
tls: preserve servername on resumed sessions #62067

Open

jorgitin02 wants to merge 1 commit into nodejs:main from jorgitin02:fix/57175-tls-session-servername

Conversation

@jorgitin02 commented Mar 1, 2026

Summary

  • Persist the server-side SNI hostname on the OpenSSL session so resumed handshakes retain the original hostname.
  • Fall back to SSL_SESSION_get0_hostname() when SSL_get_servername() returns NULL on resumed TLS 1.3 sessions.
  • Validate the fix with a focused regression test for resumed sessions plus TLS 1.2 coverage to avoid regressions.

Fixes: #57175

@nodejs-github-bot (Collaborator)

Review requested:

  • @nodejs/crypto
  • @nodejs/security-wg

nodejs-github-bot added the labels c++ (Issues and PRs that require attention from people who are familiar with C++), lib / src (Issues and PRs related to general changes in the lib or src directory) and needs-ci (PRs that need a full CI run) on Mar 1, 2026

@anonrig (Member) left a comment

This can't land without a single test.

jorgitin02 force-pushed the fix/57175-tls-session-servername branch from a9cecb6 to 5487a28 on March 2, 2026 00:49
OpenSSL's SSL_get_servername() returns NULL on server-side TLS 1.3
resumed sessions because it reads from ssl->ext.hostname rather than the
session hostname persisted for resumption.

Fix this by explicitly storing the SNI hostname on the SSL session in the
server-side SNI callback when the handshake provides a hostname, then
falling back to SSL_SESSION_get0_hostname() when SSL_get_servername()
returns NULL on resumed sessions.

Add a regression test that verifies servername is preserved across resumed
TLS 1.3 sessions and that the fallback does not regress TLS 1.2 behavior.

Fixes: nodejs#57175

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
jorgitin02 force-pushed the fix/57175-tls-session-servername branch from 5487a28 to 74166da on March 5, 2026 22:31


Development

Successfully merging this pull request may close these issues.

Reusing TLS sessions causes to socket.servername being false with Repro
