From f882c9b09bacb9759a0ec6d88bbd6851c9169726 Mon Sep 17 00:00:00 2001 From: Fedor Indutny Date: Fri, 19 Apr 2019 15:51:24 -0400 Subject: [PATCH] http: `servername === false` should disable SNI There is no way to disable SNI extension when sending a request to HTTPS server. Setting `options.servername` to a falsy value would make Node.js core override it with either hostname or ip address. This change introduces a way to disable SNI completely if this is required for user's application. Setting `options.servername` to `` in `https.request` would disable overrides and thus disable the extension. PR-URL: https://github.com/nodejs/node/pull/27316 Reviewed-By: Steven R Loomis Reviewed-By: Luigi Pinca Reviewed-By: Ruben Bridgewater Reviewed-By: Anatoli Papirovski Reviewed-By: Ben Noordhuis Reviewed-By: Rich Trott Reviewed-By: Sam Roberts Reviewed-By: Trivikram Kamat --- doc/api/https.md | 5 +++++ lib/_http_agent.js | 4 ++-- test/parallel/test-https-agent-sni.js | 21 +++++++++++++++++---- 3 files changed, 24 insertions(+), 6 deletions(-) diff --git a/doc/api/https.md b/doc/api/https.md index 95e7e715c32ca5..9b6ec83a6e7796 100644 --- a/doc/api/https.md +++ b/doc/api/https.md @@ -29,6 +29,10 @@ An [`Agent`][] object for HTTPS similar to [`http.Agent`][]. See Can have the same fields as for [`http.Agent(options)`][], and * `maxCachedSessions` {number} maximum number of TLS cached sessions. Use `0` to disable TLS session caching. **Default:** `100`. + * `servername` {string} the value of + [Server Name Indication extension][sni wiki] to be sent to the server. Use + empty string `''` to disable sending the extension. + **Default:** hostname or IP address of the target server. See [`Session Resumption`][] for infomation about TLS session reuse. @@ -406,3 +410,4 @@ headers: max-age=0; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; p [`tls.createSecureContext()`]: tls.html#tls_tls_createsecurecontext_options [`tls.createServer()`]: tls.html#tls_tls_createserver_options_secureconnectionlistener [`Session Resumption`]: tls.html#tls_session_resumption +[sni wiki]: https://en.wikipedia.org/wiki/Server_Name_Indication diff --git a/lib/_http_agent.js b/lib/_http_agent.js index 32dbf27abc0dff..eb98f2b0bd1ca4 100644 --- a/lib/_http_agent.js +++ b/lib/_http_agent.js @@ -151,7 +151,7 @@ Agent.prototype.addRequest = function addRequest(req, options, port/* legacy */, if (options.socketPath) options.path = options.socketPath; - if (!options.servername) + if (!options.servername && options.servername !== '') options.servername = calculateServerName(options, req); const name = this.getName(options); @@ -198,7 +198,7 @@ Agent.prototype.createSocket = function createSocket(req, options, cb) { if (options.socketPath) options.path = options.socketPath; - if (!options.servername) + if (!options.servername && options.servername !== '') options.servername = calculateServerName(options, req); const name = this.getName(options); diff --git a/test/parallel/test-https-agent-sni.js b/test/parallel/test-https-agent-sni.js index 80278ed2d8fe96..1ddeff7ce205d9 100644 --- a/test/parallel/test-https-agent-sni.js +++ b/test/parallel/test-https-agent-sni.js @@ -18,9 +18,12 @@ let waiting = TOTAL; const server = https.Server(options, function(req, res) { if (--waiting === 0) server.close(); - res.writeHead(200, { - 'x-sni': req.socket.servername - }); + const servername = req.socket.servername; + + if (servername !== false) { + res.setHeader('x-sni', servername); + } + res.end('hello world'); }); @@ -28,7 +31,8 @@ server.listen(0, function() { function expectResponse(id) { return common.mustCall(function(res) { res.resume(); - assert.strictEqual(res.headers['x-sni'], `sni.${id}`); + assert.strictEqual(res.headers['x-sni'], + id === false ? undefined : `sni.${id}`); }); } @@ -46,4 +50,13 @@ server.listen(0, function() { rejectUnauthorized: false }, expectResponse(j)); } + https.get({ + agent: agent, + + path: '/', + port: this.address().port, + host: '127.0.0.1', + servername: '', + rejectUnauthorized: false + }, expectResponse(false)); });