tls: add unsupported renegotiation error#63161
Open
panva wants to merge 2 commits intonodejs:mainfrom
Open
Conversation
Map BoringSSL's native renegotiation failure to ERR_TLS_RENEGOTIATION_UNSUPPORTED when TLSSocket#renegotiate() is called. This avoids exposing an implementation-specific OpenSSL error when the TLS backend does not support caller-initiated renegotiation. Signed-off-by: Filip Skokan <[email protected]>
Signed-off-by: Filip Skokan <[email protected]>
panva
added
the
commit-queue-rebase
Collaborator
|
Review requested:
|
nodejs-github-bot
added
errors
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #63161 +/- ##
==========================================
- Coverage 90.04% 90.02% -0.02%
==========================================
Files 713 713
Lines 224484 224505 +21
Branches 42430 42436 +6
==========================================
- Hits 202134 202110 -24
- Misses 14156 14224 +68
+ Partials 8194 8171 -23
🚀 New features to boost your workflow:
|
pimterry
approved these changes
May 7, 2026
panva
added
the
author ready
github-actions
Bot
removed
the
request-ci
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
addaleax
reviewed
May 7, 2026
Member
There was a problem hiding this comment.
Is it intentional that all these test additions are in this PR?
Member
Author
There was a problem hiding this comment.
yes, the main point is the boringssl test behaviour adjustments, but in order to do them i wanted to hide the ugly internal error
| } else { | ||
| assert.throws(() => tls.createServer(options, common.mustNotCall()), | ||
| /no[_ ]cipher[_ ]match/i); | ||
| } |
Member
There was a problem hiding this comment.
This seems like it's the point of the test – is there a way to align the behavior instead of adjusting the test?
Member
Author
There was a problem hiding this comment.
There isn't a value i can use starting with TLS_ (which is what this case is about) that would make BoringSSL reject.
Collaborator
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
tls: add unsupported renegotiation errorMap BoringSSL's native renegotiation failure to
ERR_TLS_RENEGOTIATION_UNSUPPORTEDwhenTLSSocket#renegotiate()is called. This avoids exposing a rather uglyERR_SSL_FUNCTION_SHOULD_NOT_HAVE_BEEN_CALLED.test: update tls/crypto behaviour expectations when using BoringSSLI've been testing the BoringSSL coverage in #63125, as I slowly drain that stack we'll be able to add BoringSSL to the
test-shared.ymlworkflow such that embedders do not have to disable tests or float patches.