fix(fetch) (#6672)

* fix fetch

* oops

* revert

* fix checkServerIdentity

* check dns len

* use same checks on wsclient and fetch, fix tests

* more tests and more fixes

* fix node-http flask test

* orelse

* fix requestCert

* more fixes, but no data receiving

* fix pause on connect behavior on TLS

* WS Client + rejectUnauthorized progress

* move test to the right place

* more test

* oops

* oops 2

* fmt

* cleanup

* WIP: handle handshake properly on uWS

* handle rejectUnauthorized in uWS

* fmt

* duplicated test

* fix leak

* add rejectUnauthorized option in WS types

* fix merge

* fix merge2

1 files changed, 35 insertions, 20 deletions

diff --git a/src/js/node/net.js b/src/js/node/net.js
index 56b0f9ced..3e3839451 100644
--- a/src/js/node/net.js
+++ b/src/js/node/net.js
@@ -63,9 +63,9 @@ const bunTlsSymbol = Symbol.for("::buntls::");
 const bunSocketServerHandlers = Symbol.for("::bunsocket_serverhandlers::");
 const bunSocketServerConnections = Symbol.for("::bunnetserverconnections::");
 const bunSocketServerOptions = Symbol.for("::bunnetserveroptions::");
+
 const bunSocketInternal = Symbol.for("::bunnetsocketinternal::");
 const bunTLSConnectOptions = Symbol.for("::buntlsconnectoptions::");
-
 function closeNT(self) {
   self.emit("close");
 }
@@ -151,12 +151,12 @@ const Socket = (function (InternalSocket) {
           const cert = self.getPeerCertificate(true);
           verifyError = checkServerIdentity(self.servername, cert);
         }
-
         if (self._requestCert || self._rejectUnauthorized) {
           if (verifyError) {
             self.authorized = false;
             self.authorizationError = verifyError.code || verifyError.message;
             if (self._rejectUnauthorized) {
+              self.emit("error", verifyError);
               self.destroy(verifyError);
               return;
             }
@@ -221,6 +221,7 @@ const Socket = (function (InternalSocket) {
         const { pauseOnConnect, connectionListener, InternalSocketClass, requestCert, rejectUnauthorized } = options;
         const _socket = new InternalSocketClass({});
         _socket.isServer = true;
+        _socket.server = self;
         _socket._requestCert = requestCert;
         _socket._rejectUnauthorized = rejectUnauthorized;
 
@@ -240,37 +241,41 @@ const Socket = (function (InternalSocket) {
           self.emit("drop", data);
           return;
         }
-        // the duplex implementation start paused, so we resume when pauseOnConnect is falsy
-        if (!pauseOnConnect) {
-          _socket.resume();
-        }
+
+        const bunTLS = _socket[bunTlsSymbol];
+        const isTLS = typeof bunTLS === "function";
 
         self[bunSocketServerConnections]++;
 
         if (typeof connectionListener == "function") {
-          if (InternalSocketClass.name === "TLSSocket") {
+          this.pauseOnConnect = pauseOnConnect;
+          if (isTLS) {
             // add secureConnection event handler
             self.once("secureConnection", () => connectionListener(_socket));
           } else {
             connectionListener(_socket);
           }
         }
-
         self.emit("connection", _socket);
+        // the duplex implementation start paused, so we resume when pauseOnConnect is falsy
+        if (!pauseOnConnect && !isTLS) {
+          _socket.resume();
+        }
       },
       handshake(socket, success, verifyError) {
         const { data: self } = socket;
-        self.emit("secure", self);
-
         self._securePending = false;
         self.secureConnecting = false;
         self._secureEstablished = !!success;
-
+        const server = self.server;
         if (self._requestCert || self._rejectUnauthorized) {
           if (verifyError) {
             self.authorized = false;
             self.authorizationError = verifyError.code || verifyError.message;
+            server.emit("tlsClientError", verifyError, self);
             if (self._rejectUnauthorized) {
+              // if we reject we still need to emit secure
+              self.emit("secure", self);
               self.destroy(verifyError);
               return;
             }
@@ -278,7 +283,13 @@ const Socket = (function (InternalSocket) {
         } else {
           self.authorized = true;
         }
-        self.emit("secureConnection", verifyError);
+        self.server.emit("secureConnection", self);
+        // after secureConnection event we emmit secure and secureConnect
+        self.emit("secure", self);
+        self.emit("secureConnect", verifyError);
+        if (!server.pauseOnConnect) {
+          self.resume();
+        }
       },
       error(socket, error) {
         Socket.#Handlers.error(socket, error);
@@ -309,6 +320,8 @@ const Socket = (function (InternalSocket) {
     _parent;
     _parentWrap;
     #socket;
+    server;
+    pauseOnConnect = false;
     #upgraded;
 
     constructor(options) {
@@ -416,6 +429,7 @@ const Socket = (function (InternalSocket) {
         }
       }
 
+      this.pauseOnConnect = pauseOnConnect;
       if (!pauseOnConnect) {
         this.resume();
       }
@@ -429,10 +443,14 @@ const Socket = (function (InternalSocket) {
         tls = bunTLS.$call(this, port, host, true);
         // Client always request Cert
         this._requestCert = true;
-        this._rejectUnauthorized = rejectUnauthorized;
 
         if (tls) {
-          tls.rejectUnauthorized = rejectUnauthorized;
+          if (typeof rejectUnauthorized !== "undefined") {
+            this._rejectUnauthorized = rejectUnauthorized;
+            tls.rejectUnauthorized = rejectUnauthorized;
+          } else {
+            this._rejectUnauthorized = tls.rejectUnauthorized;
+          }
           tls.requestCert = true;
           tls.session = session || tls.session;
           this.servername = tls.servername;
@@ -662,7 +680,6 @@ const connect = createConnection;
 
 class Server extends EventEmitter {
   #server;
-  #listening = false;
   [bunSocketServerConnections] = 0;
   [bunSocketServerOptions];
   maxConnections = 0;
@@ -700,7 +717,6 @@ class Server extends EventEmitter {
     if (this.#server) {
       this.#server.stop(true);
       this.#server = null;
-      this.#listening = false;
       this[bunSocketServerConnections] = 0;
       this.emit("close");
       if (typeof callback === "function") {
@@ -841,10 +857,12 @@ class Server extends EventEmitter {
         [tls, TLSSocketClass] = bunTLS.$call(this, port, hostname, false);
         options.servername = tls.serverName;
         options.InternalSocketClass = TLSSocketClass;
+        if (!tls.requestCert) {
+          tls.rejectUnauthorized = false;
+        }
       } else {
         options.InternalSocketClass = SocketClass;
       }
-
       this.#server = Bun.listen(
         path
           ? {
@@ -865,8 +883,6 @@ class Server extends EventEmitter {
       //make this instance available on handlers
       this.#server.data = this;
 
-      this.#listening = true;
-
       // We must schedule the emitListeningNextTick() only after the next run of
       // the event loop's IO queue. Otherwise, the server may not actually be listening
       // when the 'listening' event is emitted.
@@ -876,7 +892,6 @@ class Server extends EventEmitter {
       // process.nextTick() is not sufficient because it will run before the IO queue.
       setTimeout(emitListeningNextTick, 1, this, onListen);
     } catch (err) {
-      this.#listening = false;
       setTimeout(emitErrorNextTick, 1, this, err);
     }
     return this;