From c02bc29b60e80fa03a1242f4584d0cf90732e5e5 Mon Sep 17 00:00:00 2001
From: Piotr Bulawa
Date: Mon, 25 Sep 2023 12:56:34 +0200
Subject: [PATCH] SNOW-872482: Fix getPeerCertificate (#645)

---
 lib/agent/socket_util.js | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/lib/agent/socket_util.js b/lib/agent/socket_util.js
index 2d67a6daa..fbeb9dfca 100644
--- a/lib/agent/socket_util.js
+++ b/lib/agent/socket_util.js
@@ -18,6 +18,8 @@ const ocspFailOpenWarning =
 'without OCSP based Certificated Revocation checking as it could not obtain a valid OCSP Response to use from ' +
 'the CA OCSP responder. Details: ';
+const socketSecuredEvent = 'secureConnect';
+
 const rawOcspFlag = process.env.SF_OCSP_RESPONSE_CACHE_SERVER_ENABLED;
@@ -72,7 +74,7 @@ exports.secureSocket = function (socket, host, agent, mock)
 const validate = function ()
 {
 // stop listening for the secure event
- socket.removeListener('secure', validate);
+ socket.removeListener(socketSecuredEvent, validate);
 Logger.getInstance().trace('socket reused = %s', socket.isSessionReused());
@@ -86,10 +88,11 @@ exports.secureSocket = function (socket, host, agent, mock)
 {
 if (!socket.authorized)
 {
- return socket;
+ Logger.getInstance().warn('Socket is not authorized: %s', socket.authorizationError);
+ return socket.destroy(socket.authorizationError);
 }
 // use ocsp to make sure the entire certificate chain can be trusted
- const certChain = socket.ssl.getPeerCertificate(true);
+ const certChain = socket.getPeerCertificate(true);
 const vcc = mock ? mock.validateCertChain : validateCertChain;
 vcc(certChain, function (err)
@@ -111,7 +114,7 @@ exports.secureSocket = function (socket, host, agent, mock)
 };
 // when the socket is secure, perform additional validation
- socket.on('secure', validate);
+ socket.on(socketSecuredEvent, validate);
 // block all writes until validation is complete
 socket.cork();
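Review bot: The validation listener is still registered with `socket.on` and then removed by hand as the first statement of `validate` (`socket.removeListener(socketSecuredEvent, validate);` in this hunk, `socket.on(socketSecuredEvent, validate);` in the last hunk); registering it once, `socket.once(socketSecuredEvent, validate);`, and dropping the removeListener line expresses the same one-shot intent in one place and cannot drift if the event name changes again, assuming nothing outside these hunks also removes `validate` by reference. The comment kept above the changed line, `// stop listening for the secure event`, now describes the 'secureConnect' event; `// stop listening for the secureConnect event` would match the constant it sits next to. The body of `validate` and of `secureSocket` continue outside this hunk.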
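Review bot: `return socket.destroy(socket.authorizationError);` hands whatever `authorizationError` holds to destroy as the error; on Node's TLSSocket that property is, as far as I recall, a reason string (a verification code) rather than an Error object, so the 'error' event this destroy emits would carry a bare string with no message or stack, and any handler that reads `err.message` or checks `instanceof Error` gets nothing useful — wrapping it, `return socket.destroy(new Error('Socket is not authorized: ' + socket.authorizationError));`, keeps the reason and gives consumers a real Error. Failing closed here is the right default for a TLS validation hook (the removed line handed the unauthorized socket back to the caller), but it also means the caller must already have an 'error' listener on the socket when `validate` runs, or the destroy surfaces as an unhandled error; I cannot see the agent side from this hunk, so that is worth confirming. The enclosing callback and `secureSocket` both start and end outside this hunk.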