tls: set tlsSocket.servername as early as possible

This commit makes `TLSSocket` set the `servername` property on `SSL_CTX_set_tlsext_servername_callback` so that we could get it later even if errors happen. Fixes: nodejs#27699
oyyd · May 18, 2019 · cfb8898 · cfb8898
1 parent 03d4353
commit cfb8898
Show file tree

Hide file tree

Showing 3 changed files with 62 additions and 0 deletions.
diff --git a/lib/_tls_wrap.js b/lib/_tls_wrap.js
@@ -774,6 +774,7 @@ TLSSocket.prototype._finishInit = function() {
     return;
 
   this.alpnProtocol = this._handle.getALPNNegotiatedProtocol();
+  // The servername could be set by TLSWrap.
   this.servername = this._handle.getServername();
 
   debug('%s _finishInit',

diff --git a/src/tls_wrap.cc b/src/tls_wrap.cc
@@ -1033,6 +1033,11 @@ int TLSWrap::SelectSNIContextCallback(SSL* s, int* ad, void* arg) {
   Local<Object> object = p->object();
   Local<Value> ctx;
 
+  // Set the servername as early as possible
+  Local<Object> owner = p->GetOwner();
+  USE(owner->Set(env->context(), env->servername_string(),
+      OneByteString(env->isolate(), servername)));
+
   if (!object->Get(env->context(), env->sni_context_string()).ToLocal(&ctx))
     return SSL_TLSEXT_ERR_NOACK;
 

diff --git a/test/parallel/test-tls-sni-servername.js b/test/parallel/test-tls-sni-servername.js
@@ -0,0 +1,56 @@
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto)
+  common.skip('missing crypto');
+
+const assert = require('assert');
+const tls = require('tls');
+
+// We could get the `tlsSocket.servername` even if the event of "tlsClientError"
+// is emitted.
+
+const serverOptions = {
+  requestCert: true,
+  rejectUnauthorized: false,
+  SNICallback: function(servername, callback) {
+    if (servername === 'c.another.com') {
+      callback(null, {});
+    } else {
+      callback(new Error('Invalid SNI context'), null);
+    }
+  }
+};
+
+function test(options) {
+  const server = tls.createServer(serverOptions, common.mustNotCall());
+
+  server.on('tlsClientError', common.mustCall((err, socket) => {
+    assert.strictEqual(err.message, 'Invalid SNI context');
+    // The `servername` should match.
+    assert.strictEqual(socket.servername, options.servername);
+  }));
+
+  server.listen(0, () => {
+    options.port = server.address().port;
+    const client = tls.connect(options, common.mustNotCall());
+
+    client.on('error', common.mustCall((err) => {
+      assert.strictEqual(err.message, 'Client network socket' +
+      ' disconnected before secure TLS connection was established');
+    }));
+
+    client.on('close', common.mustCall(() => server.close()));
+  });
+}
+
+test({
+  port: undefined,
+  servername: 'c.another.com',
+  rejectUnauthorized: false
+});
+
+test({
+  port: undefined,
+  servername: 'c.wrong.com',
+  rejectUnauthorized: false
+});