tls: move IP-address servername deprecation to eol

jasnell · web-flow · commit 790acc8689d7 · 2025-06-02T19:01:00.000Z
Has been deprecated for six years. It's time to remove it. PR-URL: #58533 Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Dario Piotrowicz <dario.piotrowicz@gmail.com> Reviewed-By: Michaël Zasso <targos@protonmail.com>
diff --git a/doc/api/deprecations.md b/doc/api/deprecations.md
@@ -2608,15 +2608,18 @@ Please use `Server.prototype.setSecureContext()` instead.
 
 <!-- YAML
 changes:
+  - version: REPLACEME
+    pr-url: https://github.com/nodejs/node/pull/58533
+    description: End-of-Life.
   - version: v12.0.0
     pr-url: https://github.com/nodejs/node/pull/23329
     description: Runtime deprecation.
 -->
 
-Type: Runtime
+Type: End-of-Life
 
 Setting the TLS ServerName to an IP address is not permitted by
-[RFC 6066][]. This will be ignored in a future version.
+[RFC 6066][].
 
 ### DEP0124: using `REPLServer.rli`
 
diff --git a/lib/internal/tls/wrap.js b/lib/internal/tls/wrap.js
@@ -112,7 +112,6 @@ const kIsVerified = Symbol('verified');
 
 const noop = () => {};
 
-let ipServernameWarned = false;
 let tlsTracingWarned = false;
 
 // Server side times how long a handshake is taking to protect against slow
@@ -1715,6 +1714,14 @@ exports.connect = function connect(...args) {
 
   const context = options.secureContext || tls.createSecureContext(options);
 
+  if (options.servername && net.isIP(options.servername)) {
+    throw new ERR_INVALID_ARG_VALUE(
+      'options.servername',
+      options.servername,
+      'Setting the TLS ServerName to an IP address is not permitted.',
+    );
+  }
+
   const tlssock = new TLSSocket(options.socket, {
     allowHalfOpen: options.allowHalfOpen,
     pipe: !!options.path,
@@ -1760,15 +1767,6 @@ exports.connect = function connect(...args) {
     tlssock.setSession(options.session);
 
   if (options.servername) {
-    if (!ipServernameWarned && net.isIP(options.servername)) {
-      process.emitWarning(
-        'Setting the TLS ServerName to an IP address is not permitted by ' +
-        'RFC 6066. This will be ignored in a future version.',
-        'DeprecationWarning',
-        'DEP0123',
-      );
-      ipServernameWarned = true;
-    }
     tlssock.setServername(options.servername);
   }
 
diff --git a/test/parallel/test-tls-ip-servername-deprecation.js b/test/parallel/test-tls-ip-servername-deprecation.js
diff --git a/test/parallel/test-tls-ip-servername-forbidden.js b/test/parallel/test-tls-ip-servername-forbidden.js
@@ -0,0 +1,18 @@
+'use strict';
+
+const common = require('../common');
+const { throws } = require('assert');
+
+if (!common.hasCrypto)
+  common.skip('missing crypto');
+
+const tls = require('tls');
+
+// Verify that passing an IP address the the servername option
+// throws an error.
+throws(() => tls.connect({
+  port: 1234,
+  servername: '127.0.0.1',
+}, common.mustNotCall()), {
+  code: 'ERR_INVALID_ARG_VALUE',
+});
