From 77d19604f449ac65092e232c93d28f9e686df161 Mon Sep 17 00:00:00 2001
From: James Tucker <james@tailscale.com>
Date: Wed, 2 Jul 2025 14:32:21 -0700
Subject: [PATCH] derp/derphttp: fix DERP TLS client server name inclusion in
 URL form

When dialed with just an URL and no node, the recent proxy fixes caused
a regression where there was no TLS server name being included.

Updates #16222
Updates #16223

Signed-off-by: James Tucker <james@tailscale.com>
Co-Authored-by: Jordan Whited <jwhited@tailscale.com>
---
 derp/derphttp/derphttp_client.go |  4 +++-
 derp/derphttp/derphttp_test.go   | 36 ++++++++++++++++++++++++++++++++
 2 files changed, 39 insertions(+), 1 deletion(-)

diff --git a/derp/derphttp/derphttp_client.go b/derp/derphttp/derphttp_client.go
index 7385f0ad1..704b8175d 100644
--- a/derp/derphttp/derphttp_client.go
+++ b/derp/derphttp/derphttp_client.go
@@ -648,12 +648,14 @@ func (c *Client) dialRegion(ctx context.Context, reg *tailcfg.DERPRegion) (net.C
 
 func (c *Client) tlsClient(nc net.Conn, node *tailcfg.DERPNode) *tls.Conn {
 	tlsConf := tlsdial.Config(c.HealthTracker, c.TLSConfig)
+	// node is allowed to be nil here, tlsServerName falls back to using the URL
+	// if node is nil.
+	tlsConf.ServerName = c.tlsServerName(node)
 	if node != nil {
 		if node.InsecureForTests {
 			tlsConf.InsecureSkipVerify = true
 			tlsConf.VerifyConnection = nil
 		}
-		tlsConf.ServerName = c.tlsServerName(node)
 		if node.CertName != "" {
 			if suf, ok := strings.CutPrefix(node.CertName, "sha256-raw:"); ok {
 				tlsdial.SetConfigExpectedCertHash(tlsConf, suf)
diff --git a/derp/derphttp/derphttp_test.go b/derp/derphttp/derphttp_test.go
index 7f0a7e333..bb33e6023 100644
--- a/derp/derphttp/derphttp_test.go
+++ b/derp/derphttp/derphttp_test.go
@@ -590,3 +590,39 @@ func TestManualDial(t *testing.T) {
 		t.Fatalf("rc.Connect: %v", err)
 	}
 }
+
+func TestURLDial(t *testing.T) {
+	if !*liveNetworkTest {
+		t.Skip("skipping live network test without --live-net-tests")
+	}
+	dm := &tailcfg.DERPMap{}
+	res, err := http.Get("https://controlplane.tailscale.com/derpmap/default")
+	if err != nil {
+		t.Fatalf("fetching DERPMap: %v", err)
+	}
+	defer res.Body.Close()
+	if err := json.NewDecoder(res.Body).Decode(dm); err != nil {
+		t.Fatalf("decoding DERPMap: %v", err)
+	}
+
+	// find a valid target DERP host to test against
+	var hostname string
+	for _, reg := range dm.Regions {
+		for _, node := range reg.Nodes {
+			if !node.STUNOnly && node.CanPort80 && node.CertName == "" || node.CertName == node.HostName {
+				hostname = node.HostName
+				break
+			}
+		}
+		if hostname != "" {
+			break
+		}
+	}
+	netMon := netmon.NewStatic()
+	c, err := NewClient(key.NewNode(), "https://"+hostname+"/", t.Logf, netMon)
+	defer c.Close()
+
+	if err := c.Connect(context.Background()); err != nil {
+		t.Fatalf("rc.Connect: %v", err)
+	}
+}