https: do not automatically use invalid servername

sam-github · BridgeAR · commit 53cc16c7ddd6 · 2019-06-17T21:12:36.000+02:00
Stop automatically setting servername in https.request() if the target host is specified with an IP address. Doing so is invalid, and triggers a deprecation warning. It is still possible to send an IP address as a servername if its required, but it needs to be explicity configured, it won't happen automatically. PR-URL: #28209 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Yongsheng Zhang <zyszys98@gmail.com> Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
diff --git a/doc/api/https.md b/doc/api/https.md
@@ -24,15 +24,23 @@ An [`Agent`][] object for HTTPS similar to [`http.Agent`][]. See
 [`https.request()`][] for more information.
 
 ### new Agent([options])
-
+<!-- YAML
+changes:
+ - version: REPLACEME
+ pr-url: https://github.com/nodejs/node/pull/28209
+ description: do not automatically set servername if the target host was
+ specified using an IP address.
+-->
 * `options`{Object} Set of configurable options to set on the agent.
 Can have the same fields as for [`http.Agent(options)`][], and
 * `maxCachedSessions`{number} maximum number of TLS cached sessions.
 Use `0` to disable TLS session caching. **Default:** `100`.
 * `servername`{string} the value of
 [Server Name Indication extension][sni wiki] to be sent to the server. Use
 empty string `''` to disable sending the extension.
- **Default:** hostname or IP address of the target server.
+ **Default:** hostname of the target server, unless the target server
+ is specified using an IP address, in which case the default is `''` (no
+ extension).
 
 See [`Session Resumption`][] for infomation about TLS session reuse.
 
diff --git a/lib/_http_agent.js b/lib/_http_agent.js
@@ -256,6 +256,9 @@ function calculateServerName(options, req){
 servername = hostHeader.split(':', 1)[0];
 }
 }
+ // Don't implicitly set invalid (IP) servernames.
+ if (net.isIP(servername))
+ servername = '';
 return servername;
 }
 
diff --git a/test/parallel/test-https-simple.js b/test/parallel/test-https-simple.js
@@ -29,6 +29,9 @@ if (!common.hasCrypto)
 const assert = require('assert');
 const https = require('https');
 
+// Assert that the IP-as-servername deprecation warning does not occur.
+process.on('warning', common.mustNotCall());
+
 const options ={
 key: fixtures.readKey('agent1-key.pem'),
 cert: fixtures.readKey('agent1-cert.pem')

Original file line number	Diff line number	Diff line change
`@@ -256,6 +256,9 @@ function calculateServerName(options, req){`
`256`	`256`	`servername=hostHeader.split(':',1)[0];`
`257`	`257`	`}`
`258`	`258`	`}`
	`259`	`+// Don't implicitly set invalid (IP) servernames.`
	`260`	`+if(net.isIP(servername))`
	`261`	`+servername='';`
`259`	`262`	`returnservername;`
`260`	`263`	`}`
`261`	`264`
-Original file line number
+Diff line change
 constassert=require('assert');
 consthttps=require('https');
 +// Assert that the IP-as-servername deprecation warning does not occur.
 +process.on('warning',common.mustNotCall());
++
 constoptions={
 key: fixtures.readKey('agent1-key.pem'),
 cert: fixtures.readKey('agent1-cert.pem')