From 0164f5bd9e12622f99d08ba1f2ef525b8e71b00a Mon Sep 17 00:00:00 2001
From: Claude Bot
Date: Thu, 11 Sep 2025 09:43:08 +0000
Subject: [PATCH] Revert TLS store caching optimization
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The caching optimization is incompatible with how SSL_CTX_set_cert_store works. SSL_CTX_set_cert_store takes ownership of the X509_STORE and can modify it, so we cannot share the same store across multiple SSL_CTX instances. This was causing test failures in test-tls-client-verify.js where different connections need different CA certificates. We need a different approach that doesn't involve sharing X509_STORE instances.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude
---
 .../bun-usockets/src/crypto/root_certs.cpp | 19 +------------------
 1 file changed, 1 insertion(+), 18 deletions(-)

diff --git a/packages/bun-usockets/src/crypto/root_certs.cpp b/packages/bun-usockets/src/crypto/root_certs.cpp
index e9dd78e16a..ba935a5a0c 100644
--- a/packages/bun-usockets/src/crypto/root_certs.cpp
+++ b/packages/bun-usockets/src/crypto/root_certs.cpp
@@ -151,9 +151,7 @@ STACK_OF(X509) *us_get_root_extra_cert_instances() {
   return us_get_default_ca_certificates()->root_extra_cert_instances;
 }
 
-// Create the default CA store with all certificates
-// This is only called once to create the cached store
-static X509_STORE* us_create_default_ca_store() {
+extern "C" X509_STORE *us_get_default_ca_store() {
   X509_STORE *store = X509_STORE_new();
   if (store == NULL) {
     return NULL;
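Review bot: The restored `us_get_default_ca_store` on the new side has no comment stating its ownership contract, even though the commit message gives exactly that contract as the reason for the revert (`SSL_CTX_set_cert_store` takes ownership of the store and may modify it); without it at the definition, the next reader is likely to reintroduce a shared or cached store. I would add above the `extern "C"` line: `// Builds a new X509_STORE populated with the default CA set and returns it to the caller, who owns it. Callers pass it to SSL_CTX_set_cert_store, which takes ownership and may modify the store, so it must never be cached or shared between SSL_CTX instances.` and `// Returns NULL if X509_STORE_new fails; callers must check before use.` The function body continues past the end of the hunk, so whether each later failure path releases `store` cannot be confirmed from here. The second hunk is a pure deletion of the cached wrapper and needs no separate note.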
@@ -187,21 +185,6 @@ static X509_STORE* us_create_default_ca_store() {
   return store;
 }
 
-
-extern "C" X509_STORE *us_get_default_ca_store() {
-  // Create the store once using static initialization (thread-safe in C++11)
-  // This is similar to Node.js's approach but using a single global store
-  // instead of per-thread storage
-  static X509_STORE* cached_store = us_create_default_ca_store();
-
-  // Return a new reference to the cached store
-  // X509_STORE_up_ref is thread-safe according to BoringSSL docs
-  if (cached_store != NULL) {
-    X509_STORE_up_ref(cached_store);
-  }
-
-  return cached_store;
-}
 extern "C" const char *us_get_default_ciphers() {
   return DEFAULT_CIPHER_LIST;
 }
\ No newline at end of file