undici or node native fetch is not working with mTLS #4034

Open
sibelius opened this issue Jan 29, 2025 · 8 comments
Labels
bug Something isn't working

Comments

@sibelius

sibelius commented Jan 29, 2025

Bug Description

this works with node-fetch

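```js
import https from 'https';

// key and cert: the client's private key and certificate, loaded elsewhere
const agent = new https.Agent({
  key,
  cert,
  rejectUnauthorized: false, // skips verification of the server certificate
  keepAlive: true,
});
```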

this does not work

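```js
import { Agent } from 'undici';

// Used as the `dispatcher` option of the request; TLS settings go under `connect`
const dispatcher = new Agent({
  connect: {
    cert: cert,
    key: key,
    rejectUnauthorized: false, // skips verification of the server certificate
    keepAlive: true,
  },
});
```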

Reproducible By

You can use this repo https://github.com/sibelius/node-mtls to create cert, key for a server and for a client

Expected Behavior

mTLS should work with undici and node native fetch

Logs & Screenshots

FETCH 604571: request to GET https://endpoint errored - read ECONNRESET

Environment

System:
  OS: Linux 6.8 Ubuntu 24.04.1 LTS 24.04.1 LTS (Noble Numbat)
  CPU: (12) x64 Intel(R) Xeon(R) Platinum 8160 CPU @ 2.10GHz
  Memory: 52.21 GB / 64.00 GB
  Container: Yes
  Shell: 5.2.21 - /bin/bash
Binaries:
  Node: 22.13.0 - ~/.nvm/versions/node/v22.13.0/bin/node
  npm: 10.9.2 - ~/.nvm/versions/node/v22.13.0/bin/npm
  pnpm: 9.15.4 - ~/.nvm/versions/node/v22.13.0/bin/pnpm

Additional context

trying to make undici mTLS work

sibelius added the bug label Jan 29, 2025
@mcollina
Member

I've used https://github.com/platformatic/undici-tls-dispatcher in the past and it worked very well.

@sibelius
Author

this is failing for me

@metcoder95
Member

What is the error output you are seeing?

@sibelius
Author

fetch failed

@metcoder95
Member

yes, but what's the output in the console?

@sibelius
Author

```
FETCH 125142: connecting to endpoint:16522:16522 using https:undefined
FETCH 125142: connecting to endpoint:16522:16522 using https:undefined
FETCH 125142: connected to endpoint:16522:16522 using https:h1
FETCH 125142: connected to endpoint:16522:16522 using https:h1
FETCH 125142: sending request to POST https://endpoint:16522//api/v1/in/54811417/msgs
FETCH 125142: sending request to POST https://endpoint:16522//api/v1/in/54811417/msgs
FETCH 125142: request to POST https://endpoint:16522//api/v1/in/54811417/msgs errored - read ECONNRESET
FETCH 125142: request to POST https://endpoint:16522//api/v1/in/54811417/msgs errored - read ECONNRESET
```

fetch failed

@sibelius
Author

using NODE_DEBUG=undici,fetch

@metcoder95
Member

It seems it is mostly an issue with the way the example was set; if you only use node:https, the example works as expected.

```js
import https from 'node:https';
import fs from 'node:fs';
import { config } from './config';

const port = 3000;

const options = {
  // key: fs.readFileSync('server-private-key.pem', 'utf-8').toString(),
  // cert: fs.readFileSync('server.crt', 'utf-8').toString(),
  // ca: fs.readFileSync('rootCA.crt', 'utf-8').toString(),
  key: fs.readFileSync(config.SERVER_PRIVATE_KEY),
  cert: fs.readFileSync(config.SERVER_CERT),
  ca: fs.readFileSync(config.ROOT_CA_CERT),
  // Ask the client for a certificate during the handshake
  requestCert: true,
  // Do not reject clients whose certificate fails verification against `ca`
  rejectUnauthorized: false,
};

// Debug dump of the TLS options (includes the private key in plain text)
console.log({
  ...options,
  key: options.key.toString(),
  cert: options.cert.toString(),
  ca: options.ca.toString(),
});

const server = https.createServer(options, (req, res) => {
  console.log('hello!');
  res.writeHead(200, { ['content-type']: 'text/plain' });
  res.end('200');
});

server.listen(port, () => {
  console.log(`Server running at https://localhost:${port}`);
});
```
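
The server above sets `requestCert: true` with `rejectUnauthorized: false`, so the handshake completes whether or not the client certificate verifies, and the handler can report what the client actually presented. The following is an added example, not code from this thread or from undici: `describeClientAuth` and `requireClientCert` are hypothetical helper names, and the sockets at the bottom are constructed stand-ins for `req.socket`.

```javascript
// Added example; helper names are hypothetical. Uses only documented
// tls.TLSSocket members: authorized, authorizationError and
// getPeerCertificate() (which returns {} when the peer sent no certificate).
function describeClientAuth(socket) {
  const cert = socket.getPeerCertificate();
  if (!cert || Object.keys(cert).length === 0) {
    return { ok: false, reason: 'no client certificate presented' };
  }
  if (!socket.authorized) {
    // A certificate arrived but did not verify against the server's `ca`.
    return { ok: false, reason: `client certificate not trusted: ${socket.authorizationError}` };
  }
  return { ok: true, subject: cert.subject?.CN, fingerprint256: cert.fingerprint256 };
}

// Wraps a request handler: unverified clients get a logged 401 instead of the
// real response, which `rejectUnauthorized: false` alone would still serve.
function requireClientCert(handler, log = console.error) {
  return (req, res) => {
    const auth = describeClientAuth(req.socket);
    if (!auth.ok) {
      log(`mTLS check failed: ${auth.reason}`);
      res.writeHead(401, { 'content-type': 'text/plain' });
      res.end(auth.reason);
      return;
    }
    req.clientCert = auth; // expose the verified identity to the handler
    handler(req, res);
  };
}

// Constructed stand-ins for req.socket, so the logic runs without real certificates.
const fakeSocket = (cert, authorized, authorizationError) => ({
  authorized,
  authorizationError,
  getPeerCertificate: () => cert,
});
const sampleCert = { subject: { CN: 'client' }, fingerprint256: 'AA:BB' }; // constructed
const SAMPLE_SOCKETS = {
  noCert: fakeSocket({}, false, undefined),
  untrusted: fakeSocket(sampleCert, false, 'UNABLE_TO_VERIFY_LEAF_SIGNATURE'),
  trusted: fakeSocket(sampleCert, true, undefined),
};

for (const [name, socket] of Object.entries(SAMPLE_SOCKETS)) {
  console.log(name, describeClientAuth(socket));
}
// Wiring: https.createServer(options, requireClientCert(handler))
```
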
