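--- a/doc/api/errors.md
+++ b/doc/api/errors.md
@@ -3132,6 +3132,13 @@ Failed to set PSK identity hint. Hint may be too long.
 An attempt was made to renegotiate TLS on a socket instance with renegotiation
 disabled.
 
+<a id="ERR_TLS_RENEGOTIATION_UNSUPPORTED"></a>
+
+### `ERR_TLS_RENEGOTIATION_UNSUPPORTED`
+
+An attempt was made to renegotiate TLS, but the TLS implementation does not
+support caller-initiated renegotiation.
+
 <a id="ERR_TLS_REQUIRED_SERVER_NAME"></a>
 
 ### `ERR_TLS_REQUIRED_SERVER_NAME`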
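--- a/lib/internal/errors.js
+++ b/lib/internal/errors.js
@@ -1843,6 +1843,8 @@ E('ERR_TLS_PROTOCOL_VERSION_CONFLICT',
 'TLS protocol version %j conflicts with secureProtocol %j', TypeError);
 E('ERR_TLS_RENEGOTIATION_DISABLED',
 'TLS session renegotiation disabled for this socket', Error);
+E('ERR_TLS_RENEGOTIATION_UNSUPPORTED',
+'TLS session renegotiation is unsupported by this TLS implementation', Error);
 
 // This should probably be a `TypeError`.
 E('ERR_TLS_REQUIRED_SERVER_NAME',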
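--- a/lib/internal/tls/wrap.js
+++ b/lib/internal/tls/wrap.js
@@ -72,6 +72,7 @@ const {
 ERR_TLS_INVALID_CONTEXT,
 ERR_TLS_INVALID_STATE,
 ERR_TLS_RENEGOTIATION_DISABLED,
+ERR_TLS_RENEGOTIATION_UNSUPPORTED,
 ERR_TLS_REQUIRED_SERVER_NAME,
 ERR_TLS_SESSION_ATTACK,
 ERR_TLS_SNI_FROM_SERVER,
@@ -1014,8 +1015,13 @@ TLSSocket.prototype.renegotiate = function(options, callback) {
 try {
 this._handle.renegotiate();
 } catch (err) {
+const isBoringSSLRenegotiationUnsupported =
+process.features.openssl_is_boringssl &&
+err?.code === 'ERR_SSL_FUNCTION_SHOULD_NOT_HAVE_BEEN_CALLED';
+const error = isBoringSSLRenegotiationUnsupported ?
+new ERR_TLS_RENEGOTIATION_UNSUPPORTED() : err;
 if (callback) {
-process.nextTick(callback, err);
+process.nextTick(callback, error);
 }
 return false;
 }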
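Review bot: The translation in the `catch` block of `renegotiate` drops the original `err`, so a caller that logs the callback argument loses the TLS library's own code and stack once the failure is rewritten to `ERR_TLS_RENEGOTIATION_UNSUPPORTED`. Keeping it reachable is one line after `error` is built: `if (isBoringSSLRenegotiationUnsupported) error.cause = err;`. A short comment above `isBoringSSLRenegotiationUnsupported` would also help the next reader, for example `// BoringSSL rejects caller-initiated renegotiation with this generic reason code; map it to a stable Node.js error.` Because the match is on a generic reason code, it is worth confirming that no other failure inside `_handle.renegotiate()` under BoringSSL reports the same code and gets mislabelled. The enclosing `renegotiate` function starts and ends outside the hunk.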
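--- a/test/addons/openssl-get-ssl-ctx/binding.cc
+++ b/test/addons/openssl-get-ssl-ctx/binding.cc
@@ -18,12 +18,12 @@ void GetSSLCtx(const v8::FunctionCallbackInfo<v8::Value>& args) {
 return;
 }
 
-// Verify the pointer is a valid SSL_CTX by calling an OpenSSL function.
-const SSL_METHOD* method = SSL_CTX_get_ssl_method(ctx);
-if (method == nullptr) {
+// Verify the pointer is a valid SSL_CTX by calling a function available
+// across OpenSSL-compatible TLS backends and checking context-owned state.
+STACK_OF(SSL_CIPHER)* ciphers = SSL_CTX_get_ciphers(ctx);
+if (ciphers == nullptr) {
 isolate->ThrowException(v8::Exception::Error(
-v8::String::NewFromUtf8(isolate,
-"SSL_CTX_get_ssl_method returned nullptr")
+v8::String::NewFromUtf8(isolate, "SSL_CTX_get_ciphers returned nullptr")
 .ToLocalChecked()));
 return;
 }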
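Review bot: The rewritten comment above `SSL_CTX_get_ciphers(ctx)` says the call verifies that the pointer is a valid `SSL_CTX`, but a null return only shows that the context has no cipher list. A stale or wrong-typed pointer would be dereferenced inside the call rather than rejected. Wording it as a smoke test would be more accurate, e.g. `// Smoke-test the SSL_CTX by reading context-owned state via an API shared by OpenSSL-compatible backends; this cannot detect a dangling pointer.` `GetSSLCtx` starts and ends outside the hunk.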