4 files changed, 60 insertions, 1 deletions
diff --git a/src/node_crypto.cc b/src/node_crypto.cc
index 9b22edfb96..dd7e0c8468 100644
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -359,6 +359,19 @@ void SecureContext::Initialize(Environment* env, Local<Object> target) {
   t->Set(FIXED_ONE_BYTE_STRING(env->isolate(), "kTicketKeyIVIndex"),
          Integer::NewFromUnsigned(env->isolate(), kTicketKeyIVIndex));
 
+  Local<FunctionTemplate> ctx_getter_templ =
+      FunctionTemplate::New(env->isolate(),
+                            CtxGetter,
+                            env->as_external(),
+                            Signature::New(env->isolate(), t));
+
+
+  t->PrototypeTemplate()->SetAccessorProperty(
+      FIXED_ONE_BYTE_STRING(env->isolate(), "_external"),
+      ctx_getter_templ,
+      Local<FunctionTemplate>(),
+      static_cast<PropertyAttribute>(ReadOnly | DontDelete));
+
   target->Set(secureContextString,
               t->GetFunction(env->context()).ToLocalChecked());
   env->set_secure_context_constructor_template(t);
@@ -1331,6 +1344,14 @@ int SecureContext::TicketCompatibilityCallback(SSL* ssl,
 }
 
 
+void SecureContext::CtxGetter(const FunctionCallbackInfo<Value>& info) {
+  SecureContext* sc;
+  ASSIGN_OR_RETURN_UNWRAP(&sc, info.This());
+  Local<External> ext = External::New(info.GetIsolate(), sc->ctx_.get());
+  info.GetReturnValue().Set(ext);
+}
+
+
 template <bool primary>
 void SecureContext::GetCertificate(const FunctionCallbackInfo<Value>& args) {
   SecureContext* wrap;
diff --git a/src/node_crypto.h b/src/node_crypto.h
index 63d85669fa..2ca333f3c2 100644
--- a/src/node_crypto.h
+++ b/src/node_crypto.h
@@ -165,6 +165,7 @@ class SecureContext : public BaseObject {
       const v8::FunctionCallbackInfo<v8::Value>& args);
   static void EnableTicketKeyCallback(
       const v8::FunctionCallbackInfo<v8::Value>& args);
+  static void CtxGetter(const v8::FunctionCallbackInfo<v8::Value>& info);
 
   template <bool primary>
   static void GetCertificate(const v8::FunctionCallbackInfo<v8::Value>& args);
diff --git a/test/parallel/test-accessor-properties.js b/test/parallel/test-accessor-properties.js
index 453100d108..95b960b202 100644
--- a/test/parallel/test-accessor-properties.js
+++ b/test/parallel/test-accessor-properties.js
@@ -1,7 +1,7 @@
 // Flags: --expose-internals
 'use strict';
 
-require('../common');
+const common = require('../common');
 
 // This tests that the accessor properties do not raise assertions
 // when called with incompatible receivers.
@@ -54,4 +54,19 @@ const UDP = internalBinding('udp_wrap').UDP;
     typeof Object.getOwnPropertyDescriptor(StreamWrapProto, 'fd'),
     'object'
   );
+
+  if (common.hasCrypto) { // eslint-disable-line node-core/crypto-check
+    // There are accessor properties in crypto too
+    const crypto = process.binding('crypto');
+
+    assert.throws(() => {
+      crypto.SecureContext.prototype._external;
+    }, TypeError);
+
+    assert.strictEqual(
+      typeof Object.getOwnPropertyDescriptor(
+        crypto.SecureContext.prototype, '_external'),
+      'object'
+    );
+  }
 }
diff --git a/test/parallel/test-tls-external-accessor.js b/test/parallel/test-tls-external-accessor.js
new file mode 100644
index 0000000000..33d371923a
--- /dev/null
+++ b/test/parallel/test-tls-external-accessor.js
@@ -0,0 +1,22 @@
+'use strict';
+
+const common = require('../common');
+if (!common.hasCrypto)
+  common.skip('missing crypto');
+
+const assert = require('assert');
+const tls = require('tls');
+
+// Ensure accessing ._external doesn't hit an assert in the accessor method.
+{
+  const pctx = tls.createSecureContext().context;
+  const cctx = Object.create(pctx);
+  assert.throws(() => cctx._external, TypeError);
+  pctx._external;
+}
+{
+  const pctx = tls.createSecurePair().credentials.context;
+  const cctx = Object.create(pctx);
+  assert.throws(() => cctx._external, TypeError);
+  pctx._external;
+}