denoland · littledivy · Aug 23, 2025 · Aug 14, 2025 · Aug 14, 2025 · Aug 15, 2025
diff --git a/cli/main.rs b/cli/main.rs
@@ -915,11 +915,14 @@ async fn initialize_tunnel(
   let root_cert_store = cert_store_provider.get_or_try_init()?.clone();
 
   let tls_config = deno_runtime::deno_tls::create_client_config(
-    Some(root_cert_store),
-    vec![],
-    None,
-    deno_runtime::deno_tls::TlsKeys::Null,
-    deno_runtime::deno_tls::SocketUse::GeneralSsl,
+    deno_runtime::deno_tls::TlsClientConfigOptions {
+      root_cert_store: Some(root_cert_store),
+      ca_certs: vec![],
+      unsafely_ignore_certificate_errors: None,
+      unsafely_disable_hostname_verification: false,
+      cert_chain_and_key: deno_runtime::deno_tls::TlsKeys::Null,
+      socket_use: deno_runtime::deno_tls::SocketUse::GeneralSsl,
+    },
   )?;
 
   let mut metadata = HashMap::new();

diff --git a/cli/tsc/dts/lib.deno_net.d.ts b/cli/tsc/dts/lib.deno_net.d.ts
@@ -456,6 +456,15 @@ declare namespace Deno {
      * TLS handshake.
      */
     alpnProtocols?: string[];
+    /** If true, the certificate's common name or subject alternative names will not be
+     * checked against the hostname provided in the options.
+     *
+     * This disables hostname verification but still validates the certificate chain.
+     * Use with caution and only when connecting to known servers.
+     *
+     * @default {false}
+     */
+    unsafelyDisableHostnameVerification?: boolean;
   }
 
   /** Establishes a secure connection over TLS (transport layer security) using
@@ -505,6 +514,15 @@ declare namespace Deno {
      * TLS handshake.
      */
     alpnProtocols?: string[];
+    /** If true, the certificate's common name or subject alternative names will not be
+     * checked against the hostname provided in the options.
+     *
+     * This disables hostname verification but still validates the certificate chain.
+     * Use with caution and only when connecting to known servers.
+     *
+     * @default {false}
+     */
+    unsafelyDisableHostnameVerification?: boolean;
   }
 
   /** Start TLS handshake from an existing connection using an optional list of

diff --git a/ext/fetch/lib.rs b/ext/fetch/lib.rs
@@ -1055,14 +1055,17 @@ pub fn create_http_client(
   user_agent: &str,
   options: CreateHttpClientOptions,
 ) -> Result<Client, HttpClientCreateError> {
-  let mut tls_config = deno_tls::create_client_config(
-    options.root_cert_store,
-    options.ca_certs,
-    options.unsafely_ignore_certificate_errors,
-    options.client_cert_chain_and_key.into(),
-    deno_tls::SocketUse::Http,
-  )
-  .map_err(HttpClientCreateError::Tls)?;
+  let mut tls_config =
+    deno_tls::create_client_config(deno_tls::TlsClientConfigOptions {
+      root_cert_store: options.root_cert_store,
+      ca_certs: options.ca_certs,
+      unsafely_ignore_certificate_errors: options
+        .unsafely_ignore_certificate_errors,
+      unsafely_disable_hostname_verification: false,
+      cert_chain_and_key: options.client_cert_chain_and_key.into(),
+      socket_use: deno_tls::SocketUse::Http,
+    })
+    .map_err(HttpClientCreateError::Tls)?;
 
   // Proxy TLS should not send ALPN
   tls_config.alpn_protocols.clear();

diff --git a/ext/net/02_tls.js b/ext/net/02_tls.js
@@ -58,6 +58,7 @@ async function connectTls({
   keyFormat = undefined,
   cert = undefined,
   key = undefined,
+  unsafelyDisableHostnameVerification = false,
 }) {
   if (transport !== "tcp") {
     throw new TypeError(`Unsupported transport: '${transport}'`);
@@ -73,7 +74,7 @@ async function connectTls({
   const serverName = arguments[0][serverNameSymbol] ?? null;
   const { 0: rid, 1: localAddr, 2: remoteAddr } = await op_net_connect_tls(
     { hostname, port },
-    { caCerts, alpnProtocols, serverName },
+    { caCerts, alpnProtocols, serverName, unsafelyDisableHostnameVerification },
     keyPair,
   );
   localAddr.transport = "tcp";
@@ -188,12 +189,14 @@ async function startTls(
     hostname = "127.0.0.1",
     caCerts = [],
     alpnProtocols = undefined,
+    unsafelyDisableHostnameVerification = false,
   } = { __proto__: null },
 ) {
   return startTlsInternal(conn, {
     hostname,
     caCerts,
     alpnProtocols,
+    unsafelyDisableHostnameVerification,
   });
 }
 
@@ -205,6 +208,7 @@ function startTlsInternal(
     alpnProtocols = undefined,
     keyPair = null,
     rejectUnauthorized,
+    unsafelyDisableHostnameVerification,
   },
 ) {
   const { 0: rid, 1: localAddr, 2: remoteAddr } = op_tls_start({
@@ -213,6 +217,7 @@ function startTlsInternal(
     caCerts,
     alpnProtocols,
     rejectUnauthorized,
+    unsafelyDisableHostnameVerification,
   }, keyPair);
   return new TlsConn(rid, remoteAddr, localAddr);
 }

diff --git a/ext/net/ops_tls.rs b/ext/net/ops_tls.rs
@@ -28,6 +28,7 @@ use deno_error::JsErrorBox;
 use deno_permissions::OpenAccessKind;
 use deno_tls::ServerConfigProvider;
 use deno_tls::SocketUse;
+use deno_tls::TlsClientConfigOptions;
 use deno_tls::TlsKey;
 use deno_tls::TlsKeyLookup;
 use deno_tls::TlsKeys;
@@ -232,6 +233,7 @@ pub struct ConnectTlsArgs {
   ca_certs: Vec<String>,
   alpn_protocols: Option<Vec<String>>,
   server_name: Option<String>,
+  unsafely_disable_hostname_verification: Option<bool>,
 }
 
 #[derive(Deserialize)]
@@ -242,6 +244,7 @@ pub struct StartTlsArgs {
   hostname: String,
   alpn_protocols: Option<Vec<String>>,
   reject_unauthorized: Option<bool>,
+  unsafely_disable_hostname_verification: Option<bool>,
 }
 
 #[op2]
@@ -343,6 +346,9 @@ where
     Some(Vec::new())
   };
 
+  let unsafely_disable_hostname_verification =
+    args.unsafely_disable_hostname_verification.unwrap_or(false);
+
   let root_cert_store = state
     .borrow()
     .borrow::<DefaultTlsOptions>()
@@ -367,13 +373,14 @@ where
 
   let tls_null = TlsKeysHolder::from(TlsKeys::Null);
   let key_pair = key_pair.unwrap_or(&tls_null);
-  let mut tls_config = create_client_config(
+  let mut tls_config = create_client_config(TlsClientConfigOptions {
     root_cert_store,
     ca_certs,
     unsafely_ignore_certificate_errors,
-    key_pair.take(),
-    SocketUse::GeneralSsl,
-  )?;
+    unsafely_disable_hostname_verification,
+    cert_chain_and_key: key_pair.take(),
+    socket_use: SocketUse::GeneralSsl,
+  })?;
 
   if let Some(alpn_protocols) = args.alpn_protocols {
     tls_config.alpn_protocols =
@@ -413,6 +420,8 @@ where
     .borrow()
     .try_borrow::<UnsafelyIgnoreCertificateErrors>()
     .and_then(|it| it.0.clone());
+  let unsafely_disable_hostname_verification =
+    args.unsafely_disable_hostname_verification.unwrap_or(false);
 
   let cert_file = {
     let mut s = state.borrow_mut();
@@ -466,13 +475,14 @@ where
   let local_addr = tcp_stream.local_addr()?;
   let remote_addr = tcp_stream.peer_addr()?;
 
-  let mut tls_config = create_client_config(
+  let mut tls_config = create_client_config(TlsClientConfigOptions {
     root_cert_store,
     ca_certs,
     unsafely_ignore_certificate_errors,
-    key_pair.take(),
-    SocketUse::GeneralSsl,
-  )?;
+    unsafely_disable_hostname_verification,
+    cert_chain_and_key: key_pair.take(),
+    socket_use: SocketUse::GeneralSsl,
+  })?;
 
   if let Some(alpn_protocols) = args.alpn_protocols {
     tls_config.alpn_protocols =

diff --git a/ext/net/quic.rs b/ext/net/quic.rs
@@ -35,6 +35,7 @@ use deno_error::JsError;
 use deno_error::JsErrorBox;
 use deno_permissions::PermissionCheckError;
 use deno_tls::SocketUse;
+use deno_tls::TlsClientConfigOptions;
 use deno_tls::TlsError;
 use deno_tls::TlsKeys;
 use deno_tls::TlsKeysHolder;
@@ -574,13 +575,14 @@ where
       ))
       .with_no_client_auth()
   } else {
-    create_client_config(
+    create_client_config(TlsClientConfigOptions {
       root_cert_store,
       ca_certs,
       unsafely_ignore_certificate_errors,
-      key_pair.take(),
-      SocketUse::GeneralSsl,
-    )?
+      unsafely_disable_hostname_verification: false,
+      cert_chain_and_key: key_pair.take(),
+      socket_use: SocketUse::GeneralSsl,
+    })?
   };
 
   if let Some(alpn_protocols) = args.alpn_protocols {

diff --git a/ext/node/polyfills/_tls_wrap.js b/ext/node/polyfills/_tls_wrap.js
@@ -113,6 +113,17 @@ export class TLSSocket extends net.Socket {
     tlsOptions.alpnProtocols = opts.ALPNProtocols;
     tlsOptions.rejectUnauthorized = opts.rejectUnauthorized !== false;
 
+    try {
+      if (
+        opts.checkServerIdentity &&
+        typeof opts.checkServerIdentity == "function" &&
+        opts.checkServerIdentity() == undefined
+      ) {
+        // If checkServerIdentity is no-op, we disable hostname verification.
+        tlsOptions.unsafelyDisableHostnameVerification = true;
+      }
+    } catch { /* pass */ }
+
     super({
       handle: _wrapHandle(tlsOptions, socket),
       ...opts,

diff --git a/ext/telemetry/lib.rs b/ext/telemetry/lib.rs
@@ -798,7 +798,14 @@ mod hyper_client {
         };
 
         let tls_config =
-          create_client_config(None, ca_certs, None, keys, SocketUse::Http)?;
+          create_client_config(deno_tls::TlsClientConfigOptions {
+            root_cert_store: None,
+            ca_certs,
+            unsafely_ignore_certificate_errors: None,
+            unsafely_disable_hostname_verification: false,
+            cert_chain_and_key: keys,
+            socket_use: SocketUse::Http,
+          })?;
         let mut http_connector = HttpConnector::new();
         http_connector.enforce_http(false);
         let connector = HttpsConnector::from((http_connector, tls_config));