From f104e920e0d006e9d569f9d0e6fd8190e2ffcd26 Mon Sep 17 00:00:00 2001
From: Max Schmitt
Date: Fri, 19 Jul 2024 12:55:20 +0200
Subject: [PATCH] fix(client-certificates): pass TLS servername for SNI (#31761)
---
 .../src/server/socksClientCertificatesInterceptor.ts | 6 +++++-
 tests/library/client-certificates.spec.ts | 5 ++++-
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/packages/playwright-core/src/server/socksClientCertificatesInterceptor.ts b/packages/playwright-core/src/server/socksClientCertificatesInterceptor.ts
index e8cc30ae49..daadd8b5cc 100644
--- a/packages/playwright-core/src/server/socksClientCertificatesInterceptor.ts
+++ b/packages/playwright-core/src/server/socksClientCertificatesInterceptor.ts
@@ -14,7 +14,7 @@
 * limitations under the License.
 */
-import type net from 'net';
+import net from 'net';
 import path from 'path';
 import type https from 'https';
 import fs from 'fs';
@@ -100,9 +100,13 @@ class SocksProxyConnection {
 const tlsOptions: tls.ConnectionOptions = {
 socket: this.target,
+ host: this.host,
+ port: this.port,
 rejectUnauthorized: !this.socksProxy.ignoreHTTPSErrors,
 ...clientCertificatesToTLSOptions(this.socksProxy.clientCertificates, `https://${this.host}:${this.port}/`),
 };
+ if (!net.isIP(this.host))
+ tlsOptions.servername = this.host;
 if (process.env.PWTEST_UNSUPPORTED_CUSTOM_CA && isUnderTest())
 tlsOptions.ca = [fs.readFileSync(process.env.PWTEST_UNSUPPORTED_CUSTOM_CA)];
 const targetTLS = tls.connect(tlsOptions);
diff --git a/tests/library/client-certificates.spec.ts b/tests/library/client-certificates.spec.ts
index 11fd6712cd..a8d36ca41c 100644
--- a/tests/library/client-certificates.spec.ts
+++ b/tests/library/client-certificates.spec.ts
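Review bot: The `!net.isIP(this.host)` guard in front of `tlsOptions.servername = this.host` is the right RFC 6066 behaviour (SNI must carry a host name, never an IP literal), but the reason is not recorded and the check silently assumes `this.host` is a bare hostname or bare IP: a bracketed IPv6 literal such as `[::1]` is not recognised by `net.isIP` and would be sent as the SNI name. I would add `// RFC 6066: SNI must be a host name, never an IP literal (Node warns with DEP0123 if one is set).` above the `if`, and confirm against the SOCKS request parsing outside this hunk what form `this.host` takes for IPv6 targets. Passing `host` alongside `servername` also presumably drives Node's default `checkServerIdentity` when `rejectUnauthorized` is true, so the peer certificate is checked against the requested host rather than whatever the pre-existing socket reports; a one-line comment on `host: this.host,` would stop someone later dropping it as redundant with `servername`. The enclosing method begins and ends outside the hunk.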
@@ -31,7 +31,10 @@ const test = base.extend<{ serverURL: string, serverURLRewrittenToLocalhost: str
 requestCert: true,
 rejectUnauthorized: false,
 }, (req, res) => {
- const cert = (req.socket as import('tls').TLSSocket).getPeerCertificate();
+ const tlsSocket = req.socket as import('tls').TLSSocket;
+ // @ts-expect-error
+ expect(['localhost', 'local.playwright'].includes((tlsSocket).servername)).toBe(true);
+ const cert = tlsSocket.getPeerCertificate();
 if ((req as any).client.authorized) {
 res.writeHead(200, { 'Content-Type': 'text/html' });
 res.end(`Hello ${cert.subject.CN}, your certificate was issued by ${cert.issuer.CN}!`);
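Review bot: The new `expect(['localhost', 'local.playwright'].includes((tlsSocket).servername))` line only checks that the SNI name is one of two allowed values, so it would still pass if the interceptor sent `localhost` for a request addressed to `local.playwright`; comparing against the name the client actually asked for is stronger, e.g. `expect(tlsSocket.servername).toBe(req.headers.host?.replace(/:\d+$/, ''));`, assuming the `Host` header carries the origin name here, which the fixture setup outside this hunk would confirm. The bare `// @ts-expect-error` deserves a reason so it is not mistaken for a stale suppression, e.g. `// @ts-expect-error: servername is not declared on the TLSSocket typings`. A failing `expect` inside this request listener throws in the server callback rather than in the test body, so presumably it surfaces as an uncaught exception; recording the value and asserting after the response would keep the failure attached to the test. The handler's arrow function continues past the end of the hunk.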