-rw-r--r-- | cli/tests/unit/tls_test.ts | 18 | ||||
-rw-r--r-- | runtime/ops/tls.rs | 8 |
2 files changed, 22 insertions, 4 deletions
diff --git a/cli/tests/unit/tls_test.ts b/cli/tests/unit/tls_test.ts
index ba1f067de..fa869037e 100644
--- a/cli/tests/unit/tls_test.ts
+++ b/cli/tests/unit/tls_test.ts
@@ -20,6 +20,24 @@ unitTest(async function connectTLSNoPerm(): Promise<void> {
 }, Deno.errors.PermissionDenied);
 });
+unitTest(
+ { perms: { read: true, net: true } },
+ async function connectTLSInvalidHost(): Promise<void> {
+ const listener = await Deno.listenTls({
+ hostname: "localhost",
+ port: 3567,
+ certFile: "cli/tests/tls/localhost.crt",
+ keyFile: "cli/tests/tls/localhost.key",
+ });
+
+ await assertThrowsAsync(async () => {
+ await Deno.connectTls({ hostname: "127.0.0.1", port: 3567 });
+ }, Error);
+
+ listener.close();
+ },
+);
+
 unitTest(async function connectTLSCertFileNoReadPerm(): Promise<void> {
 await assertThrowsAsync(async () => {
 await Deno.connectTls({
diff --git a/runtime/ops/tls.rs b/runtime/ops/tls.rs
index 7a5636cd7..893c068c4 100644
--- a/runtime/ops/tls.rs
+++ b/runtime/ops/tls.rs
@@ -140,8 +140,8 @@ async fn op_start_tls(
 }
 let tls_connector = TlsConnector::from(Arc::new(config));
- let dnsname =
- DNSNameRef::try_from_ascii_str(&domain).expect("Invalid DNS lookup");
+ let dnsname = DNSNameRef::try_from_ascii_str(&domain)
+ .map_err(|_| generic_error("Invalid DNS lookup"))?;
 let tls_stream = tls_connector.connect(dnsname, tcp_stream).await?;
 let rid = {
@@ -202,8 +202,8 @@ async fn op_connect_tls(
 config.root_store.add_pem_file(reader).unwrap();
 }
 let tls_connector = TlsConnector::from(Arc::new(config));
- let dnsname =
- DNSNameRef::try_from_ascii_str(&domain).expect("Invalid DNS lookup");
+ let dnsname = DNSNameRef::try_from_ascii_str(&domain)
+ .map_err(|_| generic_error("Invalid DNS lookup"))?;
 let tls_stream = tls_connector.connect(dnsname, tcp_stream).await?;
 let rid = {
 let mut state_ = state.borrow_mut(); |
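Review bot: The assertion in `connectTLSInvalidHost` accepts any `Error`, so the test also passes when the connection fails for an unrelated reason; no `certFile` is passed to `Deno.connectTls`, so a certificate-verification failure against the test certificate would presumably satisfy it too. Pinning the message ties the test to the hostname check: `}, Error, "Invalid DNS lookup");`, assuming `assertThrowsAsync` takes the expected message substring as its third argument. `listener.close()` is also reached only when the assertion passes; wrapping the assertion in `try { … } finally { listener.close(); }` keeps port 3567 from staying bound for later tests after a failure.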
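Review bot: The new `map_err(|_| …)` in `op_start_tls` discards the parse error and reports "Invalid DNS lookup", although no lookup happens on this line: the string is rejected because it is not a valid DNS name to verify the certificate against (the new test triggers it with `127.0.0.1`). A message that names the real cause and the rejected value is easier to act on, for example `.map_err(|_| generic_error(format!("Invalid hostname for TLS: {}", domain)))?;`, provided `generic_error` accepts an owned `String`. The `op_connect_tls` hunk uses the same wording and would need the same change. Both function bodies start and end outside their hunks.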
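Review bot: The context line `config.root_store.add_pem_file(reader).unwrap();` directly above the change in `op_connect_tls` is still a panic path of the kind this commit removes: a caller-supplied certificate file that does not parse as PEM would abort the runtime instead of rejecting the promise. Converting it the same way keeps the op panic-free on caller input: `config.root_store.add_pem_file(reader).map_err(|_| generic_error("Unable to add pem file to certificate store"))?;`. `op_start_tls` may contain the same call above its hunk, but that part is not visible here. The function body starts and ends outside the hunk.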