How to fix Node.js ERR_TLS_SNI_FROM_SERVER TLS SNI extension cannot be issued from a server socket?

Call setServername() only on client-side TLS sockets: SNI is set during the connect() options; it is sent by the client in the ClientHello, not by the server.

ERR_TLS_SNI_FROM_SERVER

Node.jsERRORCriticalTLSHIGH confidence

TLS SNI extension cannot be issued from a server socket

Production Risk

Low — caught immediately at call site; affects only misconfigured TLS code.

What this means

Thrown when tlsSocket.setServername() is called on a TLS socket that is operating in server mode. Server Name Indication (SNI) is a client-side extension that tells the server which hostname to use. A server socket cannot set its own SNI because it is the recipient, not the sender, of the extension.

Why it happens

1Calling socket.setServername() on the server-side TLS socket in the connection handler
2Confusing client and server socket roles in TLS code

How to reproduce

Triggered when setServername() is called on a server-side TLS socket.

trigger — this will error

const tls = require('tls');
const server = tls.createServer(options, (socket) => {
  socket.setServername('example.com'); // server socket — throws
});

expected output

Error [ERR_TLS_SNI_FROM_SERVER]: Cannot issue SNI from a TLS server-side socket

Fix

Call setServername() only on client-side TLS sockets

WHEN When connecting to a server that requires SNI

Call setServername() only on client-side TLS sockets

const socket = tls.connect({
  host: 'example.com',
  port: 443,
  servername: 'example.com', // set in options, not post-connect
});

Why this works

SNI is set during the connect() options; it is sent by the client in the ClientHello, not by the server.

Code examples

Triggerjs

const tls = require('tls');
const server = tls.createServer(options, (socket) => {
  socket.setServername('example.com'); // server socket — throws
});  // this triggers ERR_TLS_SNI_FROM_SERVER

Handle in try/catchjs

try {
  // operation that may throw ERR_TLS_SNI_FROM_SERVER
  riskyOperation()
} catch (err) {
  if (err.code === 'ERR_TLS_SNI_FROM_SERVER') {
    console.error('ERR_TLS_SNI_FROM_SERVER:', err.message)
  } else {
    throw err
  }
}

Defensive pattern to avoid itjs

// Validate inputs before calling the operation
function safe_err_tls_sni_from_server(...args) {
  // validate args here
  return performOperation(...args)
}

What not to do

✕ Call setServername() inside a server connection handler

Server sockets receive SNI from clients; they do not send it.

Same error in other languages

ssl.SSLErrorin Python→

Sources

Official documentation ↗

Node.js Error Codes Documentation

Content generated with AI assistance and reviewed for accuracy. Found an error? hello@errcodes.dev

At a glance

PlatformNode.js Error Codes

CodeERR_TLS_SNI_FROM_SERVER

ClassTLS

SeverityERROR

TierCritical

ConfidenceHIGH

← All Node.js errors