diff --git a/packages/grpc-js/package.json b/packages/grpc-js/package.json
index 6a355635..1b5d2e12 100644
--- a/packages/grpc-js/package.json
+++ b/packages/grpc-js/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@grpc/grpc-js",
-  "version": "1.0.1",
+  "version": "1.0.2",
   "description": "gRPC Library for Node - pure JS implementation",
   "homepage": "https://grpc.io/",
   "repository": "https://github.com/grpc/grpc-node/tree/master/packages/grpc-js",
diff --git a/packages/grpc-js/src/channel-credentials.ts b/packages/grpc-js/src/channel-credentials.ts
index e5c9bfda..675e9162 100644
--- a/packages/grpc-js/src/channel-credentials.ts
+++ b/packages/grpc-js/src/channel-credentials.ts
@@ -211,7 +211,8 @@ class SecureChannelCredentialsImpl extends ChannelCredentials {
   }
 
   _getConnectionOptions(): ConnectionOptions | null {
-    return this.connectionOptions;
+    // Copy to prevent callers from mutating this.connectionOptions
+    return { ...this.connectionOptions };
   }
   _isSecure(): boolean {
     return true;
diff --git a/packages/grpc-js/src/http_proxy.ts b/packages/grpc-js/src/http_proxy.ts
index 18c0e115..df9ea09f 100644
--- a/packages/grpc-js/src/http_proxy.ts
+++ b/packages/grpc-js/src/http_proxy.ts
@@ -147,9 +147,9 @@ export function mapProxyName(
     extraOptions['grpc.http_connect_creds'] = proxyInfo.creds;
   }
   return {
-    target: { 
+    target: {
       scheme: 'dns',
-      path: proxyInfo.address
+      path: proxyInfo.address,
     },
     extraOptions: extraOptions,
   };
@@ -207,23 +207,33 @@ export function getProxiedConnection(
             ' through proxy ' +
             proxyAddressString
         );
-        resolve({
-          socket,
-          realTarget: parsedTarget,
-        });
         if ('secureContext' in connectionOptions) {
           /* The proxy is connecting to a TLS server, so upgrade this socket
            * connection to a TLS connection.
            * This is a workaround for https://github.com/nodejs/node/issues/32922
            * See https://github.com/grpc/grpc-node/pull/1369 for more info. */
-          const cts = tls.connect({
-              ...connectionOptions,
-              host: getDefaultAuthority(parsedTarget),
+          const remoteHost = getDefaultAuthority(parsedTarget);
+
+          const cts = tls.connect(
+            {
+              host: remoteHost,
+              servername: remoteHost,
               socket: socket,
-            }, () => {
+              ...connectionOptions,
+            },
+            () => {
+              trace(
+                'Successfully established a TLS connection to ' +
+                  options.path +
+                  ' through proxy ' +
+                  proxyAddressString
+              );
               resolve({ socket: cts, realTarget: parsedTarget });
             }
           );
+          cts.on('error', () => {
+            reject();
+          });
         } else {
           resolve({
             socket,
diff --git a/packages/grpc-js/src/subchannel.ts b/packages/grpc-js/src/subchannel.ts
index 1691ffd2..2af7885e 100644
--- a/packages/grpc-js/src/subchannel.ts
+++ b/packages/grpc-js/src/subchannel.ts
@@ -322,10 +322,11 @@ export class Subchannel {
       };
     }
 
-    connectionOptions = Object.assign(
-      connectionOptions,
-      this.subchannelAddress
-    );
+    connectionOptions = {
+      ...connectionOptions,
+      ...this.subchannelAddress,
+    };
+
     /* http2.connect uses the options here:
      * https://github.com/nodejs/node/blob/70c32a6d190e2b5d7b9ff9d5b6a459d14e8b7d59/lib/internal/http2/core.js#L3028-L3036
      * The spread operator overides earlier values with later ones, so any port