node: tls: accept ALPNProtocols for undici compatibility

Author: Kevin

src/node/internal/internal_tls_wrap.ts

@@ -32,7 +32,10 @@ import {
   tryReadStart,
 } from 'node-internal:internal_net';
 import { JSStreamSocket } from 'node-internal:internal_tls_jsstream';
-import { checkServerIdentity } from 'node-internal:internal_tls';
+import {
+  checkServerIdentity,
+  convertALPNProtocols,
+} from 'node-internal:internal_tls';
 import type {
   ConnectionOptions,
   TlsOptions,
@@ -194,8 +197,12 @@ export function TLSSocket(
   }
 
   if (tlsOptions.ALPNProtocols !== undefined) {
-    // Does not apply to Cloudflare Workers.
-    throw new ERR_OPTION_NOT_IMPLEMENTED('options.ALPNProtocols');
+    // connect()/startTls() does not expose ALPN selection yet.
+    // Undici's buildConnector always passes ALPNProtocols for TLS connections,
+    // so rejecting it breaks clients like @elastic/elasticsearch. Accept the
+    // option and preserve Node.js input validation behavior.
+    const normalizedAlpn = { ALPNProtocols: Buffer.alloc(0) };
+    convertALPNProtocols(tlsOptions.ALPNProtocols, normalizedAlpn);
   }
 
   if (tlsOptions.SNICallback !== undefined) {

src/workerd/api/node/tests/tls-nodejs-test.js

@@ -753,6 +753,34 @@ export const testConvertALPNProtocols = {
   },
 };
 
+export const testConnectAcceptsAlpnProtocols = {
+  async test(_ctrl, env) {
+    const socket = tls.connect({
+      port: env.ECHO_SERVER_PORT,
+      ALPNProtocols: ['http/1.1'],
+    });
+
+    await once(socket, 'secureConnect');
+    socket.destroy();
+  },
+};
+
+export const testConnectRejectsInvalidAlpnProtocolLength = {
+  async test() {
+    throws(
+      () =>
+        tls.connect({
+          port: 42,
+          lookup() {},
+          ALPNProtocols: [new String('a').repeat(500)],
+        }),
+      {
+        code: 'ERR_OUT_OF_RANGE',
+      }
+    );
+  },
+};
+
 export const testStartTlsBehaviorOnUpgrade = {
   async test(ctrl, env) {
     const { promise, resolve, reject } = Promise.withResolvers();