fix(tls.connect) fix SNI on tls sockets and also servername (mongodb) #2934

Merged
merged 33 commits into from
May 21, 2023
00a71e1
fixes SNI on tls sockets and also servername
cirospaciari May 17, 2023
023488d
💅
cirospaciari May 18, 2023
5ea4671
💅
cirospaciari May 18, 2023
0854cc3
add support for https and wss
cirospaciari May 18, 2023
f2be6ee
fix bun types
cirospaciari May 18, 2023
580994d
support Bun.file on ca, key and cert
cirospaciari May 18, 2023
2ddc97e
💅
cirospaciari May 18, 2023
e47364e
add setTimeout (makes fastify run)
cirospaciari May 18, 2023
7843562
fix httpVersion
cirospaciari May 18, 2023
aec341a
fix WebSocketServer and add listen event
cirospaciari May 19, 2023
b289456
fix ws exports and http listening
cirospaciari May 19, 2023
d6bbf66
fix default import
cirospaciari May 19, 2023
6889198
bump uws
cirospaciari May 19, 2023
af1795f
add nodebuffer compatibility
cirospaciari May 19, 2023
e177e84
fix drain and allow more passing tests to run
cirospaciari May 19, 2023
e4b1529
fix enqueud messages
cirospaciari May 19, 2023
6ccc261
default to arraybuffer
cirospaciari May 19, 2023
e92ba51
fix constructor binaryType
cirospaciari May 19, 2023
89ad195
fmt
cirospaciari May 19, 2023
1e5d28a
fixup
cirospaciari May 19, 2023
0ccb274
skip some tests
cirospaciari May 19, 2023
6b4ce2b
skip more
cirospaciari May 19, 2023
6a9a402
skip fault tests
cirospaciari May 19, 2023
1de58c1
reuse encoder instance
cirospaciari May 19, 2023
fdce916
fix handshake WS Client
cirospaciari May 20, 2023
a523466
temporary revert handshake fix
cirospaciari May 20, 2023
5e8d323
fix handshake
cirospaciari May 20, 2023
a1360ea
disable all socket.io test temp
cirospaciari May 20, 2023
f583bb2
fixup
cirospaciari May 20, 2023
8e91569
add back socket.io tests
cirospaciari May 20, 2023
5d28303
use node_fs to read cert, ca and key on server.zig
cirospaciari May 20, 2023
52daa77
throw the error returned by NodeFS
cirospaciari May 20, 2023
5f89f71
💅
cirospaciari May 20, 2023
42 changes: 42 additions & 0 deletions packages/bun-types/bun.d.ts
Expand Up @@ -1646,12 +1646,16 @@ declare module "bun" {
* File path to a TLS key
*
* To enable TLS, this option is required.
*
* @deprecated since v0.6.3 - Use `key: Bun.file(path)` instead.
*/
keyFile: string;
/**
* File path to a TLS certificate
*
* To enable TLS, this option is required.
*
* @deprecated since v0.6.3 - Use `cert: Bun.file(path)` instead.
*/
certFile: string;

Expand All @@ -1661,6 +1665,8 @@ declare module "bun" {
passphrase?: string;
/**
* File path to a .pem file for a custom root CA
*
* @deprecated since v0.6.3 - Use `ca: Bun.file(path)` instead.
*/
caFile?: string;

Expand All @@ -1680,6 +1686,42 @@ declare module "bun" {
* @default false
*/
lowMemoryMode?: boolean;

/**
* Optionally override the trusted CA certificates. Default is to trust
* the well-known CAs curated by Mozilla. Mozilla's CAs are completely
* replaced when CAs are explicitly specified using this option.
*/
ca?: string | Buffer | BunFile | Array<string | Buffer | BunFile> | undefined;
/**
* Cert chains in PEM format. One cert chain should be provided per
* private key. Each cert chain should consist of the PEM formatted
* certificate for a provided private key, followed by the PEM
* formatted intermediate certificates (if any), in order, and not
* including the root CA (the root CA must be pre-known to the peer,
* see ca). When providing multiple cert chains, they do not have to
* be in the same order as their private keys in key. If the
* intermediate certificates are not provided, the peer will not be
* able to validate the certificate, and the handshake will fail.
*/
cert?: string | Buffer | BunFile | Array<string | Buffer | BunFile> | undefined;
/**
* Private keys in PEM format. PEM allows the option of private keys
* being encrypted. Encrypted keys will be decrypted with
* options.passphrase. Multiple keys using different algorithms can be
* provided either as an array of unencrypted key strings or buffers,
* or an array of objects in the form {pem: <string|buffer>[,
* passphrase: <string>]}. The object form can only occur in an array.
* object.passphrase is optional. Encrypted keys will be decrypted with
* object.passphrase if provided, or options.passphrase if it is not.
*/
key?: string | Buffer | BunFile | Array<string | Buffer | BunFile> | undefined;
/**
* Optionally affect the OpenSSL protocol behavior, which is not
* usually necessary. This should be used carefully if at all! Value is
* a numeric bitmask of the SSL_OP_* options from OpenSSL Options
*/
secureOptions?: number | undefined; // Value is a numeric bitmask of the `SSL_OP_*` options
}

export interface TLSServeOptions extends ServeOptions, TLSOptions {
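Review bot: The new `key` docstring (the comment block above `key?:`) tells users they may pass an array of `{pem: <string|buffer>[, passphrase: <string>]}` objects, but the declared type `Array<string | Buffer | BunFile>` does not admit that form, so either add a `{ pem: string | Buffer; passphrase?: string }` member to the union (tls.d.ts already has this as `KeyObject`) or drop the three sentences about the object form from the comment. Separately, `keyFile: string;` and `certFile: string;` stay required while now tagged `@deprecated` in favor of `key`/`cert`, so a caller who follows the deprecation notice cannot typecheck without also passing the deprecated field; change them to `keyFile?: string;` and `certFile?: string;` (or express "one of the pair" as a union). The `cert` comment's warning that omitting intermediates makes the handshake fail is worth keeping verbatim, since it is the one line here that explains a common misconfiguration.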
7 changes: 4 additions & 3 deletions packages/bun-types/tls.d.ts
Expand Up @@ -12,6 +12,7 @@ declare module "tls" {
// import { X509Certificate } from "node:crypto";
import * as net from "node:net";
import * as stream from "stream";
import { BunFile } from "bun";
const CLIENT_RENEG_LIMIT: number;
const CLIENT_RENEG_WINDOW: number;
interface Certificate {
Expand Down Expand Up @@ -860,7 +861,7 @@ declare module "tls" {
* the well-known CAs curated by Mozilla. Mozilla's CAs are completely
* replaced when CAs are explicitly specified using this option.
*/
ca?: string | Buffer | Array<string | Buffer> | undefined;
ca?: string | Buffer | BunFile | Array<string | Buffer | BunFile> | undefined;
/**
* Cert chains in PEM format. One cert chain should be provided per
* private key. Each cert chain should consist of the PEM formatted
Expand All @@ -872,7 +873,7 @@ declare module "tls" {
* intermediate certificates are not provided, the peer will not be
* able to validate the certificate, and the handshake will fail.
*/
cert?: string | Buffer | Array<string | Buffer> | undefined;
cert?: string | Buffer | BunFile | Array<string | Buffer | BunFile> | undefined;
/**
* Colon-separated list of supported signature algorithms. The list
* can contain digest algorithms (SHA256, MD5 etc.), public key
Expand Down Expand Up @@ -930,7 +931,7 @@ declare module "tls" {
* object.passphrase is optional. Encrypted keys will be decrypted with
* object.passphrase if provided, or options.passphrase if it is not.
*/
key?: string | Buffer | Array<string | Buffer | KeyObject> | undefined;
key?: string | Buffer | BunFile | Array<string | Buffer | BunFile | KeyObject> | undefined;
/**
* Name of an OpenSSL engine to get private key from. Should be used
* together with privateKeyIdentifier.
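Review bot: The `ca`, `cert` and `key` docstrings are unchanged while their types now accept `BunFile`, so nothing tells a reader that this is a Bun extension rather than a Node `tls.connect` option; code written against these types will not port to Node. Add one line to each of the three comments, e.g. `* Bun extension: a \`Bun.file(path)\` may be passed in place of the PEM contents (not supported by Node.js).` Whether the file is read eagerly at connect time or lazily is not visible in this file, so I would not state it in the comment until confirmed against the Zig side.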
29 changes: 28 additions & 1 deletion src/bun.js/api/bun/socket.zig
Expand Up @@ -15,6 +15,7 @@ const JSGlobalObject = JSC.JSGlobalObject;
const Which = @import("../../../which.zig");
const uws = @import("root").bun.uws;
const ZigString = JSC.ZigString;
const BoringSSL = bun.BoringSSL;
// const Corker = struct {
// ptr: ?*[16384]u8 = null,
// holder: ?*anyopaque = null,
Expand Down Expand Up @@ -831,6 +832,7 @@ pub const Listener = struct {
.handlers = handlers_ptr,
.this_value = .zero,
.socket = undefined,
.connection = connection,
};

TLSSocket.dataSetCached(tls.getThisValue(globalObject), globalObject, default_data);
Expand All @@ -853,6 +855,7 @@ pub const Listener = struct {
.handlers = handlers_ptr,
.this_value = .zero,
.socket = undefined,
.connection = null,
};

TCPSocket.dataSetCached(tcp.getThisValue(globalObject), globalObject, default_data);
Expand Down Expand Up @@ -891,6 +894,7 @@ fn NewSocket(comptime ssl: bool) type {
reffer: JSC.Ref = JSC.Ref.init(),
last_4: [4]u8 = .{ 0, 0, 0, 0 },
authorized: bool = false,
connection: ?Listener.UnixOrHost = null,

// TODO: switch to something that uses `visitAggregate` and have the
// `Listener` keep a list of all the sockets JSValue in there
Expand Down Expand Up @@ -1068,7 +1072,25 @@ fn NewSocket(comptime ssl: bool) type {

pub fn onOpen(this: *This, socket: Socket) void {
JSC.markBinding(@src());
log("onOpen", .{});
log("onOpen ssl: {}", .{comptime ssl});

// Add SNI support for TLS (mongodb and others requires this)
if (comptime ssl) {
if (this.connection) |connection| {
if (connection == .host) {
const host = normalizeHost(connection.host.host);
if (host.len > 0) {
var ssl_ptr: *BoringSSL.SSL = @ptrCast(*BoringSSL.SSL, socket.getNativeHandle());
if (!ssl_ptr.isInitFinished()) {
var host__ = default_allocator.dupeZ(u8, host) catch unreachable;
defer default_allocator.free(host__);
ssl_ptr.setHostname(host__);
}
}
}
}
}

this.poll_ref.ref(this.handlers.vm);
this.detached = false;
this.socket = socket;
Expand Down Expand Up @@ -1145,6 +1167,7 @@ fn NewSocket(comptime ssl: bool) type {
}

pub fn onHandshake(this: *This, _: Socket, success: i32, ssl_error: uws.us_bun_verify_error_t) void {
log("onHandshake({d})", .{success});
JSC.markBinding(@src());

const authorized = if (success == 1) true else false;
Expand Down Expand Up @@ -1651,6 +1674,10 @@ fn NewSocket(comptime ssl: bool) type {
if (!this.socket.isClosed()) {
this.socket.close(0, null);
}
if (this.connection) |connection| {
connection.deinit();
this.connection = null;
}
this.markInactive();
this.poll_ref.unref(JSC.VirtualMachine.get());
}
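Review bot: Setting the SNI name in `onOpen` via `ssl_ptr.setHostname(host__)` tells the peer which certificate to present, but nothing in this hunk binds that name to certificate verification; unless the BoringSSL wrapper's `setHostname` also calls `SSL_set1_host` (or `X509_VERIFY_PARAM_set1_host`), a certificate valid for any other name would still be accepted when verification is enabled — I cannot see the wrapper, so please confirm and, if it only sets `tlsext_host_name`, add the verify-host call next to it. `normalizeHost` should also reject IP literals, since RFC 6066 forbids them in the SNI extension and BoringSSL will send whatever string it is given; whether it does is not visible here. `default_allocator.dupeZ(u8, host) catch unreachable` turns allocation failure on a network path into a crash; a `catch return` (skipping SNI with a log line) would be safer. The `connection` handle is now owned by the TLS socket and freed in the finalizer, while the TCP path stores `null`; worth a comment stating who frees it on the TCP path so the two branches are not later made to double-free. `onOpen` continues past the added lines with `this.poll_ref.ref(...)`, which is outside the changed region.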