tls: reapply servername on happy eyeballs connect

When establishing a TLS connection to a server with `autoSelectFamily` set to `true`, the `net.Socket` will call `[kWrapConnectedHandle]()` to reinitialize the socket (in case if it got broken during previous connect attempts). Unfortunately, prior to this patch this resulted in a brand new `TLSWrap` instance being created for the socket. While most of the configuration of `TLSWrap` is restored, the `servername` was sadly dropped and not reinitalized. With this patch `servername` will be reinitialized if there are `tls.connect` options present on the `TLSSocket` instance, making it possible to connect with "Happy Eyeballs" to TLS servers that require the servername extension. PR-URL: #48255 Reviewed-By: Paolo Insogna <paolo@cowtech.it> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Minwoo Jung <nodecorelab@gmail.com>
nodejs · Jul 6, 2023 · e049ce2 · e049ce2
1 parent 033d0bb
commit e049ce2
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 4 deletions.
diff --git a/lib/_tls_wrap.js b/lib/_tls_wrap.js
@@ -814,6 +814,14 @@ TLSSocket.prototype._init = function(socket, wrap) {
     }
   }
 
+  // We can only come here via [kWrapConnectedHandle]() call that happens
+  // if the connection is established with `autoSelectFamily` set to `true`.
+  const connectOptions = this[kConnectOptions];
+  if (!options.isServer && connectOptions) {
+    if (connectOptions.servername) {
+      this.setServername(connectOptions.servername);
+    }
+  }
 
   if (options.handshakeTimeout > 0)
     this.setTimeout(options.handshakeTimeout, this._handleTimeout);

diff --git a/test/parallel/test-https-happy-eyeballs.js b/test/parallel/test-https-happy-eyeballs.js
@@ -80,7 +80,8 @@ function createDnsServer(ipv6Addr, ipv4Addr, cb) {
 // Test that IPV4 is reached if IPV6 is not reachable
 {
   createDnsServer('::1', '127.0.0.1', common.mustCall(function({ dnsServer, lookup }) {
-    const ipv4Server = createServer(options, common.mustCall((_, res) => {
+    const ipv4Server = createServer(options, common.mustCall((req, res) => {
+      assert.strictEqual(req.socket.servername, 'example.org');
       res.writeHead(200, { Connection: 'close' });
       res.end('response-ipv4');
     }));
@@ -92,7 +93,8 @@ function createDnsServer(ipv6Addr, ipv4Addr, cb) {
           lookup,
           rejectUnauthorized: false,
           autoSelectFamily: true,
-          autoSelectFamilyAttemptTimeout
+          autoSelectFamilyAttemptTimeout,
+          servername: 'example.org',
         },
         (res) => {
           assert.strictEqual(res.statusCode, 200);
@@ -118,12 +120,14 @@ function createDnsServer(ipv6Addr, ipv4Addr, cb) {
 // Test that IPV4 is NOT reached if IPV6 is reachable
 if (common.hasIPv6) {
   createDnsServer('::1', '127.0.0.1', common.mustCall(function({ dnsServer, lookup }) {
-    const ipv4Server = createServer(options, common.mustNotCall((_, res) => {
+    const ipv4Server = createServer(options, common.mustNotCall((req, res) => {
+      assert.strictEqual(req.socket.servername, 'example.org');
       res.writeHead(200, { Connection: 'close' });
       res.end('response-ipv4');
     }));
 
-    const ipv6Server = createServer(options, common.mustCall((_, res) => {
+    const ipv6Server = createServer(options, common.mustCall((req, res) => {
+      assert.strictEqual(req.socket.servername, 'example.org');
       res.writeHead(200, { Connection: 'close' });
       res.end('response-ipv6');
     }));
@@ -139,6 +143,7 @@ if (common.hasIPv6) {
             rejectUnauthorized: false,
             autoSelectFamily: true,
             autoSelectFamilyAttemptTimeout,
+            servername: 'example.org',
           },
           (res) => {
             assert.strictEqual(res.statusCode, 200);