Commit 08c2912

doc: the augmentation around SNI & certificate validation (#199)
This PR documents why the SNI is altered during TLS handshake and why a certificate SAN is compared against an alternate hostname.
1 parent 5d648ef commit 08c2912

1 file changed

+24
-0
lines changed

src/main/kotlin/com/coder/toolbox/util/TLS.kt

Lines changed: 24 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -84,6 +84,30 @@ fun sslContextFromPEMs(
8484
return sslContext
8585
}
8686

87+
/**
88+
* Netflix TLS Workaround — SNI & Hostname Validation
89+
*
90+
* Context:
91+
* - The Netflix servers we connect to rely on the SNI in the ClientHello
92+
* beyond just the typical use case of serving multiple hostnames from a
93+
* single IP. The alternate hostname for the SNI can contain underscores
94+
* (non-compliant for hostnames).
95+
* - The server always presents the same certificate, regardless of the SNI
96+
* - The certificate’s SAN entries do not match the server’s DNS name, and in
97+
* - Because of this mismatch, the TLS handshake fails unless we apply two
98+
* client-side workarounds:
99+
*
100+
* 1. SNI manipulation — we rewrite the SNI in the ClientHello via a custom
101+
* SSLSocketFactory. Even though the server’s cert does not vary by SNI,
102+
* connections fail if this rewrite is removed. The server’s TLS stack
103+
* appears to depend on the SNI being set in a particular way.
104+
*
105+
* 2. Hostname validation override — we relax certificate checks by allowing
106+
* an “alternate hostname” to be matched against the cert SANs. This avoids
107+
* rejections when the SAN does not align with the requested DNS name.
108+
*
109+
* See [this issue](https://github.com/coder/jetbrains-coder/issues/578) for more details.
110+
*/
87111
funcoderSocketFactory(settings:ReadOnlyTLSSettings):SSLSocketFactory {
88112
val sslContext= sslContextFromPEMs(settings.certPath, settings.keyPath, settings.caPath)
89113

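Review bot: the bullet at diff line 96, "The certificate's SAN entries do not match the server's DNS name, and in", is cut off mid-sentence and runs straight into the "Because of this mismatch" bullet at line 97; either finish the thought (what the SAN entries actually contain) or drop the dangling "and in". On the security side, the paragraph for workaround 2 (lines 105-107) says "we relax certificate checks" but does not say where the alternate hostname comes from or when the override is active; since `coderSocketFactory` takes `settings: ReadOnlyTLSSettings`, it would help readers to state that the alternate hostname is a configured value that is matched against the SANs in place of the requested DNS name, rather than a blanket disable of hostname verification, and under which setting the override applies at all. It would also be worth tying the underscore remark at lines 93-94 to workaround 1, i.e. that a non-compliant hostname is the reason the SNI has to be injected through a custom SSLSocketFactory instead of the default SNI handling, so the two observations in the Context section read as one explanation.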