fix(tls) fix ciphers

packages/bun-usockets/src/crypto/default_ciphers.h

@@ -0,0 +1,58 @@
+// TLSv1.3 suites start with TLS_, and are the OpenSSL defaults, see:
+//   https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_ciphersuites.html
+#ifndef DEFAULT_CIPHER_LIST
+#define DEFAULT_CIPHER_LIST \
+                                 "ECDHE-RSA-AES128-GCM-SHA256:"     \
+                                 "ECDHE-ECDSA-AES128-GCM-SHA256:"   \
+                                 "ECDHE-RSA-AES256-GCM-SHA384:"     \
+                                 "ECDHE-ECDSA-AES256-GCM-SHA384:"   \
+                                 "ECDHE-RSA-AES128-SHA256:"         \
+                                 "ECDHE-RSA-AES256-SHA384:"         \
+                                 "HIGH:"                            \
+                                 "!aNULL:"                          \
+                                 "!eNULL:"                          \
+                                 "!EXPORT:"                         \
+                                 "!DES:"                            \
+                                 "!RC4:"                            \
+                                 "!MD5:"                            \
+                                 "!PSK:"                            \
+                                 "!SRP:"                            \
+                                 "!CAMELLIA"
+#endif
+
+// BoringSSL does not support legacy DHE ciphers and dont support SSL_CTX_set_cipher_list (see https://github.com/envoyproxy/envoy/issues/8848#issuecomment-548672667)
+// Node.js full list bellow
+
+// In node.js they filter TLS_* ciphers and use SSL_CTX_set_cipher_list (TODO: Electron has a patch https://github.com/nodejs/node/issues/25890)
+// if passed to SSL_CTX_set_cipher_list it will be filtered out and not used in BoringSSL
+// "TLS_AES_256_GCM_SHA384:"          \
+// "TLS_CHACHA20_POLY1305_SHA256:"    \
+// "TLS_AES_128_GCM_SHA256:"          \
+
+// Supported by BoringSSL:
+// "ECDHE-RSA-AES128-GCM-SHA256:"     \
+// "ECDHE-ECDSA-AES128-GCM-SHA256:"   \
+// "ECDHE-RSA-AES256-GCM-SHA384:"     \
+// "ECDHE-ECDSA-AES256-GCM-SHA384:"   \
+// "ECDHE-RSA-AES128-SHA256:"         \
+// "ECDHE-RSA-AES256-SHA384:"         \
+
+// Not supported by BoringSSL:
+// "ECDHE-RSA-AES256-SHA256:"         \
+// "DHE-RSA-AES128-GCM-SHA256:"       \
+// "DHE-RSA-AES128-SHA256:"           \
+// "DHE-RSA-AES256-SHA384:"           \
+// "DHE-RSA-AES256-SHA256:"           \
+
+
+// Also present in Node.js and supported by BoringSSL:
+// "HIGH:"                            \
+// "!aNULL:"                          \
+// "!eNULL:"                          \
+// "!EXPORT:"                         \
+// "!DES:"                            \
+// "!RC4:"                            \
+// "!MD5:"                            \
+// "!PSK:"                            \
+// "!SRP:"                            \
+// "!CAMELLIA"

packages/bun-usockets/src/crypto/openssl.c

@@ -45,7 +45,7 @@ void *sni_find(void *sni, const char *hostname);
 #endif
 
 #include "./root_certs_header.h"
-
+#include "./default_ciphers.h"
 struct loop_ssl_data {
   char *ssl_read_input, *ssl_read_output;
   unsigned int ssl_read_input_length;
@@ -848,21 +848,24 @@ create_ssl_context_from_options(struct us_socket_context_options_t options) {
       return NULL;
     }
 
-    /* OWASP Cipher String 'A+'
-     * (https://www.owasp.org/index.php/TLS_Cipher_String_Cheat_Sheet) */
-    if (SSL_CTX_set_cipher_list(
-            ssl_context,
-            "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-"
-            "AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256") != 1) {
+    if (!SSL_CTX_set_cipher_list(ssl_context, DEFAULT_CIPHER_LIST)) {
       free_ssl_context(ssl_context);
       return NULL;
     }
   }
 
   if (options.ssl_ciphers) {
-    if (SSL_CTX_set_cipher_list(ssl_context, options.ssl_ciphers) != 1) {
-      free_ssl_context(ssl_context);
-      return NULL;
+    if (!SSL_CTX_set_cipher_list(ssl_context, options.ssl_ciphers)) {
+      unsigned long ssl_err = ERR_get_error(); 
+      if (!(strlen(options.ssl_ciphers) == 0 && ERR_GET_REASON(ssl_err) == SSL_R_NO_CIPHER_MATCH)) {
+        // TLS1.2 ciphers were deliberately cleared, so don't consider
+        // SSL_R_NO_CIPHER_MATCH to be an error (this is how _set_cipher_suites()
+        // works). If the user actually sets a value (like "no-such-cipher"), then
+        // that's actually an error.
+        free_ssl_context(ssl_context);
+        return NULL;
+      }
+      ERR_clear_error();
     }
   }
 
@@ -1288,21 +1291,27 @@ SSL_CTX *create_ssl_context_from_bun_options(
       return NULL;
     }
 
-    /* OWASP Cipher String 'A+'
-     * (https://www.owasp.org/index.php/TLS_Cipher_String_Cheat_Sheet) */
-    if (SSL_CTX_set_cipher_list(
-            ssl_context,
-            "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-"
-            "AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256") != 1) {
+    if (!SSL_CTX_set_cipher_list(ssl_context, DEFAULT_CIPHER_LIST)) {
       free_ssl_context(ssl_context);
       return NULL;
     }
   }
 
   if (options.ssl_ciphers) {
-    if (SSL_CTX_set_cipher_list(ssl_context, options.ssl_ciphers) != 1) {
-      free_ssl_context(ssl_context);
-      return NULL;
+    if (!SSL_CTX_set_cipher_list(ssl_context, options.ssl_ciphers)) {
+      unsigned long ssl_err = ERR_get_error(); 
+      if (!(strlen(options.ssl_ciphers) == 0 && ERR_GET_REASON(ssl_err) == SSL_R_NO_CIPHER_MATCH)) {
+        char error_msg[256];
+        ERR_error_string_n(ERR_peek_last_error(), error_msg, sizeof(error_msg));
+        // TLS1.2 ciphers were deliberately cleared, so don't consider
+        // SSL_R_NO_CIPHER_MATCH to be an error (this is how _set_cipher_suites()
+        // works). If the user actually sets a value (like "no-such-cipher"), then
+        // that's actually an error.
+        *err = CREATE_BUN_SOCKET_ERROR_INVALID_CIPHERS;  
+        free_ssl_context(ssl_context);
+        return NULL;
+      }
+      ERR_clear_error();
     }
   }
 

packages/bun-usockets/src/crypto/root_certs.cpp

@@ -5,6 +5,7 @@
 #include "./internal/internal.h"
 #include <atomic>
 #include <string.h>
+#include "./default_ciphers.h"
 static const int root_certs_size = sizeof(root_certs) / sizeof(root_certs[0]);
 
 extern "C" void BUN__warn__extra_ca_load_failed(const char* filename, const char* error_msg);
@@ -184,3 +185,6 @@ extern "C" X509_STORE *us_get_default_ca_store() {
 
   return store;
 }
+extern "C" const char *us_get_default_ciphers() {
+  return DEFAULT_CIPHER_LIST;
+}

packages/bun-usockets/src/libusockets.h

@@ -262,6 +262,7 @@ enum create_bun_socket_error_t {
   CREATE_BUN_SOCKET_ERROR_LOAD_CA_FILE,
   CREATE_BUN_SOCKET_ERROR_INVALID_CA_FILE,
   CREATE_BUN_SOCKET_ERROR_INVALID_CA,
+  CREATE_BUN_SOCKET_ERROR_INVALID_CIPHERS,
 };
 
 struct us_socket_context_t *us_create_bun_ssl_socket_context(struct us_loop_t *loop,

src/bun.js/api/BunObject.zig

@@ -1306,6 +1306,15 @@ pub fn getS3DefaultClient(globalThis: *jsc.JSGlobalObject, _: *jsc.JSObject) jsc
     return globalThis.bunVM().rareData().s3DefaultClient(globalThis);
 }
 
+pub fn getTLSDefaultCiphers(globalThis: *jsc.JSGlobalObject, _: *jsc.JSObject) jsc.JSValue {
+    return globalThis.bunVM().rareData().tlsDefaultCiphers();
+}
+
+pub fn setTLSDefaultCiphers(globalThis: *jsc.JSGlobalObject, _: *jsc.JSObject, ciphers: jsc.JSValue) jsc.JSValue {
+    globalThis.bunVM().rareData().setTLSDefaultCiphers(ciphers);
+    return .js_undefined;
+}
+
 pub fn getValkeyDefaultClient(globalThis: *jsc.JSGlobalObject, _: *jsc.JSObject) jsc.JSValue {
     const valkey = jsc.API.Valkey.create(globalThis, &.{.js_undefined}) catch |err| {
         if (err != error.JSError) {

src/bun.js/api/server/SSLConfig.zig

@@ -1,6 +1,5 @@
 const SSLConfig = @This();
 
-requires_custom_request_ctx: bool = false,
 server_name: [*c]const u8 = null,
 
 key_file_name: [*c]const u8 = null,
@@ -10,7 +9,6 @@ ca_file_name: [*c]const u8 = null,
 dh_params_file_name: [*c]const u8 = null,
 
 passphrase: [*c]const u8 = null,
-low_memory_mode: bool = false,
 
 key: ?[][*c]const u8 = null,
 key_count: u32 = 0,
@@ -29,6 +27,9 @@ protos: ?[*:0]const u8 = null,
 protos_len: usize = 0,
 client_renegotiation_limit: u32 = 0,
 client_renegotiation_window: u32 = 0,
+requires_custom_request_ctx: bool = false,
+is_using_default_ciphers: bool = true,
+low_memory_mode: bool = false,
 
 const BlobFileContentResult = struct {
     data: [:0]const u8,
@@ -168,10 +169,18 @@ pub fn deinit(this: *SSLConfig) void {
         "ca_file_name",
         "dh_params_file_name",
         "passphrase",
-        "ssl_ciphers",
         "protos",
     };
 
+    if (!this.is_using_default_ciphers) {
+        if (this.ssl_ciphers) |slice_ptr| {
+            const slice = std.mem.span(slice_ptr);
+            if (slice.len > 0) {
+                bun.freeSensitive(bun.default_allocator, slice);
+            }
+        }
+    }
+
     inline for (fields) |field| {
         if (@field(this, field)) |slice_ptr| {
             const slice = std.mem.span(slice_ptr);
@@ -452,10 +461,14 @@ pub fn fromJS(vm: *jsc.VirtualMachine, global: *jsc.JSGlobalObject, obj: jsc.JSV
         defer sliced.deinit();
         if (sliced.len > 0) {
             result.ssl_ciphers = try bun.default_allocator.dupeZ(u8, sliced.slice());
+            result.is_using_default_ciphers = false;
             any = true;
             result.requires_custom_request_ctx = true;
         }
     }
+    if (result.is_using_default_ciphers) {
+        result.ssl_ciphers = global.bunVM().rareData().tlsDefaultCiphers() orelse null;
+    }
 
     if (try obj.getTruthy(global, "serverName") orelse try obj.getTruthy(global, "servername")) |server_name| {
         var sliced = try server_name.toSlice(global, bun.default_allocator);

src/bun.js/bindings/NodeTLS.cpp

@@ -72,4 +72,17 @@ JSC_DEFINE_HOST_FUNCTION(getExtraCACertificates, (JSC::JSGlobalObject * globalOb
     RELEASE_AND_RETURN(scope, JSValue::encode(JSC::objectConstructorFreeze(globalObject, rootCertificates)));
 }
 
+extern "C" JSC::EncodedJSValue Bun__getTLSDefaultCiphers(JSC::JSGlobalObject* globalObject, JSC::CallFrame* callFrame);
+extern "C" JSC::EncodedJSValue Bun__setTLSDefaultCiphers(JSC::JSGlobalObject* globalObject, JSC::CallFrame* callFrame);
+
+JSC_DEFINE_HOST_FUNCTION(getDefaultCiphers, (JSC::JSGlobalObject * globalObject, JSC::CallFrame* callFrame))
+{
+    return Bun__getTLSDefaultCiphers(globalObject, callFrame);
+}
+
+JSC_DEFINE_HOST_FUNCTION(setDefaultCiphers, (JSC::JSGlobalObject * globalObject, JSC::CallFrame* callFrame))
+{
+    return Bun__setTLSDefaultCiphers(globalObject, callFrame);
+}
+
 } // namespace Bun

src/bun.js/bindings/NodeTLS.h

@@ -6,5 +6,7 @@ namespace Bun {
 BUN_DECLARE_HOST_FUNCTION(Bun__canonicalizeIP);
 JSC_DECLARE_HOST_FUNCTION(getBundledRootCertificates);
 JSC_DECLARE_HOST_FUNCTION(getExtraCACertificates);
+JSC_DECLARE_HOST_FUNCTION(getDefaultCiphers);
+JSC_DECLARE_HOST_FUNCTION(setDefaultCiphers);
 
 }

src/bun.js/rare_data.zig

@@ -39,6 +39,8 @@ default_csrf_secret: []const u8 = "",
 
 valkey_context: ValkeyContext = .{},
 
+tls_default_ciphers: ?[:0]const u8 = null,
+
 const PipeReadBuffer = [256 * 1024]u8;
 const DIGESTED_HMAC_256_LEN = 32;
 pub const AWSSignatureCache = struct {
@@ -421,6 +423,31 @@ pub export fn Bun__Process__getStdinFdType(vm: *jsc.VirtualMachine, fd: i32) Std
     }
 }
 
+fn setTLSDefaultCiphersFromJS(globalThis: *jsc.JSGlobalObject, callframe: *jsc.CallFrame) bun.JSError!jsc.JSValue {
+    const vm = globalThis.bunVM();
+    const args = callframe.arguments();
+    const ciphers = if (args.len > 0) args[0] else .js_undefined;
+    if (!ciphers.isString()) return globalThis.throwInvalidArgumentTypeValue("ciphers", "string", ciphers);
+    var sliced = try ciphers.toSlice(globalThis, bun.default_allocator);
+    defer sliced.deinit();
+    vm.rareData().setTLSDefaultCiphers(sliced.slice());
+    return .js_undefined;
+}
+
+fn getTLSDefaultCiphersFromJS(globalThis: *jsc.JSGlobalObject, _: *jsc.CallFrame) bun.JSError!jsc.JSValue {
+    const vm = globalThis.bunVM();
+    const ciphers = vm.rareData().tlsDefaultCiphers() orelse return try bun.String.createUTF8ForJS(globalThis, bun.uws.get_default_ciphers());
+
+    return try bun.String.createUTF8ForJS(globalThis, ciphers);
+}
+
+comptime {
+    const js_setTLSDefaultCiphers = jsc.toJSHostFn(setTLSDefaultCiphersFromJS);
+    @export(&js_setTLSDefaultCiphers, .{ .name = "Bun__setTLSDefaultCiphers" });
+    const js_getTLSDefaultCiphers = jsc.toJSHostFn(getTLSDefaultCiphersFromJS);
+    @export(&js_getTLSDefaultCiphers, .{ .name = "Bun__getTLSDefaultCiphers" });
+}
+
 pub fn spawnIPCContext(rare: *RareData, vm: *jsc.VirtualMachine) *uws.SocketContext {
     if (rare.spawn_ipc_usockets_context) |ctx| {
         return ctx;
@@ -466,6 +493,17 @@ pub fn s3DefaultClient(rare: *RareData, globalThis: *jsc.JSGlobalObject) jsc.JSV
     };
 }
 
+pub fn tlsDefaultCiphers(this: *RareData) ?[:0]const u8 {
+    return this.tls_default_ciphers orelse null;
+}
+
+pub fn setTLSDefaultCiphers(this: *RareData, ciphers: []const u8) void {
+    if (this.tls_default_ciphers) |old_ciphers| {
+        bun.default_allocator.free(old_ciphers);
+    }
+    this.tls_default_ciphers = bun.default_allocator.dupeZ(u8, ciphers) catch bun.outOfMemory();
+}
+
 pub fn defaultCSRFSecret(this: *RareData) []const u8 {
     if (this.default_csrf_secret.len == 0) {
         const secret = bun.default_allocator.alloc(u8, 16) catch bun.outOfMemory();
@@ -498,6 +536,11 @@ pub fn deinit(this: *RareData) void {
         deflate.deinit();
     }
 
+    if (this.tls_default_ciphers) |ciphers| {
+        this.tls_default_ciphers = null;
+        bun.default_allocator.free(ciphers);
+    }
+
     this.valkey_context.deinit();
 }
 

src/deps/uws.zig

@@ -69,6 +69,7 @@ pub const create_bun_socket_error_t = enum(c_int) {
     load_ca_file,
     invalid_ca_file,
     invalid_ca,
+    invalid_ciphers,
 
     pub fn toJS(this: create_bun_socket_error_t, globalObject: *jsc.JSGlobalObject) jsc.JSValue {
         return switch (this) {
@@ -79,6 +80,7 @@ pub const create_bun_socket_error_t = enum(c_int) {
             .load_ca_file => globalObject.ERR(.BORINGSSL, "Failed to load CA file", .{}).toJS(),
             .invalid_ca_file => globalObject.ERR(.BORINGSSL, "Invalid CA file", .{}).toJS(),
             .invalid_ca => globalObject.ERR(.BORINGSSL, "Invalid CA", .{}).toJS(),
+            .invalid_ciphers => globalObject.ERR(.BORINGSSL, "Invalid ciphers", .{}).toJS(),
         };
     }
 };
@@ -144,6 +146,14 @@ pub const LIBUS_SOCKET_DESCRIPTOR = switch (bun.Environment.isWindows) {
     false => i32,
 };
 
+const c = struct {
+    pub extern fn us_get_default_ciphers() [*:0]const u8;
+};
+
+pub fn get_default_ciphers() [:0]const u8 {
+    return c.us_get_default_ciphers()[0..bun.len(c.us_get_default_ciphers()) :0];
+}
+
 const bun = @import("bun");
 const Environment = bun.Environment;
 const jsc = bun.jsc;