tls: normalize hostname for server identity checks

mcollina · aduh95 · commit ebda73470df5 · 2026-06-17T18:50:53.000+02:00
Signed-off-by: Matteo Collina <hello@matteocollina.com> PR-URL: nodejs-private/node-private#869 Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> CVE-ID: CVE-2026-48618 Refs: https://hackerone.com/reports/3688064
diff --git a/lib/tls.js b/lib/tls.js
@@ -68,6 +68,7 @@ const { Buffer } = require('buffer');
 const { canonicalizeIP } = internalBinding('cares_wrap');
 const tlsCommon = require('internal/tls/common');
 const tlsWrap = require('internal/tls/wrap');
+const { domainToASCII } = require('internal/url');
 const { validateString } = require('internal/validators');
 
 const {
@@ -403,6 +404,11 @@ exports.checkServerIdentity = function checkServerIdentity(hostname, cert) {
   const ips = [];
 
   hostname = '' + hostname;
+  const hostnameASCII = domainToASCII(hostname);
+
+  // Remove trailing dots for error messages and matching.
+  hostname = unfqdn(hostname);
+  const hostnameASCIIWithoutFQDN = unfqdn(hostnameASCII);
 
   if (altNames) {
     const splitAltNames = altNames.includes('"') ?
@@ -420,14 +426,14 @@ exports.checkServerIdentity = function checkServerIdentity(hostname, cert) {
   let valid = false;
   let reason = 'Unknown reason';
 
-  hostname = unfqdn(hostname);  // Remove trailing dot for error messages.
-
-  if (net.isIP(hostname)) {
-    valid = ips.includes(canonicalizeIP(hostname));
-    if (!valid)
-      reason = `IP: ${hostname} is not in the cert's list: ` + ips.join(', ');
+  if (net.isIP(hostnameASCIIWithoutFQDN)) {
+    valid = ips.includes(canonicalizeIP(hostnameASCIIWithoutFQDN));
+    if (!valid) {
+      reason =
+        `IP: ${hostname} is not in the cert's list: ` + ips.join(', ');
+    }
   } else if (dnsNames.length > 0 || subject?.CN) {
-    const hostParts = splitHost(hostname);
+    const hostParts = splitHost(hostnameASCIIWithoutFQDN);
     const wildcard = (pattern) => check(hostParts, pattern, true);
 
     if (dnsNames.length > 0) {
diff --git a/test/parallel/test-tls-check-server-identity.js b/test/parallel/test-tls-check-server-identity.js
@@ -381,6 +381,15 @@ const tests = [
     error: 'Host: localhost. is not in the cert\'s altnames: ' +
            'DNS:a.com'
   },
+  {
+    host: 'foo&#12290;bar.example.com',
+    cert: {
+      subjectaltname: 'DNS:*.example.com',
+      subject: {}
+    },
+    error: 'Host: foo&#12290;bar.example.com. is not in the cert\'s altnames: ' +
+           'DNS:*.example.com'
+  },
   // IDNA
   {
     host: 'xn--bcher-kva.example.com',
