SNOW-872482: Fix getPeerCertificate (#645)

snowflakedb · Sep 25, 2023 · c02bc29 · c02bc29
1 parent 5dcb8fc
commit c02bc29
Showing 1 changed file with 7 additions and 4 deletions.
diff --git a/lib/agent/socket_util.js b/lib/agent/socket_util.js
@@ -18,6 +18,8 @@ const ocspFailOpenWarning =
   'without OCSP based Certificated Revocation checking as it could not obtain a valid OCSP Response to use from ' +
   'the CA OCSP responder. Details: ';
 
+const socketSecuredEvent = 'secureConnect';
+
 const rawOcspFlag =
   process.env.SF_OCSP_RESPONSE_CACHE_SERVER_ENABLED;
 
@@ -72,7 +74,7 @@ exports.secureSocket = function (socket, host, agent, mock)
   const validate = function ()
   {
     // stop listening for the secure event
-    socket.removeListener('secure', validate);
+    socket.removeListener(socketSecuredEvent, validate);
 
     Logger.getInstance().trace('socket reused = %s', socket.isSessionReused());
 
@@ -86,10 +88,11 @@ exports.secureSocket = function (socket, host, agent, mock)
     {
       if (!socket.authorized)
       {
-        return socket;
+        Logger.getInstance().warn('Socket is not authorized: %s', socket.authorizationError);
+        return socket.destroy(socket.authorizationError);
       }
       // use ocsp to make sure the entire certificate chain can be trusted
-      const certChain = socket.ssl.getPeerCertificate(true);
+      const certChain = socket.getPeerCertificate(true);
       const vcc = mock ? mock.validateCertChain : validateCertChain;
 
       vcc(certChain, function (err)
@@ -111,7 +114,7 @@ exports.secureSocket = function (socket, host, agent, mock)
   };
 
   // when the socket is secure, perform additional validation
-  socket.on('secure', validate);
+  socket.on(socketSecuredEvent, validate);
 
   // block all writes until validation is complete
   socket.cork();