From 6fdefa394f4b4f762ba71ad3ecb4747ed476af0b Mon Sep 17 00:00:00 2001
From: Chris Reiche <35380634+creiche@users.noreply.github.com>
Date: Mon, 8 Mar 2021 10:25:57 -0500
Subject: [PATCH] fix(iam): oidc-provider can't pull from hosts requiring SNI
 (#13397)

This enables SNI when the oidcProvider tries to pull the thumbprint from a server in the downloadThumbprint function.  This fixes issues when trying to add an oidcProvider that is using SNI.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
---
 packages/@aws-cdk/aws-iam/lib/oidc-provider/external.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/@aws-cdk/aws-iam/lib/oidc-provider/external.ts b/packages/@aws-cdk/aws-iam/lib/oidc-provider/external.ts
index d926caf405e22..4ad18aed4f17d 100644
--- a/packages/@aws-cdk/aws-iam/lib/oidc-provider/external.ts
+++ b/packages/@aws-cdk/aws-iam/lib/oidc-provider/external.ts
@@ -28,7 +28,7 @@ async function downloadThumbprint(issuerUrl: string) {
     if (!purl.host) {
       return ko(new Error(`unable to determine host from issuer url ${issuerUrl}`));
     }
-    const socket = tls.connect(port, purl.host, { rejectUnauthorized: false });
+    const socket = tls.connect(port, purl.host, { rejectUnauthorized: false, servername: purl.host });
     socket.once('error', ko);
     socket.once('secureConnect', () => {
       const cert = socket.getPeerCertificate();