tls: move IP-address servername deprecation to eol

Has been deprecated for six years. It's time to remove it.

PR-URL: https://github.com/nodejs/node/pull/58533
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: Dario Piotrowicz <dario.piotrowicz@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>

doc/api/deprecations.md

@@ -2608,15 +2608,18 @@ Please use `Server.prototype.setSecureContext()` instead.
 
 <!-- YAML
 changes:
+  - version: REPLACEME
+    pr-url: https://github.com/nodejs/node/pull/58533
+    description: End-of-Life.
   - version: v12.0.0
     pr-url: https://github.com/nodejs/node/pull/23329
     description: Runtime deprecation.
 -->
 
-Type: Runtime
+Type: End-of-Life
 
 Setting the TLS ServerName to an IP address is not permitted by
-[RFC 6066][]. This will be ignored in a future version.
+[RFC 6066][].
 
 ### DEP0124: using `REPLServer.rli`
 

lib/internal/tls/wrap.js

@@ -112,7 +112,6 @@ const kIsVerified = Symbol('verified');
 
 const noop = () => {};
 
-let ipServernameWarned = false;
 let tlsTracingWarned = false;
 
 // Server side times how long a handshake is taking to protect against slow
@@ -1715,6 +1714,14 @@ exports.connect = function connect(...args) {
 
   const context = options.secureContext || tls.createSecureContext(options);
 
+  if (options.servername && net.isIP(options.servername)) {
+    throw new ERR_INVALID_ARG_VALUE(
+      'options.servername',
+      options.servername,
+      'Setting the TLS ServerName to an IP address is not permitted.',
+    );
+  }
+
   const tlssock = new TLSSocket(options.socket, {
     allowHalfOpen: options.allowHalfOpen,
     pipe: !!options.path,
@@ -1760,15 +1767,6 @@ exports.connect = function connect(...args) {
     tlssock.setSession(options.session);
 
   if (options.servername) {
-    if (!ipServernameWarned && net.isIP(options.servername)) {
-      process.emitWarning(
-        'Setting the TLS ServerName to an IP address is not permitted by ' +
-        'RFC 6066. This will be ignored in a future version.',
-        'DeprecationWarning',
-        'DEP0123',
-      );
-      ipServernameWarned = true;
-    }
     tlssock.setServername(options.servername);
   }
 

test/parallel/test-tls-ip-servername-deprecation.js

@@ -1,41 +0,0 @@
-'use strict';
-
-const common = require('../common');
-const fixtures = require('../common/fixtures');
-
-if (!common.hasCrypto)
-  common.skip('missing crypto');
-
-const tls = require('tls');
-
-// This test expects `tls.connect()` to emit a warning when
-// `servername` of options is an IP address.
-common.expectWarning(
-  'DeprecationWarning',
-  'Setting the TLS ServerName to an IP address is not permitted by ' +
-  'RFC 6066. This will be ignored in a future version.',
-  'DEP0123'
-);
-
-{
-  const options = {
-    key: fixtures.readKey('agent1-key.pem'),
-    cert: fixtures.readKey('agent1-cert.pem')
-  };
-
-  const server = tls.createServer(options, function(s) {
-    s.end('hello');
-  }).listen(0, function() {
-    const client = tls.connect({
-      port: this.address().port,
-      rejectUnauthorized: false,
-      servername: '127.0.0.1',
-    }, function() {
-      client.end();
-    });
-  });
-
-  server.on('connection', common.mustCall(function(socket) {
-    server.close();
-  }));
-}

test/parallel/test-tls-ip-servername-forbidden.js

@@ -0,0 +1,18 @@
+'use strict';
+
+const common = require('../common');
+const { throws } = require('assert');
+
+if (!common.hasCrypto)
+  common.skip('missing crypto');
+
+const tls = require('tls');
+
+// Verify that passing an IP address the the servername option
+// throws an error.
+throws(() => tls.connect({
+  port: 1234,
+  servername: '127.0.0.1',
+}, common.mustNotCall()), {
+  code: 'ERR_INVALID_ARG_VALUE',
+});