From b44b14d831d0f08b58116912086675d75c87e15e Mon Sep 17 00:00:00 2001
From: Michael Lumish <mlumish@google.com>
Date: Fri, 14 Feb 2025 13:06:08 -0800
Subject: [PATCH] Handle unauthorized TLS connections correctly

---
 packages/grpc-js/src/channel-credentials.ts | 8 ++++++++
 packages/grpc-js/src/transport.ts           | 4 ++--
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/packages/grpc-js/src/channel-credentials.ts b/packages/grpc-js/src/channel-credentials.ts
index c608ebe3..6242505e 100644
--- a/packages/grpc-js/src/channel-credentials.ts
+++ b/packages/grpc-js/src/channel-credentials.ts
@@ -262,6 +262,10 @@ class SecureConnectorImpl implements SecureConnector {
     };
     return new Promise<SecureConnectResult>((resolve, reject) => {
       const tlsSocket = tlsConnect(tlsConnectOptions, () => {
+        if (!tlsSocket.authorized) {
+          reject(tlsSocket.authorizationError);
+          return;
+        }
         resolve({
           socket: tlsSocket,
           secure: true
@@ -340,6 +344,10 @@ class CertificateProviderChannelCredentialsImpl extends ChannelCredentials {
           ...connnectionOptions
         }
         const tlsSocket = tlsConnect(tlsConnectOptions, () => {
+          if (!tlsSocket.authorized) {
+            reject(tlsSocket.authorizationError);
+            return;
+          }
           resolve({
             socket: tlsSocket,
             secure: true
diff --git a/packages/grpc-js/src/transport.ts b/packages/grpc-js/src/transport.ts
index 055fb9dd..bfb3f95b 100644
--- a/packages/grpc-js/src/transport.ts
+++ b/packages/grpc-js/src/transport.ts
@@ -225,8 +225,8 @@ class Http2Transport implements Transport {
       this.handleDisconnect();
     });
 
-    session.socket.once('close', () => {
-      this.trace('connection closed');
+    session.socket.once('close', (hadError) => {
+      this.trace('connection closed. hadError=' + hadError);
       this.handleDisconnect();
     });