
Conversation

@chessbyte
Contributor

Issue # (if available)

Fixes #1
Fixes #1102

Description of changes

Add client-side TLS support with the following features:

  • tls.connect() for creating secure outbound connections
  • tls.createSecureContext() for reusable TLS configurations
  • TLSSocket class with full event support (secureConnect, data, end, close, error, keylog)
  • Custom CA certificates for private PKI
  • Client certificate authentication (mTLS) for zero-trust environments
  • ALPN protocol negotiation for HTTP/2 support
  • TLS version control (minVersion/maxVersion)
  • SNI (Server Name Indication) support
  • keylog event for TLS debugging with Wireshark
  • getCiphers(), checkServerIdentity(), rootCertificates

This implementation focuses on Lambda-relevant client-side functionality. Server-side APIs (createServer, Server class) are intentionally omitted as they are not applicable to serverless environments.

Checklist

  • Created unit tests in tests/unit and/or in Rust for my feature if needed
  • Ran make fix to format JS and apply Clippy auto fixes
  • Made sure my code didn't add any additional warnings: make check
  • Added relevant type info in types/ directory
  • Updated documentation if needed (API.md/README.md/Other)

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@chessbyte chessbyte mentioned this pull request Dec 7, 2025
@chessbyte chessbyte force-pushed the feat/tls-module branch 2 times, most recently from 824bdaf to 2319678 on December 8, 2025 19:04
Collaborator

@richarddavison richarddavison left a comment


I think we can reduce duplication a bit by using the Socket from llrt_net as an inner field on TLSSocket

@chessbyte
Contributor Author

chessbyte commented Dec 11, 2025

@richarddavison @Sytten tried to address your concerns in 2nd commit

  • Consolidate TLSSocket with llrt_net by sharing common types (ReadyState, LOCALHOST, get_hostname, rw_join) from llrt_net
  • Merge SecureContextOptions into BuildClientConfigOptions to reduce duplication between tls and http modules
  • Replace custom hex_encode with llrt_encoding::bytes_to_hex_string
  • Use [].concat() pattern for string formatting in keylog.rs
  • Capture actual cipher/protocol info from TLS connection after handshake instead of returning hardcoded values
  • Add clarifying comment for servername SNI requirement

Add client-side TLS support with the following features:
- tls.connect() for creating secure outbound connections
- tls.createSecureContext() for reusable TLS configurations
- TLSSocket class with full event support (secureConnect, data, end, close, error, keylog)
- Custom CA certificates for private PKI
- Client certificate authentication (mTLS) for zero-trust environments
- ALPN protocol negotiation for HTTP/2 support
- TLS version control (minVersion/maxVersion)
- SNI (Server Name Indication) support
- keylog event for TLS debugging with Wireshark
- getCiphers(), checkServerIdentity(), rootCertificates

This implementation focuses on Lambda-relevant client-side functionality.
Server-side APIs (createServer, Server class) are intentionally omitted
as they are not applicable to serverless environments.

Fixes awslabs#1
Fixes awslabs#1102
- Consolidate TLSSocket with llrt_net by sharing common types
  (ReadyState, LOCALHOST, get_hostname, rw_join) from llrt_net
- Merge SecureContextOptions into BuildClientConfigOptions to
  reduce duplication between tls and http modules
- Replace custom hex_encode with llrt_encoding::bytes_to_hex_string
- Use [].concat() pattern for string formatting in keylog.rs
- Capture actual cipher/protocol info from TLS connection after
  handshake instead of returning hardcoded values
- Add clarifying comment for servername SNI requirement
- Add min_version/max_version options to filter TLS protocol versions
- Add ciphers option to filter cipher suites using OpenSSL-style names
- Implement reverse mapping from OpenSSL cipher names to rustls suites
- Update build_client_config to apply cipher and version filtering
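The comment and commit messages above describe a `ciphers` option resolved from OpenSSL-style names to rustls suites and `min_version`/`max_version` filtering applied in `build_client_config`. The block below is an added example, not code from this pull request or from LLRT: it resolves those three options to the concrete suite list a client could offer and turns the configurations that cannot complete a handshake (every suite filtered out, or a version range with nothing behind it) into an error or a warning instead of a silent failure at connect time. The suite table is rustls's default set under its OpenSSL-style names; treating TLS 1.3 suite names in the same `ciphers` string as TLS 1.2 names follows Node's convention and is an assumption about LLRT, as are the names `parseCipherList` and `effectiveClientConfig`.

```javascript
// Added example, not code from the LLRT pull request: the suites a client
// config can actually offer once `ciphers`, `minVersion` and `maxVersion`
// are applied, plus the checks that turn a silently un-negotiable config
// into an error. The table is rustls's default suite set under its
// OpenSSL-style names; treating TLS 1.3 names in the same `ciphers` string
// as TLS 1.2 names follows Node's convention and is assumed for LLRT.
const VERSION_ORDER = ['TLSv1.2', 'TLSv1.3'];

// [OpenSSL-style name, version, rustls suite name], in rustls default order.
const SUITES = [
  ['TLS_AES_256_GCM_SHA384',        'TLSv1.3', 'TLS13_AES_256_GCM_SHA384'],
  ['TLS_AES_128_GCM_SHA256',        'TLSv1.3', 'TLS13_AES_128_GCM_SHA256'],
  ['TLS_CHACHA20_POLY1305_SHA256',  'TLSv1.3', 'TLS13_CHACHA20_POLY1305_SHA256'],
  ['ECDHE-ECDSA-AES256-GCM-SHA384', 'TLSv1.2', 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384'],
  ['ECDHE-ECDSA-AES128-GCM-SHA256', 'TLSv1.2', 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256'],
  ['ECDHE-ECDSA-CHACHA20-POLY1305', 'TLSv1.2', 'TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256'],
  ['ECDHE-RSA-AES256-GCM-SHA384',   'TLSv1.2', 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'],
  ['ECDHE-RSA-AES128-GCM-SHA256',   'TLSv1.2', 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'],
  ['ECDHE-RSA-CHACHA20-POLY1305',   'TLSv1.2', 'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'],
];
const byOpenSslName = new Map(SUITES.map((s) => [s[0], s]));

// Parse the subset of OpenSSL cipher-list syntax that names individual
// suites: ':'-separated tokens, `-NAME` removes a suite (a later plain token
// may re-add it), `!NAME` removes it permanently. Keyword groups such as
// HIGH or ALL are not expanded; they end up in `unknown`, as typos do.
function parseCipherList(spec) {
  const allow = [];
  const banned = new Set();
  const unknown = [];
  for (const token of spec.split(/[:,\s]+/).filter(Boolean)) {
    const op = token[0] === '!' || token[0] === '-' ? token[0] : '';
    const name = op ? token.slice(1) : token;
    if (!byOpenSslName.has(name)) { unknown.push(token); continue; }
    const idx = allow.indexOf(name);
    if (op) {
      if (idx >= 0) allow.splice(idx, 1);
      if (op === '!') banned.add(name);
    } else if (idx < 0 && !banned.has(name)) {
      allow.push(name);
    }
  }
  return { allow, unknown };
}

// Resolve the options to the concrete suite list the client could offer.
// Throws when no handshake is possible; returns warnings for the quieter
// misconfigurations (typos, a version with no suites behind it).
function effectiveClientConfig(opts = {}) {
  const minVersion = opts.minVersion ?? 'TLSv1.2';
  const maxVersion = opts.maxVersion ?? 'TLSv1.3';
  const lo = VERSION_ORDER.indexOf(minVersion);
  const hi = VERSION_ORDER.indexOf(maxVersion);
  if (lo < 0 || hi < 0) {
    throw new RangeError(`unsupported TLS version: ${lo < 0 ? minVersion : maxVersion}`);
  }
  if (lo > hi) throw new RangeError(`minVersion ${minVersion} is above maxVersion ${maxVersion}`);

  const warnings = [];
  let chosen = SUITES;
  if (opts.ciphers) {
    const { allow, unknown } = parseCipherList(opts.ciphers);
    if (unknown.length) warnings.push(`ignored unknown cipher names: ${unknown.join(', ')}`);
    chosen = allow.map((n) => byOpenSslName.get(n));
  }
  const inRange = ([, v]) => VERSION_ORDER.indexOf(v) >= lo && VERSION_ORDER.indexOf(v) <= hi;
  chosen = chosen.filter(inRange);
  if (chosen.length === 0) {
    throw new Error('no cipher suite is usable within the requested TLS version range');
  }
  for (const v of VERSION_ORDER.slice(lo, hi + 1)) {
    if (!chosen.some(([, sv]) => sv === v)) {
      warnings.push(`${v} is enabled but has no cipher suite left; it will never be negotiated`);
    }
  }
  return { minVersion, maxVersion, suites: chosen.map((s) => s[2]), warnings };
}

// Demo with constructed option sets.
console.log(effectiveClientConfig({
  ciphers: 'ECDHE-ECDSA-AES128-GCM-SHA256:!ECDHE-RSA-AES128-GCM-SHA256:TLS_AES_128_GCM_SHA256:BOGUS',
}));
try {
  effectiveClientConfig({ ciphers: 'TLS_AES_256_GCM_SHA384', maxVersion: 'TLSv1.2' });
} catch (e) {
  console.log('rejected:', e.message);
}
```

Running this kind of resolution once at `createSecureContext()` time, rather than discovering the problem as a handshake failure per connection, is what makes a version or cipher typo show up in tests instead of in production logs; the order of the surviving suites is also the client's preference order, so list the strongest first.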
@richarddavison richarddavison requested a review from Sytten January 6, 2026 21:21


Development

Successfully merging this pull request may close these issues.

TLS support
TLS: ReferenceError: Error resolving module '/var/task/tls

3 participants