tls: set tlsSocket.servername as early as possible

This commit makes `TLSSocket` set the `servername` property on `SSL_CTX_set_tlsext_servername_callback` so that we could get it later even if errors happen. Fixes: #27699 PR-URL: #27759 Reviewed-By: Anna Henningsen <[email protected]> Reviewed-By: Rich Trott <[email protected]> Reviewed-By: Ruben Bridgewater <[email protected]> Reviewed-By: Sam Roberts <[email protected]>

Author: oyyd

lib/_tls_wrap.js

@@ -774,7 +774,10 @@ TLSSocket.prototype._finishInit = function(){
 return;
 
 this.alpnProtocol=this._handle.getALPNNegotiatedProtocol();
-this.servername=this._handle.getServername();
+// The servername could be set by TLSWrap::SelectSNIContextCallback().
+if(this.servername===null){
+this.servername=this._handle.getServername();
+}
 
 debug('%s _finishInit',
 this._tlsOptions.isServer ? 'server' : 'client',

src/tls_wrap.cc

@@ -1033,6 +1033,14 @@ int TLSWrap::SelectSNIContextCallback(SSL* s, int* ad, void* arg){
  Local<Object> object = p->object();
  Local<Value> ctx;
 
+// Set the servername as early as possible
+ Local<Object> owner = p->GetOwner();
+if (!owner->Set(env->context(),
+ env->servername_string(),
+OneByteString(env->isolate(), servername)).FromMaybe(false)){
+return SSL_TLSEXT_ERR_NOACK;
+ }
+
 if (!object->Get(env->context(), env->sni_context_string()).ToLocal(&ctx))
 return SSL_TLSEXT_ERR_NOACK;
 

test/parallel/test-tls-sni-servername.js

@@ -0,0 +1,56 @@
+'use strict';
+constcommon=require('../common');
+if(!common.hasCrypto)
+common.skip('missing crypto');
+
+constassert=require('assert');
+consttls=require('tls');
+
+// We could get the `tlsSocket.servername` even if the event of "tlsClientError"
+// is emitted.
+
+constserverOptions={
+requestCert: true,
+rejectUnauthorized: false,
+SNICallback: function(servername,callback){
+if(servername==='c.another.com'){
+callback(null,{});
+}else{
+callback(newError('Invalid SNI context'),null);
+}
+}
+};
+
+functiontest(options){
+constserver=tls.createServer(serverOptions,common.mustNotCall());
+
+server.on('tlsClientError',common.mustCall((err,socket)=>{
+assert.strictEqual(err.message,'Invalid SNI context');
+// The `servername` should match.
+assert.strictEqual(socket.servername,options.servername);
+}));
+
+server.listen(0,()=>{
+options.port=server.address().port;
+constclient=tls.connect(options,common.mustNotCall());
+
+client.on('error',common.mustCall((err)=>{
+assert.strictEqual(err.message,'Client network socket'+
+' disconnected before secure TLS connection was established');
+}));
+
+client.on('close',common.mustCall(()=>server.close()));
+});
+}
+
+test({
+port: undefined,
+servername: 'c.another.com',
+rejectUnauthorized: false
+});
+
+test({
+port: undefined,
+servername: 'c.wrong.com',
+rejectUnauthorized: false
+});