net,tls: fix session reuse with provided sockets#64430
Draft
harjothkhara wants to merge 1 commit into
Draft
Conversation
Preserve literal IP hosts on net.Socket before connection. This keeps wrapped TLS sessions bound to the correct peer when tls.connect() uses a provided socket. Fixes: nodejs#64402 Signed-off-by: harjoth <harjoth.khara@gmail.com>
Collaborator
|
Review requested:
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes: #64402
TLS sessions are bound to the authenticated server identity. When
tls.connect()wrapped anet.Socketconnected to a literal IP address,the socket did not retain its requested host and the TLS layer could fall
back to
localhost. The offered session was then rejected because itsstored identity did not match. This surfaced after the host-binding
hardening in
9cc4e32375(CVE-2026-48934).Preserve the requested host for literal-IP socket connections before the
connection begins.
Add TLS 1.2 and TLS 1.3 regression coverage for both already-connected and
still-connecting provided sockets. Also verify that a session captured for
one literal-IP peer is rejected for another peer, hostname-based reuse stays
intact, and explicit
servernamecontinues to take precedence. The host isrecorded before both the literal-IP and DNS/
autoSelectFamilybranches.Tests:
python3 tools/test.py --mode=release parallel/test-tls-session-reuse-provided-socket parallel/test-tls-session-reuse-different-servername parallel/test-tls-secure-session parallel/test-https-agent-session-reuse parallel/test-net-connect-options-fdmake lint