extract magic number into constant and make use of cert we have

tadjik1 · tadjik1 · commit b3c05d186553 · 2026-02-26T13:31:48.000+01:00
diff --git a/src/cmap/connect.ts b/src/cmap/connect.ts
@@ -281,6 +281,14 @@ export async function prepareHandshakeDocument(
   return handshakeDoc;
 }
 
+/**
+ * Default TCP keepAlive initial delay in milliseconds.
+ * Set to half the Azure load balancer idle timeout (240s) to ensure
+ * probes fire well before cloud LBs (Azure, AWS PrivateLink/NLB)
+ * drop idle connections.
+ * */
+const DEFAULT_KEEP_ALIVE_INITIAL_DELAY_MS = 120_000;
+
 /** @public */
 export const LEGAL_TLS_SOCKET_OPTIONS = [
   'allowPartialTrustChain',
@@ -324,7 +332,7 @@ function parseConnectOptions(options: ConnectionOptions): SocketConnectOpts {
       (result as Document)[name] = options[name];
     }
   }
-  result.keepAliveInitialDelay ??= 120000;
+  result.keepAliveInitialDelay ??= DEFAULT_KEEP_ALIVE_INITIAL_DELAY_MS;
   result.keepAlive = true;
   result.noDelay = options.noDelay ?? true;
 
@@ -370,6 +378,9 @@ export async function makeSocket(options: MakeConnectionOptions): Promise<Stream
   const useTLS = options.tls ?? false;
   const connectTimeoutMS = options.connectTimeoutMS ?? 30000;
   const existingSocket = options.existingSocket;
+  const keepAliveInitialDelay =
+    options.keepAliveInitialDelay ?? DEFAULT_KEEP_ALIVE_INITIAL_DELAY_MS;
+  const noDelay = options.noDelay ?? true;
 
   let socket: Stream;
 
@@ -396,8 +407,11 @@ export async function makeSocket(options: MakeConnectionOptions): Promise<Stream
     socket = net.createConnection(parseConnectOptions(options));
   }
 
-  socket.setKeepAlive(true, options.keepAliveInitialDelay ?? 120_000);
-  socket.setNoDelay(options.noDelay ?? true);
+  // Explicit setKeepAlive/setNoDelay are required because tls.connect() silently
+  // ignores these constructor due to a Node.js bug.
+  // See: https://github.com/nodejs/node/issues/62003
+  socket.setKeepAlive(true, keepAliveInitialDelay);
+  socket.setNoDelay(noDelay);
   socket.setTimeout(connectTimeoutMS);
 
   let cancellationHandler: ((err: Error) => void) | null = null;
diff --git a/test/unit/cmap/connect.test.ts b/test/unit/cmap/connect.test.ts
@@ -1,7 +1,7 @@
 import { expect } from 'chai';
-import { execSync } from 'child_process';
-import * as crypto from 'crypto';
+import * as fs from 'fs';
 import * as net from 'net';
+import * as path from 'path';
 import * as process from 'process';
 import * as sinon from 'sinon';
 import * as tls from 'tls';
@@ -459,24 +459,26 @@ describe('Connect Tests', function () {
     // TLS sockets created by tls.connect() do not honor keepAlive/noDelay constructor
     // options due to a Node.js bug (options are not forwarded to the net.Socket constructor).
     // The driver must call setKeepAlive/setNoDelay explicitly on all sockets.
-    // See: https://github.com/nodejs/node/issues/...
+    // See: https://github.com/nodejs/node/issues/62003
 
     let tlsServer: tls.Server;
     let tlsPort: number;
     let setKeepAliveSpy: sinon.SinonSpy;
     let setNoDelaySpy: sinon.SinonSpy;
 
+    const serverPem = fs.readFileSync(
+      path.join(__dirname, '../../integration/auth/ssl/server.pem')
+    );
+
     before(function (done) {
-      const { privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
-      const key = privateKey.export({ type: 'pkcs8', format: 'pem' });
-      const cert = execSync(
-        'openssl req -new -x509 -key /dev/stdin -out /dev/stdout -days 1 -subj /CN=localhost -batch 2>/dev/null',
-        { input: key }
-      ).toString();
-
-      tlsServer = tls.createServer({ key, cert }, () => {
-        /* empty */
-      });
+      // @SECLEVEL=0 allows the legacy test certificate (signed with SHA-1/1024-bit RSA)
+      // to be accepted by OpenSSL 3.x, which rejects at the default security level.
+      tlsServer = tls.createServer(
+        { key: serverPem, cert: serverPem, ciphers: 'DEFAULT:@SECLEVEL=0' },
+        () => {
+          /* empty */
+        }
+      );
       tlsServer.listen(0, '127.0.0.1', () => {
         tlsPort = (tlsServer.address() as net.AddressInfo).port;
         done();
@@ -501,7 +503,8 @@ describe('Connect Tests', function () {
         const socket = await makeSocket({
           hostAddress: new HostAddress(`127.0.0.1:${tlsPort}`),
           tls: true,
-          rejectUnauthorized: false
+          rejectUnauthorized: false,
+          ciphers: 'DEFAULT:@SECLEVEL=0'
         } as ConnectionOptions);
 
         try {
@@ -516,6 +519,7 @@ describe('Connect Tests', function () {
           hostAddress: new HostAddress(`127.0.0.1:${tlsPort}`),
           tls: true,
           rejectUnauthorized: false,
+          ciphers: 'DEFAULT:@SECLEVEL=0',
           keepAliveInitialDelay: 5000
         } as ConnectionOptions);
 
@@ -530,7 +534,8 @@ describe('Connect Tests', function () {
         const socket = await makeSocket({
           hostAddress: new HostAddress(`127.0.0.1:${tlsPort}`),
           tls: true,
-          rejectUnauthorized: false
+          rejectUnauthorized: false,
+          ciphers: 'DEFAULT:@SECLEVEL=0'
         } as ConnectionOptions);
 
         try {
