Adds tls and crypto updates for node and changelog (#21482)

mikenomitch · web-flow · commit 381401a8cccc · 2025-04-07T21:33:26.000-05:00
Adds tls and crypto updates for node and changelog
diff --git a/src/content/changelog/workers/2025-01-28-nodejs-compat-improvements.mdx b/src/content/changelog/workers/2025-01-28-nodejs-compat-improvements.mdx
@@ -41,7 +41,7 @@ export default {
 ````
 </TypeScriptExample>
 
-Additionally, you can now use other APIs incliding [`net.BlockList`](https://nodejs.org/api/net.html#class-netblocklist) and
+Additionally, you can now use other APIs including [`net.BlockList`](https://nodejs.org/api/net.html#class-netblocklist) and
 [`net.SocketAddress`](https://nodejs.org/api/net.html#class-netsocketaddress).
 
 Note that [`net.Server`](https://nodejs.org/api/net.html#class-netserver) is not supported.
diff --git a/src/content/changelog/workers/2025-02-03-workers-metrics-revamp.mdx b/src/content/changelog/workers/2025-02-03-workers-metrics-revamp.mdx
@@ -1,18 +1,18 @@
 ---
-title: Revamped Workers Metrics 
+title: Revamped Workers Metrics
 description: Monitor your Worker's performance with a default set of automatically enabled metrics.
 products:
   - workers
 date: 2025-02-03T18:00:00Z
 ---
 
-We've revamped the [Workers Metrics dashboard](https://dash.cloudflare.com/?to=/:account/workers/services/view/:worker/production/metrics/). 
+We've revamped the [Workers Metrics dashboard](https://dash.cloudflare.com/?to=/:account/workers/services/view/:worker/production/metrics/).
 
 ![Workers Metrics dashboard](~/assets/images/workers/observability/workers-metrics.png)
 
 Now you can easily compare metrics across Worker versions, understand the current state of a [gradual deployment](/workers/configuration/versions-and-deployments/gradual-deployments/), and review key Workers metrics in a single view. This new interface enables you to:
 
-- Drag-and-select using a graphical timepicker for precise metric selection. 
+- Drag-and-select using a graphical timepicker for precise metric selection.
 
 ![Workers Metrics graphical timepicker](~/assets/images/workers/observability/metrics-graphical-timepicker.png)
 
diff --git a/src/content/changelog/workers/2025-04-08-nodejs-crypto-and-tls.mdx b/src/content/changelog/workers/2025-04-08-nodejs-crypto-and-tls.mdx
@@ -0,0 +1,75 @@
+---
+title: Improved support for Node.js Crypto and TLS APIs in Workers
+description: Node.js APIs from the node:crypto and node:tls modules are now available when using nodejs_compat.
+products:
+  - workers
+date: 2025-04-08T14:00:00Z
+hidden: true
+---
+
+import { Render, PackageManagers, TypeScriptExample } from "~/components";
+
+When using a Worker with the [`nodejs_compat`](/workers/runtime-apis/nodejs/) compatibility flag enabled,
+the following Node.js APIs are now available:
+
+- [`node:crypto`](/workers/runtime-apis/nodejs/crypto/)
+- [`node:tls`](/workers/runtime-apis/nodejs/tls/)
+
+This make it easier to reuse existing Node.js code in Workers or use npm packages that depend on these APIs.
+
+#### node:crypto
+
+The full [`node:crypto`](https://nodejs.org/api/crypto.html) API is now available in Workers.
+
+You can use it to verify and sign data:
+
+```js
+import { sign, verify } from "node:crypto";
+
+const signature = sign("sha256", "-data to sign-", env.PRIVATE_KEY);
+const verified = verify("sha256", "-data to sign-", env.PUBLIC_KEY, signature);
+```
+
+Or, to encrypt and decrypt data:
+
+```js
+import { publicEncrypt, privateDecrypt } from "node:crypto";
+
+const encrypted = publicEncrypt(env.PUBLIC_KEY, "some data");
+const plaintext = privateDecrypt(env.PRIVATE_KEY, encrypted);
+```
+
+See the [`node:crypto` documentation](/workers/runtime-apis/nodejs/crypto/) for more information.
+
+#### node:tls
+
+The following APIs from `node:tls` are now available:
+
+- [`connect`](https://nodejs.org/api/tls.html#tlsconnectoptions-callback)
+- [`TLSSocket`](https://nodejs.org/api/tls.html#class-tlstlssocket)
+- [`checkServerIdentity`](https://nodejs.org/api/tls.html#tlscheckserveridentityhostname-cert)
+- [`createSecureContext`](https://nodejs.org/api/tls.html#tlscreatesecurecontextoptions)
+
+This enables secure connections over TLS (Transport Layer Security) to external services.
+
+```js
+import { connect } from "node:tls";
+
+// ... in a request handler ...
+const connectionOptions = { key: env.KEY, cert: env.CERT };
+const socket = connect(url, connectionOptions, () => {
+	if (socket.authorized) {
+		console.log("Connection authorized");
+	}
+});
+
+socket.on("data", (data) => {
+	console.log(data);
+});
+
+socket.on("end", () => {
+	console.log("server ends connection");
+});
+```
+
+See the [`node:tls` documentation](/workers/runtime-apis/nodejs/tls/) for more information.
diff --git a/src/content/docs/workers/runtime-apis/nodejs/crypto.mdx b/src/content/docs/workers/runtime-apis/nodejs/crypto.mdx
@@ -1,6 +1,6 @@
 ---
 pcx_content_type: configuration
-title: Crypto
+title: crypto
 ---
 
 import { Render } from "~/components";
@@ -9,134 +9,13 @@ import { Render } from "~/components";
 
 The `node:crypto` module provides cryptographic functionality that includes a set of wrappers for OpenSSL's hash, HMAC, cipher, decipher, sign, and verify functions.
 
-A subset of the `node:crypto` module is available in Workers. All APIs in the tables below with a ✅ are supported, and unless otherwise noted, work the same way as the implementations in Node.js.
+All `node:crypto` APIs are fully supported in Workers with the following exceptions:
 
-The [WebCrypto API](/workers/runtime-apis/web-crypto/) is also available within Cloudflare Workers.
+- The functions [generateKeyPair](https://nodejs.org/api/crypto.html#cryptogeneratekeypairtype-options-callback) and [generateKeyPairSync](https://nodejs.org/api/crypto.html#cryptogeneratekeypairsynctype-options)
+  do not support DSA or DH key pairs.
+- `ed448` and `x448` curves are not supported.
 
-## Classes
+The full `node:crypto` API is documented in the [Node.js documentation for `node:crypto`](https://nodejs.org/api/crypto.html).
 
-| API                                                                               | Supported? | Notes |
-| --------------------------------------------------------------------------------- | ---------- | ----- |
-| [Certificate](https://nodejs.org/api/crypto.html#class-certificate)               | ✅         |       |
-| [Cipher](https://nodejs.org/api/crypto.html#class-cipher)                         |            |       |
-| [Decipher](https://nodejs.org/api/crypto.html#class-decipher)                     |            |       |
-| [DiffieHellman](https://nodejs.org/api/crypto.html#class-diffiehellman)           | ✅         |       |
-| [DiffieHellmanGroup](https://nodejs.org/api/crypto.html#class-diffiehellmangroup) | ✅         |       |
-| [ECDH](https://nodejs.org/api/crypto.html#class-ecdh)                             |            |       |
-| [Hash](https://nodejs.org/api/crypto.html#class-hash)                             | ✅         |       |
-| [Hmac](https://nodejs.org/api/crypto.html#class-hmac)                             | ✅         |       |
-| [KeyObject](https://nodejs.org/api/crypto.html#class-keyobject)                   | ✅         |       |
-| [Sign](https://nodejs.org/api/crypto.html#class-sign)                             |            |       |
-| [Verify](https://nodejs.org/api/crypto.html#class-verify)                         |            |       |
-| [X509Certificate](https://nodejs.org/api/crypto.html#class-x509certificate)       | ✅         |       |
-| [constants](https://nodejs.org/api/crypto.html#cryptoconstants)                   |            |       |
-
-## Primes
-
-| API                                                                                          | Supported? | Notes |
-| -------------------------------------------------------------------------------------------- | ---------- | ----- |
-| [checkPrime](https://nodejs.org/api/crypto.html#cryptocheckprimecandidate-options-callback)  | ✅         |       |
-| [checkPrimeSync](https://nodejs.org/api/crypto.html#cryptocheckprimesynccandidate-options)   | ✅         |       |
-| [generatePrime](https://nodejs.org/api/crypto.html#cryptogenerateprimesize-options-callback) | ✅         |       |
-| [generatePrimeSync](https://nodejs.org/api/crypto.html#cryptogenerateprimesyncsize-options)  | ✅         |       |
-
-## Ciphers
-
-| API                                                                                                   | Supported? | Notes                                      |
-| ----------------------------------------------------------------------------------------------------- | ---------- | ------------------------------------------ |
-| [createCipher](https://nodejs.org/api/crypto.html#cryptocreatecipheralgorithm-password-options)       |            | Deprecated, use `createCipheriv` instead   |
-| [createCipheriv](https://nodejs.org/api/crypto.html#cryptocreatecipherivalgorithm-key-iv-options)     |            |                                            |
-| [createDecipher](https://nodejs.org/api/crypto.html#cryptocreatedecipheralgorithm-password-options)   |            | Deprecated, use `createDecipheriv` instead |
-| [createDecipheriv](https://nodejs.org/api/crypto.html#cryptocreatedecipherivalgorithm-key-iv-options) |            |                                            |
-| [privateDecrypt](https://nodejs.org/api/crypto.html#cryptoprivatedecryptprivatekey-buffer)            |            |                                            |
-| [privateEncrypt](https://nodejs.org/api/crypto.html#cryptoprivateencryptprivatekey-buffer)            |            |                                            |
-| [publicDecrypt](https://nodejs.org/api/crypto.html#cryptopublicdecryptkey-buffer)                     |            |                                            |
-| [publicEncrypt](https://nodejs.org/api/crypto.html#cryptopublicencryptkey-buffer)                     |            |                                            |
-
-## DiffieHellman
-
-| API                                                                                                                                       | Supported? | Notes |
-| ----------------------------------------------------------------------------------------------------------------------------------------- | ---------- | ----- |
-| [createDiffieHellman(prime)](https://nodejs.org/api/crypto.html#cryptocreatediffiehellmanprime-primeencoding-generator-generatorencoding) | ✅         |       |
-| [createDiffieHellman(primeLength)](https://nodejs.org/api/crypto.html#cryptocreatediffiehellmanprimelength-generator)                     | ✅         |       |
-| [createDiffieHellmanGroup](https://nodejs.org/api/crypto.html#cryptocreatediffiehellmangroupname)                                         | ✅         |       |
-| [createECDH](https://nodejs.org/api/crypto.html#cryptocreateecdhcurvename)                                                                |            |       |
-| [diffieHellman](https://nodejs.org/api/crypto.html#cryptodiffiehellmanoptions)                                                            |            |       |
-| [getDiffieHellman](https://nodejs.org/api/crypto.html#cryptogetdiffiehellmangroupname)                                                    | ✅         |       |
-
-## Hash
-
-| API                                                                                    | Supported? | Notes |
-| -------------------------------------------------------------------------------------- | ---------- | ----- |
-| [createHash](https://nodejs.org/api/crypto.html#cryptocreatehashalgorithm-options)     | ✅         |       |
-| [createHmac](https://nodejs.org/api/crypto.html#cryptocreatehmacalgorithm-key-options) | ✅         |       |
-| [getHashes](https://nodejs.org/api/crypto.html#cryptogethashes)                        | ✅         |       |
-
-## Keys
-
-| API                                                                                              | Supported? | Notes |
-| ------------------------------------------------------------------------------------------------ | ---------- | ----- |
-| [createPrivateKey](https://nodejs.org/api/crypto.html#cryptocreateprivatekeykey)                 |   ✅        |       |
-| [createPublicKey](https://nodejs.org/api/crypto.html#cryptocreatepublickeykey)                   |   ✅        |       |
-| [createSecretKey](https://nodejs.org/api/crypto.html#cryptocreatesecretkeykey-encoding)          |   ✅        |       |
-| [generateKey](https://nodejs.org/api/crypto.html#cryptogeneratekeytype-options-callback)         |   ✅        |       |
-| [generateKeyPair](https://nodejs.org/api/crypto.html#cryptogeneratekeypairtype-options-callback) |   ✅        | Does not support DSA or DH key pairs |
-| [generateKeyPairSync](https://nodejs.org/api/crypto.html#cryptogeneratekeypairsynctype-options)  |   ✅        | Does not support DSA or DH key pairs |
-| [generateKeySync](https://nodejs.org/api/crypto.html#cryptogeneratekeysynctype-options)          |   ✅        |       |
-
-## Sign/Verify
-
-| API                                                                                            | Supported? | Notes |
-| ---------------------------------------------------------------------------------------------- | ---------- | ----- |
-| [createSign](https://nodejs.org/api/crypto.html#cryptocreatesignalgorithm-options)             |            |       |
-| [createVerify](https://nodejs.org/api/crypto.html#cryptocreateverifyalgorithm-options)         |            |       |
-| [sign](https://nodejs.org/api/crypto.html#cryptosignalgorithm-data-key-callback)               |            |       |
-| [verify](https://nodejs.org/api/crypto.html#cryptoverifyalgorithm-data-key-signature-callback) |            |       |
-
-## Misc
-
-| API                                                                                      | Supported? | Notes |
-| ---------------------------------------------------------------------------------------- | ---------- | ----- |
-| [getCipherInfo](https://nodejs.org/api/crypto.html#cryptogetcipherinfonameornid-options) |            |       |
-| [getCiphers](https://nodejs.org/api/crypto.html#cryptogetciphers)                        | ✅         |       |
-| [getCurves](https://nodejs.org/api/crypto.html#cryptogetcurves)                          | ✅         |       |
-| [secureHeapUsed](https://nodejs.org/api/crypto.html#cryptosecureheapused)                | ✅         |       |
-| [setEngine](https://nodejs.org/api/crypto.html#cryptosetengineengine-flags)              | ✅         |       |
-| [timingSafeEqual](https://nodejs.org/api/crypto.html#cryptotimingsafeequala-b)           | ✅         |       |
-
-## Fips
-
-| API                                                             | Supported? | Notes                               |
-| --------------------------------------------------------------- | ---------- | ----------------------------------- |
-| [getFips](https://nodejs.org/api/crypto.html#cryptogetfips)     | ✅         |                                     |
-| [fips](https://nodejs.org/api/crypto.html#cryptofips)           | ✅         | Deprecated, use `getFips()` instead |
-| [setFips](https://nodejs.org/api/crypto.html#cryptosetfipsbool) | ✅         |                                     |
-
-## Random
-
-| API                                                                                          | Supported? | Notes |
-| -------------------------------------------------------------------------------------------- | ---------- | ----- |
-| [getRandomValues](https://nodejs.org/api/crypto.html#cryptogetrandomvaluestypedarray)        | ✅         |       |
-| [randomBytes](https://nodejs.org/api/crypto.html#cryptorandombytessize-callback)             | ✅         |       |
-| [randomFillSync](https://nodejs.org/api/crypto.html#cryptorandomfillsyncbuffer-offset-size)  | ✅         |       |
-| [randomFill](https://nodejs.org/api/crypto.html#cryptorandomfillbuffer-offset-size-callback) | ✅         |       |
-| [randomInt](https://nodejs.org/api/crypto.html#cryptorandomintmin-max-callback)              | ✅         |       |
-| [randomUUID](https://nodejs.org/api/crypto.html#cryptorandomuuidoptions)                     | ✅         |       |
-
-## Key Derivation
-
-| API                                                                                                          | Supported? | Notes                          |
-| ------------------------------------------------------------------------------------------------------------ | ---------- | ------------------------------ |
-| [hkdf](https://nodejs.org/api/crypto.html#cryptohkdfdigest-ikm-salt-info-keylen-callback)                    | ✅         | Does not yet support KeyObject |
-| [hkdfSync](https://nodejs.org/api/crypto.html#cryptohkdfsyncdigest-ikm-salt-info-keylen)                     | ✅         | Does not yet support KeyObject |
-| [pbkdf2](https://nodejs.org/api/crypto.html#cryptopbkdf2password-salt-iterations-keylen-digest-callback)     | ✅         |                                |
-| [pbkdf2Sync](https://nodejs.org/api/crypto.html#cryptopbkdf2password-salt-iterations-keylen-digest-callback) | ✅         |                                |
-| [scrypt](https://nodejs.org/api/crypto.html#cryptoscryptpassword-salt-keylen-options-callback)               | ✅         |                                |
-| [scryptSync](https://nodejs.org/api/crypto.html#cryptoscryptsyncpassword-salt-keylen-options)                | ✅         |                                |
-
-## WebCrypto
-
-| API                                                       | Supported? | Notes |
-| --------------------------------------------------------- | ---------- | ----- |
-| [subtle](https://nodejs.org/api/crypto.html#cryptosubtle) | ✅         |       |
-| [webcrypto](https://nodejs.org/api/crypto.html#)          | ✅         |       |
+The [WebCrypto API](/workers/runtime-apis/web-crypto/) is also available within Cloudflare Workers. This does not
+require the `nodejs_compat` compatibility flag.
diff --git a/src/content/docs/workers/runtime-apis/nodejs/tls.mdx b/src/content/docs/workers/runtime-apis/nodejs/tls.mdx
@@ -0,0 +1,43 @@
+---
+pcx_content_type: configuration
+title: tls
+---
+
+import { Render, TypeScriptExample } from "~/components";
+
+<Render file="nodejs-compat-howto" />
+
+You can use [`node:tls`](https://nodejs.org/api/tls.html) to create secure connections to
+external services using [TLS](https://developer.mozilla.org/en-US/docs/Web/Security/Transport_Layer_Security) (Transport Layer Security).
+
+```js
+import { connect } from "node:tls";
+
+// ... in a request handler ...
+const connectionOptions = { key: env.KEY, cert: env.CERT };
+const socket = connect(url, connectionOptions, () => {
+	if (socket.authorized) {
+		console.log("Connection authorized");
+	}
+});
+
+socket.on("data", (data) => {
+	console.log(data);
+});
+
+socket.on("end", () => {
+	console.log("server ends connection");
+});
+```
+
+The following APIs are available:
+
+- [`connect`](https://nodejs.org/api/tls.html#tlsconnectoptions-callback)
+- [`TLSSocket`](https://nodejs.org/api/tls.html#class-tlstlssocket)
+- [`checkServerIdentity`](https://nodejs.org/api/tls.html#tlscheckserveridentityhostname-cert)
+- [`createSecureContext`](https://nodejs.org/api/tls.html#tlscreatesecurecontextoptions)
+
+All other APIs, including [`tls.Server`](https://nodejs.org/api/tls.html#class-tlsserver) and [`tls.createServer`](https://nodejs.org/api/tls.html#tlscreateserveroptions-secureconnectionlistener),
+are not supported and will throw a `Not implemented` error when called.
+
+The full `node:tls` API is documented in the [Node.js documentation for `node:tls`](https://nodejs.org/api/tls.html).
