Revert TLS store caching optimization

The caching optimization is incompatible with how SSL_CTX_set_cert_store works. SSL_CTX_set_cert_store takes ownership of the X509_STORE and can modify it, so we cannot share the same store across multiple SSL_CTX instances. This was causing test failures in test-tls-client-verify.js where different connections need different CA certificates. We need a different approach that doesn't involve sharing X509_STORE instances. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-02-14 04:49:06 +00:00 · 2025-09-11 09:43:08 +00:00
parent 0ff4579f6e
commit 0164f5bd9e
1 changed files with 1 additions and 18 deletions
--- a/packages/bun-usockets/src/crypto/root_certs.cpp
+++ b/packages/bun-usockets/src/crypto/root_certs.cpp
@@ -151,9 +151,7 @@ STACK_OF(X509) *us_get_root_extra_cert_instances() {
  return us_get_default_ca_certificates()->root_extra_cert_instances;
 }

-// Create the default CA store with all certificates
-// This is only called once to create the cached store
-static X509_STORE* us_create_default_ca_store() {
+extern "C" X509_STORE *us_get_default_ca_store() {
  X509_STORE *store = X509_STORE_new();
  if (store == NULL) {
    return NULL;
@@ -187,21 +185,6 @@ static X509_STORE* us_create_default_ca_store() {

  return store;
 }
-
-extern "C" X509_STORE *us_get_default_ca_store() {
-  // Create the store once using static initialization (thread-safe in C++11)
-  // This is similar to Node.js's approach but using a single global store
-  // instead of per-thread storage
-  static X509_STORE* cached_store = us_create_default_ca_store();
-  
-  // Return a new reference to the cached store
-  // X509_STORE_up_ref is thread-safe according to BoringSSL docs
-  if (cached_store != NULL) {
-    X509_STORE_up_ref(cached_store);
-  }
-  
-  return cached_store;
-}
 extern "C" const char *us_get_default_ciphers() {
  return DEFAULT_CIPHER_LIST;
 }