Skip to content

doc: clarify tlsSocket.authorized on resumption#64584

Open
soreavis wants to merge 1 commit into
nodejs:mainfrom
soreavis:doc-tls-authorized-resumption
Open

doc: clarify tlsSocket.authorized on resumption#64584
soreavis wants to merge 1 commit into
nodejs:mainfrom
soreavis:doc-tls-authorized-resumption

Conversation

@soreavis

Copy link
Copy Markdown

In #35317, @bnoordhuis diagnosed that session resumption cuts out the client-certificate exchange and invited exactly this change: "I do feel the documentation for socket.authorized should mention that caveat… I've added the doc label. Pull request welcome!" The tlsSocket.authorized section still describes only the full-handshake behavior.

Before writing the text I measured all six scenarios on current main (TLS 1.2/1.3 × trusted/untrusted/no client cert; deterministic, reproduced with two independent harnesses): when a certificate was presented in the original handshake, the verification result — including any error — is carried with the session on both protocol versions (SSL_get_verify_result reads the session-stored result; deps/ncrypto/ncrypto.cc verifyPeerCertificate). The one case that still flips is TLS 1.3 with no client certificate: the full handshake reports authorized === false, but a resumed connection reports authorized === true with getPeerCertificate() empty — the deliberate carve-out shared with PSK (TLS1_3_VERSION && SSL_session_reusedX509_V_OK, from #23188). The added paragraph states the carry-over rule, that exception, and the practical check for servers that authorize manually with rejectUnauthorized: false.

I used an AI assistant while researching and drafting this change; I've verified the behavior with live repros and against the source myself and take full responsibility for it.

Fixes: #35317

The peer certificate is not verified again when a connection resumes a
TLS session. When the original handshake included a client certificate,
authorized and authorizationError carry the verification result stored
with the session; on TLS 1.3, a client that sent no certificate can
resume a session and report authorized as true. Document this and point
manual-authorization servers at isSessionReused() and
getPeerCertificate().

Fixes: nodejs#35317
Signed-off-by: Julian Soreavis <julian.soreavis@gmail.com>
@nodejs-github-bot nodejs-github-bot added doc Issues and PRs related to the documentations. tls Issues and PRs related to the tls subsystem. labels Jul 18, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

doc Issues and PRs related to the documentations. tls Issues and PRs related to the tls subsystem.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Reloading page bypasses TLS client authentication

2 participants