Haraka 3.0.3 → 3.0.5

package/tls_socket.js

@@ -1,25 +1,20 @@
 'use strict';
-/*--------------------------------------------------------------------------*/
-/* Obtained and modified from http://js.5sh.net/starttls.js on 8/18/2011.   */
-/*--------------------------------------------------------------------------*/
-
-// node.js built-ins
-const cluster   = require('cluster');
-const net       = require('net');
-const path      = require('path');
-const { spawn } = require('child_process');
-const stream    = require('stream');
-const tls       = require('tls');
-const util      = require('util');
+
+const cluster   = require('node:cluster');
+const net       = require('node:net');
+const path      = require('node:path');
+const { spawn } = require('node:child_process');
+const stream    = require('node:stream');
+const tls       = require('node:tls');
+const util      = require('node:util');
 
 // npm packages
-const async     = require('async');
-const openssl   = require('openssl-wrapper').exec;
 exports.config  = require('haraka-config');  // exported for tests
+const Notes = require('haraka-notes')
 
 const log       = require('./logger');
 
-const certsByHost = {};
+const certsByHost = new Notes();
 const ctxByHost = {};
 let ocsp;
 let ocspCache;
@@ -64,13 +59,7 @@ class pluggableStream extends stream.Stream {
             this.emit('secureConnect', a, b);
             this.emit('secure', a, b);
         });
-        this.targetsocket.on('secureConnection', (a, b) => {
-            // investigate this for removal, see #2743
-            this.emit('secureConnection', a, b);
-            this.emit('secure', a, b);
-        });
         this.targetsocket.on('secure', (a, b) => {
-            this.emit('secureConnection', a, b);
             this.emit('secure', a, b);
         });
         this.targetsocket.on('end', () => {
@@ -105,13 +94,12 @@ class pluggableStream extends stream.Stream {
             this.localAddress = this.targetsocket.localAddress;
         }
     }
+
     clean (data) {
         if (this.targetsocket?.removeAllListeners) {
-            [   'data', 'secure', 'secureConnect', 'secureConnection',
-                'end', 'close', 'error', 'drain'
-            ].forEach((name) => {
+            for (const name of ['data', 'secure', 'secureConnect', 'end', 'close', 'error', 'drain']) {
                 this.targetsocket.removeAllListeners(name);
-            })
+            }
         }
         this.targetsocket = {};
         this.targetsocket.write = () => {};
@@ -168,63 +156,44 @@ class pluggableStream extends stream.Stream {
     }
 }
 
-exports.parse_x509_names = string => {
-    // receives the text value of a x509 certificate and returns an array of
-    // of names extracted from the Subject CN and the v3 Subject Alternate Names
-    const names_found = [];
-
-    // log.loginfo(string);
-
-    let match = /Subject:.*?CN=([^/\s]+)/.exec(string);
-    if (match) {
-        // log.loginfo(match[0]);
-        if (match[1]) {
-            // log.loginfo(match[1]);
-            names_found.push(match[1]);
-        }
-    }
-
-    match = /X509v3 Subject Alternative Name:[^]*X509/.exec(string);
-    if (match) {
-        let dns_name;
-        const re = /DNS:([^,]+)[,\n]/g;
-        while ((dns_name = re.exec(match[0])) !== null) {
-            // log.loginfo(dns_name);
-            if (names_found.includes(dns_name[1])) continue; // ignore dupes
-            names_found.push(dns_name[1]);
-        }
-    }
+exports.parse_x509 = async (string) => {
+    const res = {};
+    if (!string) return res
 
-    return names_found;
-}
+    const keyRe  = new RegExp('([-]+BEGIN (?:\\w+ )?PRIVATE KEY[-]+[^-]*[-]+END (?:\\w+ )?PRIVATE KEY[-]+)', 'gm')
+    res.keys = string.match(keyRe)
 
-exports.parse_x509_expire = (file, string) => {
+    const certRe = new RegExp('([-]+BEGIN CERTIFICATE[-]+[^-]*[-]+END CERTIFICATE[-]+)', 'gm')
+    res.chain = string.match(certRe)
 
-    const dateMatch = /Not After : (.*)/.exec(string);
-    if (!dateMatch) return;
+    if (res.chain?.length) {
+        const opensslArgs = [res.chain[0], 'x509', '-noout']
+        // shush openssl, https://github.com/openssl/openssl/issues/22893
+        // if (['darwin','linux','freebsd'].includes(process.platform))
+        //     opensslArgs.push('-in', '/dev/stdin')
 
-    // log.loginfo(dateMatch[1]);
-    return new Date(dateMatch[1]);
-}
+        // it's cleaner to call openssl with each of -enddate, -subject, etc, but it costs
+        // 40-50ms per spawn with node v21 on a M1 MBP
+        const raw = await openssl(...opensslArgs, '-enddate', '-subject', '-ext', 'subjectAltName')
+        if (!raw) return res
 
-exports.parse_x509 = string => {
-    const res = {};
-    if (!string) return res
+        res.expire = new Date(raw.match(/notAfter=(.* [A-Z]{3})/)[1])
 
-    const keyRe  = new RegExp('([-]+BEGIN (?:\\w+ )?PRIVATE KEY[-]+[^-]*[-]+END (?:\\w+ )?PRIVATE KEY[-]+)', 'gm')
-    const keys = string.match(keyRe)
-    if (keys) res.key = Buffer.from(keys.join('\n'));
+        const match = /CN\s*=\s*([^/\s,]+)/.exec(raw);
+        if (match && match[1]) res.names = [ match[1] ]
 
-    const certRe = new RegExp('([-]+BEGIN CERTIFICATE[-]+[^-]*[-]+END CERTIFICATE[-]+)', 'gm')
-    const certs = string.match(certRe)
-    if (certs) res.cert = Buffer.from(certs.join('\n'));
+        for (let name of Array.from(raw.matchAll(/DNS:([^\s,]+)/gm), (m) => m[0])) {
+            name = name.replace('DNS:', '')
+            if (!res.names.includes(name)) res.names.push(name)
+        }
+    }
 
     return res;
 }
 
 exports.load_tls_ini = (opts) => {
 
-    log.loginfo(`loading tls.ini`); // from ${this.config.root_path}`);
+    log.info(`loading tls.ini`); // from ${this.config.root_path}`);
 
     const cfg = exports.config.get('tls.ini', {
         booleans: [
@@ -253,18 +222,18 @@ exports.load_tls_ini = (opts) => {
     if (cfg.mutual_auth_hosts_exclude === undefined) cfg.mutual_auth_hosts_exclude = {};
 
     if (cfg.main.enableOCSPStapling !== undefined) {
-        log.logerror('deprecated setting enableOCSPStapling in tls.ini');
+        log.error('deprecated setting enableOCSPStapling in tls.ini');
         cfg.main.requestOCSP = cfg.main.enableOCSPStapling;
     }
 
     if (ocsp === undefined && cfg.main.requestOCSP) {
         try {
             ocsp = require('ocsp');
-            log.logdebug('ocsp loaded');
+            log.debug('ocsp loaded');
             ocspCache = new ocsp.Cache();
         }
         catch (ignore) {
-            log.lognotice("OCSP Stapling not available.");
+            log.notice("OCSP Stapling not available.");
         }
     }
 
@@ -287,15 +256,8 @@ exports.load_tls_ini = (opts) => {
     return cfg;
 }
 
-exports.saveOpt = (name, opt, val) => {
-    if (certsByHost[name] === undefined) certsByHost[name] = {};
-    certsByHost[name][opt] = val;
-}
-
 exports.applySocketOpts = name => {
 
-    if (!certsByHost[name]) certsByHost[name] = {};
-
     // https://nodejs.org/api/tls.html#tls_new_tls_tlssocket_socket_options
     const TLSSocketOptions = [
         // 'server'        // manually added
@@ -311,43 +273,38 @@ exports.applySocketOpts = name => {
         'ecdhCurve', 'secureProtocol', 'secureOptions', 'sessionIdContext'
     ];
 
-    const allOpts = TLSSocketOptions.concat(createSecureContextOptions);
-
-    for (const opt of allOpts) {
+    for (const opt of [ ...TLSSocketOptions, ...createSecureContextOptions ]) {
 
         if (this.cfg[name] && this.cfg[name][opt] !== undefined) {
             // if the setting exists in tls.ini [name]
-            this.saveOpt(name, opt, this.cfg[name][opt]);
-            continue;
+            certsByHost.set([name, opt], this.cfg[name][opt])
         }
-
-        if (this.cfg.main[opt] !== undefined) {
-            // if the setting exists in tls.ini [main]
-            // then save it to the certsByHost options
-            this.saveOpt(name, opt, this.cfg.main[opt]);
-            continue;
+        else if (this.cfg.main[opt] !== undefined) {
+            // save settings in tls.ini [main] to each CN
+            certsByHost.set([name, opt], this.cfg.main[opt])
         }
-
-        // defaults
-        switch (opt) {
-            case 'sessionIdContext':
-                this.saveOpt(name, opt, 'haraka');
-                break;
-            case 'isServer':
-                this.saveOpt(name, opt, true);
-                break;
-            case 'key':
-                this.saveOpt(name, opt, 'tls_key.pem');
-                break;
-            case 'cert':
-                this.saveOpt(name, opt, 'tls_cert.pem');
-                break;
-            case 'dhparam':
-                this.saveOpt(name, opt, 'dhparams.pem');
-                break;
-            case 'SNICallback':
-                this.saveOpt(name, opt, SNICallback);
-                break;
+        else {
+            // defaults
+            switch (opt) {
+                case 'sessionIdContext':
+                    certsByHost.set([name, opt], 'haraka')
+                    break;
+                case 'isServer':
+                    certsByHost.set([name, opt], true)
+                    break;
+                case 'key':
+                    certsByHost.set([name, opt], 'tls_key.pem')
+                    break;
+                case 'cert':
+                    certsByHost.set([name, opt], 'tls_cert.pem')
+                    break;
+                case 'dhparam':
+                    certsByHost.set([name, opt], 'dhparams.pem')
+                    break;
+                case 'SNICallback':
+                    certsByHost.set([name, opt], exports.SNICallback)
+                    break;
+            }
         }
     }
 }
@@ -357,13 +314,13 @@ exports.load_default_opts = () => {
     const cfg = certsByHost['*'];
 
     if (cfg.dhparam && typeof cfg.dhparam === 'string') {
-        log.logdebug(`loading dhparams from ${cfg.dhparam}`);
-        this.saveOpt('*', 'dhparam', this.config.get(cfg.dhparam, 'binary'));
+        log.debug(`loading dhparams from ${cfg.dhparam}`);
+        certsByHost.set('*.dhparam', this.config.get(cfg.dhparam, 'binary'))
     }
 
     if (cfg.ca && typeof cfg.ca === 'string') {
-        log.loginfo(`loading CA certs from ${cfg.ca}`);
-        this.saveOpt('*', 'ca', this.config.get(cfg.ca, 'binary'));
+        log.info(`loading CA certs from ${cfg.ca}`);
+        certsByHost.set('*.ca', this.config.get(cfg.ca, 'binary'))
     }
 
     // make non-array key/cert option into Arrays with one entry
@@ -371,7 +328,7 @@ exports.load_default_opts = () => {
     if (!(Array.isArray(cfg.cert))) cfg.cert = [cfg.cert];
 
     if (cfg.key.length != cfg.cert.length) {
-        log.logerror(`number of keys (${cfg.key.length}) not equal to certs (${cfg.cert.length}).`);
+        log.error(`number of keys (${cfg.key.length}) not equal to certs (${cfg.cert.length}).`);
     }
 
     // if key file has already been loaded, it'll be a Buffer.
@@ -381,11 +338,11 @@ exports.load_default_opts = () => {
             if (!keyFileName) return;
             const key = this.config.get(keyFileName, 'binary');
             if (!key) {
-                log.logerror(`tls key ${path.join(this.config.root_path, keyFileName)} could not be loaded.`);
+                log.error(`tls key ${path.join(this.config.root_path, keyFileName)} could not be loaded.`);
             }
             return key;
         })
-        this.saveOpt('*', 'key', asArray);
+        certsByHost.set('*.key', asArray)
     }
 
     if (typeof cfg.cert[0] === 'string') {
@@ -393,11 +350,11 @@ exports.load_default_opts = () => {
             if (!certFileName) return;
             const cert = this.config.get(certFileName, 'binary');
             if (!cert) {
-                log.logerror(`tls cert ${path.join(this.config.root_path, certFileName)} could not be loaded.`);
+                log.error(`tls cert ${path.join(this.config.root_path, certFileName)} could not be loaded.`);
             }
             return cert;
         })
-        this.saveOpt('*', 'cert', asArray);
+        certsByHost.set('*.cert', asArray)
     }
 
     if (cfg.cert[0] && cfg.key[0]) {
@@ -410,110 +367,122 @@ exports.load_default_opts = () => {
     }
 }
 
-function SNICallback (servername, sniDone) {
-    log.logdebug(`SNI servername: ${servername}`);
-
-    if (ctxByHost[servername] === undefined) servername = '*';
+exports.SNICallback = function (servername, sniDone) {
+    log.debug(`SNI servername: ${servername}`);
 
-    sniDone(null, ctxByHost[servername]);
+    sniDone(null, ctxByHost[servername] || ctxByHost['*']);
 }
 
-exports.get_certs_dir = (tlsDir, done) => {
+exports.get_certs_dir = async (tlsDir) => {
+    const r = {}
+    const watcher = async () => {
+        exports.get_certs_dir(tlsDir)
+    }
+    const dirOpts = { type: 'binary', watchCb: watcher }
+
+    const files = await this.config.getDir(tlsDir, dirOpts)
+    for (const file of files) {
+        try {
+            r[file.path] = await exports.parse_x509(file.data.toString());
+        }
+        catch (err) {
+            log.debug(err.message)
+        }
+    }
+
+    log.debug(`found ${Object.keys(r).length} files in config/tls`);
+    if (Object.keys(r).length === 0) return
 
-    this.config.getDir(tlsDir, {}, (iterErr, files) => {
-        if (iterErr) return done(iterErr);
+    const s = {} // certs by name (CN)
 
-        async.map(files, (file, iter_done) => {
+    for (const fp in r) {
 
-            const parsed = exports.parse_x509(file.data.toString());
-            if (!parsed.key) {
-                return iter_done(null, {
-                    err: new Error(`no PRIVATE key in ${file.path}`),
-                    file
-                });
-            }
-            if (!parsed.cert) {
-                return iter_done(null, {
-                    err: new Error(`no CERT in ${file.path}`),
-                    file
-                });
+        if (r[fp].expire && r[fp].expire < new Date()) {
+            log.error(`${fp} expired on ${r[fp].expire}`)
+        }
+
+        // a file with a key and no cert, get name from file
+        if (!r[fp].names) r[fp].names = [ path.parse(fp).name ]
+
+        for (let name of r[fp].names) {
+            if (name[0] === '_') name = name.replace('_', '*') // windows
+            if (s[name] === undefined) s[name] = {}
+            if (!s[name].key && r[fp].keys) s[name].key = r[fp].keys[0]
+            if (!s[name].cert && r[fp].chain) {
+                s[name].cert = r[fp].chain[0]
+                s[name].file = fp
             }
+        }
+    }
 
-            const x509args = { noout: true, text: true };
-
-            openssl('x509', parsed.cert, x509args, (e, as_str) => {
-                if (e) {
-                    log.logerror(`BAD TLS in ${file.path}`);
-                    log.logerror(e);
-                }
-
-                const expire = this.parse_x509_expire(file, as_str);
-                if (expire && expire < new Date()) {
-                    log.logerror(`${file.path} expired on ${expire}`);
-                }
-
-                iter_done(null, {
-                    err: e,
-                    file: path.basename(file.path),
-                    key: parsed.key,
-                    cert: parsed.cert,
-                    names: this.parse_x509_names(as_str),
-                    expires: expire,
-                })
-            })
-        },
-        (finalErr, certs) => {
+    for (const cn in s) {
+        if (!s[cn].cert || !s[cn].key) {
+            delete s[cn]
+            continue
+        }
 
-            if (finalErr) log.logerror(finalErr);
+        this.applySocketOpts(cn) // from tls.ini
+        certsByHost.set([cn, 'cert'], Buffer.from(s[cn].cert))
+        certsByHost.set([cn, 'key'], Buffer.from(s[cn].key))
+        certsByHost.set([cn, 'dhparam'], certsByHost['*'].dhparam, true);
 
-            if (!certs || !certs.length) {
-                log.loginfo('found 0 TLS certs in config/tls');
-                return done(null, certs);
-            }
+        // all opts are applied, generate TLS context
+        try {
+            ctxByHost[cn] = tls.createSecureContext(certsByHost.get([cn]));
+        }
+        catch (err) {
+            log.error(`CN '${cn}' loading got: ${err.message}`)
+            delete ctxByHost[cn]
+            delete certsByHost[cn]
+        }
+    }
 
-            log.loginfo(`found ${certs.length} TLS certs in config/tls`);
-            certs.forEach(cert => {
-                if (undefined === cert) return;
-                if (cert.err) {
-                    log.logerror(`${cert.file} had error: ${cert.err.message}`);
-                    return;
-                }
-
-                // log.logdebug(cert);  // DANGER: Also logs private key!
-                cert.names.forEach(name => {
-                    this.applySocketOpts(name);
-
-                    this.saveOpt(name, 'cert', cert.cert);
-                    this.saveOpt(name, 'key', cert.key);
-                    if (certsByHost['*'] !== undefined && certsByHost['*'].dhparam) {
-                        // copy in dhparam from default '*' TLS config
-                        this.saveOpt(name, 'dhparam', certsByHost['*'].dhparam);
-                    }
-
-                    // now that all opts are applied, generate TLS context
-                    ctxByHost[name] = tls.createSecureContext(certsByHost[name]);
-                })
-            })
+    log.info(`found ${Object.keys(s).length} TLS certs in config/tls`);
+
+    return certsByHost // used only by tests
+}
+
+function openssl (crt, ...params) {
+    return new Promise((resolve) => {
+        let crtTxt = ''
 
-            // log.loginfo(exports.certsByHost);
-            done(null, exports.certsByHost);
+        const o = spawn('openssl', [...params], { timeout: 1000 });
+        o.stdout.on('data', data => {
+            crtTxt += data
         })
+
+        o.stderr.on('data', data => {
+            log.debug(`err: ${data.toString().trim()}`)
+        })
+
+        o.on('close', code => {
+            if (code !== 0) {
+                if (code) console.error(code)
+            }
+            resolve(crtTxt)
+        })
+
+        o.stdin.write(crt)
+        o.stdin.write('\n')
     })
 }
 
-exports.getSocketOpts = (name, done) => {
+exports.getSocketOpts = async (name) => {
 
     // startup time, load the config/tls dir
     if (!certsByHost['*']) this.load_tls_ini();
 
-    this.get_certs_dir('tls', () => {
-        if (certsByHost[name]) {
-            // log.logdebug(certsByHost[name]);
-            return done(certsByHost[name]);
+    try {
+        await this.get_certs_dir('tls')
+    }
+    catch (err) {
+        if (err.code !== 'ENOENT') {
+            console.error(err.messsage)
+            log.error(err)
         }
-        // log.logdebug(certsByHost['*']);
-        done(certsByHost['*']);
-    });
+    }
+
+    return certsByHost[name] || certsByHost['*']
 }
 
 function pipe (cleartext, socket) {
@@ -543,12 +512,12 @@ exports.ensureDhparams = done => {
     const filePath = this.cfg.main.dhparam || 'dhparams.pem';
     const fpResolved = path.resolve(exports.config.root_path, filePath);
 
-    log.loginfo(`Generating a 2048 bit dhparams file at ${fpResolved}`);
+    log.info(`Generating a 2048 bit dhparams file at ${fpResolved}`);
 
     const o = spawn('openssl', ['dhparam', '-out', `${fpResolved}`, '2048']);
     o.stdout.on('data', data => {
         // normally empty output
-        log.logdebug(data);
+        log.debug(data);
     })
 
     o.stderr.on('data', data => {
@@ -560,52 +529,48 @@ exports.ensureDhparams = done => {
             return done(`Error code: ${code}`);
         }
 
-        log.loginfo(`Saved to ${fpResolved}`);
+        log.info(`Saved to ${fpResolved}`);
         const content = this.config.get(filePath, 'binary');
 
-        this.saveOpt('*', 'dhparam', content);
+        certsByHost.set('*.dhparam', content)
         done(null, certsByHost['*'].dhparam);
     });
 }
 
 exports.addOCSP = server => {
     if (!ocsp) {
-        log.logdebug('addOCSP: not available');
+        log.debug(`addOCSP: 'ocsp' not available`);
         return;
     }
 
     if (server.listenerCount('OCSPRequest') > 0) {
-        log.logdebug('OCSPRequest already listening');
+        log.debug('OCSPRequest already listening');
         return;
     }
 
-    log.logdebug('adding OCSPRequest listener');
+    log.debug('adding OCSPRequest listener');
     server.on('OCSPRequest', (cert, issuer, ocr_cb) => {
-        log.logdebug(`OCSPRequest: ${cert}`);
-        ocsp.getOCSPURI(cert, (err, uri) => {
-            log.logdebug(`OCSP Request, URI: ${uri  }, err=${ err}`);
+        log.debug(`OCSPRequest: ${cert}`);
+        ocsp.getOCSPURI(cert, async (err, uri) => {
+            log.debug(`OCSP Request, URI: ${uri}, err=${err}`);
             if (err) return ocr_cb(err);
             if (uri === null) return ocr_cb();  // not working OCSP server
 
             const req = ocsp.request.generate(cert, issuer);
+            const cached = await ocspCache.probe(req.id)
 
-            // look for a cached value first
-            ocspCache.probe(req.id, (err2, cached) => {
-                if (err2) return ocr_cb(err2);
-
-                if (cached) {
-                    log.logdebug(`OCSP cache: ${util.inspect(cached)}`);
-                    return ocr_cb(err2, cached.response);
-                }
+            if (cached) {
+                log.debug(`OCSP cache: ${util.inspect(cached)}`);
+                return ocr_cb(null, cached.response);
+            }
 
-                const options = {
-                    url: uri,
-                    ocsp: req.data
-                };
+            const options = {
+                url: uri,
+                ocsp: req.data
+            };
 
-                log.logdebug(`OCSP req:${util.inspect(req)}`);
-                ocspCache.request(req.id, options, ocr_cb);
-            })
+            log.debug(`OCSP req:${util.inspect(req)}`);
+            ocspCache.request(req.id, options, ocr_cb);
         })
     })
 }
@@ -615,7 +580,7 @@ exports.shutdown = () => {
 }
 
 function cleanOcspCache () {
-    log.logdebug(`Cleaning ocspCache. How many keys? ${Object.keys(ocspCache.cache).length}`);
+    log.debug(`Cleaning ocspCache. How many keys? ${Object.keys(ocspCache.cache).length}`);
     Object.keys(ocspCache.cache).forEach((key) => {
         clearTimeout(ocspCache.cache[key].timer);
     });
@@ -640,7 +605,7 @@ function createServer (cb) {
         exports.addOCSP(server);
 
         socket.upgrade = cb2 => {
-            log.logdebug('Upgrading to TLS');
+            log.debug('Upgrading to TLS');
 
             socket.clean();
 
@@ -661,7 +626,7 @@ function createServer (cb) {
                     socket.emit('error', exception);
                 })
                 .on('secure', () => {
-                    log.logdebug('TLS secured.');
+                    log.debug('TLS secured.');
                     socket.emit('secure');
                     const cipher = cleartext.getCipher();
                     cipher.version = cleartext.getProtocol();
@@ -695,18 +660,10 @@ function getCertFor (host) {
     return certsByHost['*'];  // the default TLS cert
 }
 
-function connect (port, host) {
-    let conn_options = {};
-    if (typeof port === 'object') {
-        conn_options = port;
-    }
-    else {
-        conn_options.port = port;
-        conn_options.host = host;
-    }
+function connect (conn_options = {}) {
+    // called by outbound/client_pool, smtp_client, plugins/spamassassin,avg,clamd
 
     const cryptoSocket = net.connect(conn_options);
-
     const socket = new pluggableStream(cryptoSocket);
 
     socket.upgrade = (options, cb2) => {
@@ -714,12 +671,7 @@ function connect (port, host) {
         cryptoSocket.removeAllListeners('data');
 
         if (exports.tls_valid) {
-            /* SUNSET notice: code added 2021-01. We've changed the default to not
-               send TLS client certificates. The mutual_tls flag switches them back
-               on. If no need for these settings surfaces in 2 years, nuke this block
-               of code. If you care about these options, create a PR removing this
-               comment. See #2693.
-            */
+            const host = conn_options.host
             if (exports.cfg === undefined) exports.load_tls_ini();
             if (exports.cfg.mutual_auth_hosts[host]) {
                 options = Object.assign(options, getCertFor(exports.cfg.mutual_auth_hosts[host]));
@@ -738,13 +690,11 @@ function connect (port, host) {
         pipe(cleartext, cryptoSocket);
 
         cleartext.on('error', err => {
-            if (err.reason) {
-                log.logerror(`client TLS error: ${err}`);
-            }
+            if (err.reason) log.error(`client TLS error: ${err}`);
         })
 
         cleartext.once('secureConnect', () => {
-            log.logdebug('client TLS secured.');
+            log.debug('client TLS secured.');
             const cipher = cleartext.getCipher();
             cipher.version = cleartext.getProtocol();
             if (cb2) cb2(
@@ -765,7 +715,7 @@ function connect (port, host) {
 
         socket.attach(socket.cleartext);
 
-        log.logdebug('client TLS upgrade in progress, awaiting secured.');
+        log.debug('client TLS upgrade in progress, awaiting secured.');
     }
 
     return socket;