fix(iam): oidc-provider can't pull from hosts requiring SNI (#13397)

creiche · web-flow · commit 90dbfb5eec19 · 2021-03-08T15:25:57.000Z
This enables SNI when the oidcProvider tries to pull the thumbprint from a server in the downloadThumbprint function.  This fixes issues when trying to add an oidcProvider that is using SNI.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
diff --git a/packages/@aws-cdk/aws-iam/lib/oidc-provider/external.ts b/packages/@aws-cdk/aws-iam/lib/oidc-provider/external.ts
@@ -28,7 +28,7 @@ async function downloadThumbprint(issuerUrl: string) {
     if (!purl.host) {
       return ko(new Error(`unable to determine host from issuer url ${issuerUrl}`));
     }
-    const socket = tls.connect(port, purl.host, { rejectUnauthorized: false });
+    const socket = tls.connect(port, purl.host, { rejectUnauthorized: false, servername: purl.host });
     socket.once('error', ko);
     socket.once('secureConnect', () => {
       const cert = socket.getPeerCertificate();

Original file line number	Diff line number	Diff line change
`@@ -28,7 +28,7 @@ async function downloadThumbprint(issuerUrl: string) {`
`28`	`28`	`if (!purl.host) {`
`29`	`29`	return ko(new Error(`unable to determine host from issuer url ${issuerUrl}`));
`30`	`30`	`}`
`31`		`- const socket = tls.connect(port, purl.host, { rejectUnauthorized: false });`
	`31`	`+ const socket = tls.connect(port, purl.host, { rejectUnauthorized: false, servername: purl.host });`
`32`	`32`	`socket.once('error', ko);`
`33`	`33`	`socket.once('secureConnect', () => {`
`34`	`34`	`const cert = socket.getPeerCertificate();`