diff --git a/doc/api/deprecations.md b/doc/api/deprecations.md
index c0f762c54860a6..0854d0651cb005 100644
--- a/doc/api/deprecations.md
+++ b/doc/api/deprecations.md
@@ -2605,15 +2605,18 @@ Please use `Server.prototype.setSecureContext()` instead.
-Type: Runtime
+Type: End-of-Life
 Setting the TLS ServerName to an IP address is not permitted by
-[RFC 6066][]. This will be ignored in a future version.
+[RFC 6066][].
 ### DEP0124: using `REPLServer.rli`
diff --git a/lib/internal/tls/wrap.js b/lib/internal/tls/wrap.js
index 4f1351f3e3e907..ceb770ab336646 100644
--- a/lib/internal/tls/wrap.js
+++ b/lib/internal/tls/wrap.js
@@ -112,7 +112,6 @@ const kIsVerified = Symbol('verified');
 const noop = () => {};
-let ipServernameWarned = false;
 let tlsTracingWarned = false;
 // Server side times how long a handshake is taking to protect against slow
@@ -1715,6 +1714,14 @@ exports.connect = function connect(...args) {
 const context = options.secureContext || tls.createSecureContext(options);
+ if (options.servername && net.isIP(options.servername)) {
+ throw new ERR_INVALID_ARG_VALUE(
+ 'options.servername',
+ options.servername,
+ 'Setting the TLS ServerName to an IP address is not permitted.',
+ );
+ }
+
 const tlssock = new TLSSocket(options.socket, {
 allowHalfOpen: options.allowHalfOpen,
 pipe: !!options.path,
@@ -1760,15 +1767,6 @@ exports.connect = function connect(...args) {
 tlssock.setSession(options.session);
 if (options.servername) {
- if (!ipServernameWarned && net.isIP(options.servername)) {
- process.emitWarning(
- 'Setting the TLS ServerName to an IP address is not permitted by ' +
- 'RFC 6066. This will be ignored in a future version.',
- 'DeprecationWarning',
- 'DEP0123',
- );
- ipServernameWarned = true;
- }
 tlssock.setServername(options.servername);
 }
diff --git a/test/parallel/test-tls-ip-servername-deprecation.js b/test/parallel/test-tls-ip-servername-deprecation.js
deleted file mode 100644
index b747caa03d57c4..00000000000000
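Review bot: The new IP-literal check in connect() sits after `const context = options.secureContext || tls.createSecureContext(options);`, so a caller that passes an IP servername first pays for building a SecureContext (which can involve loading keys and certificates) and only then gets the argument rejected; moving the `if (options.servername && net.isIP(options.servername))` block above the `const context` line makes the argument error fire before any crypto work is done. The message also lost the RFC reference that the removed DEP0123 warning carried; `'Setting the TLS ServerName to an IP address is not permitted by RFC 6066.'` would tell the caller why the value is rejected. If TLSSocket.prototype.setServername can still be called directly with an IP literal (not visible in this hunk), the same rejection may be worth applying there so the invariant does not depend on going through connect(); worth confirming against the rest of the file. connect()'s body starts and ends outside this hunk.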
--- a/test/parallel/test-tls-ip-servername-deprecation.js
+++ /dev/null
@@ -1,41 +0,0 @@
-'use strict';
-
-const common = require('../common');
-const fixtures = require('../common/fixtures');
-
-if (!common.hasCrypto)
- common.skip('missing crypto');
-
-const tls = require('tls');
-
-// This test expects `tls.connect()` to emit a warning when
-// `servername` of options is an IP address.
-common.expectWarning(
- 'DeprecationWarning',
- 'Setting the TLS ServerName to an IP address is not permitted by ' +
- 'RFC 6066. This will be ignored in a future version.',
- 'DEP0123'
-);
-
-{
- const options = {
- key: fixtures.readKey('agent1-key.pem'),
- cert: fixtures.readKey('agent1-cert.pem')
- };
-
- const server = tls.createServer(options, function(s) {
- s.end('hello');
- }).listen(0, function() {
- const client = tls.connect({
- port: this.address().port,
- rejectUnauthorized: false,
- servername: '127.0.0.1',
- }, function() {
- client.end();
- });
- });
-
- server.on('connection', common.mustCall(function(socket) {
- server.close();
- }));
-}
diff --git a/test/parallel/test-tls-ip-servername-forbidden.js b/test/parallel/test-tls-ip-servername-forbidden.js
new file mode 100644
index 00000000000000..87f098bdd97c57
--- /dev/null
+++ b/test/parallel/test-tls-ip-servername-forbidden.js
@@ -0,0 +1,18 @@
+'use strict';
+
+const common = require('../common');
+const { throws } = require('assert');
+
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const tls = require('tls');
+
+// Verify that passing an IP address the the servername option
+// throws an error.
+throws(() => tls.connect({
+ port: 1234,
+ servername: '127.0.0.1',
+}, common.mustNotCall()), {
+ code: 'ERR_INVALID_ARG_VALUE',
+});
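Review bot: The comment on the new test has a doubled word and a missing preposition, `// Verify that passing an IP address the the servername option`; it should read `// Verify that passing an IP address to the servername option`. The single assertion only exercises the IPv4 branch of net.isIP(); a second `throws()` call with `servername: '::1'` would cover the IPv6 return value too, which matters because that is the branch most likely to regress if the check is ever rewritten around a string pattern. The `throws()` wrapper is synchronous and the rejection happens before any socket is created, so `common.mustNotCall()` is only reached if the throw is missing, which is the right shape for this test.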