Implement TLS min/max versions and matching CLI behaviour

.gitignore

@@ -183,4 +183,5 @@ codegen-for-zig-team.tar.gz
 *.sock
 scratch*.{js,ts,tsx,cjs,mjs}
 
-*.bun-build
+*.bun-build
+**/.claude/settings.local.json

.vscode/settings.json

@@ -39,6 +39,7 @@
   "zig.zls.path": "${workspaceFolder}/vendor/zig/zls.exe",
   "zig.formattingProvider": "zls",
   "zig.zls.enableInlayHints": false,
+
   "[zig]": {
     "editor.tabSize": 4,
     "editor.useTabStops": false,

cmake/ZigSources.txt

@@ -164,6 +164,7 @@ src/bun.js/node/node_http_binding.zig
 src/bun.js/node/node_net_binding.zig
 src/bun.js/node/node_os.zig
 src/bun.js/node/node_process.zig
+src/bun.js/node/node_tls_binding.zig
 src/bun.js/node/node_util_binding.zig
 src/bun.js/node/node_zlib_binding.zig
 src/bun.js/node/nodejs_error_code.zig
@@ -222,6 +223,7 @@ src/bun.js/webcore/Response.zig
 src/bun.js/webcore/S3Client.zig
 src/bun.js/webcore/S3File.zig
 src/bun.js/webcore/S3Stat.zig
+src/bun.js/webcore/ScriptExecutionContext.zig
 src/bun.js/webcore/Sink.zig
 src/bun.js/webcore/streams.zig
 src/bun.js/webcore/TextDecoder.zig
@@ -580,6 +582,7 @@ src/system_timer.zig
 src/test/fixtures.zig
 src/test/recover.zig
 src/thread_pool.zig
+src/tls.zig
 src/tmp.zig
 src/toml/toml_lexer.zig
 src/toml/toml_parser.zig

packages/bun-types/overrides.d.ts

@@ -2,7 +2,7 @@ export {};
 
 declare global {
   namespace NodeJS {
-    interface ProcessEnv extends Bun.Env, ImportMetaEnv {}
+    interface ProcessEnv extends Bun.Env {}
 
     interface Process {
       readonly version: string;

packages/bun-usockets/src/crypto/openssl.c

@@ -1140,14 +1140,31 @@ SSL_CTX *create_ssl_context_from_bun_options(
   /* Create the context */
   SSL_CTX *ssl_context = SSL_CTX_new(TLS_method());
 
+
   /* Default options we rely on - changing these will break our logic */
   SSL_CTX_set_read_ahead(ssl_context, 1);
   /* we should always accept moving write buffer so we can retry writes with a
    * buffer allocated in a different address */
   SSL_CTX_set_mode(ssl_context, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
+  if (options.min_tls_version > 0) {
+    if (!SSL_CTX_set_min_proto_version(ssl_context, options.min_tls_version)) {
+      free_ssl_context(ssl_context);
+      return NULL; 
+    }
+  } else {
+
+    if (!SSL_CTX_set_min_proto_version(ssl_context, TLS1_2_VERSION)) {
+      free_ssl_context(ssl_context);
+      return NULL;
+    }
+  }
 
-  /* Anything below TLS 1.2 is disabled */
-  SSL_CTX_set_min_proto_version(ssl_context, TLS1_2_VERSION);
+  if (options.max_tls_version > 0) {
+    if (!SSL_CTX_set_max_proto_version(ssl_context, options.max_tls_version)) {
+      free_ssl_context(ssl_context);
+      return NULL;
+    }
+  }
 
   /* The following are helpers. You may easily implement whatever you want by
    * using the native handle directly */

packages/bun-usockets/src/libusockets.h

@@ -237,6 +237,8 @@ struct us_bun_socket_context_options_t {
     int request_cert;
     unsigned int client_renegotiation_limit;
     unsigned int client_renegotiation_window;
+    unsigned int min_tls_version;
+    unsigned int max_tls_version;
 };
 
 /* Return 15-bit timestamp for this context */

packages/bun-uws/src/App.h

@@ -78,6 +78,8 @@ namespace uWS {
         int request_cert = 0;
         unsigned int client_renegotiation_limit = 3;
         unsigned int client_renegotiation_window = 600;
+        unsigned int min_tls_version = 0;
+        unsigned int max_tls_version = 0;
 
         /* Conversion operator used internally */
         operator struct us_bun_socket_context_options_t() const {

src/bun.js/api/bun/socket.zig

@@ -718,6 +718,12 @@ pub const Listener = struct {
             return globalObject.throwValue(err);
         };
 
+        if (ssl_enabled and create_err != .none) {
+            const js_err = create_err.toJS(globalObject);
+            uws.us_socket_context_free(1, socket_context);
+            return globalObject.throwValue(js_err);
+        }
+
         if (ssl_enabled) {
             if (ssl.?.protos) |p| {
                 protos = p[0..ssl.?.protos_len];
@@ -1220,6 +1226,12 @@ pub const Listener = struct {
             return globalObject.throwValue(err.toErrorInstance(globalObject));
         };
 
+        if (ssl_enabled and create_err != .none) {
+            const js_err = create_err.toJS(globalObject);
+            uws.us_socket_context_free(1, socket_context);
+            return globalObject.throwValue(js_err);
+        }
+
         if (ssl_enabled) {
             if (ssl.?.protos) |p| {
                 protos = p[0..ssl.?.protos_len];

src/bun.js/api/server.zig

@@ -649,6 +649,9 @@ pub const ServerConfig = struct {
         client_renegotiation_limit: u32 = 0,
         client_renegotiation_window: u32 = 0,
 
+        min_version: ?u16 = null,
+        max_version: ?u16 = null,
+
         const log = Output.scoped(.SSLConfig, false);
 
         pub fn asUSockets(this: SSLConfig) uws.us_bun_socket_context_options_t {
@@ -685,6 +688,14 @@ pub const ServerConfig = struct {
             ctx_opts.request_cert = this.request_cert;
             ctx_opts.reject_unauthorized = this.reject_unauthorized;
 
+            if (this.min_version) |version| {
+                ctx_opts.min_tls_version = version;
+            }
+
+            if (this.max_version) |version| {
+                ctx_opts.max_tls_version = version;
+            }
+
             return ctx_opts;
         }
 
@@ -715,7 +726,7 @@ pub const ServerConfig = struct {
 
             {
                 //numbers
-                const fields = .{ "secure_options", "request_cert", "reject_unauthorized", "low_memory_mode" };
+                const fields = .{ "secure_options", "request_cert", "reject_unauthorized", "low_memory_mode", "min_version", "max_version" };
 
                 inline for (fields) |field| {
                     const lhs = @field(thisConfig, field);
@@ -1040,6 +1051,16 @@ pub const ServerConfig = struct {
                 any = true;
             }
 
+            if (try obj.getTruthy(global, "minVersion")) |min_version| {
+                result.min_version = @as(u16, @intCast(min_version.toInt32()));
+                any = true;
+            }
+
+            if (try obj.getTruthy(global, "maxVersion")) |max_version| {
+                result.max_version = @as(u16, @intCast(max_version.toInt32()));
+                any = true;
+            }
+
             if (try obj.getTruthy(global, "ciphers")) |ssl_ciphers| {
                 var sliced = try ssl_ciphers.toSlice(global, bun.default_allocator);
                 defer sliced.deinit();

src/bun.js/node/node_tls_binding.zig

@@ -0,0 +1,20 @@
+const std = @import("std");
+
+const bun = @import("bun");
+const JSC = bun.JSC;
+
+pub fn getDefaultMinTLSVersionFromCLIFlag(_: *JSC.JSGlobalObject, _: *JSC.CallFrame) bun.JSError!JSC.JSValue {
+    if (bun.tls.min_tls_version_from_cli_flag) |version| {
+        return JSC.JSValue.jsNumber(version);
+    }
+
+    return JSC.JSValue.jsNull();
+}
+
+pub fn getDefaultMaxTLSVersionFromCLIFlag(_: *JSC.JSGlobalObject, _: *JSC.CallFrame) bun.JSError!JSC.JSValue {
+    if (bun.tls.max_tls_version_from_cli_flag) |version| {
+        return JSC.JSValue.jsNumber(version);
+    }
+
+    return JSC.JSValue.jsNull();
+}

src/bun.zig

@@ -599,6 +599,7 @@ pub const Bunfig = @import("./bunfig.zig").Bunfig;
 
 pub const HTTPThread = @import("./http.zig").HTTPThread;
 pub const http = @import("./http.zig");
+pub const tls = @import("./tls.zig");
 
 pub const Analytics = @import("./analytics/analytics_thread.zig");
 

src/cli.zig

@@ -247,6 +247,12 @@ pub const Arguments = struct {
         clap.parseParam("--zero-fill-buffers                Boolean to force Buffer.allocUnsafe(size) to be zero-filled.") catch unreachable,
         clap.parseParam("--redis-preconnect                Preconnect to $REDIS_URL at startup") catch unreachable,
         clap.parseParam("--no-addons                       Throw an error if process.dlopen is called, and disable export condition \"node-addons\"") catch unreachable,
+        clap.parseParam("--tls-max-v1.2                    Set the maximum TLS version to 1.2") catch unreachable,
+        clap.parseParam("--tls-max-v1.3                    Set the maximum TLS version to 1.3") catch unreachable,
+        clap.parseParam("--tls-min-v1.0                    Set the minimum TLS version to 1") catch unreachable,
+        clap.parseParam("--tls-min-v1.1                    Set the minimum TLS version to 1.1") catch unreachable,
+        clap.parseParam("--tls-min-v1.2                    Set the minimum TLS version to 1.2") catch unreachable,
+        clap.parseParam("--tls-min-v1.3                    Set the minimum TLS version to 1.3") catch unreachable,
     };
 
     const auto_or_run_params = [_]ParamType{
@@ -754,6 +760,27 @@ pub const Arguments = struct {
                 }
             }
 
+            // TLS version flags here are specified in ascending order for MAX, and descending order for MIN
+            // because Node will use the maximum value for --tls-max and the minimum value for --tls-min
+            // See comments on:
+            // - https://bun.sh/reference/node/tls/DEFAULT_MAX_VERSION
+            // - https://bun.sh/reference/node/tls/DEFAULT_MIN_VERSION
+
+            // if (args.flag("--tls-max-v1.0")) bun.tls.max_tls_version = 0x0301;
+            // if (args.flag("--tls-max-v1.1")) bun.tls.max_tls_version = 0x0302;
+            if (args.flag("--tls-max-v1.2")) bun.tls.max_tls_version_from_cli_flag = 0x0303;
+            if (args.flag("--tls-max-v1.3")) bun.tls.max_tls_version_from_cli_flag = 0x0304;
+
+            if (args.flag("--tls-min-v1.3")) bun.tls.min_tls_version_from_cli_flag = 0x0304;
+            if (args.flag("--tls-min-v1.2")) bun.tls.min_tls_version_from_cli_flag = 0x0303;
+            if (args.flag("--tls-min-v1.1")) bun.tls.min_tls_version_from_cli_flag = 0x0302;
+            if (args.flag("--tls-min-v1.0")) bun.tls.min_tls_version_from_cli_flag = 0x0301;
+
+            if (bun.tls.min_tls_version_from_cli_flag != null and bun.tls.max_tls_version_from_cli_flag != null) {
+                Output.errGeneric("either --tls-min-v1.x or --tls-max-v1.x can be used, not both", .{});
+                Global.exit(1);
+            }
+
             ctx.debug.offline_mode_setting = if (args.flag("--prefer-offline"))
                 Bunfig.OfflineMode.offline
             else if (args.flag("--prefer-latest"))

src/deps/uws.zig

@@ -2538,6 +2538,8 @@ pub const us_bun_socket_context_options_t = extern struct {
     request_cert: i32 = 0,
     client_renegotiation_limit: u32 = 3,
     client_renegotiation_window: u32 = 600,
+    min_tls_version: u32 = 0,
+    max_tls_version: u32 = 0,
 };
 
 pub const create_bun_socket_error_t = enum(c_int) {

src/js/builtins.d.ts

@@ -667,6 +667,7 @@ declare function $makeAbortError(message?: string, options?: { cause: Error }):
  */
 declare function $ERR_INVALID_ARG_TYPE(argName: string, expectedType: string, actualValue: any): TypeError;
 declare function $ERR_INVALID_ARG_TYPE(argName: string, expectedTypes: string[], actualValue: any): TypeError;
+declare function $ERR_INVALID_ARG_TYPE(message: string): TypeError;
 declare function $ERR_INVALID_ARG_VALUE(name: string, value: any, reason?: string): TypeError;
 declare function $ERR_UNKNOWN_ENCODING(enc: string): TypeError;
 declare function $ERR_STREAM_DESTROYED(method: string): Error;
@@ -680,7 +681,7 @@ declare function $ERR_MISSING_ARGS(...args: [string, ...string[]]): TypeError;
  */
 declare function $ERR_MISSING_ARGS(oneOf: string[]): TypeError;
 declare function $ERR_INVALID_RETURN_VALUE(expected_type: string, name: string, actual_value: any): TypeError;
-declare function $ERR_TLS_INVALID_PROTOCOL_VERSION(a: string, b: string): TypeError;
+declare function $ERR_TLS_INVALID_PROTOCOL_VERSION(a: import("tls").SecureVersion, b: "maximum" | "minimum"): TypeError;
 declare function $ERR_TLS_PROTOCOL_VERSION_CONFLICT(a: string, b: string): TypeError;
 declare function $ERR_INVALID_IP_ADDRESS(ip: any): TypeError;
 declare function $ERR_INVALID_ADDRESS_FAMILY(addressType, host, port): RangeError;