const path = require('path');
-const tls = require('tls');
-
-let success = false;
-
-function filenamePEM(n) {
- return path.join(common.fixturesDir, 'keys', `${n}.pem`);
-}
-
-function loadPEM(n) {
- return fs.readFileSync(filenamePEM(n));
-}
-
-const server = tls.Server({
- secureProtocol: 'TLSv1_2_server_method',
- key: loadPEM('agent2-key'),
- cert: loadPEM('agent2-cert')
-}, null).listen(0, function() {
- const args = ['s_client', '-quiet', '-tls1_1',
- '-connect', `127.0.0.1:${this.address().port}`];
-
- // for the performance and stability issue in s_client on Windows
- if (common.isWindows)
- args.push('-no_rand_screen');
-
- const client = spawn(common.opensslCli, args);
- let out = '';
- client.stderr.setEncoding('utf8');
- client.stderr.on('data', function(d) {
- out += d;
- if (/SSL alert number 70/.test(out)) {
- success = true;
- server.close();
- }
- });
-});
-process.on('exit', function() {
- assert(success);
-});
diff --git a/test/parallel/test-tls-alpn-server-client.js b/test/parallel/test-tls-alpn-server-client.js
deleted file mode 100644
index 56f925b..0000000
--- a/test/parallel/test-tls-alpn-server-client.js
+++ /dev/null
@@ -1,538 +0,0 @@
-'use strict';
-const common = require('../common');
-
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-if (!process.features.tls_alpn || !process.features.tls_npn) {
- common.skip(
- 'Skipping because node compiled without NPN or ALPN feature of OpenSSL.');
-}
-
-const assert = require('assert');
-const fs = require('fs');
-const path = require('path');
-const tls = require('tls');
-
-function filenamePEM(n) {
- return path.join(common.fixturesDir, 'keys', `${n}.pem`);
-}
-
-function loadPEM(n) {
- return fs.readFileSync(filenamePEM(n));
-}
-
-const serverIP = common.localhostIPv4;
-
-function checkResults(result, expected) {
- assert.strictEqual(result.server.ALPN, expected.server.ALPN);
- assert.strictEqual(result.server.NPN, expected.server.NPN);
- assert.strictEqual(result.client.ALPN, expected.client.ALPN);
- assert.strictEqual(result.client.NPN, expected.client.NPN);
-}
-
-function runTest(clientsOptions, serverOptions, cb) {
- serverOptions.key = loadPEM('agent2-key');
- serverOptions.cert = loadPEM('agent2-cert');
- const results = [];
- let index = 0;
- const server = tls.createServer(serverOptions, function(c) {
- results[index].server = {ALPN: c.alpnProtocol, NPN: c.npnProtocol};
- });
-
- server.listen(0, serverIP, function() {
- connectClient(clientsOptions);
- });
-
- function connectClient(options) {
- const opt = options.shift();
- opt.port = server.address().port;
- opt.host = serverIP;
- opt.rejectUnauthorized = false;
-
- results[index] = {};
- const client = tls.connect(opt, function() {
- results[index].client = {ALPN: client.alpnProtocol,
- NPN: client.npnProtocol};
- client.destroy();
- if (options.length) {
- index++;
- connectClient(options);
- } else {
- server.close();
- cb(results);
- }
- });
- }
-
-}
-
-// Server: ALPN/NPN, Client: ALPN/NPN
-function Test1() {
- const serverOptions = {
- ALPNProtocols: ['a', 'b', 'c'],
- NPNProtocols: ['a', 'b', 'c']
- };
-
- const clientsOptions = [{
- ALPNProtocols: ['a', 'b', 'c'],
- NPNProtocols: ['a', 'b', 'c']
- }, {
- ALPNProtocols: ['c', 'b', 'e'],
- NPNProtocols: ['c', 'b', 'e']
- }, {
- ALPNProtocols: ['first-priority-unsupported', 'x', 'y'],
- NPNProtocols: ['first-priority-unsupported', 'x', 'y']
- }];
-
- runTest(clientsOptions, serverOptions, function(results) {
- // 'a' is selected by ALPN
- checkResults(results[0],
- {server: {ALPN: 'a', NPN: false},
- client: {ALPN: 'a', NPN: undefined}});
- // 'b' is selected by ALPN
- checkResults(results[1],
- {server: {ALPN: 'b', NPN: false},
- client: {ALPN: 'b', NPN: undefined}});
- // nothing is selected by ALPN
- checkResults(results[2],
- {server: {ALPN: false, NPN: 'first-priority-unsupported'},
- client: {ALPN: false, NPN: false}});
- // execute next test
- Test2();
- });
-}
-
-// Server: ALPN/NPN, Client: ALPN
-function Test2() {
- const serverOptions = {
- ALPNProtocols: ['a', 'b', 'c'],
- NPNProtocols: ['a', 'b', 'c']
- };
-
- const clientsOptions = [{
- ALPNProtocols: ['a', 'b', 'c']
- }, {
- ALPNProtocols: ['c', 'b', 'e']
- }, {
- ALPNProtocols: ['first-priority-unsupported', 'x', 'y']
- }];
-
- runTest(clientsOptions, serverOptions, function(results) {
- // 'a' is selected by ALPN
- checkResults(results[0],
- {server: {ALPN: 'a', NPN: false},
- client: {ALPN: 'a', NPN: undefined}});
- // 'b' is selected by ALPN
- checkResults(results[1],
- {server: {ALPN: 'b', NPN: false},
- client: {ALPN: 'b', NPN: undefined}});
- // nothing is selected by ALPN
- checkResults(results[2],
- {server: {ALPN: false, NPN: 'http/1.1'},
- client: {ALPN: false, NPN: false}});
- // execute next test
- Test3();
- });
-}
-
-// Server: ALPN/NPN, Client: NPN
-function Test3() {
- const serverOptions = {
- ALPNProtocols: ['a', 'b', 'c'],
- NPNProtocols: ['a', 'b', 'c']
- };
-
- const clientsOptions = [{
- NPNProtocols: ['a', 'b', 'c']
- }, {
- NPPNProtocols: ['c', 'b', 'e']
- }, {
- NPPNProtocols: ['first-priority-unsupported', 'x', 'y']
- }];
-
- runTest(clientsOptions, serverOptions, function(results) {
- // 'a' is selected by NPN
- checkResults(results[0],
- {server: {ALPN: false, NPN: 'a'},
- client: {ALPN: false, NPN: 'a'}});
- // nothing is selected by ALPN
- checkResults(results[1],
- {server: {ALPN: false, NPN: 'http/1.1'},
- client: {ALPN: false, NPN: false}});
- // nothing is selected by ALPN
- checkResults(results[2],
- {server: {ALPN: false, NPN: 'http/1.1'},
- client: {ALPN: false, NPN: false}});
- // execute next test
- Test4();
- });
-}
-
-// Server: ALPN/NPN, Client: Nothing
-function Test4() {
- const serverOptions = {
- ALPNProtocols: ['a', 'b', 'c'],
- NPNProtocols: ['a', 'b', 'c']
- };
-
- const clientsOptions = [{}, {}, {}];
-
- runTest(clientsOptions, serverOptions, function(results) {
- // nothing is selected by ALPN
- checkResults(results[0],
- {server: {ALPN: false, NPN: 'http/1.1'},
- client: {ALPN: false, NPN: false}});
- // nothing is selected by ALPN
- checkResults(results[1],
- {server: {ALPN: false, NPN: 'http/1.1'},
- client: {ALPN: false, NPN: false}});
- // nothing is selected by ALPN
- checkResults(results[2],
- {server: {ALPN: false, NPN: 'http/1.1'},
- client: {ALPN: false, NPN: false}});
- // execute next test
- Test5();
- });
-}
-
-// Server: ALPN, Client: ALPN/NPN
-function Test5() {
- const serverOptions = {
- ALPNProtocols: ['a', 'b', 'c']
- };
-
- const clientsOptions = [{
- ALPNProtocols: ['a', 'b', 'c'],
- NPNProtocols: ['a', 'b', 'c']
- }, {
- ALPNProtocols: ['c', 'b', 'e'],
- NPNProtocols: ['c', 'b', 'e']
- }, {
- ALPNProtocols: ['first-priority-unsupported', 'x', 'y'],
- NPNProtocols: ['first-priority-unsupported', 'x', 'y']
- }];
-
- runTest(clientsOptions, serverOptions, function(results) {
- // 'a' is selected by ALPN
- checkResults(results[0], {server: {ALPN: 'a', NPN: false},
- client: {ALPN: 'a', NPN: undefined}});
- // 'b' is selected by ALPN
- checkResults(results[1], {server: {ALPN: 'b', NPN: false},
- client: {ALPN: 'b', NPN: undefined}});
- // nothing is selected by ALPN
- checkResults(results[2], {server: {ALPN: false,
- NPN: 'first-priority-unsupported'},
- client: {ALPN: false, NPN: false}});
- // execute next test
- Test6();
- });
-}
-
-// Server: ALPN, Client: ALPN
-function Test6() {
- const serverOptions = {
- ALPNProtocols: ['a', 'b', 'c']
- };
-
- const clientsOptions = [{
- ALPNProtocols: ['a', 'b', 'c']
- }, {
- ALPNProtocols: ['c', 'b', 'e']
- }, {
- ALPNProtocols: ['first-priority-unsupported', 'x', 'y']
- }];
-
- runTest(clientsOptions, serverOptions, function(results) {
- // 'a' is selected by ALPN
- checkResults(results[0], {server: {ALPN: 'a', NPN: false},
- client: {ALPN: 'a', NPN: undefined}});
- // 'b' is selected by ALPN
- checkResults(results[1], {server: {ALPN: 'b', NPN: false},
- client: {ALPN: 'b', NPN: undefined}});
- // nothing is selected by ALPN
- checkResults(results[2], {server: {ALPN: false, NPN: 'http/1.1'},
- client: {ALPN: false, NPN: false}});
- // execute next test
- Test7();
- });
-}
-
-// Server: ALPN, Client: NPN
-function Test7() {
- const serverOptions = {
- ALPNProtocols: ['a', 'b', 'c']
- };
-
- const clientsOptions = [{
- NPNProtocols: ['a', 'b', 'c']
- }, {
- NPNProtocols: ['c', 'b', 'e']
- }, {
- NPNProtocols: ['first-priority-unsupported', 'x', 'y']
- }];
-
- runTest(clientsOptions, serverOptions, function(results) {
- // nothing is selected by ALPN
- checkResults(results[0], {server: {ALPN: false, NPN: 'a'},
- client: {ALPN: false, NPN: false}});
- // nothing is selected by ALPN
- checkResults(results[1], {server: {ALPN: false, NPN: 'c'},
- client: {ALPN: false, NPN: false}});
- // nothing is selected by ALPN
- checkResults(results[2],
- {server: {ALPN: false, NPN: 'first-priority-unsupported'},
- client: {ALPN: false, NPN: false}});
- // execute next test
- Test8();
- });
-}
-
-// Server: ALPN, Client: Nothing
-function Test8() {
- const serverOptions = {
- ALPNProtocols: ['a', 'b', 'c']
- };
-
- const clientsOptions = [{}, {}, {}];
-
- runTest(clientsOptions, serverOptions, function(results) {
- // nothing is selected by ALPN
- checkResults(results[0], {server: {ALPN: false, NPN: 'http/1.1'},
- client: {ALPN: false, NPN: false}});
- // nothing is selected by ALPN
- checkResults(results[1], {server: {ALPN: false, NPN: 'http/1.1'},
- client: {ALPN: false, NPN: false}});
- // nothing is selected by ALPN
- checkResults(results[2],
- {server: {ALPN: false, NPN: 'http/1.1'},
- client: {ALPN: false, NPN: false}});
- // execute next test
- Test9();
- });
-}
-
-// Server: NPN, Client: ALPN/NPN
-function Test9() {
- const serverOptions = {
- NPNProtocols: ['a', 'b', 'c']
- };
-
- const clientsOptions = [{
- ALPNrotocols: ['a', 'b', 'c'],
- NPNProtocols: ['a', 'b', 'c']
- }, {
- ALPNProtocols: ['c', 'b', 'e'],
- NPNProtocols: ['c', 'b', 'e']
- }, {
- ALPNProtocols: ['first-priority-unsupported', 'x', 'y'],
- NPNProtocols: ['first-priority-unsupported', 'x', 'y']
- }];
-
- runTest(clientsOptions, serverOptions, function(results) {
- // 'a' is selected by NPN
- checkResults(results[0], {server: {ALPN: false, NPN: 'a'},
- client: {ALPN: false, NPN: 'a'}});
- // 'b' is selected by NPN
- checkResults(results[1], {server: {ALPN: false, NPN: 'b'},
- client: {ALPN: false, NPN: 'b'}});
- // nothing is selected
- checkResults(results[2],
- {server: {ALPN: false, NPN: 'first-priority-unsupported'},
- client: {ALPN: false, NPN: false}});
- // execute next test
- Test10();
- });
-}
-
-// Server: NPN, Client: ALPN
-function Test10() {
- const serverOptions = {
- NPNProtocols: ['a', 'b', 'c']
- };
-
- const clientsOptions = [{
- ALPNProtocols: ['a', 'b', 'c']
- }, {
- ALPNProtocols: ['c', 'b', 'e']
- }, {
- ALPNProtocols: ['first-priority-unsupported', 'x', 'y']
- }];
-
- runTest(clientsOptions, serverOptions, function(results) {
- // nothing is selected
- checkResults(results[0], {server: {ALPN: false, NPN: 'http/1.1'},
- client: {ALPN: false, NPN: false}});
- // nothing is selected
- checkResults(results[1], {server: {ALPN: false, NPN: 'http/1.1'},
- client: {ALPN: false, NPN: false}});
- // nothing is selected
- checkResults(results[2], {server: {ALPN: false, NPN: 'http/1.1'},
- client: {ALPN: false, NPN: false}});
- // execute next test
- Test11();
- });
-}
-
-// Server: NPN, Client: NPN
-function Test11() {
- const serverOptions = {
- NPNProtocols: ['a', 'b', 'c']
- };
-
- const clientsOptions = [{
- NPNProtocols: ['a', 'b', 'c']
- }, {
- NPNProtocols: ['c', 'b', 'e']
- }, {
- NPNProtocols: ['first-priority-unsupported', 'x', 'y']
- }];
-
- runTest(clientsOptions, serverOptions, function(results) {
- // 'a' is selected by NPN
- checkResults(results[0], {server: {ALPN: false, NPN: 'a'},
- client: {ALPN: false, NPN: 'a'}});
- // 'b' is selected by NPN
- checkResults(results[1], {server: {ALPN: false, NPN: 'b'},
- client: {ALPN: false, NPN: 'b'}});
- // nothing is selected
- checkResults(results[2],
- {server: {ALPN: false, NPN: 'first-priority-unsupported'},
- client: {ALPN: false, NPN: false}});
- // execute next test
- Test12();
- });
-}
-
-// Server: NPN, Client: Nothing
-function Test12() {
- const serverOptions = {
- NPNProtocols: ['a', 'b', 'c']
- };
-
- const clientsOptions = [{}, {}, {}];
-
- runTest(clientsOptions, serverOptions, function(results) {
- // nothing is selected
- checkResults(results[0], {server: {ALPN: false, NPN: 'http/1.1'},
- client: {ALPN: false, NPN: false}});
- // nothing is selected
- checkResults(results[1], {server: {ALPN: false, NPN: 'http/1.1'},
- client: {ALPN: false, NPN: false}});
- // nothing is selected
- checkResults(results[2],
- {server: {ALPN: false, NPN: 'http/1.1'},
- client: {ALPN: false, NPN: false}});
- // execute next test
- Test13();
- });
-}
-
-// Server: Nothing, Client: ALPN/NPN
-function Test13() {
- const serverOptions = {};
-
- const clientsOptions = [{
- ALPNrotocols: ['a', 'b', 'c'],
- NPNProtocols: ['a', 'b', 'c']
- }, {
- ALPNProtocols: ['c', 'b', 'e'],
- NPNProtocols: ['c', 'b', 'e']
- }, {
- ALPNProtocols: ['first-priority-unsupported', 'x', 'y'],
- NPNProtocols: ['first-priority-unsupported', 'x', 'y']
- }];
-
- runTest(clientsOptions, serverOptions, function(results) {
- // nothing is selected
- checkResults(results[0], {server: {ALPN: false, NPN: 'a'},
- client: {ALPN: false, NPN: false}});
- // nothing is selected
- checkResults(results[1], {server: {ALPN: false, NPN: 'c'},
- client: {ALPN: false, NPN: false}});
- // nothing is selected
- checkResults(results[2],
- {server: {ALPN: false, NPN: 'first-priority-unsupported'},
- client: {ALPN: false, NPN: false}});
- // execute next test
- Test14();
- });
-}
-
-// Server: Nothing, Client: ALPN
-function Test14() {
- const serverOptions = {};
-
- const clientsOptions = [{
- ALPNrotocols: ['a', 'b', 'c']
- }, {
- ALPNProtocols: ['c', 'b', 'e']
- }, {
- ALPNProtocols: ['first-priority-unsupported', 'x', 'y']
- }];
-
- runTest(clientsOptions, serverOptions, function(results) {
- // nothing is selected
- checkResults(results[0], {server: {ALPN: false, NPN: 'http/1.1'},
- client: {ALPN: false, NPN: false}});
- // nothing is selected
- checkResults(results[1], {server: {ALPN: false, NPN: 'http/1.1'},
- client: {ALPN: false, NPN: false}});
- // nothing is selected
- checkResults(results[2],
- {server: {ALPN: false, NPN: 'http/1.1'},
- client: {ALPN: false, NPN: false}});
- // execute next test
- Test15();
- });
-}
-
-// Server: Nothing, Client: NPN
-function Test15() {
- const serverOptions = {};
-
- const clientsOptions = [{
- NPNProtocols: ['a', 'b', 'c']
- }, {
- NPNProtocols: ['c', 'b', 'e']
- }, {
- NPNProtocols: ['first-priority-unsupported', 'x', 'y']
- }];
-
- runTest(clientsOptions, serverOptions, function(results) {
- // nothing is selected
- checkResults(results[0], {server: {ALPN: false, NPN: 'a'},
- client: {ALPN: false, NPN: false}});
- // nothing is selected
- checkResults(results[1], {server: {ALPN: false, NPN: 'c'},
- client: {ALPN: false, NPN: false}});
- // nothing is selected
- checkResults(results[2],
- {server: {ALPN: false, NPN: 'first-priority-unsupported'},
- client: {ALPN: false, NPN: false}});
- // execute next test
- Test16();
- });
-}
-
-// Server: Nothing, Client: Nothing
-function Test16() {
- const serverOptions = {};
-
- const clientsOptions = [{}, {}, {}];
-
- runTest(clientsOptions, serverOptions, function(results) {
- // nothing is selected
- checkResults(results[0], {server: {ALPN: false, NPN: 'http/1.1'},
- client: {ALPN: false, NPN: false}});
- // nothing is selected
- checkResults(results[1], {server: {ALPN: false, NPN: 'http/1.1'},
- client: {ALPN: false, NPN: false}});
- // nothing is selected
- checkResults(results[2],
- {server: {ALPN: false, NPN: 'http/1.1'},
- client: {ALPN: false, NPN: false}});
- });
-}
-
-Test1();
diff --git a/test/parallel/test-tls-async-cb-after-socket-end.js b/test/parallel/test-tls-async-cb-after-socket-end.js
deleted file mode 100644
index a49b44d..0000000
--- a/test/parallel/test-tls-async-cb-after-socket-end.js
+++ /dev/null
@@ -1,70 +0,0 @@
-'use strict';
-
-const common = require('../common');
-
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const path = require('path');
-const fs = require('fs');
-const SSL_OP_NO_TICKET = require('crypto').constants.SSL_OP_NO_TICKET;
-
-const tls = require('tls');
-
-const options = {
- secureOptions: SSL_OP_NO_TICKET,
- key: fs.readFileSync(path.join(common.fixturesDir, 'test_key.pem')),
- cert: fs.readFileSync(path.join(common.fixturesDir, 'test_cert.pem'))
-};
-
-const server = tls.createServer(options, function(c) {
-});
-
-let sessionCb = null;
-let client = null;
-
-server.on('newSession', function(key, session, done) {
- done();
-});
-
-server.on('resumeSession', function(id, cb) {
- sessionCb = cb;
-
- next();
-});
-
-server.listen(0, function() {
- const clientOpts = {
- port: this.address().port,
- rejectUnauthorized: false,
- session: false
- };
-
- const s1 = tls.connect(clientOpts, function() {
- clientOpts.session = s1.getSession();
- console.log('1st secure');
-
- s1.destroy();
- const s2 = tls.connect(clientOpts, function(s) {
- console.log('2nd secure');
-
- s2.destroy();
- }).on('connect', function() {
- console.log('2nd connected');
- client = s2;
-
- next();
- });
- });
-});
-
-function next() {
- if (!client || !sessionCb)
- return;
-
- client.destroy();
- setTimeout(function() {
- sessionCb();
- server.close();
- }, 100);
-}
diff --git a/test/parallel/test-tls-basic-validations.js b/test/parallel/test-tls-basic-validations.js
deleted file mode 100644
index d6c20ea..0000000
--- a/test/parallel/test-tls-basic-validations.js
+++ /dev/null
@@ -1,53 +0,0 @@
-'use strict';
-
-require('../common');
-const assert = require('assert');
-const tls = require('tls');
-
-assert.throws(() => tls.createSecureContext({ciphers: 1}),
- /TypeError: Ciphers must be a string/);
-
-assert.throws(() => tls.createServer({ciphers: 1}),
- /TypeError: Ciphers must be a string/);
-
-assert.throws(() => tls.createSecureContext({key: 'dummykey', passphrase: 1}),
- /TypeError: Pass phrase must be a string/);
-
-assert.throws(() => tls.createServer({key: 'dummykey', passphrase: 1}),
- /TypeError: Pass phrase must be a string/);
-
-assert.throws(() => tls.createServer({ecdhCurve: 1}),
- /TypeError: ECDH curve name must be a string/);
-
-assert.throws(() => tls.createServer({handshakeTimeout: 'abcd'}),
- /TypeError: handshakeTimeout must be a number/);
-
-assert.throws(() => tls.createServer({sessionTimeout: 'abcd'}),
- /TypeError: Session timeout must be a 32-bit integer/);
-
-assert.throws(() => tls.createServer({ticketKeys: 'abcd'}),
- /TypeError: Ticket keys must be a buffer/);
-
-assert.throws(() => tls.createServer({ticketKeys: Buffer.alloc(0)}),
- /TypeError: Ticket keys length must be 48 bytes/);
-
-assert.throws(() => tls.createSecurePair({}),
- /Error: First argument must be a tls module SecureContext/);
-
-{
- const buffer = Buffer.from('abcd');
- const out = {};
- tls.convertALPNProtocols(buffer, out);
- out.ALPNProtocols.write('efgh');
- assert(buffer.equals(Buffer.from('abcd')));
- assert(out.ALPNProtocols.equals(Buffer.from('efgh')));
-}
-
-{
- const buffer = Buffer.from('abcd');
- const out = {};
- tls.convertNPNProtocols(buffer, out);
- out.NPNProtocols.write('efgh');
- assert(buffer.equals(Buffer.from('abcd')));
- assert(out.NPNProtocols.equals(Buffer.from('efgh')));
-}
diff --git a/test/parallel/test-tls-ca-concat.js b/test/parallel/test-tls-ca-concat.js
deleted file mode 100644
index 8fa83a4..0000000
--- a/test/parallel/test-tls-ca-concat.js
+++ /dev/null
@@ -1,24 +0,0 @@
-'use strict';
-const common = require('../common');
-
-// Check ca option can contain concatenated certs by prepending an unrelated
-// non-CA cert and showing that agent6's CA root is still found.
-
-const join = require('path').join;
-const {
- assert, connect, keys
-} = require(join(common.fixturesDir, 'tls-connect'))();
-
-connect({
- client: {
- checkServerIdentity: (servername, cert) => { },
- ca: `${keys.agent1.cert}\n${keys.agent6.ca}`,
- },
- server: {
- cert: keys.agent6.cert,
- key: keys.agent6.key,
- },
-}, function(err, pair, cleanup) {
- assert.ifError(err);
- return cleanup();
-});
diff --git a/test/parallel/test-tls-cert-chains-concat.js b/test/parallel/test-tls-cert-chains-concat.js
deleted file mode 100644
index d53edef..0000000
--- a/test/parallel/test-tls-cert-chains-concat.js
+++ /dev/null
@@ -1,50 +0,0 @@
-'use strict';
-const common = require('../common');
-
-// Check cert chain is received by client, and is completed with the ca cert
-// known to the client.
-
-const join = require('path').join;
-const {
- assert, connect, debug, keys
-} = require(join(common.fixturesDir, 'tls-connect'))();
-
-// agent6-cert.pem includes cert for agent6 and ca3
-connect({
- client: {
- checkServerIdentity: (servername, cert) => { },
- ca: keys.agent6.ca,
- },
- server: {
- cert: keys.agent6.cert,
- key: keys.agent6.key,
- },
-}, function(err, pair, cleanup) {
- assert.ifError(err);
-
- const peer = pair.client.conn.getPeerCertificate();
- debug('peer:\n', peer);
- assert.strictEqual(peer.subject.emailAddress, 'adam.lippai@tresorit.com');
- assert.strictEqual(peer.subject.CN, 'Ádám Lippai'),
- assert.strictEqual(peer.issuer.CN, 'ca3');
- assert.strictEqual(peer.serialNumber, 'C4CD893EF9A75DCC');
-
- const next = pair.client.conn.getPeerCertificate(true).issuerCertificate;
- const root = next.issuerCertificate;
- delete next.issuerCertificate;
- debug('next:\n', next);
- assert.strictEqual(next.subject.CN, 'ca3');
- assert.strictEqual(next.issuer.CN, 'ca1');
- assert.strictEqual(next.serialNumber, '9A84ABCFB8A72ABF');
-
- debug('root:\n', root);
- assert.strictEqual(root.subject.CN, 'ca1');
- assert.strictEqual(root.issuer.CN, 'ca1');
- assert.strictEqual(root.serialNumber, '8DF21C01468AF393');
-
- // No client cert, so empty object returned.
- assert.deepStrictEqual(pair.server.conn.getPeerCertificate(), {});
- assert.deepStrictEqual(pair.server.conn.getPeerCertificate(true), {});
-
- return cleanup();
-});
diff --git a/test/parallel/test-tls-cert-chains-in-ca.js b/test/parallel/test-tls-cert-chains-in-ca.js
deleted file mode 100644
index 69f62c3..0000000
--- a/test/parallel/test-tls-cert-chains-in-ca.js
+++ /dev/null
@@ -1,46 +0,0 @@
-'use strict';
-const common = require('../common');
-
-// Check cert chain is received by client, and is completed with the ca cert
-// known to the client.
-
-const join = require('path').join;
-const {
- assert, connect, debug, keys
-} = require(join(common.fixturesDir, 'tls-connect'))();
-
-
-// agent6-cert.pem includes cert for agent6 and ca3, split it apart and
-// provide ca3 in the .ca property.
-const agent6Chain = keys.agent6.cert.split('-----END CERTIFICATE-----')
- .map((c) => { return c + '-----END CERTIFICATE-----'; });
-const agent6End = agent6Chain[0];
-const agent6Middle = agent6Chain[1];
-connect({
- client: {
- checkServerIdentity: (servername, cert) => { },
- ca: keys.agent6.ca,
- },
- server: {
- cert: agent6End,
- key: keys.agent6.key,
- ca: agent6Middle,
- },
-}, function(err, pair, cleanup) {
- assert.ifError(err);
-
- const peer = pair.client.conn.getPeerCertificate();
- debug('peer:\n', peer);
- assert.strictEqual(peer.serialNumber, 'C4CD893EF9A75DCC');
-
- const next = pair.client.conn.getPeerCertificate(true).issuerCertificate;
- const root = next.issuerCertificate;
- delete next.issuerCertificate;
- debug('next:\n', next);
- assert.strictEqual(next.serialNumber, '9A84ABCFB8A72ABF');
-
- debug('root:\n', root);
- assert.strictEqual(root.serialNumber, '8DF21C01468AF393');
-
- return cleanup();
-});
diff --git a/test/parallel/test-tls-cert-regression.js b/test/parallel/test-tls-cert-regression.js
deleted file mode 100644
index 20cfff5..0000000
--- a/test/parallel/test-tls-cert-regression.js
+++ /dev/null
@@ -1,45 +0,0 @@
-'use strict';
-const common = require('../common');
-
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const tls = require('tls');
-
-
-const cert =
-`-----BEGIN CERTIFICATE-----
-MIIBfjCCASgCCQDmmNjAojbDQjANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJB
-VTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0
-cyBQdHkgTHRkMCAXDTE0MDExNjE3NTMxM1oYDzIyODcxMDMxMTc1MzEzWjBFMQsw
-CQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJu
-ZXQgV2lkZ2l0cyBQdHkgTHRkMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAPKwlfMX
-6HGZIt1xm7fna72eWcOYfUfSxSugghvqYgJt2Oi3lH+wsU1O9FzRIVmpeIjDXhbp
-Mjsa1HtzSiccPXsCAwEAATANBgkqhkiG9w0BAQUFAANBAHOoKy0NkyfiYH7Ne5ka
-uvCyndyeB4d24FlfqEUlkfaWCZlNKRaV9YhLDiEg3BcIreFo4brtKQfZzTRs0GVm
-KHg=
------END CERTIFICATE-----`;
-
-const key =
-`-----BEGIN RSA PRIVATE KEY-----
-MIIBPQIBAAJBAPKwlfMX6HGZIt1xm7fna72eWcOYfUfSxSugghvqYgJt2Oi3lH+w
-sU1O9FzRIVmpeIjDXhbpMjsa1HtzSiccPXsCAwEAAQJBAM4uU9aJE0OfdE1p/X+K
-LrCT3XMdFCJ24GgmHyOURtwDy18upQJecDVdcZp16fjtOPmaW95GoYRyifB3R4I5
-RxECIQD7jRM9slCSVV8xp9kOJQNpHjhRQYVGBn+pyllS2sb+RQIhAPb7Y+BIccri
-NWnuhwCW8hA7Fkj/kaBdAwyW7L3Tvui/AiEAiqLCovMecre4Yi6GcsQ1b/6mvSmm
-IOS+AT6zIfXPTB0CIQCJKGR3ymN/Qw5crL1GQ41cHCQtF9ickOq/lBUW+j976wIh
-AOaJnkQrmurlRdePX6LvN/LgGAQoxwovfjcOYNnZsIVY
------END RSA PRIVATE KEY-----`;
-
-function test(cert, key, cb) {
- const server = tls.createServer({
- cert: cert,
- key: key
- }).listen(0, function() {
- server.close(cb);
- });
-}
-
-test(cert, key, common.mustCall(function() {
- test(Buffer.from(cert), Buffer.from(key), common.mustCall());
-}));
diff --git a/test/parallel/test-tls-check-server-identity.js b/test/parallel/test-tls-check-server-identity.js
deleted file mode 100644
index 0cc55d6..0000000
--- a/test/parallel/test-tls-check-server-identity.js
+++ /dev/null
@@ -1,260 +0,0 @@
-'use strict';
-const common = require('../common');
-
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const assert = require('assert');
-const util = require('util');
-
-const tls = require('tls');
-
-const tests = [
- // False-y values.
- {
- host: false,
- cert: { subject: { CN: 'a.com' } },
- error: 'Host: false. is not cert\'s CN: a.com'
- },
- {
- host: null,
- cert: { subject: { CN: 'a.com' } },
- error: 'Host: null. is not cert\'s CN: a.com'
- },
- {
- host: undefined,
- cert: { subject: { CN: 'a.com' } },
- error: 'Host: undefined. is not cert\'s CN: a.com'
- },
-
- // Basic CN handling
- { host: 'a.com', cert: { subject: { CN: 'a.com' } } },
- { host: 'a.com', cert: { subject: { CN: 'A.COM' } } },
- {
- host: 'a.com',
- cert: { subject: { CN: 'b.com' } },
- error: 'Host: a.com. is not cert\'s CN: b.com'
- },
- { host: 'a.com', cert: { subject: { CN: 'a.com.' } } },
- {
- host: 'a.com',
- cert: { subject: { CN: '.a.com' } },
- error: 'Host: a.com. is not cert\'s CN: .a.com'
- },
-
- // Wildcards in CN
- { host: 'b.a.com', cert: { subject: { CN: '*.a.com' } } },
- {
- host: 'ba.com',
- cert: { subject: { CN: '*.a.com' } },
- error: 'Host: ba.com. is not cert\'s CN: *.a.com'
- },
- {
- host: '\n.b.com',
- cert: { subject: { CN: '*n.b.com' } },
- error: 'Host: \n.b.com. is not cert\'s CN: *n.b.com'
- },
- { host: 'b.a.com', cert: {
- subjectaltname: 'DNS:omg.com',
- subject: { CN: '*.a.com' } },
- error: 'Host: b.a.com. is not in the cert\'s altnames: ' +
- 'DNS:omg.com'
- },
- {
- host: 'b.a.com',
- cert: { subject: { CN: 'b*b.a.com' } },
- error: 'Host: b.a.com. is not cert\'s CN: b*b.a.com'
- },
-
- // Empty Cert
- {
- host: 'a.com',
- cert: { },
- error: 'Cert is empty'
- },
-
- // Multiple CN fields
- {
- host: 'foo.com', cert: {
- subject: { CN: ['foo.com', 'bar.com'] } // CN=foo.com; CN=bar.com;
- }
- },
-
- // DNS names and CN
- {
- host: 'a.com', cert: {
- subjectaltname: 'DNS:*',
- subject: { CN: 'b.com' }
- },
- error: 'Host: a.com. is not in the cert\'s altnames: ' +
- 'DNS:*'
- },
- {
- host: 'a.com', cert: {
- subjectaltname: 'DNS:*.com',
- subject: { CN: 'b.com' }
- },
- error: 'Host: a.com. is not in the cert\'s altnames: ' +
- 'DNS:*.com'
- },
- {
- host: 'a.co.uk', cert: {
- subjectaltname: 'DNS:*.co.uk',
- subject: { CN: 'b.com' }
- }
- },
- {
- host: 'a.com', cert: {
- subjectaltname: 'DNS:*.a.com',
- subject: { CN: 'a.com' }
- },
- error: 'Host: a.com. is not in the cert\'s altnames: ' +
- 'DNS:*.a.com'
- },
- {
- host: 'a.com', cert: {
- subjectaltname: 'DNS:*.a.com',
- subject: { CN: 'b.com' }
- },
- error: 'Host: a.com. is not in the cert\'s altnames: ' +
- 'DNS:*.a.com'
- },
- {
- host: 'a.com', cert: {
- subjectaltname: 'DNS:a.com',
- subject: { CN: 'b.com' }
- }
- },
- {
- host: 'a.com', cert: {
- subjectaltname: 'DNS:A.COM',
- subject: { CN: 'b.com' }
- }
- },
-
- // DNS names
- {
- host: 'a.com', cert: {
- subjectaltname: 'DNS:*.a.com',
- subject: {}
- },
- error: 'Host: a.com. is not in the cert\'s altnames: ' +
- 'DNS:*.a.com'
- },
- {
- host: 'b.a.com', cert: {
- subjectaltname: 'DNS:*.a.com',
- subject: {}
- }
- },
- {
- host: 'c.b.a.com', cert: {
- subjectaltname: 'DNS:*.a.com',
- subject: {}
- },
- error: 'Host: c.b.a.com. is not in the cert\'s altnames: ' +
- 'DNS:*.a.com'
- },
- {
- host: 'b.a.com', cert: {
- subjectaltname: 'DNS:*b.a.com',
- subject: {}
- }
- },
- {
- host: 'a-cb.a.com', cert: {
- subjectaltname: 'DNS:*b.a.com',
- subject: {}
- }
- },
- {
- host: 'a.b.a.com', cert: {
- subjectaltname: 'DNS:*b.a.com',
- subject: {}
- },
- error: 'Host: a.b.a.com. is not in the cert\'s altnames: ' +
- 'DNS:*b.a.com'
- },
- // Mutliple DNS names
- {
- host: 'a.b.a.com', cert: {
- subjectaltname: 'DNS:*b.a.com, DNS:a.b.a.com',
- subject: {}
- }
- },
- // URI names
- {
- host: 'a.b.a.com', cert: {
- subjectaltname: 'URI:http://a.b.a.com/',
- subject: {}
- }
- },
- {
- host: 'a.b.a.com', cert: {
- subjectaltname: 'URI:http://*.b.a.com/',
- subject: {}
- },
- error: 'Host: a.b.a.com. is not in the cert\'s altnames: ' +
- 'URI:http://*.b.a.com/'
- },
- // IP addresses
- {
- host: 'a.b.a.com', cert: {
- subjectaltname: 'IP Address:127.0.0.1',
- subject: {}
- },
- error: 'Host: a.b.a.com. is not in the cert\'s altnames: ' +
- 'IP Address:127.0.0.1'
- },
- {
- host: '127.0.0.1', cert: {
- subjectaltname: 'IP Address:127.0.0.1',
- subject: {}
- }
- },
- {
- host: '127.0.0.2', cert: {
- subjectaltname: 'IP Address:127.0.0.1',
- subject: {}
- },
- error: 'IP: 127.0.0.2 is not in the cert\'s list: ' +
- '127.0.0.1'
- },
- {
- host: '127.0.0.1', cert: {
- subjectaltname: 'DNS:a.com',
- subject: {}
- },
- error: 'IP: 127.0.0.1 is not in the cert\'s list: '
- },
- {
- host: 'localhost', cert: {
- subjectaltname: 'DNS:a.com',
- subject: { CN: 'localhost' }
- },
- error: 'Host: localhost. is not in the cert\'s altnames: ' +
- 'DNS:a.com'
- },
- // IDNA
- {
- host: 'xn--bcher-kva.example.com',
- cert: { subject: { CN: '*.example.com' } },
- },
- // RFC 6125, section 6.4.3: "[...] the client SHOULD NOT attempt to match
- // a presented identifier where the wildcard character is embedded within
- // an A-label [...]"
- {
- host: 'xn--bcher-kva.example.com',
- cert: { subject: { CN: 'xn--*.example.com' } },
- error: 'Host: xn--bcher-kva.example.com. is not cert\'s CN: ' +
- 'xn--*.example.com',
- },
-];
-
-tests.forEach(function(test, i) {
- const err = tls.checkServerIdentity(test.host, test.cert);
- assert.strictEqual(err && err.reason,
- test.error,
- `Test# ${i} failed: ${util.inspect(test)} \n` +
- `${test.error} != ${(err && err.reason)}`);
-});
diff --git a/test/parallel/test-tls-cipher-list.js b/test/parallel/test-tls-cipher-list.js
deleted file mode 100644
index 4a39ee9..0000000
--- a/test/parallel/test-tls-cipher-list.js
+++ /dev/null
@@ -1,30 +0,0 @@
-'use strict';
-const common = require('../common');
-
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const assert = require('assert');
-const spawn = require('child_process').spawn;
-const defaultCoreList = require('crypto').constants.defaultCoreCipherList;
-
-function doCheck(arg, check) {
- let out = '';
- arg = arg.concat([
- '-pe',
- 'require("crypto").constants.defaultCipherList'
- ]);
- spawn(process.execPath, arg, {})
- .on('error', common.mustNotCall())
- .stdout.on('data', function(chunk) {
- out += chunk;
- }).on('end', function() {
- assert.strictEqual(out.trim(), check);
- }).on('error', common.mustNotCall());
-}
-
-// test the default unmodified version
-doCheck([], defaultCoreList);
-
-// test the command line switch by itself
-doCheck(['--tls-cipher-list=ABC'], 'ABC');
diff --git a/test/parallel/test-tls-client-abort.js b/test/parallel/test-tls-client-abort.js
deleted file mode 100644
index 4216e34..0000000
--- a/test/parallel/test-tls-client-abort.js
+++ /dev/null
@@ -1,19 +0,0 @@
-'use strict';
-const common = require('../common');
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const assert = require('assert');
-const tls = require('tls');
-const fs = require('fs');
-const path = require('path');
-
-const cert = fs.readFileSync(path.join(common.fixturesDir, 'test_cert.pem'));
-const key = fs.readFileSync(path.join(common.fixturesDir, 'test_key.pem'));
-
-const conn = tls.connect({cert, key, port: 0}, common.mustNotCall());
-conn.on('error', function() {
-});
-assert.doesNotThrow(function() {
- conn.destroy();
-});
diff --git a/test/parallel/test-tls-client-abort2.js b/test/parallel/test-tls-client-abort2.js
deleted file mode 100644
index f3d84a5..0000000
--- a/test/parallel/test-tls-client-abort2.js
+++ /dev/null
@@ -1,14 +0,0 @@
-'use strict';
-const common = require('../common');
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const assert = require('assert');
-const tls = require('tls');
-
-const conn = tls.connect(0, common.mustNotCall());
-conn.on('error', common.mustCall(function() {
- assert.doesNotThrow(function() {
- conn.destroy();
- });
-}));
diff --git a/test/parallel/test-tls-client-default-ciphers.js b/test/parallel/test-tls-client-default-ciphers.js
deleted file mode 100644
index 91a0a86..0000000
--- a/test/parallel/test-tls-client-default-ciphers.js
+++ /dev/null
@@ -1,26 +0,0 @@
-'use strict';
-const common = require('../common');
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const assert = require('assert');
-const tls = require('tls');
-
-function Done() {}
-
-function test1() {
- let ciphers = '';
-
- tls.createSecureContext = function(options) {
- ciphers = options.ciphers;
- throw new Done();
- };
-
- try {
- tls.connect(common.PORT);
- } catch (e) {
- assert(e instanceof Done);
- }
- assert.strictEqual(ciphers, tls.DEFAULT_CIPHERS);
-}
-test1();
diff --git a/test/parallel/test-tls-client-destroy-soon.js b/test/parallel/test-tls-client-destroy-soon.js
deleted file mode 100644
index 94a4956..0000000
--- a/test/parallel/test-tls-client-destroy-soon.js
+++ /dev/null
@@ -1,46 +0,0 @@
-'use strict';
-// Create an ssl server. First connection, validate that not resume.
-// Cache session and close connection. Use session on second connection.
-// ASSERT resumption.
-
-const common = require('../common');
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const assert = require('assert');
-const tls = require('tls');
-const fs = require('fs');
-
-const options = {
- key: fs.readFileSync(`${common.fixturesDir}/keys/agent2-key.pem`),
- cert: fs.readFileSync(`${common.fixturesDir}/keys/agent2-cert.pem`)
-};
-
-const big = Buffer.alloc(2 * 1024 * 1024, 'Y');
-
-// create server
-const server = tls.createServer(options, common.mustCall(function(socket) {
- socket.end(big);
- socket.destroySoon();
-}));
-
-// start listening
-server.listen(0, common.mustCall(function() {
- const client = tls.connect({
- port: this.address().port,
- rejectUnauthorized: false
- }, common.mustCall(function() {
- let bytesRead = 0;
-
- client.on('readable', function() {
- const d = client.read();
- if (d)
- bytesRead += d.length;
- });
-
- client.on('end', common.mustCall(function() {
- server.close();
- assert.strictEqual(big.length, bytesRead);
- }));
- }));
-}));
diff --git a/test/parallel/test-tls-client-getephemeralkeyinfo.js b/test/parallel/test-tls-client-getephemeralkeyinfo.js
deleted file mode 100644
index 7d93dcb..0000000
--- a/test/parallel/test-tls-client-getephemeralkeyinfo.js
+++ /dev/null
@@ -1,96 +0,0 @@
-'use strict';
-const common = require('../common');
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const assert = require('assert');
-const tls = require('tls');
-const fs = require('fs');
-
-const key = fs.readFileSync(`${common.fixturesDir}/keys/agent2-key.pem`);
-const cert = fs.readFileSync(`${common.fixturesDir}/keys/agent2-cert.pem`);
-
-let ntests = 0;
-let nsuccess = 0;
-
-function loadDHParam(n) {
- let path = common.fixturesDir;
- if (n !== 'error') path += '/keys';
- return fs.readFileSync(`${path}/dh${n}.pem`);
-}
-
-const cipherlist = {
- 'NOT_PFS': 'AES128-SHA256',
- 'DH': 'DHE-RSA-AES128-GCM-SHA256',
- 'ECDH': 'ECDHE-RSA-AES128-GCM-SHA256'
-};
-
-function test(size, type, name, next) {
- const cipher = type ? cipherlist[type] : cipherlist['NOT_PFS'];
-
- if (name) tls.DEFAULT_ECDH_CURVE = name;
-
- const options = {
- key: key,
- cert: cert,
- ciphers: cipher
- };
-
- if (type === 'DH') options.dhparam = loadDHParam(size);
-
- const server = tls.createServer(options, function(conn) {
- assert.strictEqual(conn.getEphemeralKeyInfo(), null);
- conn.end();
- });
-
- server.on('close', common.mustCall(function(err) {
- assert(!err);
- if (next) next();
- }));
-
- server.listen(0, '127.0.0.1', common.mustCall(function() {
- const client = tls.connect({
- port: this.address().port,
- rejectUnauthorized: false
- }, function() {
- const ekeyinfo = client.getEphemeralKeyInfo();
- assert.strictEqual(ekeyinfo.type, type);
- assert.strictEqual(ekeyinfo.size, size);
- assert.strictEqual(ekeyinfo.name, name);
- nsuccess++;
- server.close();
- });
- }));
-}
-
-function testNOT_PFS() {
- test(undefined, undefined, undefined, testDHE1024);
- ntests++;
-}
-
-function testDHE1024() {
- test(1024, 'DH', undefined, testDHE2048);
- ntests++;
-}
-
-function testDHE2048() {
- test(2048, 'DH', undefined, testECDHE256);
- ntests++;
-}
-
-function testECDHE256() {
- test(256, 'ECDH', tls.DEFAULT_ECDH_CURVE, testECDHE512);
- ntests++;
-}
-
-function testECDHE512() {
- test(521, 'ECDH', 'secp521r1', null);
- ntests++;
-}
-
-testNOT_PFS();
-
-process.on('exit', function() {
- assert.strictEqual(ntests, nsuccess);
- assert.strictEqual(ntests, 5);
-});
diff --git a/test/parallel/test-tls-client-mindhsize.js b/test/parallel/test-tls-client-mindhsize.js
deleted file mode 100644
index 685d790..0000000
--- a/test/parallel/test-tls-client-mindhsize.js
+++ /dev/null
@@ -1,92 +0,0 @@
-'use strict';
-const common = require('../common');
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const assert = require('assert');
-const tls = require('tls');
-const fs = require('fs');
-
-const key = fs.readFileSync(`${common.fixturesDir}/keys/agent2-key.pem`);
-const cert = fs.readFileSync(`${common.fixturesDir}/keys/agent2-cert.pem`);
-
-let nsuccess = 0;
-let nerror = 0;
-
-function loadDHParam(n) {
- let path = common.fixturesDir;
- if (n !== 'error') path += '/keys';
- return fs.readFileSync(`${path}/dh${n}.pem`);
-}
-
-function test(size, err, next) {
- const options = {
- key: key,
- cert: cert,
- dhparam: loadDHParam(size),
- ciphers: 'DHE-RSA-AES128-GCM-SHA256'
- };
-
- const server = tls.createServer(options, function(conn) {
- conn.end();
- });
-
- server.on('close', function(isException) {
- assert(!isException);
- if (next) next();
- });
-
- server.listen(0, '127.0.0.1', function() {
- // client set minimum DH parameter size to 2048 bits so that
- // it fails when it make a connection to the tls server where
- // dhparams is 1024 bits
- const client = tls.connect({
- minDHSize: 2048,
- port: this.address().port,
- rejectUnauthorized: false
- }, function() {
- nsuccess++;
- server.close();
- });
- if (err) {
- client.on('error', function(e) {
- nerror++;
- assert.strictEqual(e.message,
- 'DH parameter size 1024 is less than 2048');
- server.close();
- });
- }
- });
-}
-
-// A client connection fails with an error when a client has an
-// 2048 bits minDHSize option and a server has 1024 bits dhparam
-function testDHE1024() {
- test(1024, true, testDHE2048);
-}
-
-// A client connection successes when a client has an
-// 2048 bits minDHSize option and a server has 2048 bits dhparam
-function testDHE2048() {
- test(2048, false, null);
-}
-
-testDHE1024();
-
-assert.throws(() => test(512, true, common.mustNotCall()),
- /DH parameter is less than 1024 bits/);
-
-let errMessage = /minDHSize is not a positive number/;
-[0, -1, -Infinity, NaN].forEach((minDHSize) => {
- assert.throws(() => tls.connect({ minDHSize }), errMessage);
-});
-
-errMessage = /minDHSize is not a number/;
-[true, false, null, undefined, {}, [], '', '1'].forEach((minDHSize) => {
- assert.throws(() => tls.connect({ minDHSize }), errMessage);
-});
-
-process.on('exit', function() {
- assert.strictEqual(nsuccess, 1);
- assert.strictEqual(nerror, 1);
-});
diff --git a/test/parallel/test-tls-client-reject.js b/test/parallel/test-tls-client-reject.js
deleted file mode 100644
index be3233d..0000000
--- a/test/parallel/test-tls-client-reject.js
+++ /dev/null
@@ -1,61 +0,0 @@
-'use strict';
-const common = require('../common');
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const assert = require('assert');
-const tls = require('tls');
-const fs = require('fs');
-const path = require('path');
-
-const options = {
- key: fs.readFileSync(path.join(common.fixturesDir, 'test_key.pem')),
- cert: fs.readFileSync(path.join(common.fixturesDir, 'test_cert.pem'))
-};
-
-const server = tls.createServer(options, common.mustCall(function(socket) {
- socket.on('data', function(data) {
- console.error(data.toString());
- assert.strictEqual(data.toString(), 'ok');
- });
-}, 3)).listen(0, function() {
- unauthorized();
-});
-
-function unauthorized() {
- const socket = tls.connect({
- port: server.address().port,
- servername: 'localhost',
- rejectUnauthorized: false
- }, common.mustCall(function() {
- assert(!socket.authorized);
- socket.end();
- rejectUnauthorized();
- }));
- socket.on('error', common.mustNotCall());
- socket.write('ok');
-}
-
-function rejectUnauthorized() {
- const socket = tls.connect(server.address().port, {
- servername: 'localhost'
- }, common.mustNotCall());
- socket.on('error', common.mustCall(function(err) {
- console.error(err);
- authorized();
- }));
- socket.write('ng');
-}
-
-function authorized() {
- const socket = tls.connect(server.address().port, {
- ca: [fs.readFileSync(path.join(common.fixturesDir, 'test_cert.pem'))],
- servername: 'localhost'
- }, common.mustCall(function() {
- assert(socket.authorized);
- socket.end();
- server.close();
- }));
- socket.on('error', common.mustNotCall());
- socket.write('ok');
-}
diff --git a/test/parallel/test-tls-client-resume.js b/test/parallel/test-tls-client-resume.js
deleted file mode 100644
index 211d086..0000000
--- a/test/parallel/test-tls-client-resume.js
+++ /dev/null
@@ -1,56 +0,0 @@
-'use strict';
-// Create an ssl server. First connection, validate that not resume.
-// Cache session and close connection. Use session on second connection.
-// ASSERT resumption.
-
-const common = require('../common');
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const assert = require('assert');
-const tls = require('tls');
-const fs = require('fs');
-
-const options = {
- key: fs.readFileSync(`${common.fixturesDir}/keys/agent2-key.pem`),
- cert: fs.readFileSync(`${common.fixturesDir}/keys/agent2-cert.pem`)
-};
-
-// create server
-const server = tls.Server(options, common.mustCall(function(socket) {
- socket.end('Goodbye');
-}, 2));
-
-// start listening
-server.listen(0, function() {
-
- let session1 = null;
- const client1 = tls.connect({
- port: this.address().port,
- rejectUnauthorized: false
- }, function() {
- console.log('connect1');
- assert.ok(!client1.isSessionReused(), 'Session *should not* be reused.');
- session1 = client1.getSession();
- });
-
- client1.on('close', function() {
- console.log('close1');
-
- const opts = {
- port: server.address().port,
- rejectUnauthorized: false,
- session: session1
- };
-
- const client2 = tls.connect(opts, function() {
- console.log('connect2');
- assert.ok(client2.isSessionReused(), 'Session *should* be reused.');
- });
-
- client2.on('close', function() {
- console.log('close2');
- server.close();
- });
- });
-});
diff --git a/test/parallel/test-tls-client-verify.js b/test/parallel/test-tls-client-verify.js
deleted file mode 100644
index 565b391..0000000
--- a/test/parallel/test-tls-client-verify.js
+++ /dev/null
@@ -1,132 +0,0 @@
-'use strict';
-const common = require('../common');
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const assert = require('assert');
-const fs = require('fs');
-const path = require('path');
-const tls = require('tls');
-
-const hosterr = /Hostname\/IP doesn't match certificate's altnames/;
-const testCases =
- [{ ca: ['ca1-cert'],
- key: 'agent2-key',
- cert: 'agent2-cert',
- servers: [
- { ok: true, key: 'agent1-key', cert: 'agent1-cert' },
- { ok: false, key: 'agent2-key', cert: 'agent2-cert' },
- { ok: false, key: 'agent3-key', cert: 'agent3-cert' }
- ]
- },
-
- { ca: [],
- key: 'agent2-key',
- cert: 'agent2-cert',
- servers: [
- { ok: false, key: 'agent1-key', cert: 'agent1-cert' },
- { ok: false, key: 'agent2-key', cert: 'agent2-cert' },
- { ok: false, key: 'agent3-key', cert: 'agent3-cert' }
- ]
- },
-
- { ca: ['ca1-cert', 'ca2-cert'],
- key: 'agent2-key',
- cert: 'agent2-cert',
- servers: [
- { ok: true, key: 'agent1-key', cert: 'agent1-cert' },
- { ok: false, key: 'agent2-key', cert: 'agent2-cert' },
- { ok: true, key: 'agent3-key', cert: 'agent3-cert' }
- ]
- }
- ];
-
-function filenamePEM(n) {
- return path.join(common.fixturesDir, 'keys', `${n}.pem`);
-}
-
-
-function loadPEM(n) {
- return fs.readFileSync(filenamePEM(n));
-}
-
-let successfulTests = 0;
-
-function testServers(index, servers, clientOptions, cb) {
- const serverOptions = servers[index];
- if (!serverOptions) {
- cb();
- return;
- }
-
- const ok = serverOptions.ok;
-
- if (serverOptions.key) {
- serverOptions.key = loadPEM(serverOptions.key);
- }
-
- if (serverOptions.cert) {
- serverOptions.cert = loadPEM(serverOptions.cert);
- }
-
- const server = tls.createServer(serverOptions, common.mustCall(function(s) {
- s.end('hello world\n');
- }));
-
- server.listen(0, common.mustCall(function() {
- let b = '';
-
- console.error('connecting...');
- clientOptions.port = this.address().port;
- const client = tls.connect(clientOptions, common.mustCall(function() {
- const authorized = client.authorized ||
- hosterr.test(client.authorizationError);
-
- console.error(`expected: ${ok} authed: ${authorized}`);
-
- assert.strictEqual(ok, authorized);
- server.close();
- }));
-
- client.on('data', function(d) {
- b += d.toString();
- });
-
- client.on('end', common.mustCall(function() {
- assert.strictEqual('hello world\n', b);
- }));
-
- client.on('close', common.mustCall(function() {
- testServers(index + 1, servers, clientOptions, cb);
- }));
- }));
-}
-
-
-function runTest(testIndex) {
- const tcase = testCases[testIndex];
- if (!tcase) return;
-
- const clientOptions = {
- port: undefined,
- ca: tcase.ca.map(loadPEM),
- key: loadPEM(tcase.key),
- cert: loadPEM(tcase.cert),
- rejectUnauthorized: false
- };
-
-
- testServers(0, tcase.servers, clientOptions, common.mustCall(function() {
- successfulTests++;
- runTest(testIndex + 1);
- }));
-}
-
-
-runTest(0);
-
-
-process.on('exit', function() {
- console.log('successful tests: %d', successfulTests);
- assert.strictEqual(successfulTests, testCases.length);
-});
diff --git a/test/parallel/test-tls-close-error.js b/test/parallel/test-tls-close-error.js
deleted file mode 100644
index e7e48cd..0000000
--- a/test/parallel/test-tls-close-error.js
+++ /dev/null
@@ -1,26 +0,0 @@
-'use strict';
-
-const common = require('../common');
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const assert = require('assert');
-const tls = require('tls');
-const fs = require('fs');
-
-const server = tls.createServer({
- key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`),
- cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`)
-}, function(c) {
-}).listen(0, common.mustCall(function() {
- const c = tls.connect(this.address().port, function() {
- assert(false, 'should not be called');
- });
-
- c.on('error', common.mustCall(function(err) {}));
-
- c.on('close', common.mustCall(function(err) {
- assert.ok(err);
- server.close();
- }));
-}));
diff --git a/test/parallel/test-tls-close-notify.js b/test/parallel/test-tls-close-notify.js
deleted file mode 100644
index 15f9f36..0000000
--- a/test/parallel/test-tls-close-notify.js
+++ /dev/null
@@ -1,27 +0,0 @@
-'use strict';
-const common = require('../common');
-
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const tls = require('tls');
-const fs = require('fs');
-
-const server = tls.createServer({
- key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`),
- cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`)
-}, function(c) {
- // Send close-notify without shutting down TCP socket
- if (c._handle.shutdownSSL() !== 1)
- c._handle.shutdownSSL();
-}).listen(0, common.mustCall(function() {
- const c = tls.connect(this.address().port, {
- rejectUnauthorized: false
- }, common.mustCall(function() {
- // Ensure that we receive 'end' event anyway
- c.on('end', common.mustCall(function() {
- c.destroy();
- server.close();
- }));
- }));
-}));
diff --git a/test/parallel/test-tls-cnnic-whitelist.js b/test/parallel/test-tls-cnnic-whitelist.js
deleted file mode 100644
index 84b71c7..0000000
--- a/test/parallel/test-tls-cnnic-whitelist.js
+++ /dev/null
@@ -1,77 +0,0 @@
-// Flags: --use-bundled-ca
-'use strict';
-const common = require('../common');
-
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const assert = require('assert');
-const fs = require('fs');
-const path = require('path');
-const tls = require('tls');
-
-function filenamePEM(n) {
- return path.join(common.fixturesDir, 'keys', `${n}.pem`);
-}
-
-function loadPEM(n) {
- return fs.readFileSync(filenamePEM(n));
-}
-
-const testCases = [
- { // Test 0: for the check of a cert not existed in the whitelist.
- // agent7-cert.pem is issued by the fake CNNIC root CA so that its
- // hash is not listed in the whitelist.
- // fake-cnnic-root-cert has the same subject name as the original
- // rootCA.
- serverOpts: {
- key: loadPEM('agent7-key'),
- cert: loadPEM('agent7-cert')
- },
- clientOpts: {
- port: undefined,
- rejectUnauthorized: true,
- ca: [loadPEM('fake-cnnic-root-cert')]
- },
- errorCode: 'CERT_REVOKED'
- },
- // Test 1: for the fix of node#2061
- // agent6-cert.pem is signed by intermidate cert of ca3.
- // The server has a cert chain of agent6->ca3->ca1(root) but
- // tls.connect should be failed with an error of
- // UNABLE_TO_GET_ISSUER_CERT_LOCALLY since the root CA of ca1 is not
- // installed locally.
- {
- serverOpts: {
- ca: loadPEM('ca3-key'),
- key: loadPEM('agent6-key'),
- cert: loadPEM('agent6-cert')
- },
- clientOpts: {
- port: undefined,
- rejectUnauthorized: true
- },
- errorCode: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY'
- }
-];
-
-function runTest(tindex) {
- const tcase = testCases[tindex];
-
- if (!tcase) return;
-
- const server = tls.createServer(tcase.serverOpts, (s) => {
- s.resume();
- }).listen(0, common.mustCall(function() {
- tcase.clientOpts = this.address().port;
- const client = tls.connect(tcase.clientOpts);
- client.on('error', common.mustCall((e) => {
- assert.strictEqual(e.code, tcase.errorCode);
- server.close(common.mustCall(() => {
- runTest(tindex + 1);
- }));
- }));
- }));
-}
-
-runTest(0);
diff --git a/test/parallel/test-tls-connect-address-family.js b/test/parallel/test-tls-connect-address-family.js
deleted file mode 100644
index afacd5a..0000000
--- a/test/parallel/test-tls-connect-address-family.js
+++ /dev/null
@@ -1,45 +0,0 @@
-'use strict';
-const common = require('../common');
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-if (!common.hasIPv6)
- common.skip('no IPv6 support');
-
-const assert = require('assert');
-const tls = require('tls');
-const dns = require('dns');
-
-function runTest() {
- const ciphers = 'AECDH-NULL-SHA';
- tls.createServer({ ciphers }, common.mustCall(function() {
- this.close();
- })).listen(0, '::1', common.mustCall(function() {
- const options = {
- host: 'localhost',
- port: this.address().port,
- family: 6,
- ciphers: ciphers,
- rejectUnauthorized: false,
- };
- // Will fail with ECONNREFUSED if the address family is not honored.
- tls.connect(options).once('secureConnect', common.mustCall(function() {
- assert.strictEqual('::1', this.remoteAddress);
- this.destroy();
- }));
- }));
-}
-
-dns.lookup('localhost', {family: 6, all: true}, (err, addresses) => {
- if (err) {
- if (err.code === 'ENOTFOUND')
- common.skip('localhost does not resolve to ::1');
-
- throw err;
- }
-
- if (addresses.some((val) => val.address === '::1'))
- runTest();
- else
- common.skip('localhost does not resolve to ::1');
-});
diff --git a/test/parallel/test-tls-connect-given-socket.js b/test/parallel/test-tls-connect-given-socket.js
deleted file mode 100644
index b69e0b9..0000000
--- a/test/parallel/test-tls-connect-given-socket.js
+++ /dev/null
@@ -1,65 +0,0 @@
-'use strict';
-const common = require('../common');
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const assert = require('assert');
-const tls = require('tls');
-const net = require('net');
-const fs = require('fs');
-const path = require('path');
-
-const options = {
- key: fs.readFileSync(path.join(common.fixturesDir, 'test_key.pem')),
- cert: fs.readFileSync(path.join(common.fixturesDir, 'test_cert.pem'))
-};
-
-const server = tls.createServer(options, common.mustCall((socket) => {
- socket.end('Hello');
-}, 2)).listen(0, common.mustCall(() => {
- let waiting = 2;
- function establish(socket, calls) {
- const client = tls.connect({
- rejectUnauthorized: false,
- socket: socket
- }, common.mustCall(() => {
- let data = '';
- client.on('data', common.mustCall((chunk) => {
- data += chunk.toString();
- }));
- client.on('end', common.mustCall(() => {
- assert.strictEqual(data, 'Hello');
- if (--waiting === 0)
- server.close();
- }));
- }, calls));
- assert(client.readable);
- assert(client.writable);
-
- return client;
- }
-
- const { port } = server.address();
-
- // Immediate death socket
- const immediateDeath = net.connect(port);
- establish(immediateDeath, 0).destroy();
-
- // Outliving
- const outlivingTCP = net.connect(port, common.mustCall(() => {
- outlivingTLS.destroy();
- next();
- }));
- const outlivingTLS = establish(outlivingTCP, 0);
-
- function next() {
- // Already connected socket
- const connected = net.connect(port, common.mustCall(() => {
- establish(connected);
- }));
-
- // Connecting socket
- const connecting = net.connect(port);
- establish(connecting);
- }
-}));
diff --git a/test/parallel/test-tls-connect-no-host.js b/test/parallel/test-tls-connect-no-host.js
deleted file mode 100644
index f63c821..0000000
--- a/test/parallel/test-tls-connect-no-host.js
+++ /dev/null
@@ -1,34 +0,0 @@
-'use strict';
-const common = require('../common');
-
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const tls = require('tls');
-
-const assert = require('assert');
-const fs = require('fs');
-const path = require('path');
-
-const cert = fs.readFileSync(path.join(common.fixturesDir, 'test_cert.pem'));
-const key = fs.readFileSync(path.join(common.fixturesDir, 'test_key.pem'));
-
-// https://github.com/nodejs/node/issues/1489
-// tls.connect(options) with no options.host should accept a cert with
-// CN:'localhost'
-tls.createServer({
- key: key,
- cert: cert
-}).listen(0, function() {
- const socket = tls.connect({
- port: this.address().port,
- ca: cert,
- // No host set here. 'localhost' is the default,
- // but tls.checkServerIdentity() breaks before the fix with:
- // Error: Hostname/IP doesn't match certificate's altnames:
- // "Host: undefined. is not cert's CN: localhost"
- }, function() {
- assert(socket.authorized);
- process.exit();
- });
-});
diff --git a/test/parallel/test-tls-connect-pipe.js b/test/parallel/test-tls-connect-pipe.js
deleted file mode 100644
index 2467a91..0000000
--- a/test/parallel/test-tls-connect-pipe.js
+++ /dev/null
@@ -1,26 +0,0 @@
-'use strict';
-const common = require('../common');
-
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const tls = require('tls');
-
-const fs = require('fs');
-
-const options = {
- key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`),
- cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`)
-};
-
-common.refreshTmpDir();
-
-const server = tls.Server(options, common.mustCall(function(socket) {
- server.close();
-}));
-server.listen(common.PIPE, common.mustCall(function() {
- const options = { rejectUnauthorized: false };
- const client = tls.connect(common.PIPE, options, common.mustCall(function() {
- client.end();
- }));
-}));
diff --git a/test/parallel/test-tls-connect-secure-context.js b/test/parallel/test-tls-connect-secure-context.js
deleted file mode 100644
index d1552a6..0000000
--- a/test/parallel/test-tls-connect-secure-context.js
+++ /dev/null
@@ -1,25 +0,0 @@
-'use strict';
-const common = require('../common');
-
-// Verify connection with explicitly created client SecureContext.
-
-const join = require('path').join;
-const {
- assert, connect, keys, tls
-} = require(join(common.fixturesDir, 'tls-connect'))();
-
-connect({
- client: {
- servername: 'agent1',
- secureContext: tls.createSecureContext({
- ca: keys.agent1.ca,
- }),
- },
- server: {
- cert: keys.agent1.cert,
- key: keys.agent1.key,
- },
-}, function(err, pair, cleanup) {
- assert.ifError(err);
- return cleanup();
-});
diff --git a/test/parallel/test-tls-connect-simple.js b/test/parallel/test-tls-connect-simple.js
deleted file mode 100644
index aa59f05..0000000
--- a/test/parallel/test-tls-connect-simple.js
+++ /dev/null
@@ -1,42 +0,0 @@
-'use strict';
-const common = require('../common');
-
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const tls = require('tls');
-
-const fs = require('fs');
-
-let serverConnected = 0;
-
-const options = {
- key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`),
- cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`)
-};
-
-const server = tls.Server(options, common.mustCall(function(socket) {
- if (++serverConnected === 2) {
- server.close(common.mustCall());
- server.on('close', common.mustCall());
- }
-}, 2));
-
-server.listen(0, function() {
- const client1options = {
- port: this.address().port,
- rejectUnauthorized: false
- };
- const client1 = tls.connect(client1options, common.mustCall(function() {
- client1.end();
- }));
-
- const client2options = {
- port: this.address().port,
- rejectUnauthorized: false
- };
- const client2 = tls.connect(client2options);
- client2.on('secureConnect', common.mustCall(function() {
- client2.end();
- }));
-});
diff --git a/test/parallel/test-tls-connect-stream-writes.js b/test/parallel/test-tls-connect-stream-writes.js
deleted file mode 100644
index 5266d6c..0000000
--- a/test/parallel/test-tls-connect-stream-writes.js
+++ /dev/null
@@ -1,63 +0,0 @@
-'use strict';
-const common = require('../common');
-const assert = require('assert');
-const fs = require('fs');
-const tls = require('tls');
-const stream = require('stream');
-const net = require('net');
-
-const cert_dir = common.fixturesDir;
-const options = { key: fs.readFileSync(`${cert_dir}/test_key.pem`),
- cert: fs.readFileSync(`${cert_dir}/test_cert.pem`),
- ca: [ fs.readFileSync(`${cert_dir}/test_ca.pem`) ],
- ciphers: 'AES256-GCM-SHA384' };
-const content = 'hello world';
-const recv_bufs = [];
-let send_data = '';
-const server = tls.createServer(options, function(s) {
- s.on('data', function(c) {
- recv_bufs.push(c);
- });
-});
-server.listen(0, function() {
- const raw = net.connect(this.address().port);
-
- let pending = false;
- raw.on('readable', function() {
- if (pending)
- p._read();
- });
-
- let p = new stream.Duplex({
- read: function read() {
- pending = false;
-
- const chunk = raw.read();
- if (chunk) {
- this.push(chunk);
- } else {
- pending = true;
- }
- },
- write: function write(data, enc, cb) {
- raw.write(data, enc, cb);
- }
- });
-
- const socket = tls.connect({
- socket: p,
- rejectUnauthorized: false
- }, function() {
- for (let i = 0; i < 50; ++i) {
- socket.write(content);
- send_data += content;
- }
- socket.end();
- server.close();
- });
-});
-
-process.on('exit', function() {
- const recv_data = (Buffer.concat(recv_bufs)).toString();
- assert.strictEqual(send_data, recv_data);
-});
diff --git a/test/parallel/test-tls-connect.js b/test/parallel/test-tls-connect.js
deleted file mode 100644
index b410f86..0000000
--- a/test/parallel/test-tls-connect.js
+++ /dev/null
@@ -1,39 +0,0 @@
-'use strict';
-const common = require('../common');
-const assert = require('assert');
-
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const tls = require('tls');
-const fs = require('fs');
-const path = require('path');
-
-// https://github.com/joyent/node/issues/1218
-// uncatchable exception on TLS connection error
-{
- const cert = fs.readFileSync(path.join(common.fixturesDir, 'test_cert.pem'));
- const key = fs.readFileSync(path.join(common.fixturesDir, 'test_key.pem'));
-
- const options = {cert: cert, key: key, port: common.PORT};
- const conn = tls.connect(options, common.fail);
-
- conn.on('error', common.mustCall());
-}
-
-// SSL_accept/SSL_connect error handling
-{
- const cert = fs.readFileSync(path.join(common.fixturesDir, 'test_cert.pem'));
- const key = fs.readFileSync(path.join(common.fixturesDir, 'test_key.pem'));
-
- const conn = tls.connect({
- cert: cert,
- key: key,
- port: common.PORT,
- ciphers: 'rick-128-roll'
- }, function() {
- assert.ok(false); // callback should never be executed
- });
-
- conn.on('error', common.mustCall());
-}
diff --git a/test/parallel/test-tls-delayed-attach-error.js b/test/parallel/test-tls-delayed-attach-error.js
deleted file mode 100644
index 9d37f15..0000000
--- a/test/parallel/test-tls-delayed-attach-error.js
+++ /dev/null
@@ -1,36 +0,0 @@
-'use strict';
-const common = require('../common');
-
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const tls = require('tls');
-const fs = require('fs');
-const net = require('net');
-
-const bonkers = Buffer.alloc(1024, 42);
-
-const options = {
- key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`),
- cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`)
-};
-
-const server = net.createServer(common.mustCall(function(c) {
- setTimeout(common.mustCall(function() {
- const s = new tls.TLSSocket(c, {
- isServer: true,
- secureContext: tls.createSecureContext(options)
- });
-
- s.on('_tlsError', common.mustCall());
-
- s.on('close', function() {
- server.close();
- s.destroy();
- });
- }), 200);
-})).listen(0, function() {
- const c = net.connect({port: this.address().port}, function() {
- c.write(bonkers);
- });
-});
diff --git a/test/parallel/test-tls-delayed-attach.js b/test/parallel/test-tls-delayed-attach.js
deleted file mode 100644
index 12ebb91..0000000
--- a/test/parallel/test-tls-delayed-attach.js
+++ /dev/null
@@ -1,45 +0,0 @@
-'use strict';
-const common = require('../common');
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const assert = require('assert');
-const tls = require('tls');
-const fs = require('fs');
-const net = require('net');
-
-const sent = 'hello world';
-let received = '';
-
-const options = {
- key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`),
- cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`)
-};
-
-const server = net.createServer(function(c) {
- setTimeout(function() {
- const s = new tls.TLSSocket(c, {
- isServer: true,
- secureContext: tls.createSecureContext(options)
- });
-
- s.on('data', function(chunk) {
- received += chunk;
- });
-
- s.on('end', function() {
- server.close();
- s.destroy();
- });
- }, 200);
-}).listen(0, function() {
- const c = tls.connect(this.address().port, {
- rejectUnauthorized: false
- }, function() {
- c.end(sent);
- });
-});
-
-process.on('exit', function() {
- assert.strictEqual(received, sent);
-});
diff --git a/test/parallel/test-tls-destroy-whilst-write.js b/test/parallel/test-tls-destroy-whilst-write.js
deleted file mode 100644
index d157c7b..0000000
--- a/test/parallel/test-tls-destroy-whilst-write.js
+++ /dev/null
@@ -1,27 +0,0 @@
-'use strict';
-const common = require('../common');
-
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const tls = require('tls');
-const stream = require('stream');
-
-const delay = new stream.Duplex({
- read: function read() {
- },
- write: function write(data, enc, cb) {
- console.log('pending');
- setImmediate(function() {
- console.log('done');
- cb();
- });
- }
-});
-
-const secure = tls.connect({
- socket: delay
-});
-setImmediate(function() {
- secure.destroy();
-});
diff --git a/test/parallel/test-tls-dhe.js b/test/parallel/test-tls-dhe.js
deleted file mode 100644
index 3e43fd2..0000000
--- a/test/parallel/test-tls-dhe.js
+++ /dev/null
@@ -1,96 +0,0 @@
-'use strict';
-const common = require('../common');
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-if (!common.opensslCli)
- common.skip('missing openssl-cli');
-
-const assert = require('assert');
-const tls = require('tls');
-const spawn = require('child_process').spawn;
-const fs = require('fs');
-
-const key = fs.readFileSync(`${common.fixturesDir}/keys/agent2-key.pem`);
-const cert = fs.readFileSync(`${common.fixturesDir}/keys/agent2-cert.pem`);
-let nsuccess = 0;
-let ntests = 0;
-const ciphers = 'DHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
-
-
-function loadDHParam(n) {
- let path = common.fixturesDir;
- if (n !== 'error') path += '/keys';
- return fs.readFileSync(`${path}/dh${n}.pem`);
-}
-
-function test(keylen, expectedCipher, cb) {
- const options = {
- key: key,
- cert: cert,
- ciphers: ciphers,
- dhparam: loadDHParam(keylen)
- };
-
- const server = tls.createServer(options, function(conn) {
- conn.end();
- });
-
- server.on('close', function(err) {
- assert(!err);
- if (cb) cb();
- });
-
- server.listen(0, '127.0.0.1', function() {
- const args = ['s_client', '-connect', `127.0.0.1:${this.address().port}`,
- '-cipher', ciphers];
-
- // for the performance and stability issue in s_client on Windows
- if (common.isWindows)
- args.push('-no_rand_screen');
-
- const client = spawn(common.opensslCli, args);
- let out = '';
- client.stdout.setEncoding('utf8');
- client.stdout.on('data', function(d) {
- out += d;
- });
- client.stdout.on('end', function() {
- // DHE key length can be checked -brief option in s_client but it
- // is only supported in openssl 1.0.2 so we cannot check it.
- const reg = new RegExp(`Cipher : ${expectedCipher}`);
- if (reg.test(out)) {
- nsuccess++;
- server.close();
- }
- });
- });
-}
-
-function test512() {
- assert.throws(function() {
- test(512, 'DHE-RSA-AES128-SHA256', null);
- }, /DH parameter is less than 1024 bits/);
-}
-
-function test1024() {
- test(1024, 'DHE-RSA-AES128-SHA256', test2048);
- ntests++;
-}
-
-function test2048() {
- test(2048, 'DHE-RSA-AES128-SHA256', testError);
- ntests++;
-}
-
-function testError() {
- test('error', 'ECDHE-RSA-AES128-SHA256', test512);
- ntests++;
-}
-
-test1024();
-
-process.on('exit', function() {
- assert.strictEqual(ntests, nsuccess);
- assert.strictEqual(ntests, 3);
-});
diff --git a/test/parallel/test-tls-ecdh-disable.js b/test/parallel/test-tls-ecdh-disable.js
deleted file mode 100644
index a44ce2c..0000000
--- a/test/parallel/test-tls-ecdh-disable.js
+++ /dev/null
@@ -1,37 +0,0 @@
-'use strict';
-const common = require('../common');
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-if (!common.opensslCli)
- common.skip('missing openssl-cli');
-
-const assert = require('assert');
-const tls = require('tls');
-const exec = require('child_process').exec;
-const fs = require('fs');
-
-const options = {
- key: fs.readFileSync(`${common.fixturesDir}/keys/agent2-key.pem`),
- cert: fs.readFileSync(`${common.fixturesDir}/keys/agent2-cert.pem`),
- ciphers: 'ECDHE-RSA-RC4-SHA',
- ecdhCurve: false
-};
-
-const server = tls.createServer(options, common.mustNotCall());
-
-server.listen(0, '127.0.0.1', common.mustCall(function() {
- let cmd = `"${common.opensslCli}" s_client -cipher ${
- options.ciphers} -connect 127.0.0.1:${this.address().port}`;
-
- // for the performance and stability issue in s_client on Windows
- if (common.isWindows)
- cmd += ' -no_rand_screen';
-
- exec(cmd, common.mustCall(function(err, stdout, stderr) {
- // Old versions of openssl will still exit with 0 so we
- // can't just check if err is not null.
- assert(stderr.includes('handshake failure'));
- server.close();
- }));
-}));
diff --git a/test/parallel/test-tls-ecdh.js b/test/parallel/test-tls-ecdh.js
deleted file mode 100644
index 32df9c1..0000000
--- a/test/parallel/test-tls-ecdh.js
+++ /dev/null
@@ -1,42 +0,0 @@
-'use strict';
-const common = require('../common');
-
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-if (!common.opensslCli)
- common.skip('missing openssl-cli');
-
-const assert = require('assert');
-const tls = require('tls');
-
-const exec = require('child_process').exec;
-const fs = require('fs');
-
-const options = {
- key: fs.readFileSync(`${common.fixturesDir}/keys/agent2-key.pem`),
- cert: fs.readFileSync(`${common.fixturesDir}/keys/agent2-cert.pem`),
- ciphers: '-ALL:ECDHE-RSA-AES128-SHA256',
- ecdhCurve: 'prime256v1'
-};
-
-const reply = 'I AM THE WALRUS'; // something recognizable
-
-const server = tls.createServer(options, common.mustCall(function(conn) {
- conn.end(reply);
-}));
-
-server.listen(0, '127.0.0.1', common.mustCall(function() {
- let cmd = `"${common.opensslCli}" s_client -cipher ${
- options.ciphers} -connect 127.0.0.1:${this.address().port}`;
-
- // for the performance and stability issue in s_client on Windows
- if (common.isWindows)
- cmd += ' -no_rand_screen';
-
- exec(cmd, common.mustCall(function(err, stdout, stderr) {
- if (err) throw err;
- assert(stdout.includes(reply));
- server.close();
- }));
-}));
diff --git a/test/parallel/test-tls-econnreset.js b/test/parallel/test-tls-econnreset.js
deleted file mode 100644
index fb3cb2f..0000000
--- a/test/parallel/test-tls-econnreset.js
+++ /dev/null
@@ -1,76 +0,0 @@
-'use strict';
-const common = require('../common');
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const assert = require('assert');
-const tls = require('tls');
-
-const cacert =
-`-----BEGIN CERTIFICATE-----
-MIIBxTCCAX8CAnXnMA0GCSqGSIb3DQEBBQUAMH0xCzAJBgNVBAYTAlVTMQswCQYD
-VQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEZMBcGA1UEChMQU3Ryb25n
-TG9vcCwgSW5jLjESMBAGA1UECxMJU3Ryb25nT3BzMRowGAYDVQQDExFjYS5zdHJv
-bmdsb29wLmNvbTAeFw0xNDAxMTcyMjE1MDdaFw00MTA2MDMyMjE1MDdaMH0xCzAJ
-BgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEZ
-MBcGA1UEChMQU3Ryb25nTG9vcCwgSW5jLjESMBAGA1UECxMJU3Ryb25nT3BzMRow
-GAYDVQQDExFjYS5zdHJvbmdsb29wLmNvbTBMMA0GCSqGSIb3DQEBAQUAAzsAMDgC
-MQDKbQ6rIR5t1q1v4Ha36jrq0IkyUohy9EYNvLnXUly1PGqxby0ILlAVJ8JawpY9
-AVkCAwEAATANBgkqhkiG9w0BAQUFAAMxALA1uS4CqQXRSAyYTfio5oyLGz71a+NM
-+0AFLBwh5AQjhGd0FcenU4OfHxyDEOJT/Q==
------END CERTIFICATE-----`;
-
-const cert =
-`-----BEGIN CERTIFICATE-----
-MIIBfDCCATYCAgQaMA0GCSqGSIb3DQEBBQUAMH0xCzAJBgNVBAYTAlVTMQswCQYD
-VQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEZMBcGA1UEChMQU3Ryb25n
-TG9vcCwgSW5jLjESMBAGA1UECxMJU3Ryb25nT3BzMRowGAYDVQQDExFjYS5zdHJv
-bmdsb29wLmNvbTAeFw0xNDAxMTcyMjE1MDdaFw00MTA2MDMyMjE1MDdaMBkxFzAV
-BgNVBAMTDnN0cm9uZ2xvb3AuY29tMEwwDQYJKoZIhvcNAQEBBQADOwAwOAIxAMfk
-I0LWU15pPUwIQNMnRVhhOibi0TQmAau8FBtgwEfGK01WpfGUaJr1a41K8Uq7xwID
-AQABoxkwFzAVBgNVHREEDjAMhwQAAAAAhwR/AAABMA0GCSqGSIb3DQEBBQUAAzEA
-cGpYrhkrb7mIh9DNhV0qp7pGjqBzlHqB7KQXw2luLDp//6dyHBMexDCQznkhZKRU
------END CERTIFICATE-----`;
-
-const key =
-`-----BEGIN RSA PRIVATE KEY-----
-MIH0AgEAAjEAx+QjQtZTXmk9TAhA0ydFWGE6JuLRNCYBq7wUG2DAR8YrTVal8ZRo
-mvVrjUrxSrvHAgMBAAECMBCGccvSwC2r8Z9Zh1JtirQVxaL1WWpAQfmVwLe0bAgg
-/JWMU/6hS36TsYyZMxwswQIZAPTAfht/zDLb7Hwgu2twsS1Ra9w/yyvtlwIZANET
-26votwJAHK1yUrZGA5nnp5qcmQ/JUQIZAII5YV/UUZvF9D/fUplJ7puENPWNY9bN
-pQIZAMMwxuS3XiO7two2sQF6W+JTYyX1DPCwAQIZAOYg1TvEGT38k8e8jygv8E8w
-YqrWTeQFNQ==
------END RSA PRIVATE KEY-----`;
-
-const ca = [ cert, cacert ];
-
-let clientError = null;
-let connectError = null;
-
-const server =
- tls.createServer({ ca: ca, cert: cert, key: key }, function(conn) {
- throw 'unreachable';
- }).on('tlsClientError', function(err, conn) {
- assert(!clientError && conn);
- clientError = err;
- }).listen(0, function() {
- const options = {
- ciphers: 'AES128-GCM-SHA256',
- port: this.address().port,
- ca: ca
- };
- tls.connect(options).on('error', function(err) {
- assert(!connectError);
-
- connectError = err;
- this.destroy();
- server.close();
- }).write('123');
- });
-
-process.on('exit', function() {
- assert(clientError);
- assert(connectError);
- assert(/socket hang up/.test(clientError.message));
- assert(/ECONNRESET/.test(clientError.code));
-});
diff --git a/test/parallel/test-tls-empty-sni-context.js b/test/parallel/test-tls-empty-sni-context.js
deleted file mode 100644
index 3f39d6e..0000000
--- a/test/parallel/test-tls-empty-sni-context.js
+++ /dev/null
@@ -1,34 +0,0 @@
-'use strict';
-
-const common = require('../common');
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-if (!process.features.tls_sni)
- common.skip('node compiled without OpenSSL or with old OpenSSL version.');
-
-const assert = require('assert');
-const tls = require('tls');
-
-const options = {
- SNICallback: (name, callback) => {
- callback(null, tls.createSecureContext());
- }
-};
-
-const server = tls.createServer(options, (c) => {
- common.fail('Should not be called');
-}).on('tlsClientError', common.mustCall((err, c) => {
- assert(/SSL_use_certificate:passed a null parameter/i.test(err.message));
- server.close();
-})).listen(0, common.mustCall(() => {
- const c = tls.connect({
- port: server.address().port,
- rejectUnauthorized: false,
- servername: 'any.name'
- }, common.mustNotCall());
-
- c.on('error', common.mustCall((err) => {
- assert(/socket hang up/.test(err.message));
- }));
-}));
diff --git a/test/parallel/test-tls-env-bad-extra-ca.js b/test/parallel/test-tls-env-bad-extra-ca.js
deleted file mode 100644
index ece93f3..0000000
--- a/test/parallel/test-tls-env-bad-extra-ca.js
+++ /dev/null
@@ -1,39 +0,0 @@
-// Setting NODE_EXTRA_CA_CERTS to non-existent file emits a warning
-
-'use strict';
-const common = require('../common');
-
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const assert = require('assert');
-const tls = require('tls');
-const fork = require('child_process').fork;
-
-if (process.env.CHILD) {
- // This will try to load the extra CA certs, and emit a warning when it fails.
- return tls.createServer({});
-}
-
-const env = {
- CHILD: 'yes',
- NODE_EXTRA_CA_CERTS: `${common.fixturesDir}/no-such-file-exists`,
-};
-
-const opts = {
- env: env,
- silent: true,
-};
-let stderr = '';
-
-fork(__filename, opts)
- .on('exit', common.mustCall(function(status) {
- assert.strictEqual(status, 0, 'client did not succeed in connecting');
- }))
- .on('close', common.mustCall(function() {
- const re = /Warning: Ignoring extra certs from.*no-such-file-exists.* load failed:.*No such file or directory/;
- assert(re.test(stderr), stderr);
- }))
- .stderr.setEncoding('utf8').on('data', function(str) {
- stderr += str;
- });
diff --git a/test/parallel/test-tls-env-extra-ca.js b/test/parallel/test-tls-env-extra-ca.js
deleted file mode 100644
index be7c826..0000000
--- a/test/parallel/test-tls-env-extra-ca.js
+++ /dev/null
@@ -1,44 +0,0 @@
-// Certs in NODE_EXTRA_CA_CERTS are used for TLS peer validation
-
-'use strict';
-const common = require('../common');
-
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const assert = require('assert');
-const fs = require('fs');
-const tls = require('tls');
-
-const fork = require('child_process').fork;
-
-if (process.env.CHILD) {
- const copts = {
- port: process.env.PORT,
- checkServerIdentity: common.mustCall(),
- };
- const client = tls.connect(copts, common.mustCall(function() {
- client.end('hi');
- }));
- return;
-}
-
-const options = {
- key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`),
- cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`),
-};
-
-const server = tls.createServer(options, common.mustCall(function(s) {
- s.end('bye');
- server.close();
-})).listen(0, common.mustCall(function() {
- const env = {
- CHILD: 'yes',
- PORT: this.address().port,
- NODE_EXTRA_CA_CERTS: `${common.fixturesDir}/keys/ca1-cert.pem`,
- };
-
- fork(__filename, {env: env}).on('exit', common.mustCall(function(status) {
- assert.strictEqual(status, 0, 'client did not succeed in connecting');
- }));
-}));
diff --git a/test/parallel/test-tls-external-accessor.js b/test/parallel/test-tls-external-accessor.js
deleted file mode 100644
index 2d7b1f6..0000000
--- a/test/parallel/test-tls-external-accessor.js
+++ /dev/null
@@ -1,22 +0,0 @@
-'use strict';
-
-const common = require('../common');
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const assert = require('assert');
-const tls = require('tls');
-
-// Ensure accessing ._external doesn't hit an assert in the accessor method.
-{
- const pctx = tls.createSecureContext().context;
- const cctx = Object.create(pctx);
- assert.throws(() => cctx._external, /incompatible receiver/);
- pctx._external;
-}
-{
- const pctx = tls.createSecurePair().credentials.context;
- const cctx = Object.create(pctx);
- assert.throws(() => cctx._external, /incompatible receiver/);
- pctx._external;
-}
diff --git a/test/parallel/test-tls-fast-writing.js b/test/parallel/test-tls-fast-writing.js
deleted file mode 100644
index b8605ca..0000000
--- a/test/parallel/test-tls-fast-writing.js
+++ /dev/null
@@ -1,60 +0,0 @@
-'use strict';
-const common = require('../common');
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const assert = require('assert');
-const tls = require('tls');
-const fs = require('fs');
-
-const dir = common.fixturesDir;
-const options = { key: fs.readFileSync(`${dir}/test_key.pem`),
- cert: fs.readFileSync(`${dir}/test_cert.pem`),
- ca: [ fs.readFileSync(`${dir}/test_ca.pem`) ] };
-
-const server = tls.createServer(options, onconnection);
-let gotChunk = false;
-let gotDrain = false;
-
-setTimeout(function() {
- console.log('not ok - timed out');
- process.exit(1);
-}, common.platformTimeout(1000));
-
-function onconnection(conn) {
- conn.on('data', function(c) {
- if (!gotChunk) {
- gotChunk = true;
- console.log('ok - got chunk');
- }
-
- // just some basic sanity checks.
- assert(c.length);
- assert(Buffer.isBuffer(c));
-
- if (gotDrain)
- process.exit(0);
- });
-}
-
-server.listen(0, function() {
- const chunk = Buffer.alloc(1024, 'x');
- const opt = { port: this.address().port, rejectUnauthorized: false };
- const conn = tls.connect(opt, function() {
- conn.on('drain', ondrain);
- write();
- });
- function ondrain() {
- if (!gotDrain) {
- gotDrain = true;
- console.log('ok - got drain');
- }
- if (gotChunk)
- process.exit(0);
- write();
- }
- function write() {
- // this needs to return false eventually
- while (false !== conn.write(chunk));
- }
-});
diff --git a/test/parallel/test-tls-friendly-error-message.js b/test/parallel/test-tls-friendly-error-message.js
deleted file mode 100644
index 51ce0d0..0000000
--- a/test/parallel/test-tls-friendly-error-message.js
+++ /dev/null
@@ -1,23 +0,0 @@
-'use strict';
-const common = require('../common');
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const assert = require('assert');
-const tls = require('tls');
-const fs = require('fs');
-
-const key = fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`);
-const cert = fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`);
-
-tls.createServer({ key: key, cert: cert }, common.mustCall(function(conn) {
- conn.end();
- this.close();
-})).listen(0, common.mustCall(function() {
- const options = { port: this.address().port, rejectUnauthorized: true };
- tls.connect(options).on('error', common.mustCall(function(err) {
- assert.strictEqual(err.code, 'UNABLE_TO_VERIFY_LEAF_SIGNATURE');
- assert.strictEqual(err.message, 'unable to verify the first certificate');
- this.destroy();
- }));
-}));
diff --git a/test/parallel/test-tls-getcipher.js b/test/parallel/test-tls-getcipher.js
deleted file mode 100644
index dc3ff1b..0000000
--- a/test/parallel/test-tls-getcipher.js
+++ /dev/null
@@ -1,36 +0,0 @@
-'use strict';
-const common = require('../common');
-
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const assert = require('assert');
-const tls = require('tls');
-
-const fs = require('fs');
-const cipher_list = ['AES128-SHA256', 'AES256-SHA256'];
-const cipher_version_pattern = /TLS|SSL/;
-const options = {
- key: fs.readFileSync(`${common.fixturesDir}/keys/agent2-key.pem`),
- cert: fs.readFileSync(`${common.fixturesDir}/keys/agent2-cert.pem`),
- ciphers: cipher_list.join(':'),
- honorCipherOrder: true
-};
-
-const server = tls.createServer(options,
- common.mustCall(function(cleartextStream) {}));
-
-server.listen(0, '127.0.0.1', common.mustCall(function() {
- const client = tls.connect({
- host: '127.0.0.1',
- port: this.address().port,
- ciphers: cipher_list.join(':'),
- rejectUnauthorized: false
- }, common.mustCall(function() {
- const cipher = client.getCipher();
- assert.strictEqual(cipher.name, cipher_list[0]);
- assert(cipher_version_pattern.test(cipher.version));
- client.end();
- server.close();
- }));
-}));
diff --git a/test/parallel/test-tls-getprotocol.js b/test/parallel/test-tls-getprotocol.js
deleted file mode 100644
index dd96aa6..0000000
--- a/test/parallel/test-tls-getprotocol.js
+++ /dev/null
@@ -1,40 +0,0 @@
-'use strict';
-const common = require('../common');
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const assert = require('assert');
-const tls = require('tls');
-const fs = require('fs');
-
-const clientConfigs = [
- { secureProtocol: 'TLSv1_method', version: 'TLSv1' },
- { secureProtocol: 'TLSv1_1_method', version: 'TLSv1.1' },
- { secureProtocol: 'TLSv1_2_method', version: 'TLSv1.2' }
-];
-
-const serverConfig = {
- key: fs.readFileSync(`${common.fixturesDir}/keys/agent2-key.pem`),
- cert: fs.readFileSync(`${common.fixturesDir}/keys/agent2-cert.pem`)
-};
-
-const server = tls.createServer(serverConfig, common.mustCall(function() {
-
-}, clientConfigs.length)).listen(0, common.localhostIPv4, function() {
- let connected = 0;
- clientConfigs.forEach(function(v) {
- tls.connect({
- host: common.localhostIPv4,
- port: server.address().port,
- rejectUnauthorized: false,
- secureProtocol: v.secureProtocol
- }, common.mustCall(function() {
- assert.strictEqual(this.getProtocol(), v.version);
- this.on('end', common.mustCall(function() {
- assert.strictEqual(this.getProtocol(), null);
- })).end();
- if (++connected === clientConfigs.length)
- server.close();
- }));
- });
-});
diff --git a/test/parallel/test-tls-handshake-error.js b/test/parallel/test-tls-handshake-error.js
deleted file mode 100644
index 9ae1f31..0000000
--- a/test/parallel/test-tls-handshake-error.js
+++ /dev/null
@@ -1,32 +0,0 @@
-'use strict';
-
-const common = require('../common');
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const assert = require('assert');
-const tls = require('tls');
-const fs = require('fs');
-
-const server = tls.createServer({
- key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`),
- cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`),
- rejectUnauthorized: true
-}, function(c) {
-}).listen(0, common.mustCall(function() {
- const c = tls.connect({
- port: this.address().port,
- ciphers: 'RC4'
- }, function() {
- assert(false, 'should not be called');
- });
-
- c.on('error', common.mustCall(function(err) {
- assert.notStrictEqual(err.code, 'ECONNRESET');
- }));
-
- c.on('close', common.mustCall(function(err) {
- assert.ok(err);
- server.close();
- }));
-}));
diff --git a/test/parallel/test-tls-handshake-nohang.js b/test/parallel/test-tls-handshake-nohang.js
deleted file mode 100644
index 5c65ca4..0000000
--- a/test/parallel/test-tls-handshake-nohang.js
+++ /dev/null
@@ -1,11 +0,0 @@
-'use strict';
-const common = require('../common');
-
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const tls = require('tls');
-
-// neither should hang
-tls.createSecurePair(null, false, false, false);
-tls.createSecurePair(null, true, false, false);
diff --git a/test/parallel/test-tls-hello-parser-failure.js b/test/parallel/test-tls-hello-parser-failure.js
deleted file mode 100644
index a6659d4..0000000
--- a/test/parallel/test-tls-hello-parser-failure.js
+++ /dev/null
@@ -1,41 +0,0 @@
-'use strict';
-
-const common = require('../common');
-
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const assert = require('assert');
-const tls = require('tls');
-
-const net = require('net');
-const fs = require('fs');
-
-const options = {
- key: fs.readFileSync(`${common.fixturesDir}/test_key.pem`),
- cert: fs.readFileSync(`${common.fixturesDir}/test_cert.pem`)
-};
-
-const bonkers = Buffer.alloc(1024 * 1024, 42);
-
-const server = tls.createServer(options, function(c) {
-
-}).listen(0, common.mustCall(function() {
- const client = net.connect(this.address().port, common.mustCall(function() {
- client.write(bonkers);
- }));
-
- const writeAgain = setImmediate(function() {
- client.write(bonkers);
- });
-
- client.once('error', common.mustCall(function(err) {
- clearImmediate(writeAgain);
- client.destroy();
- server.close();
- }));
-
- client.on('close', common.mustCall(function(hadError) {
- assert.strictEqual(hadError, true, 'Client never errored');
- }));
-}));
diff --git a/test/parallel/test-tls-honorcipherorder.js b/test/parallel/test-tls-honorcipherorder.js
deleted file mode 100644
index a9d35a0..0000000
--- a/test/parallel/test-tls-honorcipherorder.js
+++ /dev/null
@@ -1,97 +0,0 @@
-'use strict';
-const common = require('../common');
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const assert = require('assert');
-const tls = require('tls');
-const fs = require('fs');
-
-let nconns = 0;
-
-// We explicitly set TLS version to 1.2 so as to be safe when the
-// default method is updated in the future
-const SSL_Method = 'TLSv1_2_method';
-const localhost = '127.0.0.1';
-
-process.on('exit', function() {
- assert.strictEqual(nconns, 6);
-});
-
-function test(honorCipherOrder, clientCipher, expectedCipher, cb) {
- const soptions = {
- secureProtocol: SSL_Method,
- key: fs.readFileSync(`${common.fixturesDir}/keys/agent2-key.pem`),
- cert: fs.readFileSync(`${common.fixturesDir}/keys/agent2-cert.pem`),
- ciphers: 'AES256-SHA256:AES128-GCM-SHA256:AES128-SHA256:' +
- 'ECDHE-RSA-AES128-GCM-SHA256',
- honorCipherOrder: !!honorCipherOrder
- };
-
- const server = tls.createServer(soptions, function(cleartextStream) {
- nconns++;
-
- // End socket to send CLOSE_NOTIFY and TCP FIN packet, otherwise
- // it may hang for ~30 seconds in FIN_WAIT_1 state (at least on OSX).
- cleartextStream.end();
- });
- server.listen(0, localhost, function() {
- const coptions = {
- rejectUnauthorized: false,
- secureProtocol: SSL_Method
- };
- if (clientCipher) {
- coptions.ciphers = clientCipher;
- }
- const port = this.address().port;
- const client = tls.connect(port, localhost, coptions, function() {
- const cipher = client.getCipher();
- client.end();
- server.close();
- assert.strictEqual(cipher.name, expectedCipher);
- if (cb) cb();
- });
- });
-}
-
-test1();
-
-function test1() {
- // Client has the preference of cipher suites by default
- test(false, 'AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256',
- 'AES128-GCM-SHA256', test2);
-}
-
-function test2() {
- // Server has the preference of cipher suites, and AES256-SHA256 is
- // the server's top choice.
- test(true, 'AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256',
- 'AES256-SHA256', test3);
-}
-
-function test3() {
- // Server has the preference of cipher suites. AES128-GCM-SHA256 is given
- // higher priority over AES128-SHA256 among client cipher suites.
- test(true, 'AES128-SHA256:AES128-GCM-SHA256', 'AES128-GCM-SHA256', test4);
-
-}
-
-function test4() {
- // As client has only one cipher, server has no choice, irrespective
- // of honorCipherOrder.
- test(true, 'AES128-SHA256', 'AES128-SHA256', test5);
-}
-
-function test5() {
- // Client did not explicitly set ciphers and client offers
- // tls.DEFAULT_CIPHERS. All ciphers of the server are included in the
- // default list so the negotiated cipher is selected according to the
- // server's top preference of AES256-SHA256.
- test(true, null, 'AES256-SHA256', test6);
-}
-
-function test6() {
- // Ensure that `tls.DEFAULT_CIPHERS` is used
- tls.DEFAULT_CIPHERS = 'ECDHE-RSA-AES128-GCM-SHA256';
- test(true, null, 'ECDHE-RSA-AES128-GCM-SHA256');
-}
diff --git a/test/parallel/test-tls-inception.js b/test/parallel/test-tls-inception.js
deleted file mode 100644
index 50debbc..0000000
--- a/test/parallel/test-tls-inception.js
+++ /dev/null
@@ -1,66 +0,0 @@
-'use strict';
-const common = require('../common');
-
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const assert = require('assert');
-const tls = require('tls');
-
-const fs = require('fs');
-const path = require('path');
-const net = require('net');
-
-const options = {
- key: fs.readFileSync(path.join(common.fixturesDir, 'test_key.pem')),
- cert: fs.readFileSync(path.join(common.fixturesDir, 'test_cert.pem'))
-};
-
-const body = 'A'.repeat(40000);
-
-// the "proxy" server
-const a = tls.createServer(options, function(socket) {
- const myOptions = {
- host: '127.0.0.1',
- port: b.address().port,
- rejectUnauthorized: false
- };
- const dest = net.connect(myOptions);
- dest.pipe(socket);
- socket.pipe(dest);
-
- dest.on('end', function() {
- socket.destroy();
- });
-});
-
-// the "target" server
-const b = tls.createServer(options, function(socket) {
- socket.end(body);
-});
-
-a.listen(0, function() {
- b.listen(0, function() {
- const myOptions = {
- host: '127.0.0.1',
- port: a.address().port,
- rejectUnauthorized: false
- };
- const socket = tls.connect(myOptions);
- const ssl = tls.connect({
- socket: socket,
- rejectUnauthorized: false
- });
- ssl.setEncoding('utf8');
- let buf = '';
- ssl.on('data', function(data) {
- buf += data;
- });
- ssl.on('end', common.mustCall(function() {
- assert.strictEqual(buf, body);
- ssl.end();
- a.close();
- b.close();
- }));
- });
-});
diff --git a/test/parallel/test-tls-interleave.js b/test/parallel/test-tls-interleave.js
deleted file mode 100644
index 15d617c..0000000
--- a/test/parallel/test-tls-interleave.js
+++ /dev/null
@@ -1,55 +0,0 @@
-'use strict';
-const common = require('../common');
-
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const assert = require('assert');
-
-const tls = require('tls');
-
-const fs = require('fs');
-
-const dir = common.fixturesDir;
-const options = { key: fs.readFileSync(`${dir}/test_key.pem`),
- cert: fs.readFileSync(`${dir}/test_cert.pem`),
- ca: [ fs.readFileSync(`${dir}/test_ca.pem`) ] };
-
-const writes = [
- 'some server data',
- 'and a separate packet',
- 'and one more',
-];
-let receivedWrites = 0;
-
-const server = tls.createServer(options, function(c) {
- writes.forEach(function(str) {
- c.write(str);
- });
-}).listen(0, common.mustCall(function() {
- const connectOpts = { rejectUnauthorized: false };
- const c = tls.connect(this.address().port, connectOpts, function() {
- c.write('some client data');
- c.on('readable', function() {
- let data = c.read();
- if (data === null)
- return;
-
- data = data.toString();
- while (data.length !== 0) {
- assert(data.startsWith(writes[receivedWrites]));
- data = data.slice(writes[receivedWrites].length);
-
- if (++receivedWrites === writes.length) {
- c.end();
- server.close();
- }
- }
- });
- });
-}));
-
-
-process.on('exit', function() {
- assert.strictEqual(receivedWrites, writes.length);
-});
diff --git a/test/parallel/test-tls-invoke-queued.js b/test/parallel/test-tls-invoke-queued.js
deleted file mode 100644
index 3d4cb8b..0000000
--- a/test/parallel/test-tls-invoke-queued.js
+++ /dev/null
@@ -1,37 +0,0 @@
-'use strict';
-const common = require('../common');
-
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const assert = require('assert');
-const fs = require('fs');
-const tls = require('tls');
-
-let received = '';
-
-const server = tls.createServer({
- key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`),
- cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`)
-}, common.mustCall(function(c) {
- c._write('hello ', null, common.mustCall(function() {
- c._write('world!', null, common.mustCall(function() {
- c.destroy();
- }));
- // Data on next _write() will be written but callback will not be invoked
- c._write(' gosh', null, common.mustNotCall());
- }));
-
- server.close();
-})).listen(0, common.mustCall(function() {
- const c = tls.connect(this.address().port, {
- rejectUnauthorized: false
- }, common.mustCall(function() {
- c.on('data', function(chunk) {
- received += chunk;
- });
- c.on('end', common.mustCall(function() {
- assert.strictEqual(received, 'hello world! gosh');
- }));
- }));
-}));
diff --git a/test/parallel/test-tls-js-stream.js b/test/parallel/test-tls-js-stream.js
deleted file mode 100644
index 56f62ae..0000000
--- a/test/parallel/test-tls-js-stream.js
+++ /dev/null
@@ -1,73 +0,0 @@
-'use strict';
-const common = require('../common');
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const assert = require('assert');
-const tls = require('tls');
-const stream = require('stream');
-const fs = require('fs');
-const net = require('net');
-
-const connected = {
- client: 0,
- server: 0
-};
-
-const server = tls.createServer({
- key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`),
- cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`)
-}, function(c) {
- console.log('new client');
- connected.server++;
- c.end('ohai');
-}).listen(0, function() {
- const raw = net.connect(this.address().port);
-
- let pending = false;
- raw.on('readable', function() {
- if (pending)
- p._read();
- });
-
- let p = new stream.Duplex({
- read: function read() {
- pending = false;
-
- const chunk = raw.read();
- if (chunk) {
- console.log('read', chunk);
- this.push(chunk);
- } else {
- pending = true;
- }
- },
- write: function write(data, enc, cb) {
- console.log('write', data, enc);
- raw.write(data, enc, cb);
- }
- });
-
- const socket = tls.connect({
- socket: p,
- rejectUnauthorized: false
- }, function() {
- console.log('client secure');
-
- connected.client++;
-
- socket.end('hello');
- socket.resume();
- socket.destroy();
- });
-
- socket.once('close', function() {
- console.log('client close');
- server.close();
- });
-});
-
-process.once('exit', function() {
- assert.strictEqual(connected.client, 1);
- assert.strictEqual(connected.server, 1);
-});
diff --git a/test/parallel/test-tls-junk-closes-server.js b/test/parallel/test-tls-junk-closes-server.js
deleted file mode 100644
index 33b0583..0000000
--- a/test/parallel/test-tls-junk-closes-server.js
+++ /dev/null
@@ -1,28 +0,0 @@
-'use strict';
-const common = require('../common');
-
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const tls = require('tls');
-const fs = require('fs');
-const net = require('net');
-
-const options = {
- key: fs.readFileSync(`${common.fixturesDir}/keys/agent2-key.pem`),
- cert: fs.readFileSync(`${common.fixturesDir}/keys/agent2-cert.pem`)
-};
-
-const server = tls.createServer(options, common.mustNotCall());
-
-server.listen(0, common.mustCall(function() {
- const c = net.createConnection(this.address().port);
-
- c.on('connect', common.mustCall(function() {
- c.write('blah\nblah\nblah\n');
- }));
-
- c.on('end', common.mustCall(function() {
- server.close();
- }));
-}));
diff --git a/test/parallel/test-tls-junk-server.js b/test/parallel/test-tls-junk-server.js
deleted file mode 100644
index 3270dec..0000000
--- a/test/parallel/test-tls-junk-server.js
+++ /dev/null
@@ -1,27 +0,0 @@
-'use strict';
-const common = require('../common');
-
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const assert = require('assert');
-const https = require('https');
-const net = require('net');
-
-const server = net.createServer(function(s) {
- s.once('data', function() {
- s.end('I was waiting for you, hello!', function() {
- s.destroy();
- });
- });
-});
-
-server.listen(0, function() {
- const req = https.request({ port: this.address().port });
- req.end();
-
- req.once('error', common.mustCall(function(err) {
- assert(/unknown protocol/.test(err.message));
- server.close();
- }));
-});
diff --git a/test/parallel/test-tls-key-mismatch.js b/test/parallel/test-tls-key-mismatch.js
deleted file mode 100644
index c301646..0000000
--- a/test/parallel/test-tls-key-mismatch.js
+++ /dev/null
@@ -1,20 +0,0 @@
-'use strict';
-const common = require('../common');
-
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const assert = require('assert');
-const tls = require('tls');
-const fs = require('fs');
-const errorMessageRegex =
- /^Error: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch$/;
-
-const options = {
- key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`),
- cert: fs.readFileSync(`${common.fixturesDir}/keys/agent2-cert.pem`)
-};
-
-assert.throws(function() {
- tls.createSecureContext(options);
-}, errorMessageRegex);
diff --git a/test/parallel/test-tls-legacy-onselect.js b/test/parallel/test-tls-legacy-onselect.js
deleted file mode 100644
index 4b66f31..0000000
--- a/test/parallel/test-tls-legacy-onselect.js
+++ /dev/null
@@ -1,27 +0,0 @@
-'use strict';
-const common = require('../common');
-
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const tls = require('tls');
-const net = require('net');
-
-const server = net.Server(common.mustCall(function(raw) {
- const pair = tls.createSecurePair(null, true, false, false);
- pair.on('error', () => {});
- pair.ssl.setSNICallback(common.mustCall(function() {
- raw.destroy();
- server.close();
- }));
- require('_tls_legacy').pipe(pair, raw);
-})).listen(0, function() {
- tls.connect({
- port: this.address().port,
- rejectUnauthorized: false,
- servername: 'server'
- }, function() {
- }).on('error', function() {
- // Just ignore
- });
-});
diff --git a/test/parallel/test-tls-max-send-fragment.js b/test/parallel/test-tls-max-send-fragment.js
deleted file mode 100644
index 1f9dd33..0000000
--- a/test/parallel/test-tls-max-send-fragment.js
+++ /dev/null
@@ -1,42 +0,0 @@
-'use strict';
-const common = require('../common');
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const assert = require('assert');
-const tls = require('tls');
-const fs = require('fs');
-
-const buf = Buffer.allocUnsafe(10000);
-let received = 0;
-const maxChunk = 768;
-
-const server = tls.createServer({
- key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`),
- cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`)
-}, function(c) {
- // Lower and upper limits
- assert(!c.setMaxSendFragment(511));
- assert(!c.setMaxSendFragment(16385));
-
- // Correct fragment size
- assert(c.setMaxSendFragment(maxChunk));
-
- c.end(buf);
-}).listen(0, common.mustCall(function() {
- const c = tls.connect(this.address().port, {
- rejectUnauthorized: false
- }, common.mustCall(function() {
- c.on('data', function(chunk) {
- assert(chunk.length <= maxChunk);
- received += chunk.length;
- });
-
- // Ensure that we receive 'end' event anyway
- c.on('end', common.mustCall(function() {
- c.destroy();
- server.close();
- assert.strictEqual(received, buf.length);
- }));
- }));
-}));
diff --git a/test/parallel/test-tls-multi-key.js b/test/parallel/test-tls-multi-key.js
deleted file mode 100644
index ca2517c..0000000
--- a/test/parallel/test-tls-multi-key.js
+++ /dev/null
@@ -1,51 +0,0 @@
-'use strict';
-const common = require('../common');
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const assert = require('assert');
-const tls = require('tls');
-const fs = require('fs');
-
-const options = {
- key: [
- fs.readFileSync(`${common.fixturesDir}/keys/ec-key.pem`),
- fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`),
- ],
- cert: [
- fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`),
- fs.readFileSync(`${common.fixturesDir}/keys/ec-cert.pem`)
- ]
-};
-
-const ciphers = [];
-
-const server = tls.createServer(options, function(conn) {
- conn.end('ok');
-}).listen(0, function() {
- const ecdsa = tls.connect(this.address().port, {
- ciphers: 'ECDHE-ECDSA-AES256-GCM-SHA384',
- rejectUnauthorized: false
- }, function() {
- ciphers.push(ecdsa.getCipher());
- const rsa = tls.connect(server.address().port, {
- ciphers: 'ECDHE-RSA-AES256-GCM-SHA384',
- rejectUnauthorized: false
- }, function() {
- ciphers.push(rsa.getCipher());
- ecdsa.end();
- rsa.end();
- server.close();
- });
- });
-});
-
-process.on('exit', function() {
- assert.deepStrictEqual(ciphers, [{
- name: 'ECDHE-ECDSA-AES256-GCM-SHA384',
- version: 'TLSv1/SSLv3'
- }, {
- name: 'ECDHE-RSA-AES256-GCM-SHA384',
- version: 'TLSv1/SSLv3'
- }]);
-});
diff --git a/test/parallel/test-tls-no-cert-required.js b/test/parallel/test-tls-no-cert-required.js
deleted file mode 100644
index 7f3d1b8..0000000
--- a/test/parallel/test-tls-no-cert-required.js
+++ /dev/null
@@ -1,29 +0,0 @@
-'use strict';
-const common = require('../common');
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const assert = require('assert');
-const tls = require('tls');
-
-// Omitting the cert or pfx option to tls.createServer() should not throw.
-// AECDH-NULL-SHA is a no-authentication/no-encryption cipher and hence
-// doesn't need a certificate.
-tls.createServer({ ciphers: 'AECDH-NULL-SHA' })
- .listen(0, common.mustCall(close));
-
-tls.createServer(assert.fail)
- .listen(0, common.mustCall(close));
-
-tls.createServer({})
- .listen(0, common.mustCall(close));
-
-assert.throws(() => tls.createServer('this is not valid'),
- /^TypeError: options must be an object$/);
-
-tls.createServer()
- .listen(0, common.mustCall(close));
-
-function close() {
- this.close();
-}
diff --git a/test/parallel/test-tls-no-rsa-key.js b/test/parallel/test-tls-no-rsa-key.js
deleted file mode 100644
index 07a3ea4..0000000
--- a/test/parallel/test-tls-no-rsa-key.js
+++ /dev/null
@@ -1,33 +0,0 @@
-'use strict';
-const common = require('../common');
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const assert = require('assert');
-const tls = require('tls');
-const fs = require('fs');
-
-const options = {
- key: fs.readFileSync(`${common.fixturesDir}/keys/ec-key.pem`),
- cert: fs.readFileSync(`${common.fixturesDir}/keys/ec-cert.pem`)
-};
-
-const server = tls.createServer(options, function(conn) {
- conn.end('ok');
-}).listen(0, common.mustCall(function() {
- const c = tls.connect(this.address().port, {
- rejectUnauthorized: false
- }, common.mustCall(function() {
- c.on('end', common.mustCall(function() {
- c.end();
- server.close();
- }));
-
- c.on('data', function(data) {
- assert.strictEqual(data.toString(), 'ok');
- });
-
- const cert = c.getPeerCertificate();
- assert.strictEqual(cert.subject.C, 'US');
- }));
-}));
diff --git a/test/parallel/test-tls-no-sslv23.js b/test/parallel/test-tls-no-sslv23.js
deleted file mode 100644
index 737f42b..0000000
--- a/test/parallel/test-tls-no-sslv23.js
+++ /dev/null
@@ -1,55 +0,0 @@
-'use strict';
-const common = require('../common');
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const assert = require('assert');
-const tls = require('tls');
-
-assert.throws(function() {
- tls.createSecureContext({ secureProtocol: 'blargh' });
-}, /Unknown method/);
-
-const errMessageSSLv2 = /SSLv2 methods disabled/;
-
-assert.throws(function() {
- tls.createSecureContext({ secureProtocol: 'SSLv2_method' });
-}, errMessageSSLv2);
-
-assert.throws(function() {
- tls.createSecureContext({ secureProtocol: 'SSLv2_client_method' });
-}, errMessageSSLv2);
-
-assert.throws(function() {
- tls.createSecureContext({ secureProtocol: 'SSLv2_server_method' });
-}, errMessageSSLv2);
-
-const errMessageSSLv3 = /SSLv3 methods disabled/;
-
-assert.throws(function() {
- tls.createSecureContext({ secureProtocol: 'SSLv3_method' });
-}, errMessageSSLv3);
-
-assert.throws(function() {
- tls.createSecureContext({ secureProtocol: 'SSLv3_client_method' });
-}, errMessageSSLv3);
-
-assert.throws(function() {
- tls.createSecureContext({ secureProtocol: 'SSLv3_server_method' });
-}, errMessageSSLv3);
-
-// Note that SSLv2 and SSLv3 are disallowed but SSLv2_method and friends are
-// still accepted. They are OpenSSL's way of saying that all known protocols
-// are supported unless explicitly disabled (which we do for SSLv2 and SSLv3.)
-tls.createSecureContext({ secureProtocol: 'SSLv23_method' });
-tls.createSecureContext({ secureProtocol: 'SSLv23_client_method' });
-tls.createSecureContext({ secureProtocol: 'SSLv23_server_method' });
-tls.createSecureContext({ secureProtocol: 'TLSv1_method' });
-tls.createSecureContext({ secureProtocol: 'TLSv1_client_method' });
-tls.createSecureContext({ secureProtocol: 'TLSv1_server_method' });
-tls.createSecureContext({ secureProtocol: 'TLSv1_1_method' });
-tls.createSecureContext({ secureProtocol: 'TLSv1_1_client_method' });
-tls.createSecureContext({ secureProtocol: 'TLSv1_1_server_method' });
-tls.createSecureContext({ secureProtocol: 'TLSv1_2_method' });
-tls.createSecureContext({ secureProtocol: 'TLSv1_2_client_method' });
-tls.createSecureContext({ secureProtocol: 'TLSv1_2_server_method' });
diff --git a/test/parallel/test-tls-no-sslv3.js b/test/parallel/test-tls-no-sslv3.js
deleted file mode 100644
index 0a118db..0000000
--- a/test/parallel/test-tls-no-sslv3.js
+++ /dev/null
@@ -1,51 +0,0 @@
-'use strict';
-const common = require('../common');
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-if (common.opensslCli === false)
- common.skip('node compiled without OpenSSL CLI.');
-
-const assert = require('assert');
-const tls = require('tls');
-const fs = require('fs');
-const spawn = require('child_process').spawn;
-
-const cert = fs.readFileSync(`${common.fixturesDir}/test_cert.pem`);
-const key = fs.readFileSync(`${common.fixturesDir}/test_key.pem`);
-const server = tls.createServer({ cert: cert, key: key }, common.mustNotCall());
-const errors = [];
-let stderr = '';
-
-server.listen(0, '127.0.0.1', function() {
- const address = `${this.address().address}:${this.address().port}`;
- const args = ['s_client',
- '-ssl3',
- '-connect', address];
-
- // for the performance and stability issue in s_client on Windows
- if (common.isWindows)
- args.push('-no_rand_screen');
-
- const client = spawn(common.opensslCli, args, { stdio: 'pipe' });
- client.stdout.pipe(process.stdout);
- client.stderr.pipe(process.stderr);
- client.stderr.setEncoding('utf8');
- client.stderr.on('data', (data) => stderr += data);
-
- client.once('exit', common.mustCall(function(exitCode) {
- assert.strictEqual(exitCode, 1);
- server.close();
- }));
-});
-
-server.on('tlsClientError', (err) => errors.push(err));
-
-process.on('exit', function() {
- if (/unknown option -ssl3/.test(stderr)) {
- common.printSkipMessage('`openssl s_client -ssl3` not supported.');
- } else {
- assert.strictEqual(errors.length, 1);
- assert(/:wrong version number/.test(errors[0].message));
- }
-});
diff --git a/test/parallel/test-tls-npn-server-client.js b/test/parallel/test-tls-npn-server-client.js
deleted file mode 100644
index 22491c1..0000000
--- a/test/parallel/test-tls-npn-server-client.js
+++ /dev/null
@@ -1,104 +0,0 @@
-'use strict';
-
-const common = require('../common');
-
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-if (!process.features.tls_npn)
- common.skip('Skipping because node compiled without NPN feature of OpenSSL.');
-
-const assert = require('assert');
-const fs = require('fs');
-const path = require('path');
-const tls = require('tls');
-
-function filenamePEM(n) {
- return path.join(common.fixturesDir, 'keys', `${n}.pem`);
-}
-
-function loadPEM(n) {
- return fs.readFileSync(filenamePEM(n));
-}
-
-const serverOptions = {
- key: loadPEM('agent2-key'),
- cert: loadPEM('agent2-cert'),
- crl: loadPEM('ca2-crl'),
- SNICallback: function(servername, cb) {
- cb(null, tls.createSecureContext({
- key: loadPEM('agent2-key'),
- cert: loadPEM('agent2-cert'),
- crl: loadPEM('ca2-crl'),
- }));
- },
- NPNProtocols: ['a', 'b', 'c']
-};
-
-const clientsOptions = [{
- port: undefined,
- key: serverOptions.key,
- cert: serverOptions.cert,
- crl: serverOptions.crl,
- NPNProtocols: ['a', 'b', 'c'],
- rejectUnauthorized: false
-}, {
- port: undefined,
- key: serverOptions.key,
- cert: serverOptions.cert,
- crl: serverOptions.crl,
- NPNProtocols: ['c', 'b', 'e'],
- rejectUnauthorized: false
-}, {
- port: undefined,
- key: serverOptions.key,
- cert: serverOptions.cert,
- crl: serverOptions.crl,
- rejectUnauthorized: false
-}, {
- port: undefined,
- key: serverOptions.key,
- cert: serverOptions.cert,
- crl: serverOptions.crl,
- NPNProtocols: ['first-priority-unsupported', 'x', 'y'],
- rejectUnauthorized: false
-}];
-
-const serverResults = [];
-const clientsResults = [];
-
-const server = tls.createServer(serverOptions, function(c) {
- serverResults.push(c.npnProtocol);
-});
-server.listen(0, startTest);
-
-function startTest() {
- function connectClient(options, callback) {
- options.port = server.address().port;
- const client = tls.connect(options, function() {
- clientsResults.push(client.npnProtocol);
- client.destroy();
-
- callback();
- });
- }
-
- connectClient(clientsOptions[0], function() {
- connectClient(clientsOptions[1], function() {
- connectClient(clientsOptions[2], function() {
- connectClient(clientsOptions[3], function() {
- server.close();
- });
- });
- });
- });
-}
-
-process.on('exit', function() {
- assert.strictEqual(serverResults[0], clientsResults[0]);
- assert.strictEqual(serverResults[1], clientsResults[1]);
- assert.strictEqual(serverResults[2], 'http/1.1');
- assert.strictEqual(clientsResults[2], false);
- assert.strictEqual(serverResults[3], 'first-priority-unsupported');
- assert.strictEqual(clientsResults[3], false);
-});
diff --git a/test/parallel/test-tls-ocsp-callback.js b/test/parallel/test-tls-ocsp-callback.js
deleted file mode 100644
index 673b69e..0000000
--- a/test/parallel/test-tls-ocsp-callback.js
+++ /dev/null
@@ -1,126 +0,0 @@
-'use strict';
-const common = require('../common');
-
-if (!process.features.tls_ocsp)
- common.skip('node compiled without OpenSSL or with old OpenSSL version.');
-
-if (!common.opensslCli)
- common.skip('node compiled without OpenSSL CLI.');
-
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const tls = require('tls');
-
-const assert = require('assert');
-const fs = require('fs');
-const join = require('path').join;
-
-const SSL_OP_NO_TICKET = require('crypto').constants.SSL_OP_NO_TICKET;
-
-const pfx = fs.readFileSync(join(common.fixturesDir, 'keys', 'agent1-pfx.pem'));
-
-function test(testOptions, cb) {
-
- const keyFile = join(common.fixturesDir, 'keys', 'agent1-key.pem');
- const certFile = join(common.fixturesDir, 'keys', 'agent1-cert.pem');
- const caFile = join(common.fixturesDir, 'keys', 'ca1-cert.pem');
- const key = fs.readFileSync(keyFile);
- const cert = fs.readFileSync(certFile);
- const ca = fs.readFileSync(caFile);
- const options = {
- key: key,
- cert: cert,
- ca: [ca]
- };
- let requestCount = 0;
- let clientSecure = 0;
- let ocspCount = 0;
- let ocspResponse;
-
- if (testOptions.pfx) {
- delete options.key;
- delete options.cert;
- options.pfx = testOptions.pfx;
- options.passphrase = testOptions.passphrase;
- }
-
- const server = tls.createServer(options, function(cleartext) {
- cleartext.on('error', function(er) {
- // We're ok with getting ECONNRESET in this test, but it's
- // timing-dependent, and thus unreliable. Any other errors
- // are just failures, though.
- if (er.code !== 'ECONNRESET')
- throw er;
- });
- ++requestCount;
- cleartext.end();
- });
- server.on('OCSPRequest', function(cert, issuer, callback) {
- ++ocspCount;
- assert.ok(Buffer.isBuffer(cert));
- assert.ok(Buffer.isBuffer(issuer));
-
- // Just to check that async really works there
- setTimeout(function() {
- callback(null,
- testOptions.response ? Buffer.from(testOptions.response) : null);
- }, 100);
- });
- server.listen(0, function() {
- const client = tls.connect({
- port: this.address().port,
- requestOCSP: testOptions.ocsp !== false,
- secureOptions: testOptions.ocsp === false ?
- SSL_OP_NO_TICKET : 0,
- rejectUnauthorized: false
- }, function() {
- clientSecure++;
- });
- client.on('OCSPResponse', function(resp) {
- ocspResponse = resp;
- if (resp)
- client.destroy();
- });
- client.on('close', function() {
- server.close(cb);
- });
- });
-
- process.on('exit', function() {
- if (testOptions.ocsp === false) {
- assert.strictEqual(requestCount, clientSecure);
- assert.strictEqual(requestCount, 1);
- return;
- }
-
- if (testOptions.response) {
- assert.strictEqual(ocspResponse.toString(), testOptions.response);
- } else {
- assert.strictEqual(ocspResponse, null);
- }
- assert.strictEqual(requestCount, testOptions.response ? 0 : 1);
- assert.strictEqual(clientSecure, requestCount);
- assert.strictEqual(ocspCount, 1);
- });
-}
-
-const tests = [
- { response: false },
- { response: 'hello world' },
- { ocsp: false }
-];
-
-if (!common.hasFipsCrypto) {
- tests.push({ pfx: pfx, passphrase: 'sample', response: 'hello pfx' });
-}
-
-function runTests(i) {
- if (i === tests.length) return;
-
- test(tests[i], common.mustCall(function() {
- runTests(i + 1);
- }));
-}
-
-runTests(0);
diff --git a/test/parallel/test-tls-on-empty-socket.js b/test/parallel/test-tls-on-empty-socket.js
deleted file mode 100644
index 5b66edd..0000000
--- a/test/parallel/test-tls-on-empty-socket.js
+++ /dev/null
@@ -1,41 +0,0 @@
-'use strict';
-const common = require('../common');
-
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const assert = require('assert');
-const tls = require('tls');
-
-const fs = require('fs');
-const net = require('net');
-
-let out = '';
-
-const server = tls.createServer({
- key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`),
- cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`)
-}, function(c) {
- c.end('hello');
-}).listen(0, function() {
- const socket = new net.Socket();
-
- const s = tls.connect({
- socket: socket,
- rejectUnauthorized: false
- }, function() {
- s.on('data', function(chunk) {
- out += chunk;
- });
- s.on('end', function() {
- s.destroy();
- server.close();
- });
- });
-
- socket.connect(this.address().port);
-});
-
-process.on('exit', function() {
- assert.strictEqual(out, 'hello');
-});
diff --git a/test/parallel/test-tls-over-http-tunnel.js b/test/parallel/test-tls-over-http-tunnel.js
deleted file mode 100644
index ae9c8e0..0000000
--- a/test/parallel/test-tls-over-http-tunnel.js
+++ /dev/null
@@ -1,155 +0,0 @@
-'use strict';
-const common = require('../common');
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const assert = require('assert');
-const https = require('https');
-const fs = require('fs');
-const net = require('net');
-const http = require('http');
-
-let gotRequest = false;
-
-const key = fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`);
-const cert = fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`);
-
-const options = {
- key: key,
- cert: cert
-};
-
-const server = https.createServer(options, function(req, res) {
- console.log('SERVER: got request');
- res.writeHead(200, {
- 'content-type': 'text/plain'
- });
- console.log('SERVER: sending response');
- res.end('hello world\n');
-});
-
-const proxy = net.createServer(function(clientSocket) {
- console.log('PROXY: got a client connection');
-
- let serverSocket = null;
-
- clientSocket.on('data', function(chunk) {
- if (!serverSocket) {
- // Verify the CONNECT request
- assert.strictEqual(`CONNECT localhost:${server.address().port} ` +
- 'HTTP/1.1\r\n' +
- 'Proxy-Connections: keep-alive\r\n' +
- `Host: localhost:${proxy.address().port}\r\n` +
- 'Connection: close\r\n\r\n',
- chunk.toString());
-
- console.log('PROXY: got CONNECT request');
- console.log('PROXY: creating a tunnel');
-
- // create the tunnel
- serverSocket = net.connect(server.address().port, function() {
- console.log('PROXY: replying to client CONNECT request');
-
- // Send the response
- clientSocket.write('HTTP/1.1 200 OK\r\nProxy-Connections: keep' +
- '-alive\r\nConnections: keep-alive\r\nVia: ' +
- `localhost:${proxy.address().port}\r\n\r\n`);
- });
-
- serverSocket.on('data', function(chunk) {
- clientSocket.write(chunk);
- });
-
- serverSocket.on('end', function() {
- clientSocket.destroy();
- });
- } else {
- serverSocket.write(chunk);
- }
- });
-
- clientSocket.on('end', function() {
- serverSocket.destroy();
- });
-});
-
-server.listen(0);
-
-proxy.listen(0, function() {
- console.log('CLIENT: Making CONNECT request');
-
- const req = http.request({
- port: this.address().port,
- method: 'CONNECT',
- path: `localhost:${server.address().port}`,
- headers: {
- 'Proxy-Connections': 'keep-alive'
- }
- });
- req.useChunkedEncodingByDefault = false; // for v0.6
- req.on('response', onResponse); // for v0.6
- req.on('upgrade', onUpgrade); // for v0.6
- req.on('connect', onConnect); // for v0.7 or later
- req.end();
-
- function onResponse(res) {
- // Very hacky. This is necessary to avoid http-parser leaks.
- res.upgrade = true;
- }
-
- function onUpgrade(res, socket, head) {
- // Hacky.
- process.nextTick(function() {
- onConnect(res, socket, head);
- });
- }
-
- function onConnect(res, socket, header) {
- assert.strictEqual(200, res.statusCode);
- console.log('CLIENT: got CONNECT response');
-
- // detach the socket
- socket.removeAllListeners('data');
- socket.removeAllListeners('close');
- socket.removeAllListeners('error');
- socket.removeAllListeners('drain');
- socket.removeAllListeners('end');
- socket.ondata = null;
- socket.onend = null;
- socket.ondrain = null;
-
- console.log('CLIENT: Making HTTPS request');
-
- https.get({
- path: '/foo',
- key: key,
- cert: cert,
- socket: socket, // reuse the socket
- agent: false,
- rejectUnauthorized: false
- }, function(res) {
- assert.strictEqual(200, res.statusCode);
-
- res.on('data', function(chunk) {
- assert.strictEqual('hello world\n', chunk.toString());
- console.log('CLIENT: got HTTPS response');
- gotRequest = true;
- });
-
- res.on('end', function() {
- proxy.close();
- server.close();
- });
- }).on('error', function(er) {
- // We're ok with getting ECONNRESET in this test, but it's
- // timing-dependent, and thus unreliable. Any other errors
- // are just failures, though.
- if (er.code !== 'ECONNRESET')
- throw er;
- }).end();
- }
-});
-
-process.on('exit', function() {
- assert.ok(gotRequest);
-});
diff --git a/test/parallel/test-tls-parse-cert-string.js b/test/parallel/test-tls-parse-cert-string.js
deleted file mode 100644
index bbe098b..0000000
--- a/test/parallel/test-tls-parse-cert-string.js
+++ /dev/null
@@ -1,36 +0,0 @@
-'use strict';
-
-require('../common');
-const assert = require('assert');
-const tls = require('tls');
-
-{
- const singles = 'C=US\nST=CA\nL=SF\nO=Node.js Foundation\nOU=Node.js\n' +
- 'CN=ca1\nemailAddress=ry@clouds.org';
- const singlesOut = tls.parseCertString(singles);
- assert.deepStrictEqual(singlesOut, {
- C: 'US',
- ST: 'CA',
- L: 'SF',
- O: 'Node.js Foundation',
- OU: 'Node.js',
- CN: 'ca1',
- emailAddress: 'ry@clouds.org'
- });
-}
-
-{
- const doubles = 'OU=Domain Control Validated\nOU=PositiveSSL Wildcard\n' +
- 'CN=*.nodejs.org';
- const doublesOut = tls.parseCertString(doubles);
- assert.deepStrictEqual(doublesOut, {
- OU: [ 'Domain Control Validated', 'PositiveSSL Wildcard' ],
- CN: '*.nodejs.org'
- });
-}
-
-{
- const invalid = 'fhqwhgads';
- const invalidOut = tls.parseCertString(invalid);
- assert.deepStrictEqual(invalidOut, {});
-}
diff --git a/test/parallel/test-tls-passphrase.js b/test/parallel/test-tls-passphrase.js
deleted file mode 100644
index 0092dbd..0000000
--- a/test/parallel/test-tls-passphrase.js
+++ /dev/null
@@ -1,275 +0,0 @@
-'use strict';
-const common = require('../common');
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const assert = require('assert');
-const tls = require('tls');
-const fs = require('fs');
-const path = require('path');
-
-const passKey = fs.readFileSync(path.join(common.fixturesDir, 'pass-key.pem'));
-const rawKey = fs.readFileSync(path.join(common.fixturesDir, 'raw-key.pem'));
-const cert = fs.readFileSync(path.join(common.fixturesDir, 'pass-cert.pem'));
-
-assert(Buffer.isBuffer(passKey));
-assert(Buffer.isBuffer(cert));
-assert.strictEqual(typeof passKey.toString(), 'string');
-assert.strictEqual(typeof cert.toString(), 'string');
-
-const server = tls.Server({
- key: passKey,
- passphrase: 'passphrase',
- cert: cert,
- ca: [cert],
- requestCert: true,
- rejectUnauthorized: true
-}, function(s) {
- s.end();
-});
-
-server.listen(0, common.mustCall(function() {
- // Buffer
- tls.connect({
- port: this.address().port,
- key: passKey,
- passphrase: 'passphrase',
- cert: cert,
- rejectUnauthorized: false
- }, common.mustCall());
-
- tls.connect({
- port: this.address().port,
- key: rawKey,
- cert: cert,
- rejectUnauthorized: false
- }, common.mustCall());
-
- tls.connect({
- port: this.address().port,
- key: rawKey,
- passphrase: 'ignored',
- cert: cert,
- rejectUnauthorized: false
- }, common.mustCall());
-
- // Buffer[]
- tls.connect({
- port: this.address().port,
- key: [passKey],
- passphrase: 'passphrase',
- cert: [cert],
- rejectUnauthorized: false
- }, common.mustCall());
-
- tls.connect({
- port: this.address().port,
- key: [rawKey],
- cert: [cert],
- rejectUnauthorized: false
- }, common.mustCall());
-
- tls.connect({
- port: this.address().port,
- key: [rawKey],
- passphrase: 'ignored',
- cert: [cert],
- rejectUnauthorized: false
- }, common.mustCall());
-
- // string
- tls.connect({
- port: this.address().port,
- key: passKey.toString(),
- passphrase: 'passphrase',
- cert: cert.toString(),
- rejectUnauthorized: false
- }, common.mustCall());
-
- tls.connect({
- port: this.address().port,
- key: rawKey.toString(),
- cert: cert.toString(),
- rejectUnauthorized: false
- }, common.mustCall());
-
- tls.connect({
- port: this.address().port,
- key: rawKey.toString(),
- passphrase: 'ignored',
- cert: cert.toString(),
- rejectUnauthorized: false
- }, common.mustCall());
-
- // String[]
- tls.connect({
- port: this.address().port,
- key: [passKey.toString()],
- passphrase: 'passphrase',
- cert: [cert.toString()],
- rejectUnauthorized: false
- }, common.mustCall());
-
- tls.connect({
- port: this.address().port,
- key: [rawKey.toString()],
- cert: [cert.toString()],
- rejectUnauthorized: false
- }, common.mustCall());
-
- tls.connect({
- port: this.address().port,
- key: [rawKey.toString()],
- passphrase: 'ignored',
- cert: [cert.toString()],
- rejectUnauthorized: false
- }, common.mustCall());
-
- // Object[]
- tls.connect({
- port: this.address().port,
- key: [{pem: passKey, passphrase: 'passphrase'}],
- cert: cert,
- rejectUnauthorized: false
- }, common.mustCall());
-
- tls.connect({
- port: this.address().port,
- key: [{pem: passKey, passphrase: 'passphrase'}],
- passphrase: 'ignored',
- cert: cert,
- rejectUnauthorized: false
- }, common.mustCall());
-
- tls.connect({
- port: this.address().port,
- key: [{pem: passKey}],
- passphrase: 'passphrase',
- cert: cert,
- rejectUnauthorized: false
- }, common.mustCall());
-
- tls.connect({
- port: this.address().port,
- key: [{pem: passKey.toString(), passphrase: 'passphrase'}],
- cert: cert,
- rejectUnauthorized: false
- }, common.mustCall());
-
- tls.connect({
- port: this.address().port,
- key: [{pem: rawKey, passphrase: 'ignored'}],
- cert: cert,
- rejectUnauthorized: false
- }, common.mustCall());
-
- tls.connect({
- port: this.address().port,
- key: [{pem: rawKey.toString(), passphrase: 'ignored'}],
- cert: cert,
- rejectUnauthorized: false
- }, common.mustCall());
-
- tls.connect({
- port: this.address().port,
- key: [{pem: rawKey}],
- passphrase: 'ignored',
- cert: cert,
- rejectUnauthorized: false
- }, common.mustCall());
-
- tls.connect({
- port: this.address().port,
- key: [{pem: rawKey.toString()}],
- passphrase: 'ignored',
- cert: cert,
- rejectUnauthorized: false
- }, common.mustCall());
-
- tls.connect({
- port: this.address().port,
- key: [{pem: rawKey}],
- cert: cert,
- rejectUnauthorized: false
- }, common.mustCall());
-
- tls.connect({
- port: this.address().port,
- key: [{pem: rawKey.toString()}],
- cert: cert,
- rejectUnauthorized: false
- }, common.mustCall());
-})).unref();
-
-const errMessagePassword = /bad password read/;
-
-// Missing passphrase
-assert.throws(function() {
- tls.connect({
- port: server.address().port,
- key: passKey,
- cert: cert,
- rejectUnauthorized: false
- });
-}, errMessagePassword);
-
-assert.throws(function() {
- tls.connect({
- port: server.address().port,
- key: [passKey],
- cert: cert,
- rejectUnauthorized: false
- });
-}, errMessagePassword);
-
-assert.throws(function() {
- tls.connect({
- port: server.address().port,
- key: [{pem: passKey}],
- cert: cert,
- rejectUnauthorized: false
- });
-}, errMessagePassword);
-
-const errMessageDecrypt = /bad decrypt/;
-
-// Invalid passphrase
-assert.throws(function() {
- tls.connect({
- port: server.address().port,
- key: passKey,
- passphrase: 'invalid',
- cert: cert,
- rejectUnauthorized: false
- });
-}, errMessageDecrypt);
-
-assert.throws(function() {
- tls.connect({
- port: server.address().port,
- key: [passKey],
- passphrase: 'invalid',
- cert: cert,
- rejectUnauthorized: false
- });
-}, errMessageDecrypt);
-
-assert.throws(function() {
- tls.connect({
- port: server.address().port,
- key: [{pem: passKey}],
- passphrase: 'invalid',
- cert: cert,
- rejectUnauthorized: false
- });
-}, errMessageDecrypt);
-
-assert.throws(function() {
- tls.connect({
- port: server.address().port,
- key: [{pem: passKey, passphrase: 'invalid'}],
- passphrase: 'passphrase', // Valid but unused
- cert: cert,
- rejectUnauthorized: false
- });
-}, errMessageDecrypt);
diff --git a/test/parallel/test-tls-pause.js b/test/parallel/test-tls-pause.js
deleted file mode 100644
index 4aded19..0000000
--- a/test/parallel/test-tls-pause.js
+++ /dev/null
@@ -1,70 +0,0 @@
-'use strict';
-const common = require('../common');
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const assert = require('assert');
-const tls = require('tls');
-const fs = require('fs');
-const path = require('path');
-
-const options = {
- key: fs.readFileSync(path.join(common.fixturesDir, 'test_key.pem')),
- cert: fs.readFileSync(path.join(common.fixturesDir, 'test_cert.pem'))
-};
-
-const bufSize = 1024 * 1024;
-let sent = 0;
-let received = 0;
-
-const server = tls.Server(options, function(socket) {
- socket.pipe(socket);
- socket.on('data', function(c) {
- console.error('data', c.length);
- });
-});
-
-server.listen(0, function() {
- let resumed = false;
- const client = tls.connect({
- port: this.address().port,
- rejectUnauthorized: false
- }, function() {
- console.error('connected');
- client.pause();
- console.error('paused');
- send();
- function send() {
- console.error('sending');
- const ret = client.write(Buffer.allocUnsafe(bufSize));
- console.error('write => %j', ret);
- if (false !== ret) {
- console.error('write again');
- sent += bufSize;
- assert.ok(sent < 100 * 1024 * 1024); // max 100MB
- return process.nextTick(send);
- }
- sent += bufSize;
- console.error(`sent: ${sent}`);
- resumed = true;
- client.resume();
- console.error('resumed', client);
- }
- });
- client.on('data', function(data) {
- console.error('data');
- assert.ok(resumed);
- received += data.length;
- console.error('received', received);
- console.error('sent', sent);
- if (received >= sent) {
- console.error(`received: ${received}`);
- client.end();
- server.close();
- }
- });
-});
-
-process.on('exit', function() {
- assert.strictEqual(sent, received);
-});
diff --git a/test/parallel/test-tls-peer-certificate-encoding.js b/test/parallel/test-tls-peer-certificate-encoding.js
deleted file mode 100644
index d6e920a..0000000
--- a/test/parallel/test-tls-peer-certificate-encoding.js
+++ /dev/null
@@ -1,33 +0,0 @@
-'use strict';
-const common = require('../common');
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const assert = require('assert');
-const tls = require('tls');
-const fs = require('fs');
-const util = require('util');
-const join = require('path').join;
-
-const options = {
- key: fs.readFileSync(join(common.fixturesDir, 'keys', 'agent5-key.pem')),
- cert: fs.readFileSync(join(common.fixturesDir, 'keys', 'agent5-cert.pem')),
- ca: [ fs.readFileSync(join(common.fixturesDir, 'keys', 'ca2-cert.pem')) ]
-};
-
-const server = tls.createServer(options, function(cleartext) {
- cleartext.end('World');
-});
-server.listen(0, common.mustCall(function() {
- const socket = tls.connect({
- port: this.address().port,
- rejectUnauthorized: false
- }, common.mustCall(function() {
- const peerCert = socket.getPeerCertificate();
-
- console.error(util.inspect(peerCert));
- assert.strictEqual(peerCert.subject.CN, 'Ádám Lippai');
- server.close();
- }));
- socket.end('Hello');
-}));
diff --git a/test/parallel/test-tls-peer-certificate-multi-keys.js b/test/parallel/test-tls-peer-certificate-multi-keys.js
deleted file mode 100644
index ed5566f..0000000
--- a/test/parallel/test-tls-peer-certificate-multi-keys.js
+++ /dev/null
@@ -1,34 +0,0 @@
-'use strict';
-const common = require('../common');
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const assert = require('assert');
-const tls = require('tls');
-const fs = require('fs');
-const util = require('util');
-const join = require('path').join;
-
-const options = {
- key: fs.readFileSync(join(common.fixturesDir, 'agent.key')),
- cert: fs.readFileSync(join(common.fixturesDir, 'multi-alice.crt'))
-};
-
-const server = tls.createServer(options, function(cleartext) {
- cleartext.end('World');
-});
-server.listen(0, common.mustCall(function() {
- const socket = tls.connect({
- port: this.address().port,
- rejectUnauthorized: false
- }, common.mustCall(function() {
- const peerCert = socket.getPeerCertificate();
- console.error(util.inspect(peerCert));
- assert.deepStrictEqual(
- peerCert.subject.OU,
- ['Information Technology', 'Engineering', 'Marketing']
- );
- server.close();
- }));
- socket.end('Hello');
-}));
diff --git a/test/parallel/test-tls-peer-certificate.js b/test/parallel/test-tls-peer-certificate.js
deleted file mode 100644
index eb5be6d..0000000
--- a/test/parallel/test-tls-peer-certificate.js
+++ /dev/null
@@ -1,39 +0,0 @@
-'use strict';
-const common = require('../common');
-
-// Verify that detailed getPeerCertificate() return value has all certs.
-
-const join = require('path').join;
-const {
- assert, connect, debug, keys
-} = require(join(common.fixturesDir, 'tls-connect'))();
-
-connect({
- client: {rejectUnauthorized: false},
- server: keys.agent1,
-}, function(err, pair, cleanup) {
- assert.ifError(err);
- const socket = pair.client.conn;
- let peerCert = socket.getPeerCertificate();
- assert.ok(!peerCert.issuerCertificate);
-
- peerCert = socket.getPeerCertificate(true);
- debug('peerCert:\n', peerCert);
-
- assert.ok(peerCert.issuerCertificate);
- assert.strictEqual(peerCert.subject.emailAddress, 'ry@tinyclouds.org');
- assert.strictEqual(peerCert.serialNumber, '9A84ABCFB8A72AC0');
- assert.strictEqual(peerCert.exponent, '0x10001');
- assert.strictEqual(
- peerCert.fingerprint,
- '8D:06:3A:B3:E5:8B:85:29:72:4F:7D:1B:54:CD:95:19:3C:EF:6F:AA'
- );
- assert.deepStrictEqual(peerCert.infoAccess['OCSP - URI'],
- [ 'http://ocsp.nodejs.org/' ]);
-
- const issuer = peerCert.issuerCertificate;
- assert.strictEqual(issuer.issuerCertificate, issuer);
- assert.strictEqual(issuer.serialNumber, '8DF21C01468AF393');
-
- return cleanup();
-});
diff --git a/test/parallel/test-tls-pfx-gh-5100-regr.js b/test/parallel/test-tls-pfx-gh-5100-regr.js
deleted file mode 100644
index ba38f02..0000000
--- a/test/parallel/test-tls-pfx-gh-5100-regr.js
+++ /dev/null
@@ -1,38 +0,0 @@
-'use strict';
-
-const common = require('../common');
-
-if (!common.hasCrypto)
- common.skip('node compiled without crypto.');
-
-const assert = require('assert');
-const tls = require('tls');
-const fs = require('fs');
-const path = require('path');
-
-const pfx = fs.readFileSync(
- path.join(common.fixturesDir, 'keys', 'agent1-pfx.pem'));
-
-const server = tls.createServer({
- pfx: pfx,
- passphrase: 'sample',
- requestCert: true,
- rejectUnauthorized: false
-}, common.mustCall(function(c) {
- assert.strictEqual(
- c.authorizationError,
- null,
- 'authorizationError must be null'
- );
- c.end();
-})).listen(0, function() {
- const client = tls.connect({
- port: this.address().port,
- pfx: pfx,
- passphrase: 'sample',
- rejectUnauthorized: false
- }, function() {
- client.end();
- server.close();
- });
-});
diff --git a/test/parallel/test-tls-regr-gh-5108.js b/test/parallel/test-tls-regr-gh-5108.js
deleted file mode 100644
index 9bb07fe..0000000
--- a/test/parallel/test-tls-regr-gh-5108.js
+++ /dev/null
@@ -1,40 +0,0 @@
-'use strict';
-const common = require('../common');
-
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const assert = require('assert');
-const tls = require('tls');
-const fs = require('fs');
-
-const options = {
- key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`),
- cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`)
-};
-
-
-const server = tls.createServer(options, function(s) {
- s.end('hello');
-}).listen(0, function() {
- const opts = {
- port: this.address().port,
- rejectUnauthorized: false
- };
- const client = tls.connect(opts, function() {
- putImmediate(client);
- });
-});
-
-
-function putImmediate(client) {
- setImmediate(function() {
- if (client.ssl) {
- const fd = client.ssl.fd;
- assert(!!fd);
- putImmediate(client);
- } else {
- server.close();
- }
- });
-}
diff --git a/test/parallel/test-tls-request-timeout.js b/test/parallel/test-tls-request-timeout.js
deleted file mode 100644
index 3989e40..0000000
--- a/test/parallel/test-tls-request-timeout.js
+++ /dev/null
@@ -1,30 +0,0 @@
-'use strict';
-const common = require('../common');
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const assert = require('assert');
-const tls = require('tls');
-const fs = require('fs');
-
-const options = {
- key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`),
- cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`)
-};
-
-const server = tls.Server(options, common.mustCall(function(socket) {
- const s = socket.setTimeout(100);
- assert.ok(s instanceof tls.TLSSocket);
-
- socket.on('timeout', common.mustCall(function(err) {
- socket.end();
- server.close();
- }));
-}));
-
-server.listen(0, function() {
- tls.connect({
- port: this.address().port,
- rejectUnauthorized: false
- });
-});
diff --git a/test/parallel/test-tls-retain-handle-no-abort.js b/test/parallel/test-tls-retain-handle-no-abort.js
deleted file mode 100644
index 4be64c1..0000000
--- a/test/parallel/test-tls-retain-handle-no-abort.js
+++ /dev/null
@@ -1,40 +0,0 @@
-'use strict';
-
-const common = require('../common');
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const assert = require('assert');
-const tls = require('tls');
-const fs = require('fs');
-const util = require('util');
-
-const sent = 'hello world';
-const serverOptions = {
- isServer: true,
- key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`),
- cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`)
-};
-
-let ssl = null;
-
-process.on('exit', function() {
- assert.ok(ssl !== null);
- // If the internal pointer to stream_ isn't cleared properly then this
- // will abort.
- util.inspect(ssl);
-});
-
-const server = tls.createServer(serverOptions, function(s) {
- s.on('data', function() { });
- s.on('end', function() {
- server.close();
- s.destroy();
- });
-}).listen(0, function() {
- const c = new tls.TLSSocket();
- ssl = c.ssl;
- c.connect(this.address().port, function() {
- c.end(sent);
- });
-});
diff --git a/test/parallel/test-tls-securepair-fiftharg.js b/test/parallel/test-tls-securepair-fiftharg.js
deleted file mode 100644
index 97b563a..0000000
--- a/test/parallel/test-tls-securepair-fiftharg.js
+++ /dev/null
@@ -1,27 +0,0 @@
-'use strict';
-
-const common = require('../common');
-const assert = require('assert');
-const fs = require('fs');
-const tls = require('tls');
-
-const sslcontext = tls.createSecureContext({
- cert: fs.readFileSync(`${common.fixturesDir}/test_cert.pem`),
- key: fs.readFileSync(`${common.fixturesDir}/test_key.pem`)
-});
-
-let catchedServername;
-const pair = tls.createSecurePair(sslcontext, true, false, false, {
- SNICallback: common.mustCall(function(servername, cb) {
- catchedServername = servername;
- })
-});
-
-// captured traffic from browser's request to https://www.google.com
-const sslHello = fs.readFileSync(`${common.fixturesDir}/google_ssl_hello.bin`);
-
-pair.encrypted.write(sslHello);
-
-process.on('exit', function() {
- assert.strictEqual('www.google.com', catchedServername);
-});
diff --git a/test/parallel/test-tls-securepair-server.js b/test/parallel/test-tls-securepair-server.js
deleted file mode 100644
index d335bb2..0000000
--- a/test/parallel/test-tls-securepair-server.js
+++ /dev/null
@@ -1,133 +0,0 @@
-'use strict';
-const common = require('../common');
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-if (!common.opensslCli)
- common.skip('missing openssl-cli');
-
-const assert = require('assert');
-const tls = require('tls');
-const join = require('path').join;
-const net = require('net');
-const fs = require('fs');
-const spawn = require('child_process').spawn;
-
-const key = fs.readFileSync(join(common.fixturesDir, 'agent.key')).toString();
-const cert = fs.readFileSync(join(common.fixturesDir, 'agent.crt')).toString();
-
-function log(a) {
- console.error(`***server*** ${a}`);
-}
-
-const server = net.createServer(common.mustCall(function(socket) {
- log(`connection fd=${socket.fd}`);
- const sslcontext = tls.createSecureContext({key: key, cert: cert});
- sslcontext.context.setCiphers('RC4-SHA:AES128-SHA:AES256-SHA');
-
- const pair = tls.createSecurePair(sslcontext, true);
-
- assert.ok(pair.encrypted.writable);
- assert.ok(pair.cleartext.writable);
-
- pair.encrypted.pipe(socket);
- socket.pipe(pair.encrypted);
-
- log('i set it secure');
-
- pair.on('secure', function() {
- log('connected+secure!');
- pair.cleartext.write('hello\r\n');
- log(pair.cleartext.getPeerCertificate());
- log(pair.cleartext.getCipher());
- });
-
- pair.cleartext.on('data', function(data) {
- log(`read bytes ${data.length}`);
- pair.cleartext.write(data);
- });
-
- socket.on('end', function() {
- log('socket end');
- });
-
- pair.cleartext.on('error', function(err) {
- log('got error: ');
- log(err);
- log(err.stack);
- socket.destroy();
- });
-
- pair.encrypted.on('error', function(err) {
- log('encrypted error: ');
- log(err);
- log(err.stack);
- socket.destroy();
- });
-
- socket.on('error', function(err) {
- log('socket error: ');
- log(err);
- log(err.stack);
- socket.destroy();
- });
-
- socket.on('close', function(err) {
- log('socket closed');
- });
-
- pair.on('error', function(err) {
- log('secure error: ');
- log(err);
- log(err.stack);
- socket.destroy();
- });
-}));
-
-let gotHello = false;
-let sentWorld = false;
-let gotWorld = false;
-
-server.listen(0, common.mustCall(function() {
- // To test use: openssl s_client -connect localhost:8000
-
- const args = ['s_client', '-connect', `127.0.0.1:${this.address().port}`];
-
- // for the performance and stability issue in s_client on Windows
- if (common.isWindows)
- args.push('-no_rand_screen');
-
- const client = spawn(common.opensslCli, args);
-
-
- let out = '';
-
- client.stdout.setEncoding('utf8');
- client.stdout.on('data', function(d) {
- out += d;
-
- if (!gotHello && /hello/.test(out)) {
- gotHello = true;
- client.stdin.write('world\r\n');
- sentWorld = true;
- }
-
- if (!gotWorld && /world/.test(out)) {
- gotWorld = true;
- client.stdin.end();
- }
- });
-
- client.stdout.pipe(process.stdout, { end: false });
-
- client.on('exit', common.mustCall(function(code) {
- assert.strictEqual(0, code);
- server.close();
- }));
-}));
-
-process.on('exit', function() {
- assert.ok(gotHello);
- assert.ok(sentWorld);
- assert.ok(gotWorld);
-});
diff --git a/test/parallel/test-tls-server-connection-server.js b/test/parallel/test-tls-server-connection-server.js
deleted file mode 100644
index 7eef14d..0000000
--- a/test/parallel/test-tls-server-connection-server.js
+++ /dev/null
@@ -1,32 +0,0 @@
-'use strict';
-const common = require('../common');
-
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const assert = require('assert');
-const tls = require('tls');
-const fs = require('fs');
-
-const options = {
- key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`),
- cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`)
-};
-
-const server = tls.createServer(options, function(s) {
- s.end('hello');
-}).listen(0, function() {
- const opts = {
- port: this.address().port,
- rejectUnauthorized: false
- };
-
- server.on('connection', common.mustCall(function(socket) {
- assert.strictEqual(socket.server, server);
- server.close();
- }));
-
- const client = tls.connect(opts, function() {
- client.end();
- });
-});
diff --git a/test/parallel/test-tls-server-failed-handshake-emits-clienterror.js b/test/parallel/test-tls-server-failed-handshake-emits-clienterror.js
deleted file mode 100644
index 8efb4ec..0000000
--- a/test/parallel/test-tls-server-failed-handshake-emits-clienterror.js
+++ /dev/null
@@ -1,28 +0,0 @@
-'use strict';
-const common = require('../common');
-
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const tls = require('tls');
-const net = require('net');
-const assert = require('assert');
-
-const bonkers = Buffer.alloc(1024, 42);
-
-
-const server = tls.createServer({})
- .listen(0, function() {
- const c = net.connect({ port: this.address().port }, function() {
- c.write(bonkers);
- });
-
- }).on('tlsClientError', common.mustCall(function(e) {
- assert.ok(e instanceof Error,
- 'Instance of Error should be passed to error handler');
- assert.ok(
- /SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol/.test(e.message),
- 'Expecting SSL unknown protocol');
-
- server.close();
- }));
diff --git a/test/parallel/test-tls-server-verify.js b/test/parallel/test-tls-server-verify.js
deleted file mode 100644
index 7a106f6..0000000
--- a/test/parallel/test-tls-server-verify.js
+++ /dev/null
@@ -1,348 +0,0 @@
-'use strict';
-const common = require('../common');
-
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-if (!common.opensslCli)
- common.skip('node compiled without OpenSSL CLI.');
-
-// This is a rather complex test which sets up various TLS servers with node
-// and connects to them using the 'openssl s_client' command line utility
-// with various keys. Depending on the certificate authority and other
-// parameters given to the server, the various clients are
-// - rejected,
-// - accepted and "unauthorized", or
-// - accepted and "authorized".
-
-const assert = require('assert');
-const { spawn } = require('child_process');
-const { SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION } =
- require('crypto').constants;
-const fs = require('fs');
-const path = require('path');
-const tls = require('tls');
-
-const testCases =
- [{ title: 'Do not request certs. Everyone is unauthorized.',
- requestCert: false,
- rejectUnauthorized: false,
- renegotiate: false,
- CAs: ['ca1-cert'],
- clients:
- [{ name: 'agent1', shouldReject: false, shouldAuth: false },
- { name: 'agent2', shouldReject: false, shouldAuth: false },
- { name: 'agent3', shouldReject: false, shouldAuth: false },
- { name: 'nocert', shouldReject: false, shouldAuth: false }
- ]
- },
-
- { title: 'Allow both authed and unauthed connections with CA1',
- requestCert: true,
- rejectUnauthorized: false,
- renegotiate: false,
- CAs: ['ca1-cert'],
- clients:
- [{ name: 'agent1', shouldReject: false, shouldAuth: true },
- { name: 'agent2', shouldReject: false, shouldAuth: false },
- { name: 'agent3', shouldReject: false, shouldAuth: false },
- { name: 'nocert', shouldReject: false, shouldAuth: false }
- ]
- },
-
- { title: 'Do not request certs at connection. Do that later',
- requestCert: false,
- rejectUnauthorized: false,
- renegotiate: true,
- CAs: ['ca1-cert'],
- clients:
- [{ name: 'agent1', shouldReject: false, shouldAuth: true },
- { name: 'agent2', shouldReject: false, shouldAuth: false },
- { name: 'agent3', shouldReject: false, shouldAuth: false },
- { name: 'nocert', shouldReject: false, shouldAuth: false }
- ]
- },
-
- { title: 'Allow only authed connections with CA1',
- requestCert: true,
- rejectUnauthorized: true,
- renegotiate: false,
- CAs: ['ca1-cert'],
- clients:
- [{ name: 'agent1', shouldReject: false, shouldAuth: true },
- { name: 'agent2', shouldReject: true },
- { name: 'agent3', shouldReject: true },
- { name: 'nocert', shouldReject: true }
- ]
- },
-
- { title: 'Allow only authed connections with CA1 and CA2',
- requestCert: true,
- rejectUnauthorized: true,
- renegotiate: false,
- CAs: ['ca1-cert', 'ca2-cert'],
- clients:
- [{ name: 'agent1', shouldReject: false, shouldAuth: true },
- { name: 'agent2', shouldReject: true },
- { name: 'agent3', shouldReject: false, shouldAuth: true },
- { name: 'nocert', shouldReject: true }
- ]
- },
-
-
- { title: 'Allow only certs signed by CA2 but not in the CRL',
- requestCert: true,
- rejectUnauthorized: true,
- renegotiate: false,
- CAs: ['ca2-cert'],
- crl: 'ca2-crl',
- clients: [
- { name: 'agent1', shouldReject: true, shouldAuth: false },
- { name: 'agent2', shouldReject: true, shouldAuth: false },
- { name: 'agent3', shouldReject: false, shouldAuth: true },
- // Agent4 has a cert in the CRL.
- { name: 'agent4', shouldReject: true, shouldAuth: false },
- { name: 'nocert', shouldReject: true }
- ]
- }
- ];
-
-
-function filenamePEM(n) {
- return path.join(common.fixturesDir, 'keys', `${n}.pem`);
-}
-
-
-function loadPEM(n) {
- return fs.readFileSync(filenamePEM(n));
-}
-
-
-const serverKey = loadPEM('agent2-key');
-const serverCert = loadPEM('agent2-cert');
-
-
-function runClient(prefix, port, options, cb) {
-
- // Client can connect in three ways:
- // - Self-signed cert
- // - Certificate, but not signed by CA.
- // - Certificate signed by CA.
-
- const args = ['s_client', '-connect', `127.0.0.1:${port}`];
-
- // for the performance issue in s_client on Windows
- if (common.isWindows)
- args.push('-no_rand_screen');
-
- console.log(`${prefix} connecting with`, options.name);
-
- switch (options.name) {
- case 'agent1':
- // Signed by CA1
- args.push('-key');
- args.push(filenamePEM('agent1-key'));
- args.push('-cert');
- args.push(filenamePEM('agent1-cert'));
- break;
-
- case 'agent2':
- // Self-signed
- // This is also the key-cert pair that the server will use.
- args.push('-key');
- args.push(filenamePEM('agent2-key'));
- args.push('-cert');
- args.push(filenamePEM('agent2-cert'));
- break;
-
- case 'agent3':
- // Signed by CA2
- args.push('-key');
- args.push(filenamePEM('agent3-key'));
- args.push('-cert');
- args.push(filenamePEM('agent3-cert'));
- break;
-
- case 'agent4':
- // Signed by CA2 (rejected by ca2-crl)
- args.push('-key');
- args.push(filenamePEM('agent4-key'));
- args.push('-cert');
- args.push(filenamePEM('agent4-cert'));
- break;
-
- case 'nocert':
- // Do not send certificate
- break;
-
- default:
- throw new Error(`${prefix}Unknown agent name`);
- }
-
- // To test use: openssl s_client -connect localhost:8000
- const client = spawn(common.opensslCli, args);
-
- let out = '';
-
- let rejected = true;
- let authed = false;
- let goodbye = false;
-
- client.stdout.setEncoding('utf8');
- client.stdout.on('data', function(d) {
- out += d;
-
- if (!goodbye && /_unauthed/.test(out)) {
- console.error(`${prefix} * unauthed`);
- goodbye = true;
- client.kill();
- authed = false;
- rejected = false;
- }
-
- if (!goodbye && /_authed/.test(out)) {
- console.error(`${prefix} * authed`);
- goodbye = true;
- client.kill();
- authed = true;
- rejected = false;
- }
- });
-
- //client.stdout.pipe(process.stdout);
-
- client.on('exit', function(code) {
- //assert.strictEqual(
- // 0, code,
- // `${prefix}${options.name}: s_client exited with error code ${code}`);
- if (options.shouldReject) {
- assert.strictEqual(
- true, rejected,
- `${prefix}${options.name} NOT rejected, but should have been`);
- } else {
- assert.strictEqual(
- false, rejected,
- `${prefix}${options.name} rejected, but should NOT have been`);
- assert.strictEqual(
- options.shouldAuth, authed,
- `${prefix}${options.name} authed is ${authed} but should have been ${
- options.shouldAuth}`);
- }
-
- cb();
- });
-}
-
-
-// Run the tests
-let successfulTests = 0;
-function runTest(port, testIndex) {
- const prefix = `${testIndex} `;
- const tcase = testCases[testIndex];
- if (!tcase) return;
-
- console.error(`${prefix}Running '%s'`, tcase.title);
-
- const cas = tcase.CAs.map(loadPEM);
-
- const crl = tcase.crl ? loadPEM(tcase.crl) : null;
-
- const serverOptions = {
- key: serverKey,
- cert: serverCert,
- ca: cas,
- crl: crl,
- requestCert: tcase.requestCert,
- rejectUnauthorized: tcase.rejectUnauthorized
- };
-
- /*
- * If renegotiating - session might be resumed and openssl won't request
- * client's certificate (probably because of bug in the openssl)
- */
- if (tcase.renegotiate) {
- serverOptions.secureOptions =
- SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION;
- }
-
- let renegotiated = false;
- const server = tls.Server(serverOptions, function handleConnection(c) {
- c.on('error', function(e) {
- // child.kill() leads ECONNRESET errro in the TLS connection of
- // openssl s_client via spawn(). A Test result is already
- // checked by the data of client.stdout before child.kill() so
- // these tls errors can be ignored.
- });
- if (tcase.renegotiate && !renegotiated) {
- renegotiated = true;
- setTimeout(function() {
- console.error(`${prefix}- connected, renegotiating`);
- c.write('\n_renegotiating\n');
- return c.renegotiate({
- requestCert: true,
- rejectUnauthorized: false
- }, function(err) {
- assert(!err);
- c.write('\n_renegotiated\n');
- handleConnection(c);
- });
- }, 200);
- return;
- }
-
- if (c.authorized) {
- console.error(`${prefix}- authed connection: ${
- c.getPeerCertificate().subject.CN}`);
- c.write('\n_authed\n');
- } else {
- console.error(`${prefix}- unauthed connection: %s`, c.authorizationError);
- c.write('\n_unauthed\n');
- }
- });
-
- function runNextClient(clientIndex) {
- const options = tcase.clients[clientIndex];
- if (options) {
- runClient(`${prefix}${clientIndex} `, port, options, function() {
- runNextClient(clientIndex + 1);
- });
- } else {
- server.close();
- successfulTests++;
- runTest(port, nextTest++);
- }
- }
-
- server.listen(port, function() {
- port = server.address().port;
- if (tcase.debug) {
- console.error(`${prefix}TLS server running on port ${port}`);
- } else {
- if (tcase.renegotiate) {
- runNextClient(0);
- } else {
- let clientsCompleted = 0;
- for (let i = 0; i < tcase.clients.length; i++) {
- runClient(`${prefix}${i} `, port, tcase.clients[i], function() {
- clientsCompleted++;
- if (clientsCompleted === tcase.clients.length) {
- server.close();
- successfulTests++;
- runTest(port, nextTest++);
- }
- });
- }
- }
- }
- });
-}
-
-
-let nextTest = 0;
-runTest(0, nextTest++);
-runTest(0, nextTest++);
-
-
-process.on('exit', function() {
- assert.strictEqual(successfulTests, testCases.length);
-});
diff --git a/test/parallel/test-tls-session-cache.js b/test/parallel/test-tls-session-cache.js
deleted file mode 100644
index 326e760..0000000
--- a/test/parallel/test-tls-session-cache.js
+++ /dev/null
@@ -1,127 +0,0 @@
-'use strict';
-const common = require('../common');
-
-if (!common.opensslCli)
- common.skip('node compiled without OpenSSL CLI.');
-
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-doTest({ tickets: false }, function() {
- doTest({ tickets: true }, function() {
- console.error('all done');
- });
-});
-
-function doTest(testOptions, callback) {
- const assert = require('assert');
- const tls = require('tls');
- const fs = require('fs');
- const join = require('path').join;
- const spawn = require('child_process').spawn;
-
- const keyFile = join(common.fixturesDir, 'agent.key');
- const certFile = join(common.fixturesDir, 'agent.crt');
- const key = fs.readFileSync(keyFile);
- const cert = fs.readFileSync(certFile);
- const options = {
- key: key,
- cert: cert,
- ca: [cert],
- requestCert: true
- };
- let requestCount = 0;
- let resumeCount = 0;
- let session;
-
- const server = tls.createServer(options, function(cleartext) {
- cleartext.on('error', function(er) {
- // We're ok with getting ECONNRESET in this test, but it's
- // timing-dependent, and thus unreliable. Any other errors
- // are just failures, though.
- if (er.code !== 'ECONNRESET')
- throw er;
- });
- ++requestCount;
- cleartext.end();
- });
- server.on('newSession', function(id, data, cb) {
- // Emulate asynchronous store
- setTimeout(function() {
- assert.ok(!session);
- session = {
- id: id,
- data: data
- };
- cb();
- }, 1000);
- });
- server.on('resumeSession', function(id, callback) {
- ++resumeCount;
- assert.ok(session);
- assert.strictEqual(session.id.toString('hex'), id.toString('hex'));
-
- // Just to check that async really works there
- setTimeout(function() {
- callback(null, session.data);
- }, 100);
- });
-
- server.listen(0, function() {
- const args = [
- 's_client',
- '-tls1',
- '-connect', `localhost:${this.address().port}`,
- '-servername', 'ohgod',
- '-key', join(common.fixturesDir, 'agent.key'),
- '-cert', join(common.fixturesDir, 'agent.crt'),
- '-reconnect'
- ].concat(testOptions.tickets ? [] : '-no_ticket');
-
- // for the performance and stability issue in s_client on Windows
- if (common.isWindows)
- args.push('-no_rand_screen');
-
- function spawnClient() {
- const client = spawn(common.opensslCli, args, {
- stdio: [ 0, 1, 'pipe' ]
- });
- let err = '';
- client.stderr.setEncoding('utf8');
- client.stderr.on('data', function(chunk) {
- err += chunk;
- });
-
- client.on('exit', common.mustCall(function(code, signal) {
- if (code !== 0) {
- // If SmartOS and connection refused, then retry. See
- // https://github.com/nodejs/node/issues/2663.
- if (common.isSunOS && err.includes('Connection refused')) {
- requestCount = 0;
- spawnClient();
- return;
- }
- common.fail(`code: ${code}, signal: ${signal}, output: ${err}`);
- }
- assert.strictEqual(code, 0);
- server.close(common.mustCall(function() {
- setTimeout(callback, 100);
- }));
- }));
- }
-
- spawnClient();
- });
-
- process.on('exit', function() {
- if (testOptions.tickets) {
- assert.strictEqual(requestCount, 6);
- assert.strictEqual(resumeCount, 0);
- } else {
- // initial request + reconnect requests (5 times)
- assert.ok(session);
- assert.strictEqual(requestCount, 6);
- assert.strictEqual(resumeCount, 5);
- }
- });
-}
diff --git a/test/parallel/test-tls-set-ciphers.js b/test/parallel/test-tls-set-ciphers.js
deleted file mode 100644
index d53029e..0000000
--- a/test/parallel/test-tls-set-ciphers.js
+++ /dev/null
@@ -1,45 +0,0 @@
-'use strict';
-const common = require('../common');
-
-if (!common.opensslCli)
- common.skip('node compiled without OpenSSL CLI.');
-
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const assert = require('assert');
-const exec = require('child_process').exec;
-const tls = require('tls');
-const fs = require('fs');
-
-const options = {
- key: fs.readFileSync(`${common.fixturesDir}/keys/agent2-key.pem`),
- cert: fs.readFileSync(`${common.fixturesDir}/keys/agent2-cert.pem`),
- ciphers: 'DES-CBC3-SHA'
-};
-
-const reply = 'I AM THE WALRUS'; // something recognizable
-let response = '';
-
-process.on('exit', function() {
- assert.notStrictEqual(response.indexOf(reply), -1);
-});
-
-const server = tls.createServer(options, common.mustCall(function(conn) {
- conn.end(reply);
-}));
-
-server.listen(0, '127.0.0.1', function() {
- let cmd = `"${common.opensslCli}" s_client -cipher ${
- options.ciphers} -connect 127.0.0.1:${this.address().port}`;
-
- // for the performance and stability issue in s_client on Windows
- if (common.isWindows)
- cmd += ' -no_rand_screen';
-
- exec(cmd, function(err, stdout, stderr) {
- if (err) throw err;
- response = stdout;
- server.close();
- });
-});
diff --git a/test/parallel/test-tls-set-encoding.js b/test/parallel/test-tls-set-encoding.js
deleted file mode 100644
index 4114ee5..0000000
--- a/test/parallel/test-tls-set-encoding.js
+++ /dev/null
@@ -1,58 +0,0 @@
-'use strict';
-const common = require('../common');
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const assert = require('assert');
-const tls = require('tls');
-const fs = require('fs');
-
-const options = {
- key: fs.readFileSync(`${common.fixturesDir}/keys/agent2-key.pem`),
- cert: fs.readFileSync(`${common.fixturesDir}/keys/agent2-cert.pem`)
-};
-
-// Contains a UTF8 only character
-const messageUtf8 = 'x√ab c';
-
-// The same string above represented with ASCII
-const messageAscii = 'xb\b\u001aab c';
-
-const server = tls.Server(options, common.mustCall(function(socket) {
- socket.end(messageUtf8);
-}));
-
-
-server.listen(0, function() {
- const client = tls.connect({
- port: this.address().port,
- rejectUnauthorized: false
- });
-
- let buffer = '';
-
- client.setEncoding('ascii');
-
- client.on('data', function(d) {
- assert.ok(typeof d === 'string');
- buffer += d;
- });
-
-
- client.on('close', function() {
- // readyState is deprecated but we want to make
- // sure this isn't triggering an assert in lib/net.js
- // See issue #1069.
- assert.strictEqual('closed', client.readyState);
-
- // Confirming the buffer string is encoded in ASCII
- // and thus does NOT match the UTF8 string
- assert.notStrictEqual(buffer, messageUtf8);
-
- // Confirming the buffer string is encoded in ASCII
- // and thus does equal the ASCII string representation
- assert.strictEqual(buffer, messageAscii);
-
- server.close();
- });
-});
diff --git a/test/parallel/test-tls-sni-option.js b/test/parallel/test-tls-sni-option.js
deleted file mode 100644
index ff3e2ef..0000000
--- a/test/parallel/test-tls-sni-option.js
+++ /dev/null
@@ -1,168 +0,0 @@
-'use strict';
-
-const common = require('../common');
-
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-if (!process.features.tls_sni)
- common.skip('node compiled without OpenSSL or with old OpenSSL version.');
-
-const assert = require('assert');
-const fs = require('fs');
-const path = require('path');
-const tls = require('tls');
-
-function filenamePEM(n) {
- return path.join(common.fixturesDir, 'keys', `${n}.pem`);
-}
-
-function loadPEM(n) {
- return fs.readFileSync(filenamePEM(n));
-}
-
-const serverOptions = {
- key: loadPEM('agent2-key'),
- cert: loadPEM('agent2-cert'),
- requestCert: true,
- rejectUnauthorized: false,
- SNICallback: function(servername, callback) {
- const context = SNIContexts[servername];
-
- // Just to test asynchronous callback
- setTimeout(function() {
- if (context) {
- if (context.emptyRegression)
- callback(null, {});
- else
- callback(null, tls.createSecureContext(context));
- } else {
- callback(null, null);
- }
- }, 100);
- }
-};
-
-let SNIContexts = {
- 'a.example.com': {
- key: loadPEM('agent1-key'),
- cert: loadPEM('agent1-cert'),
- ca: [ loadPEM('ca2-cert') ]
- },
- 'b.example.com': {
- key: loadPEM('agent3-key'),
- cert: loadPEM('agent3-cert')
- },
- 'c.another.com': {
- emptyRegression: true
- }
-};
-
-const clientsOptions = [{
- port: undefined,
- key: loadPEM('agent1-key'),
- cert: loadPEM('agent1-cert'),
- ca: [loadPEM('ca1-cert')],
- servername: 'a.example.com',
- rejectUnauthorized: false
-}, {
- port: undefined,
- key: loadPEM('agent4-key'),
- cert: loadPEM('agent4-cert'),
- ca: [loadPEM('ca1-cert')],
- servername: 'a.example.com',
- rejectUnauthorized: false
-}, {
- port: undefined,
- key: loadPEM('agent2-key'),
- cert: loadPEM('agent2-cert'),
- ca: [loadPEM('ca2-cert')],
- servername: 'b.example.com',
- rejectUnauthorized: false
-}, {
- port: undefined,
- key: loadPEM('agent3-key'),
- cert: loadPEM('agent3-cert'),
- ca: [loadPEM('ca1-cert')],
- servername: 'c.wrong.com',
- rejectUnauthorized: false
-}, {
- port: undefined,
- key: loadPEM('agent3-key'),
- cert: loadPEM('agent3-cert'),
- ca: [loadPEM('ca1-cert')],
- servername: 'c.another.com',
- rejectUnauthorized: false
-}];
-
-const serverResults = [];
-const clientResults = [];
-const serverErrors = [];
-const clientErrors = [];
-let serverError;
-let clientError;
-
-const server = tls.createServer(serverOptions, function(c) {
- serverResults.push({ sni: c.servername, authorized: c.authorized });
-});
-
-server.on('tlsClientError', function(err) {
- serverResults.push(null);
- serverError = err.message;
-});
-
-server.listen(0, startTest);
-
-function startTest() {
- function connectClient(i, callback) {
- const options = clientsOptions[i];
- clientError = null;
- serverError = null;
-
- options.port = server.address().port;
- const client = tls.connect(options, function() {
- clientResults.push(
- /Hostname\/IP doesn't/.test(client.authorizationError || ''));
- client.destroy();
-
- next();
- });
-
- client.on('error', function(err) {
- clientResults.push(false);
- clientError = err.message;
- next();
- });
-
- function next() {
- clientErrors.push(clientError);
- serverErrors.push(serverError);
-
- if (i === clientsOptions.length - 1)
- callback();
- else
- connectClient(i + 1, callback);
- }
- }
-
- connectClient(0, function() {
- server.close();
- });
-}
-
-process.on('exit', function() {
- assert.deepStrictEqual(serverResults, [
- { sni: 'a.example.com', authorized: false },
- { sni: 'a.example.com', authorized: true },
- { sni: 'b.example.com', authorized: false },
- { sni: 'c.wrong.com', authorized: false },
- null
- ]);
- assert.deepStrictEqual(clientResults, [true, true, true, false, false]);
- assert.deepStrictEqual(clientErrors, [
- null, null, null, null, 'socket hang up'
- ]);
- assert.deepStrictEqual(serverErrors, [
- null, null, null, null, 'Invalid SNI context'
- ]);
-});
diff --git a/test/parallel/test-tls-sni-server-client.js b/test/parallel/test-tls-sni-server-client.js
deleted file mode 100644
index ebe51f2..0000000
--- a/test/parallel/test-tls-sni-server-client.js
+++ /dev/null
@@ -1,113 +0,0 @@
-'use strict';
-const common = require('../common');
-
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-if (!process.features.tls_sni)
- common.skip('node compiled without OpenSSL or with old OpenSSL version.');
-
-const assert = require('assert');
-const fs = require('fs');
-const path = require('path');
-const tls = require('tls');
-
-function filenamePEM(n) {
- return path.join(common.fixturesDir, 'keys', `${n}.pem`);
-}
-
-function loadPEM(n) {
- return fs.readFileSync(filenamePEM(n));
-}
-
-const serverOptions = {
- key: loadPEM('agent2-key'),
- cert: loadPEM('agent2-cert')
-};
-
-const SNIContexts = {
- 'a.example.com': {
- key: loadPEM('agent1-key'),
- cert: loadPEM('agent1-cert')
- },
- 'asterisk.test.com': {
- key: loadPEM('agent3-key'),
- cert: loadPEM('agent3-cert')
- },
- 'chain.example.com': {
- key: loadPEM('agent6-key'),
- // NOTE: Contains ca3 chain cert
- cert: loadPEM('agent6-cert')
- }
-};
-
-const clientsOptions = [{
- port: undefined,
- ca: [loadPEM('ca1-cert')],
- servername: 'a.example.com',
- rejectUnauthorized: false
-}, {
- port: undefined,
- ca: [loadPEM('ca2-cert')],
- servername: 'b.test.com',
- rejectUnauthorized: false
-}, {
- port: undefined,
- ca: [loadPEM('ca2-cert')],
- servername: 'a.b.test.com',
- rejectUnauthorized: false
-}, {
- port: undefined,
- ca: [loadPEM('ca1-cert')],
- servername: 'c.wrong.com',
- rejectUnauthorized: false
-}, {
- port: undefined,
- ca: [loadPEM('ca1-cert')],
- servername: 'chain.example.com',
- rejectUnauthorized: false
-}];
-
-const serverResults = [];
-const clientResults = [];
-
-const server = tls.createServer(serverOptions, function(c) {
- serverResults.push(c.servername);
-});
-
-server.addContext('a.example.com', SNIContexts['a.example.com']);
-server.addContext('*.test.com', SNIContexts['asterisk.test.com']);
-server.addContext('chain.example.com', SNIContexts['chain.example.com']);
-
-server.listen(0, startTest);
-
-function startTest() {
- let i = 0;
- function start() {
- // No options left
- if (i === clientsOptions.length)
- return server.close();
-
- const options = clientsOptions[i++];
- options.port = server.address().port;
- const client = tls.connect(options, function() {
- clientResults.push(
- client.authorizationError &&
- /Hostname\/IP doesn't/.test(client.authorizationError));
- client.destroy();
-
- // Continue
- start();
- });
- }
-
- start();
-}
-
-process.on('exit', function() {
- assert.deepStrictEqual(serverResults, [
- 'a.example.com', 'b.test.com', 'a.b.test.com', 'c.wrong.com',
- 'chain.example.com'
- ]);
- assert.deepStrictEqual(clientResults, [true, true, false, false, true]);
-});
diff --git a/test/parallel/test-tls-socket-close.js b/test/parallel/test-tls-socket-close.js
deleted file mode 100644
index f9a77bf..0000000
--- a/test/parallel/test-tls-socket-close.js
+++ /dev/null
@@ -1,67 +0,0 @@
-'use strict';
-const common = require('../common');
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const assert = require('assert');
-const tls = require('tls');
-const fs = require('fs');
-const net = require('net');
-
-const key = fs.readFileSync(`${common.fixturesDir}/keys/agent2-key.pem`);
-const cert = fs.readFileSync(`${common.fixturesDir}/keys/agent2-cert.pem`);
-
-let tlsSocket;
-// tls server
-const tlsServer = tls.createServer({ cert, key }, (socket) => {
- tlsSocket = socket;
- socket.on('error', common.mustCall((error) => {
- assert.strictEqual(error.code, 'EINVAL');
- tlsServer.close();
- netServer.close();
- }));
-});
-
-let netSocket;
-// plain tcp server
-const netServer = net.createServer((socket) => {
- // if client wants to use tls
- tlsServer.emit('connection', socket);
-
- netSocket = socket;
-}).listen(0, common.mustCall(function() {
- connectClient(netServer);
-}));
-
-function connectClient(server) {
- const tlsConnection = tls.connect({
- host: 'localhost',
- port: server.address().port,
- rejectUnauthorized: false
- });
-
- tlsConnection.write('foo', 'utf8', common.mustCall(() => {
- assert(netSocket);
- netSocket.setTimeout(1, common.mustCall(() => {
- assert(tlsSocket);
- // this breaks if TLSSocket is already managing the socket:
- netSocket.destroy();
- const interval = setInterval(() => {
- // Checking this way allows us to do the write at a time that causes a
- // segmentation fault (not always, but often) in Node.js 7.7.3 and
- // earlier. If we instead, for example, wait on the `close` event, then
- // it will not segmentation fault, which is what this test is all about.
- if (tlsSocket._handle._parent.bytesRead === 0) {
- tlsSocket.write('bar');
- clearInterval(interval);
- }
- }, 1);
- }));
- }));
- tlsConnection.on('error', (e) => {
- // Tolerate the occasional ECONNRESET.
- // Ref: https://github.com/nodejs/node/issues/13184
- if (e.code !== 'ECONNRESET')
- throw e;
- });
-}
diff --git a/test/parallel/test-tls-socket-default-options.js b/test/parallel/test-tls-socket-default-options.js
deleted file mode 100644
index 66f2689..0000000
--- a/test/parallel/test-tls-socket-default-options.js
+++ /dev/null
@@ -1,67 +0,0 @@
-'use strict';
-const common = require('../common');
-
-// Test directly created TLS sockets and options.
-
-const assert = require('assert');
-const join = require('path').join;
-const {
- connect, keys, tls
-} = require(join(common.fixturesDir, 'tls-connect'));
-
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-test(undefined, (err) => {
- assert.strictEqual(err.message, 'unable to verify the first certificate');
-});
-
-test({}, (err) => {
- assert.strictEqual(err.message, 'unable to verify the first certificate');
-});
-
-test({secureContext: tls.createSecureContext({ca: keys.agent1.ca})}, (err) => {
- assert.ifError(err);
-});
-
-test({ca: keys.agent1.ca}, (err) => {
- assert.ifError(err);
-});
-
-// Secure context options, like ca, are ignored if a sec ctx is explicitly
-// provided.
-test({secureContext: tls.createSecureContext(), ca: keys.agent1.ca}, (err) => {
- assert.strictEqual(err.message, 'unable to verify the first certificate');
-});
-
-function test(client, callback) {
- callback = common.mustCall(callback);
- connect({
- server: {
- key: keys.agent1.key,
- cert: keys.agent1.cert,
- },
- }, function(err, pair, cleanup) {
- assert.strictEqual(err.message, 'unable to verify the first certificate');
- let recv = '';
- pair.server.server.once('secureConnection', common.mustCall((conn) => {
- conn.on('data', (data) => recv += data);
- conn.on('end', common.mustCall(() => {
- // Server sees nothing wrong with connection, even though the client's
- // authentication of the server cert failed.
- assert.strictEqual(recv, 'hello');
- cleanup();
- }));
- }));
-
- // Client doesn't support the 'secureConnect' event, and doesn't error if
- // authentication failed. Caller must explicitly check for failure.
- (new tls.TLSSocket(null, client)).connect(pair.server.server.address().port)
- .on('connect', common.mustCall(function() {
- this.end('hello');
- }))
- .on('secure', common.mustCall(function() {
- callback(this.ssl.verifyError());
- }));
- });
-}
diff --git a/test/parallel/test-tls-socket-destroy.js b/test/parallel/test-tls-socket-destroy.js
deleted file mode 100644
index b101a87..0000000
--- a/test/parallel/test-tls-socket-destroy.js
+++ /dev/null
@@ -1,34 +0,0 @@
-'use strict';
-
-const common = require('../common');
-
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const fs = require('fs');
-const net = require('net');
-const tls = require('tls');
-
-const key = fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`);
-const cert = fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`);
-const secureContext = tls.createSecureContext({ key, cert });
-
-const server = net.createServer(common.mustCall((conn) => {
- const options = { isServer: true, secureContext, server };
- const socket = new tls.TLSSocket(conn, options);
- socket.once('data', common.mustCall(() => {
- socket._destroySSL(); // Should not crash.
- server.close();
- }));
-}));
-
-server.listen(0, function() {
- const options = {
- port: this.address().port,
- rejectUnauthorized: false,
- };
- tls.connect(options, function() {
- this.write('*'.repeat(1 << 20)); // Write more data than fits in a frame.
- this.on('error', this.destroy); // Server closes connection on us.
- });
-});
diff --git a/test/parallel/test-tls-socket-failed-handshake-emits-error.js b/test/parallel/test-tls-socket-failed-handshake-emits-error.js
deleted file mode 100644
index 16175b8..0000000
--- a/test/parallel/test-tls-socket-failed-handshake-emits-error.js
+++ /dev/null
@@ -1,37 +0,0 @@
-'use strict';
-const common = require('../common');
-
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const tls = require('tls');
-const net = require('net');
-const assert = require('assert');
-
-const bonkers = Buffer.alloc(1024, 42);
-
-const server = net.createServer(function(c) {
- setTimeout(function() {
- const s = new tls.TLSSocket(c, {
- isServer: true,
- server: server
- });
-
- s.on('error', common.mustCall(function(e) {
- assert.ok(e instanceof Error,
- 'Instance of Error should be passed to error handler');
- assert.ok(
- /SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol/.test(e.message),
- 'Expecting SSL unknown protocol');
- }));
-
- s.on('close', function() {
- server.close();
- s.destroy();
- });
- }, common.platformTimeout(200));
-}).listen(0, function() {
- const c = net.connect({port: this.address().port}, function() {
- c.write(bonkers);
- });
-});
diff --git a/test/parallel/test-tls-startcom-wosign-whitelist.js b/test/parallel/test-tls-startcom-wosign-whitelist.js
deleted file mode 100644
index 92d595e..0000000
--- a/test/parallel/test-tls-startcom-wosign-whitelist.js
+++ /dev/null
@@ -1,89 +0,0 @@
-'use strict';
-const common = require('../common');
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const assert = require('assert');
-const fs = require('fs');
-const path = require('path');
-const tls = require('tls');
-
-let finished = 0;
-
-function filenamePEM(n) {
- return path.join(common.fixturesDir, 'keys', `${n}.pem`);
-}
-
-function loadPEM(n) {
- return fs.readFileSync(filenamePEM(n));
-}
-
-const testCases = [
- { // agent8 is signed by fake-startcom-root with notBefore of
- // Oct 20 23:59:59 2016 GMT. It passes StartCom/WoSign check.
- serverOpts: {
- key: loadPEM('agent8-key'),
- cert: loadPEM('agent8-cert')
- },
- clientOpts: {
- ca: loadPEM('fake-startcom-root-cert'),
- port: undefined,
- rejectUnauthorized: true
- },
- errorCode: 'CERT_OK'
- },
- { // agent9 is signed by fake-startcom-root with notBefore of
- // Oct 21 00:00:01 2016 GMT. It fails StartCom/WoSign check.
- serverOpts: {
- key: loadPEM('agent9-key'),
- cert: loadPEM('agent9-cert')
- },
- clientOpts: {
- ca: loadPEM('fake-startcom-root-cert'),
- port: undefined,
- rejectUnauthorized: true
- },
- errorCode: 'CERT_REVOKED'
- }
-];
-
-
-function runNextTest(server, tindex) {
- server.close(function() {
- finished++;
- runTest(tindex + 1);
- });
-}
-
-
-function runTest(tindex) {
- const tcase = testCases[tindex];
-
- if (!tcase) return;
-
- const server = tls.createServer(tcase.serverOpts, function(s) {
- s.resume();
- }).listen(0, function() {
- tcase.clientOpts.port = this.address().port;
- const client = tls.connect(tcase.clientOpts);
- client.on('error', function(e) {
- assert.strictEqual(e.code, tcase.errorCode);
- runNextTest(server, tindex);
- });
-
- client.on('secureConnect', function() {
- // agent8 can pass StartCom/WoSign check so that the secureConnect
- // is established.
- assert.strictEqual(tcase.errorCode, 'CERT_OK');
- client.end();
- runNextTest(server, tindex);
- });
- });
-}
-
-
-runTest(0);
-
-process.on('exit', function() {
- assert.strictEqual(finished, testCases.length);
-});
diff --git a/test/parallel/test-tls-starttls-server.js b/test/parallel/test-tls-starttls-server.js
deleted file mode 100644
index 28d1db8..0000000
--- a/test/parallel/test-tls-starttls-server.js
+++ /dev/null
@@ -1,51 +0,0 @@
-'use strict';
-
-// Test asynchronous SNI+OCSP on TLSSocket created with `server` set to
-// `net.Server` instead of `tls.Server`
-
-const common = require('../common');
-
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const assert = require('assert');
-const fs = require('fs');
-const net = require('net');
-const tls = require('tls');
-
-const key = fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`);
-const cert = fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`);
-
-const server = net.createServer(common.mustCall((s) => {
- const tlsSocket = new tls.TLSSocket(s, {
- isServer: true,
- server: server,
-
- secureContext: tls.createSecureContext({
- key: key,
- cert: cert
- }),
-
- SNICallback: common.mustCall((hostname, callback) => {
- assert.strictEqual(hostname, 'test.test');
-
- callback(null, null);
- })
- });
-
- tlsSocket.on('secure', common.mustCall(() => {
- tlsSocket.end();
- server.close();
- }));
-})).listen(0, () => {
- const opts = {
- servername: 'test.test',
- port: server.address().port,
- rejectUnauthorized: false,
- requestOCSP: true
- };
-
- tls.connect(opts, function() {
- this.end();
- });
-});
diff --git a/test/parallel/test-tls-ticket-cluster.js b/test/parallel/test-tls-ticket-cluster.js
deleted file mode 100644
index 49c4c34..0000000
--- a/test/parallel/test-tls-ticket-cluster.js
+++ /dev/null
@@ -1,108 +0,0 @@
-'use strict';
-const common = require('../common');
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const assert = require('assert');
-const tls = require('tls');
-const cluster = require('cluster');
-const fs = require('fs');
-const join = require('path').join;
-
-const workerCount = 4;
-const expectedReqCount = 16;
-
-if (cluster.isMaster) {
- let reusedCount = 0;
- let reqCount = 0;
- let lastSession = null;
- let shootOnce = false;
- let workerPort = null;
-
- function shoot() {
- console.error('[master] connecting', workerPort);
- const c = tls.connect(workerPort, {
- session: lastSession,
- rejectUnauthorized: false
- }, function() {
- lastSession = c.getSession();
- c.end();
-
- if (++reqCount === expectedReqCount) {
- Object.keys(cluster.workers).forEach(function(id) {
- cluster.workers[id].send('die');
- });
- } else {
- shoot();
- }
- });
- }
-
- function fork() {
- const worker = cluster.fork();
- worker.on('message', function({ msg, port }) {
- console.error('[master] got %j', msg);
- if (msg === 'reused') {
- ++reusedCount;
- } else if (msg === 'listening' && !shootOnce) {
- workerPort = port || workerPort;
- shootOnce = true;
- shoot();
- }
- });
-
- worker.on('exit', function() {
- console.error('[master] worker died');
- });
- }
- for (let i = 0; i < workerCount; i++) {
- fork();
- }
-
- process.on('exit', function() {
- assert.strictEqual(reqCount, expectedReqCount);
- assert.strictEqual(reusedCount + 1, reqCount);
- });
- return;
-}
-
-const keyFile = join(common.fixturesDir, 'agent.key');
-const certFile = join(common.fixturesDir, 'agent.crt');
-const key = fs.readFileSync(keyFile);
-const cert = fs.readFileSync(certFile);
-const options = {
- key: key,
- cert: cert
-};
-
-const server = tls.createServer(options, function(c) {
- if (c.isSessionReused()) {
- process.send({ msg: 'reused' });
- } else {
- process.send({ msg: 'not-reused' });
- }
- c.end();
-});
-
-server.listen(0, function() {
- const { port } = server.address();
- process.send({
- msg: 'listening',
- port,
- });
-});
-
-process.on('message', function listener(msg) {
- console.error('[worker] got %j', msg);
- if (msg === 'die') {
- server.close(function() {
- console.error('[worker] server close');
-
- process.exit();
- });
- }
-});
-
-process.on('exit', function() {
- console.error('[worker] exit');
-});
diff --git a/test/parallel/test-tls-ticket.js b/test/parallel/test-tls-ticket.js
deleted file mode 100644
index 3d6f7a4..0000000
--- a/test/parallel/test-tls-ticket.js
+++ /dev/null
@@ -1,98 +0,0 @@
-'use strict';
-const common = require('../common');
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const assert = require('assert');
-const tls = require('tls');
-const fs = require('fs');
-const net = require('net');
-const crypto = require('crypto');
-
-const keys = crypto.randomBytes(48);
-const serverLog = [];
-const ticketLog = [];
-
-let serverCount = 0;
-function createServer() {
- const id = serverCount++;
-
- let counter = 0;
- let previousKey = null;
-
- const server = tls.createServer({
- key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`),
- cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`),
- ticketKeys: keys
- }, function(c) {
- serverLog.push(id);
- c.end();
-
- counter++;
-
- // Rotate ticket keys
- if (counter === 1) {
- previousKey = server.getTicketKeys();
- server.setTicketKeys(crypto.randomBytes(48));
- } else if (counter === 2) {
- server.setTicketKeys(previousKey);
- } else if (counter === 3) {
- // Use keys from counter=2
- } else {
- throw new Error('UNREACHABLE');
- }
- });
-
- return server;
-}
-
-const naturalServers = [ createServer(), createServer(), createServer() ];
-
-// 3x servers
-const servers = naturalServers.concat(naturalServers).concat(naturalServers);
-
-// Create one TCP server and balance sockets to multiple TLS server instances
-const shared = net.createServer(function(c) {
- servers.shift().emit('connection', c);
-}).listen(0, function() {
- start(function() {
- shared.close();
- });
-});
-
-function start(callback) {
- let sess = null;
- let left = servers.length;
-
- function connect() {
- const s = tls.connect(shared.address().port, {
- session: sess,
- rejectUnauthorized: false
- }, function() {
- sess = sess || s.getSession();
- ticketLog.push(s.getTLSTicket().toString('hex'));
- });
- s.on('close', function() {
- if (--left === 0)
- callback();
- else
- connect();
- });
- }
-
- connect();
-}
-
-process.on('exit', function() {
- assert.strictEqual(ticketLog.length, serverLog.length);
- for (let i = 0; i < naturalServers.length - 1; i++) {
- assert.notStrictEqual(serverLog[i], serverLog[i + 1]);
- assert.strictEqual(ticketLog[i], ticketLog[i + 1]);
-
- // 2nd connection should have different ticket
- assert.notStrictEqual(ticketLog[i], ticketLog[i + naturalServers.length]);
-
- // 3rd connection should have the same ticket
- assert.strictEqual(ticketLog[i], ticketLog[i + naturalServers.length * 2]);
- }
-});
diff --git a/test/parallel/test-tls-timeout-server-2.js b/test/parallel/test-tls-timeout-server-2.js
deleted file mode 100644
index a462750..0000000
--- a/test/parallel/test-tls-timeout-server-2.js
+++ /dev/null
@@ -1,29 +0,0 @@
-'use strict';
-const common = require('../common');
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const assert = require('assert');
-const tls = require('tls');
-const fs = require('fs');
-
-const options = {
- key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`),
- cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`)
-};
-
-const server = tls.createServer(options, common.mustCall(function(cleartext) {
- const s = cleartext.setTimeout(50, function() {
- cleartext.destroy();
- server.close();
- });
- assert.ok(s instanceof tls.TLSSocket);
-}));
-
-server.listen(0, common.mustCall(function() {
- tls.connect({
- host: '127.0.0.1',
- port: this.address().port,
- rejectUnauthorized: false
- });
-}));
diff --git a/test/parallel/test-tls-timeout-server.js b/test/parallel/test-tls-timeout-server.js
deleted file mode 100644
index b983e2c..0000000
--- a/test/parallel/test-tls-timeout-server.js
+++ /dev/null
@@ -1,26 +0,0 @@
-'use strict';
-const common = require('../common');
-
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const tls = require('tls');
-const net = require('net');
-const fs = require('fs');
-
-const options = {
- key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`),
- cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`),
- handshakeTimeout: 50
-};
-
-const server = tls.createServer(options, common.mustNotCall());
-
-server.on('tlsClientError', common.mustCall(function(err, conn) {
- conn.destroy();
- server.close();
-}));
-
-server.listen(0, common.mustCall(function() {
- net.connect({ host: '127.0.0.1', port: this.address().port });
-}));
diff --git a/test/parallel/test-tls-two-cas-one-string.js b/test/parallel/test-tls-two-cas-one-string.js
deleted file mode 100644
index 10d626b..0000000
--- a/test/parallel/test-tls-two-cas-one-string.js
+++ /dev/null
@@ -1,34 +0,0 @@
-'use strict';
-
-const common = require('../common');
-const tls = require('tls');
-const fs = require('fs');
-
-const ca1 =
- fs.readFileSync(`${common.fixturesDir}/keys/ca1-cert.pem`, 'utf8');
-const ca2 =
- fs.readFileSync(`${common.fixturesDir}/keys/ca2-cert.pem`, 'utf8');
-const cert =
- fs.readFileSync(`${common.fixturesDir}/keys/agent3-cert.pem`, 'utf8');
-const key =
- fs.readFileSync(`${common.fixturesDir}/keys/agent3-key.pem`, 'utf8');
-
-function test(ca, next) {
- const server = tls.createServer({ ca, cert, key }, function(conn) {
- this.close();
- conn.end();
- });
-
- server.addContext('agent3', { ca, cert, key });
-
- const host = common.localhostIPv4;
- server.listen(0, host, function() {
- tls.connect({ servername: 'agent3', host, port: this.address().port, ca });
- });
-
- server.once('close', next);
-}
-
-const array = [ca1, ca2];
-const string = `${ca1}\n${ca2}`;
-test(array, () => test(string, () => {}));
diff --git a/test/parallel/test-tls-wrap-no-abort.js b/test/parallel/test-tls-wrap-no-abort.js
deleted file mode 100644
index a64aea0..0000000
--- a/test/parallel/test-tls-wrap-no-abort.js
+++ /dev/null
@@ -1,8 +0,0 @@
-'use strict';
-
-require('../common');
-const util = require('util');
-const TLSWrap = process.binding('tls_wrap').TLSWrap;
-
-// This will abort if internal pointer is not set to nullptr.
-util.inspect(new TLSWrap());
diff --git a/test/parallel/test-tls-wrap-timeout.js b/test/parallel/test-tls-wrap-timeout.js
deleted file mode 100644
index b4cff36..0000000
--- a/test/parallel/test-tls-wrap-timeout.js
+++ /dev/null
@@ -1,53 +0,0 @@
-'use strict';
-const common = require('../common');
-
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const assert = require('assert');
-const tls = require('tls');
-
-const net = require('net');
-const fs = require('fs');
-
-const options = {
- key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`),
- cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`)
-};
-
-const server = tls.createServer(options, common.mustCall((c) => {
- setImmediate(() => {
- c.write('hello', () => {
- setImmediate(() => {
- c.destroy();
- server.close();
- });
- });
- });
-}));
-
-let socket;
-let lastIdleStart;
-
-server.listen(0, () => {
- socket = net.connect(server.address().port, function() {
- const s = socket.setTimeout(Number.MAX_VALUE, function() {
- throw new Error('timeout');
- });
- assert.ok(s instanceof net.Socket);
-
- assert.notStrictEqual(socket._idleTimeout, -1);
- lastIdleStart = socket._idleStart;
-
- const tsocket = tls.connect({
- socket: socket,
- rejectUnauthorized: false
- });
- tsocket.resume();
- });
-});
-
-process.on('exit', () => {
- assert.strictEqual(socket._idleTimeout, -1);
- assert(lastIdleStart < socket._idleStart);
-});
diff --git a/test/parallel/test-tls-writewrap-leak.js b/test/parallel/test-tls-writewrap-leak.js
deleted file mode 100644
index bc09044..0000000
--- a/test/parallel/test-tls-writewrap-leak.js
+++ /dev/null
@@ -1,24 +0,0 @@
-'use strict';
-const common = require('../common');
-
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const assert = require('assert');
-const net = require('net');
-const tls = require('tls');
-
-const server = net.createServer(common.mustCall((c) => {
- c.destroy();
-})).listen(0, common.mustCall(() => {
- const c = tls.connect({ port: server.address().port });
- c.on('error', () => {
- // Otherwise `.write()` callback won't be invoked.
- c.destroyed = false;
- });
-
- c.write('hello', common.mustCall((err) => {
- assert.strictEqual(err.code, 'ECANCELED');
- server.close();
- }));
-}));
diff --git a/test/parallel/test-tls-zero-clear-in.js b/test/parallel/test-tls-zero-clear-in.js
deleted file mode 100644
index 8192660..0000000
--- a/test/parallel/test-tls-zero-clear-in.js
+++ /dev/null
@@ -1,41 +0,0 @@
-'use strict';
-const common = require('../common');
-
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const tls = require('tls');
-
-const fs = require('fs');
-const path = require('path');
-
-const cert = fs.readFileSync(path.join(common.fixturesDir, 'test_cert.pem'));
-const key = fs.readFileSync(path.join(common.fixturesDir, 'test_key.pem'));
-
-const server = tls.createServer({
- cert: cert,
- key: key
-}, function(c) {
- // Nop
- setTimeout(function() {
- c.end();
- server.close();
- }, 20);
-}).listen(0, common.mustCall(function() {
- const conn = tls.connect({
- cert: cert,
- key: key,
- rejectUnauthorized: false,
- port: this.address().port
- }, function() {
- setTimeout(function() {
- conn.destroy();
- }, 20);
- });
-
- // SSL_write() call's return value, when called 0 bytes, should not be
- // treated as error.
- conn.end('');
-
- conn.on('error', common.mustNotCall());
-}));
--
1.8.3.1