mirror of
https://github.com/oven-sh/bun
synced 2026-02-28 04:21:04 +01:00
## Summary

- **Enable keepalive for custom TLS configs (mTLS):** Previously, all connections using custom TLS configurations (client certificates, custom CA, etc.) had `disable_keepalive=true` forced, causing a new TCP+TLS handshake on every request. This removes that restriction and properly tracks SSL contexts per connection.
- **Intern SSLConfig with reference counting:** Identical TLS configurations are now deduplicated via a global registry (`SSLConfig.GlobalRegistry`), enabling O(1) pointer-equality lookups instead of O(n) content comparisons. Uses `ThreadSafeRefCount` for safe lifetime management across threads.
- **Bounded SSL context cache with LRU eviction:** The custom SSL context map in `HTTPThread` is now bounded (max 60 entries, 30-minute TTL) with proper cleanup of both SSL contexts and their associated SSLConfig references when evicted.
- **Correct keepalive pool isolation:** Pooled sockets now track their `ssl_config` (with refcount) and `owner` context, ensuring connections are only reused when the TLS configuration matches exactly, and sockets return to the correct pool on release.

Fixes #27358

## Changed files

- `src/bun.js/api/server/SSLConfig.zig` — ref counting, content hashing, GlobalRegistry interning
- `src/bun.js/webcore/fetch.zig` — intern SSLConfig on creation, deref on cleanup
- `src/http.zig` — `custom_ssl_ctx` field, `getSslCtx()` helper, updated all callback sites
- `src/http/HTTPContext.zig` — `ssl_config`/`owner` on PooledSocket, pointer-equality matching
- `src/http/HTTPThread.zig` — `SslContextCacheEntry` with timestamps, TTL + LRU eviction

## Test plan

- [x] `test/regression/issue/27358.test.ts` — verifies keepalive connection reuse with custom TLS and isolation between different configs
- [x] `test/js/bun/http/tls-keepalive.test.ts` — comprehensive tests: keepalive reuse, config isolation, stress test (50 sequential requests), keepalive-disabled control
- [x] `test/js/bun/http/tls-keepalive-leak-fixture.js` — memory leak detection fixture (50k requests with same config, 200 requests with distinct configs)

## Changelog

<!-- CHANGELOG:START -->
Fixed a bug where HTTP connections using custom TLS configurations (mTLS, custom CA certificates) could not reuse keepalive connections, causing a new TCP+TLS handshake for every request and leaking SSL contexts. Custom TLS connections now properly participate in keepalive pooling with correct isolation between different configurations.
<!-- CHANGELOG:END -->

🤖 Generated with [Claude Code](https://claude.com/claude-code) (0% 16-shotted by claude-opus-4-6, 3 memories recalled)

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: Jarred Sumner <jarred@jarredsumner.com>
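A small TypeScript model of the three rules the summary describes (interning configs by content so matching is a pointer test, a bounded TTL+LRU SSL-context cache, and reusing an idle socket only for the identical interned config), added here as an illustration and not Bun's own Zig implementation. `MAX_CTX` and `TTL_MS` take the limits stated in the summary; every function and type name below is assumed, and the refcounting and thread-safety of the real registry are left out.

```typescript
// Added model of the pooling rules in this commit (illustration, not Bun's code).
type TLSConfig = Record<string, string | boolean>;
const MAX_CTX = 60, TTL_MS = 30 * 60_000; // limits as stated in the commit summary

// Interning: equal content maps to one shared object, so later matching is a === test.
const registry = new Map<string, TLSConfig>();
function intern(cfg: TLSConfig): TLSConfig {
  const key = JSON.stringify(Object.keys(cfg).sort().map((k) => [k, cfg[k]]));
  let shared = registry.get(key);
  if (!shared) { shared = { ...cfg }; registry.set(key, shared); }
  return shared;
}

// Bounded SSL-context cache keyed by the interned config: TTL expiry, then LRU eviction.
type Ctx = { id: number; lastUsed: number };
const ctxCache = new Map<TLSConfig, Ctx>();
let nextCtxId = 1;
function getSslCtx(cfg: TLSConfig, now: number): Ctx {
  for (const [c, e] of ctxCache) if (now - e.lastUsed > TTL_MS) ctxCache.delete(c);
  let e = ctxCache.get(cfg);
  if (!e) {
    if (ctxCache.size >= MAX_CTX) { // full: drop the least recently used entry
      let lru: TLSConfig | undefined, oldest = Infinity;
      for (const [c, x] of ctxCache) if (x.lastUsed < oldest) { oldest = x.lastUsed; lru = c; }
      if (lru) ctxCache.delete(lru);
    }
    e = { id: nextCtxId++, lastUsed: now };
    ctxCache.set(cfg, e);
  }
  e.lastUsed = now;
  return e;
}
const cachedCtxCount = () => ctxCache.size;
const hasCtx = (cfg: TLSConfig) => ctxCache.has(cfg);

// Keepalive pool: an idle socket is reused only for the same host AND the same
// interned config object; a request with a different client cert or CA never
// inherits a socket that was authenticated under another identity.
type PooledSocket = { host: string; cfg: TLSConfig | null; ctx: Ctx | null };
const idle: PooledSocket[] = [];
let handshakes = 0; // new TCP+TLS connections opened
function acquire(host: string, cfg: TLSConfig | null, now = 0): PooledSocket {
  const i = idle.findIndex((s) => s.host === host && s.cfg === cfg);
  if (i >= 0) return idle.splice(i, 1)[0];
  handshakes++;
  return { host, cfg, ctx: cfg ? getSslCtx(cfg, now) : null };
}
function releaseSocket(s: PooledSocket): void { idle.push(s); } // back to the pool
const handshakeCount = () => handshakes;
```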