
[v24.x] lib: backport _tls_common and _tls_wrap refactors #61044

Merged
aduh95 merged 3 commits into nodejs:v24.x-staging from targos:backport-tls-v24
Feb 4, 2026

Conversation

@targos (Member) commented Dec 13, 2025

This is the same as the original change, minus the process.emitWarning calls and unit tests that expect the deprecation warnings.

Refs: #57643

@nodejs-github-bot (Collaborator)

Review requested:

  • @nodejs/crypto
  • @nodejs/net
  • @nodejs/startup

@nodejs-github-bot added the labels lib / src (Issues and PRs related to general changes in the lib or src directory), needs-ci (PRs that need a full CI run) and v24.x (Issues that can be reproduced on v24.x or PRs targeting the v24.x-staging branch) on Dec 13, 2025
@targos (Member, Author) commented Dec 23, 2025

/cc @dario-piotrowicz

@targos targos added the request-ci Add this label to start a Jenkins CI on a PR. label Jan 1, 2026
@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Jan 1, 2026
@targos (Member, Author) commented Jan 23, 2026

To be transparent: I rebased, ignored the conflict in lib/_tls_wrap.js (keep full deletion of the code) and reapplied the security fixes by cherry-picking them from the v25.x branch.

@codecov bot commented Feb 3, 2026

Codecov Report

❌ Patch coverage is 95.23327% with 94 lines in your changes missing coverage. Please review.
✅ Project coverage is 90.10%. Comparing base (4606233) to head (065c9b0).
⚠️ Report is 7 commits behind head on v24.x-staging.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| lib/internal/tls/wrap.js | 95.00% | 88 Missing and 2 partials ⚠️ |
| lib/internal/tls/common.js | 97.43% | 4 Missing ⚠️ |

Additional details and impacted files

```text
@@                Coverage Diff                @@
##           v24.x-staging   #61044      +/-   ##
=================================================
+ Coverage          90.07%   90.10%   +0.03%     
=================================================
  Files                665      667       +2     
  Lines             199008   199019      +11     
  Branches           38909    38911       +2     
=================================================
+ Hits              179247   179335      +88     
+ Misses             12133    12040      -93     
- Partials            7628     7644      +16     
```

| Files with missing lines | Coverage | Δ |
|---|---|---|
| lib/_tls_common.js | 100.00% <100.00%> | (+2.56%) ⬆️ |
| lib/_tls_wrap.js | 100.00% <100.00%> | (+5.00%) ⬆️ |
| lib/internal/crypto/x509.js | 91.66% <100.00%> | (ø) |
| lib/tls.js | 93.10% <100.00%> | (ø) |
| src/node_builtins.cc | 79.56% <ø> | (-0.25%) ⬇️ |
| lib/internal/tls/common.js | 97.43% <97.43%> | (ø) |
| lib/internal/tls/wrap.js | 95.00% <95.00%> | (ø) |

... and 37 files with indirect coverage changes


aduh95 pushed a commit to targos/node that referenced this pull request Feb 4, 2026
This is the same as the original change, minus the `process.emitWarning`
calls and unit tests that expect the deprecation warnings, plus
re-application of the fixes for CVE-2025-59465 and CVE-2026-21637.

Original commit message:
    lib: deprecate _tls_common and _tls_wrap

    runtime deprecate the _tls_common and _tls_wrap
    modules, users should use just node:tls instead
    and internally internal/tls/common and
    internal/tls/wrap should be used instead

PR-URL: nodejs#57643
Backport-PR-URL: nodejs#61044
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
aduh95 pushed a commit to targos/node that referenced this pull request Feb 4, 2026
This prevents the server from crashing due to an unhandled rejection
when a TLSSocket connection is abruptly destroyed during initialization
and the user has not attached an error handler to the socket.
e.g.:

```js
const server = http2.createSecureServer({ ... })
server.on('secureConnection', socket => {
  socket.on('error', err => {
    console.log(err)
  })
})
```

PR-URL: nodejs-private/node-private#750
Backport-PR-URL: nodejs#61044
Fixes: nodejs#44751
Refs: https://hackerone.com/bugs?subject=nodejs&report_id=3262404
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
CVE-ID: CVE-2025-59465
Refs: nodejs#57643
aduh95 pushed a commit to targos/node that referenced this pull request Feb 4, 2026
Wrap pskCallback and ALPNCallback invocations in try-catch blocks
to route exceptions through owner.destroy() instead of letting them
become uncaught exceptions. This prevents remote attackers from
crashing TLS servers or causing resource exhaustion.

Fixes: https://hackerone.com/reports/3473882
PR-URL: nodejs-private/node-private#782
Backport-PR-URL: nodejs#61044
CVE-ID: CVE-2026-21637
Refs: nodejs#57643
dario-piotrowicz and others added 3 commits February 4, 2026 12:22
@aduh95 aduh95 merged commit 065c9b0 into nodejs:v24.x-staging Feb 4, 2026
19 of 20 checks passed
@aduh95 (Contributor) commented Feb 4, 2026

Landed in 736dce3...065c9b0

aduh95 pushed a commit that referenced this pull request Feb 6, 2026
aduh95 pushed a commit that referenced this pull request Feb 6, 2026
aduh95 pushed a commit that referenced this pull request Feb 6, 2026
7 participants