Skip to content

tls: improve performance of getAllowUnauthorized #54297

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

tls: improve performance of getAllowUnauthorized #54297

wants to merge 1 commit into from
+44 −8

Conversation

Uzlopak
Copy link
Contributor

@Uzlopak Uzlopak commented Aug 10, 2024

Improves the performance of getAllowUnauthorized. It is called on every call of tls connect.

before:

aras@aras-Lenovo-Legion-5-17ARH05H:~/workspace/node$ node ./benchmark/tls/get-allow-unauthorized.js 
tls/get-allow-unauthorized.js n=16777216: 4,760,304.7689979095

after:

aras@aras-Lenovo-Legion-5-17ARH05H:~/workspace/node$ ./node ./benchmark/tls/get-allow-unauthorized.js 
tls/get-allow-unauthorized.js n=16777216: 169,041,177.4754851

@nodejs-github-bot nodejs-github-bot added the needs-ci PRs that need a full CI run. label Aug 10, 2024
H4ad
H4ad reviewed Aug 10, 2024
View reviewed changes
lib/internal/options.js
Comment on lines 52 to +54
warnOnAllowUnauthorized = false;
process.emitWarning(
'Setting the NODE_TLS_REJECT_UNAUTHORIZED ' +
'environment variable to \'0\' makes TLS connections ' +
'and HTTPS requests insecure by disabling ' +
'certificate verification.');
allowUnauthorized = process.env.NODE_TLS_REJECT_UNAUTHORIZED === '0';
if (allowUnauthorized) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

warnOnAllowUnauthorized should only be set false when both conditions are true, otherwise we will not emit the warning when the NODE_TLS_REJECT_UNAUTHORIZED is turned on.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But this is exactly what it does?!

on initial warnOnAllowUnauthorized is set to true. so the if in line 51 is entered. we set warnOnAllowUnauthorized to false, as we are only interested into warning once. We check if allowUnauthorized is set to 0, and cache it.. If it is true, we enter the if block in line 54. we emit the warning. anyhow we cached the value and return it.

The second time we cal getAllowUnauthorized warnOnAllowUnauthorized is set to false. We dont need to check anything else as we dont need to emit a warning anymore. we return the cached result.

ANd imho NODE_TLS_REJECT_UNAUTHORIZED should only be set, at start up and not at runtime, as this could mean, that a malicious package could turn off the tls check.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we set warnOnAllowUnauthorized to false, as we are only interested into warning once.

This code basically emits a warning when that flag is enabled for the first time, whether it is during startup or runtime.

ANd imho NODE_TLS_REJECT_UNAUTHORIZED should only be set, at start up and not at runtime

Ideally, yes, practically, people do things very differently than we expect, anyway, I don't feel comfortable approving in the current way (breaking the old behavior) but let's see if we can get more people who have more knowledge on this topic.

Somehow, this is also something related to security, so I don't think hiding the warning when the flag is enabled runtime is a good thing.

@avivkeller avivkeller added tls Issues and PRs related to the tls subsystem. performance Issues and PRs related to the performance of Node.js. labels Aug 10, 2024
@codecov Codecov
Copy link

codecov bot commented Aug 10, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 87.09%. Comparing base (3cbeed8) to head (f2bddcc).
Report is 5 commits behind head on main.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main   #54297      +/-   ##
==========================================
- Coverage   87.11%   87.09%   -0.02%     
==========================================
  Files         647      647              
  Lines      181773   181799      +26     
  Branches    34889    34885       -4     
==========================================
- Hits       158347   158335      -12     
- Misses      16739    16773      +34     
- Partials     6687     6691       +4
Files Coverage Δ
lib/internal/options.js 100.00% <100.00%> (ø)

... and 30 files with indirect coverage changes

@Uzlopak
Copy link
Contributor Author

Uzlopak commented Sep 6, 2024

@nodejs/security

Can this be discussed on the security perspective?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@H4ad H4ad H4ad left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
needs-ci PRs that need a full CI run. performance Issues and PRs related to the performance of Node.js. tls Issues and PRs related to the tls subsystem.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@Uzlopak @H4ad @nodejs-github-bot @avivkeller