node:tls: accept Ed25519 server certificates during client verification

[robobun]

Fixes #32234

Problem

A TLS client connecting to a server that presents an Ed25519 certificate always fails hostname verification:

ed: ERROR Hostname/IP does not match certificate's altnames: Cert does not contain a DNS name

RSA and ECDSA P-256/P-384 certificates work; Node verifies all of them. The peer certificate comes back empty (subjectaltname: undefined even in detailed mode), so the internal checkServerIdentity finds no DNS names and rejects with ERR_TLS_CERT_ALTNAME_INVALID. Real-world impact: connecting to servers whose PKI issues Ed25519 certs (e.g. NATS behind cert-manager) works under Node but breaks under Bun.

During review this turned out to affect ECDSA P-521 leaf certificates too, for the same underlying reason.

Root cause

BoringSSL's default accepted signature-algorithm list for verifying a peer certificate (kVerifySignatureAlgorithms in ssl/extensions.cc) omits SSL_SIGN_ED25519 and SSL_SIGN_ECDSA_SECP521R1_SHA512, even though its signing list (kSignSignatureAlgorithms) includes both. Bun never overrode this, so the client never advertised Ed25519 or P-521 in the signature_algorithms extension. A TLS 1.3 handshake against an Ed25519 or P-521 leaf then could not complete; the connection degraded with an empty peer certificate, which surfaced as the bogus hostname error. This also explains why Bun's server presents Ed25519 fine (it signs) while its client cannot verify it. OpenSSL (and therefore Node) accepts both by default.

Fix

Set explicit verify signature-algorithm preferences on the client SSL_CTX (BoringSSL's default list plus SSL_SIGN_ED25519 and SSL_SIGN_ECDSA_SECP521R1_SHA512), matching the OpenSSL defaults Node relies on. The list is applied once in the shared us_ssl_ctx_build_raw in packages/bun-usockets/src/crypto/openssl.c, which backs every node:tls / Bun.connect / fetch / node:https context, and reused for the QUIC client context in quic.c so HTTP/3 stays consistent. Because the SSL_CTX is mode-neutral, the same list governs verifying client certificates, so a Bun server doing mTLS now accepts these client certs too, matching Node.

The fixing line is the SSL_CTX_set_verify_algorithm_prefs call (via the shared us_ssl_ctx_set_verify_signature_algorithms helper); the rest is the algorithm list and its reuse in QUIC.

Verification

• test/js/node/tls/node-tls-connect.test.ts: a matrix test stands up a tls.createServer with an Ed25519, RSA, ECDSA P-256, and ECDSA P-521 leaf (each subjectAltName=DNS:localhost,IP:127.0.0.1) and connects with tls.connect({ ca, servername: "localhost" }), asserting authorized === true and getPeerCertificate(true).subjectaltname === "DNS:localhost, IP Address:127.0.0.1". Before the fix, Ed25519 and P-521 fail (ERR_TLS_CERT_ALTNAME_INVALID) while RSA and P-256 pass, proving the fix does not regress them.
• test/js/web/fetch/fetch-http3-client.test.ts: an HTTP/3 test connects to an Ed25519 server via fetch(url, { protocol: "http3" }), which exercises the QUIC client context. Without the fix the h3 handshake fails with HTTP3HandshakeFailed during signature_algorithms negotiation (before the verify callback, so rejectUnauthorized: false cannot mask it); with the fix it returns 200.

# USE_SYSTEM_BUN=1 (pre-fix):  ed25519 + p521 fail, rsa + p256 pass
# bun bd (post-fix):           full tls matrix + h3 ed25519 green

---

Rebased onto main (resolving conflicts from #31155) and squashed into a single commit; the empty ci: retrigger commit was dropped. Conflict resolution: #31155 added explicit minVersion/maxVersion handling in us_ssl_ctx_build_raw at the same spot this PR adds the verify-sigalgs call, so its version handling is kept and the sigalgs call runs right after it (the previously-hardcoded TLS1_2_VERSION line is dropped in favor of #31155s option-aware one). In node-tls-connect.test.ts both branches appended tests at end-of-file; both are kept. Matrix + h3 tests verified green on the rebased tree.

[robobun]

^{Updated 9:01 PM PT - Jun 16th, 2026}

✅ @robobun, your commit 2f40188bc708026cde6e1b62e7fc5ea4f1367b4c passed in Build #63055! 🎉

---

🧪   To try this PR locally:

bunx bun-pr 32235

That installs a local version of the PR into your bun-32235 executable, so you can run:

bun-32235 --bun

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

This PR adds a BoringSSL/OpenSSL helper that sets verification signature-algorithm preferences (including Ed25519 and P-521), applies it when building SSL_CTX for standard TLS and QUIC clients, and adds tests validating connections for Ed25519, RSA, and ECDSA server certificates.

Changes

Ed25519 certificate signature algorithm verification

Layer / File(s)	Summary
Signature algorithm verification configuration in OpenSSL packages/bun-usockets/src/crypto/openssl.c	New us_ssl_ctx_set_verify_signature_algorithms() defines a preference list including Ed25519/P-521 and applies it to an SSL_CTX via SSL_CTX_set_verify_algorithm_prefs; called from us_ssl_ctx_build_raw.
QUIC client signature algorithm configuration packages/bun-usockets/src/quic.c	Adds external declaration and invokes us_ssl_ctx_set_verify_signature_algorithms(ssl) during QUIC client SSL_CTX setup to enable accepting Ed25519 peer signatures.
Multi-algorithm Node TLS tests test/js/node/tls/node-tls-connect.test.ts	Embedded PEM fixtures for ed25519, rsa, ecdsa, and p521 and a test that starts per-algorithm TLS servers, connects trusting only the matching cert, asserts subjectaltname and socket.authorized.
HTTP/3 Ed25519 regression test test/js/web/fetch/fetch-http3-client.test.ts	Adds Ed25519 certificate/key fixture and an HTTP/3-only server test that performs a fetch over HTTP/3 to verify TLS handshake succeeds with an Ed25519 server certificate.

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately and specifically describes the main change: enabling Bun's TLS client to accept Ed25519 (and P-521) server certificates during verification, matching Node behavior.
Description check	✅ Passed	The PR description comprehensively addresses both required template sections: it explains the problem (Ed25519/P-521 certs fail verification), root cause (BoringSSL's default list omits these algorithms), fix (setting explicit verify signature-algorithm preferences), and verification (matrix test + HTTP/3 test with specific assertions).
Linked Issues check	✅ Passed	All coding requirements from issue #32234 are met: Ed25519 certificates are now accepted during client verification, subjectAltName is properly retained, hostname verification succeeds, and the fix applies consistently across tls/fetch/QUIC/mTLS contexts matching Node behavior.
Out of Scope Changes check	✅ Passed	All code changes are scoped to the stated objectives: signature-algorithm configuration in openssl.c and quic.c, plus comprehensive test coverage for Ed25519/P-521/RSA/ECDSA P-256 verification and HTTP/3 scenarios; no unrelated changes detected.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/bun-usockets/src/quic.c`:
- Around line 1127-1128: Add a QUIC/HTTP3 client test that covers the
us_create_quic_client_context(...) code path and verifies an Ed25519 server
certificate so this SSL_CTX change cannot regress; specifically, extend the
existing TLS client test matrix to include an HTTP/3/QUIC client case (mirroring
the tls.connect() TCP case) that performs a QUIC connection to the test server
using us_create_quic_client_context(...) and asserts the server certificate is
accepted when signed with Ed25519 (use the same test certificate fixtures and
expectations as the TCP Ed25519 case). Ensure the new test exercises the
QUIC-only code path that calls us_ssl_ctx_set_verify_signature_algorithms(ssl)
and fails if Ed25519 verification is broken.

In `@test/js/node/tls/node-tls-connect.test.ts`:
- Around line 678-684: The test currently calls server.close() in the finally
block without awaiting it; change the cleanup to await the server shutdown by
replacing server.close() with awaiting its callback (e.g. await new
Promise<void>(resolve => server.close(resolve))) so the finally block only
returns after the TLS server and accepted sockets are fully closed; update the
finally in the test that references the server variable accordingly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 7d509436-aae2-4592-8cae-9cb1b81a8a34

📥 Commits

Reviewing files that changed from the base of the PR and between a0e221e and c8fe685.

📒 Files selected for processing (3)

• packages/bun-usockets/src/crypto/openssl.c
• packages/bun-usockets/src/quic.c
• test/js/node/tls/node-tls-connect.test.ts

[claude]

Thanks for addressing the P-521 gap and the test cleanup — the change looks correct and well-tested to me, but since it now hardcodes the verify sigalg allowlist for every TLS/QUIC connection in Bun, I'd like a human to sign off on the final list.

Extended reasoning...

Overview

This PR adds an explicit SSL_CTX_set_verify_algorithm_prefs call in us_ssl_ctx_build_raw (openssl.c) and in us_create_quic_client_context (quic.c), supplying a hardcoded list of accepted peer signature algorithms — BoringSSL's default kVerifySignatureAlgorithms plus SSL_SIGN_ED25519 and SSL_SIGN_ECDSA_SECP521R1_SHA512. It adds a 4-algorithm (ed25519/rsa/ecdsa/p521) tls.connect matrix test and an HTTP/3 Ed25519 regression test.

Security risks

The change widens the set of signature algorithms the TLS client will accept when verifying a server (or, in mTLS, a client) certificate. Ed25519 and ECDSA P-521 are both standard, secure algorithms that OpenSSL and Node.js already accept by default, so this aligns Bun with Node rather than weakening security. The list otherwise mirrors BoringSSL's existing defaults verbatim. I don't see an injection, auth-bypass, or downgrade vector here. The notable risk surface is that Bun now owns this list explicitly: future BoringSSL changes to its default verify list will no longer flow through automatically.

Level of scrutiny

This is core TLS/crypto code on the certificate-verification path, executed for every node:tls / Bun.connect / fetch / node:https / HTTP/3 connection. Per the approval guidelines I shouldn't auto-approve security-sensitive crypto changes even when they look correct — the policy decision to take ownership of the verify sigalg list (and exactly which entries belong in it) is worth a human reviewer's eyes.

Other factors

All prior review feedback (my P-521 note, CodeRabbit's await-close and QUIC-regression asks) is addressed in 33ea391. The bug-hunting system found no issues on the latest revision. The CI failure looks like an unrelated musl LTO linking problem, not this change. Test coverage is good and proves no regression for RSA/ECDSA.

[robobun]

CI status for maintainers: the diff is green; the red lanes are unrelated flaky/environment tests, not this change.

This PR only touches BoringSSL verify-sigalgs (openssl.c / quic.c) plus two TLS test files, and those pass everywhere they run (e.g. node-tls-connect.test.ts 29 pass on the darwin shard). The red test-bun lanes have been unrelated, non-TLS failures:

• Build 62329 (current): test/cli/init/init.test.ts fails because bun init scaffolds an extra CLAUDE.md agent-rule file the snapshot does not expect (env-sensitive on the agent runner; see fix(init): respect --minimal flag for agent rule files #26051). Nothing to do with TLS.
• Builds 62254 / 62259 (earlier): package-manager install tests (bun-install.test.ts "should handle bitbucket git dependencies", complex-workspace.test.ts) failing on an external Bitbucket outage (HTTP 503 / SSH reset from every agent).

None touch the signature-algorithm code this PR changes. I have already used my one retrigger (62259), so these need a re-run on green infra rather than another retrigger from me.

[Jarred-Sumner]

Cna you double check this list matches what node does?

[robobun]

Good call, it did not match, and I adjusted it. I parsed the raw ClientHello each runtime emits and compared the signature_algorithms (ext 13) lists.

Node v24 (OpenSSL 3) sends, in order:
ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, ed25519, ed448, rsa_pss_pss_sha256/384/512, rsa_pss_rsae_sha256/384/512, rsa_pkcs1_sha256/384/512 (+ the SHA-224 / DSA legacy pairs). Note: no rsa_pkcs1_sha1.

My list before led with ed25519, interleaved ECDSA/RSA per hash tier, and kept rsa_pkcs1_sha1 (inherited from BoringSSL’s default). So: wrong order, and one extra algorithm Node does not advertise.

BoringSSL has no SSL_SIGN_* constant for ed448, rsa_pss_pss_*, SHA-224, or DSA, so those four families physically cannot be listed from BoringSSL. For every algorithm BoringSSL does implement, I reordered to Node’s exact order and dropped rsa_pkcs1_sha1 to match Node:

ecdsa_secp256r1_sha256
ecdsa_secp384r1_sha384
ecdsa_secp521r1_sha512
ed25519
rsa_pss_rsae_sha256
rsa_pss_rsae_sha384
rsa_pss_rsae_sha512
rsa_pkcs1_sha256
rsa_pkcs1_sha384
rsa_pkcs1_sha512

This is now a strict subsequence of Node’s list (identical order, only the 4 BoringSSL-unsupported families missing). Dropping sha1 means Bun no longer accepts SHA-1-signed peer signatures, matching Node (and TLS 1.3 forbids sha1 anyway). Rebuilding to confirm the emitted bytes against the Node capture.

[robobun]

Confirmed after rebuild, parsing the actual ClientHello bytes each runtime emits:

node: 0403,0503,0603,0807,0808,0809,080a,080b,0804,0805,0806,0401,0501,0601,0303,0301,0302,0402,0502,0602
bun : 0403,0503,0603,0807,          0804,0805,0806,0401,0501,0601

Bun’s signature_algorithms is now an exact ordered subsequence of Node’s. The only gaps are the families BoringSSL has no SSL_SIGN_* value for: ed448 (0808), rsa_pss_pss_* (0809/0a/0b), and the SHA-224/DSA legacy pairs (0303/0301/0302/0402/0502/0602). sha1 is gone on both sides.

No test regressions from the reorder + sha1 drop: node-tls connect/cert/server (61 pass), the ed25519/rsa/ecdsa/p521 matrix (4 pass), and the h3 suite incl. the Ed25519 case (51 pass). Pushed in 95803e4.

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

packages/bun-usockets/src/crypto/openssl.c (1)

457-490: ⚠️ Potential issue | 🟠 Major

Check SSL_CTX_set_verify_algorithm_prefs return value, matching the cipher-list error handling.

The helper us_ssl_ctx_set_verify_signature_algorithms() discards the return value of SSL_CTX_set_verify_algorithm_prefs() by returning void. In the same file, SSL_CTX_set_cipher_list() is checked with if (!) and fails the context on error — apply the same pattern here. If signature-algorithm setup fails silently, the context retains BoringSSL's default list, recreating the Ed25519/P-521 verification failure this PR fixes. Change the helper to return int (matching BoringSSL's actual return type), check both call sites (openssl.c:510 in us_ssl_ctx_build_raw and quic.c:1128), and call ssl_ctx_build_fail() or equivalent on failure.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/bun-usockets/src/crypto/openssl.c` around lines 457 - 490, The
function us_ssl_ctx_set_verify_signature_algorithms() currently returns void and
does not check the return value of SSL_CTX_set_verify_algorithm_prefs(),
allowing silent failures that leave BoringSSL's default algorithm list in place,
recreating the Ed25519/P-521 verification issue. Change the function to return
int (matching BoringSSL's actual return type for
SSL_CTX_set_verify_algorithm_prefs), check its return value, and call
ssl_ctx_build_fail() or equivalent on failure. Update both call sites in
us_ssl_ctx_build_raw and the corresponding call in quic.c to check the return
value of us_ssl_ctx_set_verify_signature_algorithms() and handle errors
consistently with how cipher-list setup errors are currently handled.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@packages/bun-usockets/src/crypto/openssl.c`:
- Around line 457-490: The function us_ssl_ctx_set_verify_signature_algorithms()
currently returns void and does not check the return value of
SSL_CTX_set_verify_algorithm_prefs(), allowing silent failures that leave
BoringSSL's default algorithm list in place, recreating the Ed25519/P-521
verification issue. Change the function to return int (matching BoringSSL's
actual return type for SSL_CTX_set_verify_algorithm_prefs), check its return
value, and call ssl_ctx_build_fail() or equivalent on failure. Update both call
sites in us_ssl_ctx_build_raw and the corresponding call in quic.c to check the
return value of us_ssl_ctx_set_verify_signature_algorithms() and handle errors
consistently with how cipher-list setup errors are currently handled.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: e30cc620-2137-4d3f-85f0-56060b3f5108

📥 Commits

Reviewing files that changed from the base of the PR and between 33ea391 and 95803e4.

📒 Files selected for processing (1)

• packages/bun-usockets/src/crypto/openssl.c

[robobun]

Addressed the verify-sigalgs return-value check in 92bca83: us_ssl_ctx_set_verify_signature_algorithms now returns the SSL_CTX_set_verify_algorithm_prefs result, and both call sites (us_ssl_ctx_build_raw and the QUIC client context) fail the context on error instead of silently falling back to BoringSSL’s default list, matching the SSL_CTX_set_cipher_list handling in the same file. Emitted signature_algorithms is unchanged (still the Node-matching subsequence); matrix + h3 tests still green.

[claude]

No issues found and my earlier P-521 note was addressed — but this now hardcodes the verify signature_algorithms list for every TLS/QUIC context (and drops rsa_pkcs1_sha1 vs BoringSSL's previous default), so it's worth a maintainer sign-off before merge.

Extended reasoning...

Overview

The PR adds a static us_verify_signature_algorithms[] list in packages/bun-usockets/src/crypto/openssl.c and applies it via SSL_CTX_set_verify_algorithm_prefs in both us_ssl_ctx_build_raw (every node:tls / Bun.connect / fetch / node:https context) and us_create_quic_client_context in quic.c. This makes Bun's TLS client advertise Ed25519 and ECDSA P-521 in the signature_algorithms extension so it can verify servers presenting those leaf certs (fixing #32234). Tests add a 4-algorithm matrix in node-tls-connect.test.ts and an HTTP/3 Ed25519 regression in fetch-http3-client.test.ts. Since my last comment the list was also reordered to be a strict subsequence of Node/OpenSSL's order, rsa_pkcs1_sha1 was dropped to match Node, and the helper now returns the BoringSSL result so callers fail the context on error rather than silently falling back.

Security risks

This is squarely security-sensitive: it replaces BoringSSL's curated default verify-sigalg list with a Bun-owned hardcoded one for every TLS handshake. The additions (Ed25519, P-521) are widely accepted and match Node/OpenSSL, so they don't weaken the trust posture. The notable behavior change is removing SSL_SIGN_RSA_PKCS1_SHA1 from what Bun previously advertised — that's a hardening (and matches Node), but it is a user-visible change for anyone connecting to a TLS 1.2 peer that can only sign with SHA-1. I don't see an injection/auth-bypass vector; the error-path change in quic.c returns NULL from us_create_quic_client_context on failure, which callers should already handle since SSL_CTX_new could already fail there.

Level of scrutiny

Moderate-to-high. The diff is small and well-commented, the root cause is clearly explained, and the test matrix proves both the fix and non-regression for RSA/P-256. But because the new array now governs the verify sigalgs for every SSL_CTX Bun creates (client and mTLS-server), and because it intentionally diverges from BoringSSL's default (adds two, drops one), a maintainer should confirm the policy choice — particularly the SHA-1 drop and that owning this list going forward is the desired approach vs. e.g. only appending to BoringSSL's default.

Other factors

All prior review threads (CodeRabbit's QUIC-test request, awaited server.close, my P-521 note) are resolved in the current diff. The author verified the emitted ClientHello bytes against Node's and confirmed the full TLS matrix + h3 suite stay green; the only red CI lanes are an unrelated musl LTO build infra issue. No CODEOWNERS file restricts these paths. Given the security-sensitive scope I'm deferring rather than approving.