11 changes: 11 additions & 0 deletions src/bun.js/bindings/ErrorCode.cpp
Expand Up @@ -2278,6 +2278,17 @@ JSC_DEFINE_HOST_FUNCTION(Bun::jsFunctionMakeErrorWithCode, (JSC::JSGlobalObject
return JSC::JSValue::encode(createError(globalObject, ErrorCode::ERR_TLS_CERT_ALTNAME_FORMAT, "Invalid subject alternative name string"_s));
case ErrorCode::ERR_TLS_SNI_FROM_SERVER:
return JSC::JSValue::encode(createError(globalObject, ErrorCode::ERR_TLS_SNI_FROM_SERVER, "Cannot issue SNI from a TLS server-side socket"_s));
case ErrorCode::ERR_SSL_NO_CIPHER_MATCH: {
auto err = createError(globalObject, ErrorCode::ERR_SSL_NO_CIPHER_MATCH, "No cipher match"_s);
Contributor


in node the code is error:0A0000B9:SSL routines::no cipher match. how much do we care about retaining the boringssl message?

Member Author


@Jarred-Sumner Any thoughts?


auto reason = JSC::jsString(vm, WTF::String("no cipher match"_s));
err->putDirect(vm, Identifier::fromString(vm, "reason"_s), reason);

auto library = JSC::jsString(vm, WTF::String("SSL routines"_s));
err->putDirect(vm, Identifier::fromString(vm, "library"_s), library);

return JSC::JSValue::encode(err);
}
case ErrorCode::ERR_INVALID_URI:
return JSC::JSValue::encode(createError(globalObject, ErrorCode::ERR_INVALID_URI, "URI malformed"_s));
case ErrorCode::ERR_HTTP2_PSEUDOHEADER_NOT_ALLOWED:
1 change: 1 addition & 0 deletions src/bun.js/bindings/ErrorCode.ts
Expand Up @@ -236,6 +236,7 @@ const errors: ErrorCodeMapping = [
["ERR_TLS_PSK_SET_IDENTITY_HINT_FAILED", Error],
["ERR_TLS_RENEGOTIATION_DISABLED", Error],
["ERR_TLS_SNI_FROM_SERVER", Error],
["ERR_SSL_NO_CIPHER_MATCH", Error],
["ERR_UNAVAILABLE_DURING_EXIT", Error],
["ERR_UNCAUGHT_EXCEPTION_CAPTURE_ALREADY_SET", Error],
["ERR_UNESCAPED_CHARACTERS", TypeError],
1 change: 1 addition & 0 deletions src/js/builtins.d.ts
Expand Up @@ -744,6 +744,7 @@ declare function $ERR_TLS_RENEGOTIATION_DISABLED(): Error;
declare function $ERR_UNAVAILABLE_DURING_EXIT(): Error;
declare function $ERR_TLS_CERT_ALTNAME_FORMAT(): SyntaxError;
declare function $ERR_TLS_SNI_FROM_SERVER(): Error;
declare function $ERR_SSL_NO_CIPHER_MATCH(): Error;
declare function $ERR_INVALID_URI(): URIError;
declare function $ERR_HTTP2_PSEUDOHEADER_NOT_ALLOWED(): TypeError;
declare function $ERR_HTTP2_INFO_STATUS_NOT_ALLOWED(): RangeError;
28 changes: 25 additions & 3 deletions src/js/node/tls.ts
Expand Up @@ -247,8 +247,10 @@ var InternalSecureContext = class SecureContext {
}
};

function SecureContext(options) {
return new InternalSecureContext(options);
function SecureContext(options): void {
// TODO: The `never` exists because TypeScript only lets you construct functions that return void
// but in reality we should just be calling like InternalSecureContext.$call or similar
return new InternalSecureContext(options) as never;
}

function createSecureContext(options) {
Expand Down Expand Up @@ -562,6 +564,21 @@ function Server(options, secureConnectionListener): void {
if (typeof rejectUnauthorized !== "undefined") {
this._rejectUnauthorized = rejectUnauthorized;
} else this._rejectUnauthorized = rejectUnauthorizedDefault;

if (typeof options.ciphers !== "undefined") {
if (typeof options.ciphers !== "string") {
throw $ERR_INVALID_ARG_TYPE("options.ciphers", "string", options.ciphers);
}

const requested = options.ciphers.split(":");
for (const r of requested) {
if (!DEFAULT_CIPHERS_SET.has(r)) {
throw $ERR_SSL_NO_CIPHER_MATCH();
}
}

// TODO: Use the ciphers?
}
}
};

Expand Down Expand Up @@ -607,6 +624,9 @@ const DEFAULT_ECDH_CURVE = "auto",
DEFAULT_MIN_VERSION = "TLSv1.2",
DEFAULT_MAX_VERSION = "TLSv1.3";

const DEFAULT_CIPHERS_LIST = DEFAULT_CIPHERS.split(":");
const DEFAULT_CIPHERS_SET = new Set([...DEFAULT_CIPHERS_LIST.map(c => c.toLowerCase()), ...DEFAULT_CIPHERS_LIST]);

function normalizeConnectArgs(listArgs) {
const args = net._normalizeArgs(listArgs);
$assert($isObject(args[0]));
Expand All @@ -631,10 +651,12 @@ function normalizeConnectArgs(listArgs) {
function connect(...args) {
let normal = normalizeConnectArgs(args);
const options = normal[0];
const { ALPNProtocols } = options;
const { ALPNProtocols } = options as { ALPNProtocols?: unknown };

if (ALPNProtocols) {
convertALPNProtocols(ALPNProtocols, options);
}

return new TLSSocket(options).connect(normal);
}

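Review bot: The cipher validation added to `Server` (the `if (typeof options.ciphers !== "undefined")` block) accepts the list but never applies it, as the `// TODO: Use the ciphers?` line admits, so a caller who passes `ciphers` to narrow the suite still gets a server negotiating with DEFAULT_CIPHERS. Until the list is wired through, that should be stated where the option is consumed, e.g. `// NOTE: ciphers is only validated against DEFAULT_CIPHERS here; the list is not yet applied to the context, so the negotiated suite is unchanged.` The loop also throws on the first token missing from `DEFAULT_CIPHERS_SET`, whereas OpenSSL's `SSL_CTX_set_cipher_list` fails only when the whole list selects nothing, so a list mixing one known and one unknown name is rejected here but accepted there; if that strictness is intentional it deserves a comment and a test case. `DEFAULT_CIPHERS_SET` holds each name in its original and lower-case spelling only, so a mixed-case token is presumably rejected as well — worth confirming that is the intended matching rule. The `Server` function begins outside the hunk.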
4 changes: 4 additions & 0 deletions src/js/private.d.ts
Expand Up @@ -223,3 +223,7 @@ declare function $newZigFunction<T = (...args: any) => any>(
*/
declare function $bindgenFn<T = (...args: any) => any>(filename: string, symbol: string): T;
// NOTE: $debug, $assert, and $isPromiseFulfilled omitted

declare module "node:net" {
export function _normalizeArgs(args: any[]): unknown[];
}
25 changes: 25 additions & 0 deletions test/js/node/test/parallel/test-tls-set-ciphers-error.js
@@ -0,0 +1,25 @@
'use strict';
const common = require('../common');

if (!common.hasCrypto)
common.skip('missing crypto');

const assert = require('assert');
const tls = require('tls');
const fixtures = require('../common/fixtures');

{
const options = {
key: fixtures.readKey('agent2-key.pem'),
cert: fixtures.readKey('agent2-cert.pem'),
ciphers: 'aes256-sha'
};
assert.throws(() => tls.createServer(options, common.mustNotCall()),
/no[_ ]cipher[_ ]match/i);
options.ciphers = 'FOOBARBAZ';
assert.throws(() => tls.createServer(options, common.mustNotCall()),
/no[_ ]cipher[_ ]match/i);
options.ciphers = 'TLS_not_a_cipher';
assert.throws(() => tls.createServer(options, common.mustNotCall()),
/no[_ ]cipher[_ ]match/i);
}
49 changes: 49 additions & 0 deletions test/js/node/tls/node-tls-no-cipher-match-error.test.ts
@@ -0,0 +1,49 @@
import { describe, expect, test } from "bun:test";
import * as tls from "node:tls";

const fixtures = require("../test/common/fixtures");

describe("TLS No Cipher Match Error code matches Node.js", () => {
test("The error should have all the same properties as Node.js", () => {
const options = {
key: fixtures.readKey("agent2-key.pem"),
cert: fixtures.readKey("agent2-cert.pem"),
ciphers: "aes256-sha",
};

expect(() =>
tls.createServer(options, () => {
throw new Error("should not be called");
}),
).toThrow({
code: "ERR_SSL_NO_CIPHER_MATCH",
message: "No cipher match",
library: "SSL routines",
reason: "no cipher match",
});

options.ciphers = "FOOBARBAZ";
expect(() =>
tls.createServer(options, () => {
throw new Error("should not be called");
}),
).toThrow({
code: "ERR_SSL_NO_CIPHER_MATCH",
message: "No cipher match",
library: "SSL routines",
reason: "no cipher match",
});

options.ciphers = "TLS_not_a_cipher";
expect(() =>
tls.createServer(options, () => {
throw new Error("should not be called");
}),
).toThrow({
code: "ERR_SSL_NO_CIPHER_MATCH",
message: "No cipher match",
library: "SSL routines",
reason: "no cipher match",
});
});
});
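Review bot: The three `expect(() => tls.createServer(...)).toThrow({...})` blocks in the test body are identical except for the `ciphers` value, so a `test.each` over the three strings would state the assertion once and make an added cipher a one-line change. The expected object (`code`, `message`, `library`, `reason`) can likewise be hoisted to a single constant so a change to the Node.js-shaped error is edited in one place. The `require` of fixtures beside the ES `import`s is presumably a constraint of the shared test helpers; if not, an `import` would keep the file consistent.
```typescript
// … unchanged: imports and fixtures require …

const expectedError = {
  code: "ERR_SSL_NO_CIPHER_MATCH",
  message: "No cipher match",
  library: "SSL routines",
  reason: "no cipher match",
};

describe("TLS No Cipher Match Error code matches Node.js", () => {
  test.each(["aes256-sha", "FOOBARBAZ", "TLS_not_a_cipher"])(
    "createServer with ciphers=%s throws the Node.js-shaped error",
    ciphers => {
      const options = {
        key: fixtures.readKey("agent2-key.pem"),
        cert: fixtures.readKey("agent2-cert.pem"),
        ciphers,
      };
      expect(() =>
        tls.createServer(options, () => {
          throw new Error("should not be called");
        }),
      ).toThrow(expectedError);
    },
  );
});
```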