fix(client-certificates): pass TLS servername for SNI (#31761)

packages/playwright-core/src/server/socksClientCertificatesInterceptor.ts

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-import type net from 'net';
+import net from 'net';
 import path from 'path';
 import type https from 'https';
 import fs from 'fs';
@@ -100,9 +100,13 @@ class SocksProxyConnection {
 
     const tlsOptions: tls.ConnectionOptions = {
       socket: this.target,
+      host: this.host,
+      port: this.port,
       rejectUnauthorized: !this.socksProxy.ignoreHTTPSErrors,
       ...clientCertificatesToTLSOptions(this.socksProxy.clientCertificates, `https://${this.host}:${this.port}/`),
     };
+    if (!net.isIP(this.host))
+      tlsOptions.servername = this.host;
     if (process.env.PWTEST_UNSUPPORTED_CUSTOM_CA && isUnderTest())
       tlsOptions.ca = [fs.readFileSync(process.env.PWTEST_UNSUPPORTED_CUSTOM_CA)];
     const targetTLS = tls.connect(tlsOptions);

tests/library/client-certificates.spec.ts

@@ -31,7 +31,10 @@ const test = base.extend<{ serverURL: string, serverURLRewrittenToLocalhost: str
       requestCert: true,
       rejectUnauthorized: false,
     }, (req, res) => {
-      const cert = (req.socket as import('tls').TLSSocket).getPeerCertificate();
+      const tlsSocket = req.socket as import('tls').TLSSocket;
+      // @ts-expect-error
+      expect(['localhost', 'local.playwright'].includes((tlsSocket).servername)).toBe(true);
+      const cert = tlsSocket.getPeerCertificate();
       if ((req as any).client.authorized) {
         res.writeHead(200, { 'Content-Type': 'text/html' });
         res.end(`Hello ${cert.subject.CN}, your certificate was issued by ${cert.issuer.CN}!`);