feat(tls): implement TLS module for secure connections

Add client-side TLS support with the following features:
- tls.connect() for creating secure outbound connections
- tls.createSecureContext() for reusable TLS configurations
- TLSSocket class with full event support (secureConnect, data, end, close, error, keylog)
- Custom CA certificates for private PKI
- Client certificate authentication (mTLS) for zero-trust environments
- ALPN protocol negotiation for HTTP/2 support
- TLS version control (minVersion/maxVersion)
- SNI (Server Name Indication) support
- keylog event for TLS debugging with Wireshark
- getCiphers(), checkServerIdentity(), rootCertificates

This implementation focuses on Lambda-relevant client-side functionality.
Server-side APIs (createServer, Server class) are intentionally omitted
as they are not applicable to serverless environments.

Fixes #1
Fixes #1102

Author: chessbyte

API.md

@@ -245,6 +245,29 @@ Everything else inherited from [Uint8Array](https://developer.mozilla.org/en-US/
 
 [createServer](https://nodejs.org/api/net.html#netcreateserveroptions-connectionlistener)
 
+## tls
+
+> [!WARNING]
+> These APIs uses native streams that is not 100% compatible with the Node.js Streams API.
+
+[connect](https://nodejs.org/api/tls.html#tlsconnectoptions-callback)
+
+[createSecureContext](https://nodejs.org/api/tls.html#tlscreatesecurecontextoptions)
+
+[getCiphers](https://nodejs.org/api/tls.html#tlsgetciphers)
+
+[rootCertificates](https://nodejs.org/api/tls.html#tlsrootcertificates)
+
+[checkServerIdentity](https://nodejs.org/api/tls.html#tlscheckserveridentityhostname-cert)
+
+[DEFAULT_MIN_VERSION](https://nodejs.org/api/tls.html#tlsdefault_min_version)
+
+[DEFAULT_MAX_VERSION](https://nodejs.org/api/tls.html#tlsdefault_max_version)
+
+[TLSSocket](https://nodejs.org/api/tls.html#class-tlstlssocket)
+
+[SecureContext](https://nodejs.org/api/tls.html#tlscreatesecurecontextoptions)
+
 ## os
 
 [arch](https://nodejs.org/api/os.html#osarch)

Cargo.lock

@@ -85,6 +85,8 @@ const ES_BUILD_OPTIONS = {
     "net",
     "node:net",
     "os",
+    "tls",
+    "node:tls",
     "node:os",
     "path",
     "node:path",

build.mjs

@@ -161,6 +161,10 @@ impl Default for ModuleBuilder {
                 .with_global(crate::modules::timers::init)
                 .with_module(crate::modules::timers::TimersModule);
         }
+        #[cfg(feature = "tls")]
+        {
+            builder = builder.with_module(crate::modules::tls::TlsModule);
+        }
         #[cfg(feature = "tty")]
         {
             builder = builder.with_module(crate::modules::tty::TtyModule);

llrt_modules/src/module_builder.rs

@@ -45,6 +45,9 @@ impl Agent {
         let config = llrt_tls::build_client_config(llrt_tls::BuildClientConfigOptions {
             reject_unauthorized,
             ca,
+            cert: None,
+            key: None,
+            key_log: None,
         })
         .or_throw_msg(&ctx, "Failed to build TLS config")?;
         let client =

modules/llrt_http/src/agent.rs

@@ -12,12 +12,27 @@ name = "llrt_tls"
 path = "src/lib.rs"
 
 [dependencies]
+base64-simd = { version = "0.8", features = ["alloc"], default-features = false }
+itoa = { version = "1", default-features = false }
+llrt_buffer = { version = "0.7.0-beta", path = "../llrt_buffer" }
+llrt_context = { version = "0.7.0-beta", path = "../../libs/llrt_context" }
+llrt_events = { version = "0.7.0-beta", path = "../llrt_events" }
+llrt_stream = { version = "0.7.0-beta", path = "../llrt_stream" }
+llrt_utils = { version = "0.7.0-beta", path = "../../libs/llrt_utils", default-features = false }
 once_cell = { version = "1", features = ["std"], default-features = false }
+rquickjs = { git = "https://github.com/DelSkayn/rquickjs.git", version = "0.10.0", default-features = false }
 rustls = { version = "0.23", features = [
   "std",
   "ring",
   "tls12",
 ], default-features = false }
+rustls-pki-types = { version = "1", default-features = false }
+tokio = { version = "1", features = ["net"], default-features = false }
+tokio-rustls = { version = "0.26", default-features = false }
+tracing = { version = "0.1", default-features = false }
 webpki-roots = { version = "1", default-features = false }
 
 [dev-dependencies]
+llrt_test = { path = "../../libs/llrt_test" }
+rand = { version = "0.10.0-rc.5", features = ["alloc"], default-features = false }
+tokio = { version = "1", features = ["macros", "rt"] }

modules/llrt_tls/Cargo.toml

@@ -5,7 +5,7 @@ use std::sync::{Arc, OnceLock};
 use once_cell::sync::Lazy;
 use rustls::{
     crypto::ring,
-    pki_types::{pem::PemObject, CertificateDer},
+    pki_types::{pem::PemObject, CertificateDer, PrivateKeyDer},
     ClientConfig, RootCertStore, SupportedProtocolVersion,
 };
 use webpki_roots::TLS_SERVER_ROOTS;
@@ -47,12 +47,20 @@ pub static TLS_CONFIG: Lazy<Result<ClientConfig, Box<dyn std::error::Error + Sen
         build_client_config(BuildClientConfigOptions {
             reject_unauthorized: true,
             ca: None,
+            cert: None,
+            key: None,
+            key_log: None,
         })
     });
 
 pub struct BuildClientConfigOptions {
     pub reject_unauthorized: bool,
     pub ca: Option<Vec<Vec<u8>>>,
+    /// Client certificate in PEM format for mTLS
+    pub cert: Option<Vec<u8>>,
+    /// Client private key in PEM format for mTLS
+    pub key: Option<Vec<u8>>,
+    pub key_log: Option<Arc<dyn rustls::KeyLog>>,
 }
 
 pub fn build_client_config(
@@ -72,11 +80,11 @@ pub fn build_client_config(
         builder
             .dangerous()
             .with_custom_certificate_verifier(Arc::new(NoCertificateVerification::new(provider)))
-    } else if let Some(ca) = options.ca {
+    } else if let Some(ca) = &options.ca {
         let mut root_certificates = RootCertStore::empty();
 
         for cert in ca {
-            root_certificates.add(CertificateDer::from_pem_slice(&cert)?)?;
+            root_certificates.add(CertificateDer::from_pem_slice(cert)?)?;
         }
         builder.with_root_certificates(root_certificates)
     } else {
@@ -93,5 +101,24 @@ pub fn build_client_config(
         builder.with_root_certificates(root_certificates)
     };
 
-    Ok(builder.with_no_client_auth())
+    // Client authentication (mTLS)
+    let mut config = if let (Some(cert_pem), Some(key_pem)) = (&options.cert, &options.key) {
+        // Parse client certificate chain
+        let certs: Vec<CertificateDer<'static>> =
+            CertificateDer::pem_slice_iter(cert_pem).collect::<std::result::Result<Vec<_>, _>>()?;
+
+        // Parse private key
+        let key = PrivateKeyDer::from_pem_slice(key_pem)?;
+
+        builder.with_client_auth_cert(certs, key)?
+    } else {
+        builder.with_no_client_auth()
+    };
+
+    // Set key log if provided
+    if let Some(key_log) = options.key_log {
+        config.key_log = key_log;
+    }
+
+    Ok(config)
 }