Skip to content

net,tls: fix session reuse with provided sockets#64430

Open
harjothkhara wants to merge 1 commit into
nodejs:mainfrom
harjothkhara:codex/fix-tls-wrapped-session-reuse
Open

net,tls: fix session reuse with provided sockets#64430
harjothkhara wants to merge 1 commit into
nodejs:mainfrom
harjothkhara:codex/fix-tls-wrapped-session-reuse

Conversation

@harjothkhara

@harjothkhara harjothkhara commented Jul 11, 2026

Copy link
Copy Markdown

Fixes: #64402

TLS sessions are bound to the authenticated server identity. When
tls.connect() wrapped a net.Socket connected to a literal IP address,
the socket did not retain its requested host and the TLS layer could fall
back to localhost. The offered session was then rejected because its
stored identity did not match. This surfaced after the host-binding
hardening in 9cc4e32375 (CVE-2026-48934).

Preserve the requested host for literal-IP socket connections before the
connection begins.
Add TLS 1.2 and TLS 1.3 regression coverage for both already-connected and
still-connecting provided sockets. Also verify that a session captured for
one literal-IP peer is rejected for another peer, hostname-based reuse stays
intact, and explicit servername continues to take precedence. The host is
recorded before both the literal-IP and DNS/autoSelectFamily branches.

Note: the same identity chain also feeds checkServerIdentity, so
certificate verification for wrapped literal-IP sockets now checks the
actual IP address instead of the historical localhost fallback,
matching what a direct tls.connect({ host }) connection already does.

Tests:

  • python3 tools/test.py --mode=release parallel/test-tls-session-reuse-provided-socket parallel/test-tls-session-reuse-different-servername parallel/test-tls-secure-session parallel/test-https-agent-session-reuse parallel/test-net-connect-options-fd
  • make lint

Preserve literal IP hosts on net.Socket before connection. This keeps
wrapped TLS sessions bound to the correct peer when tls.connect() uses a
provided socket.

Fixes: nodejs#64402
Signed-off-by: harjoth <harjoth.khara@gmail.com>
@nodejs-github-bot

Copy link
Copy Markdown
Collaborator

Review requested:

  • @nodejs/net

@nodejs-github-bot nodejs-github-bot added needs-ci PRs that need a full CI run. net Issues and PRs related to the net subsystem. labels Jul 11, 2026
@harjothkhara harjothkhara marked this pull request as ready for review July 12, 2026 21:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

needs-ci PRs that need a full CI run. net Issues and PRs related to the net subsystem.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

tls.connect() ignores the session option when socket is provided (regression v22.22.3 → v22.23.1)

2 participants