`undici Agent` with `connect.rejectUnauthorized: false` doesn't bypass TLS verification

[soundridge]

What version of Bun is running?

1.3.4

What platform is your computer?

macOS arm64

What steps can reproduce the bug?

Description

When using undici's Agent with the connect.rejectUnauthorized: false option, TLS certificate verification is not bypassed in Bun, but works correctly in Node.js.

Environment

• Bun version: 1.3.4
• Node.js version: 22.21.1 (works correctly)
• undici version: 7.16.0
• OS: macOS arm64

Minimal Reproduction

// minimal-repro.js
import { Agent, request } from 'undici';

const agent = new Agent({
  connect: {
    rejectUnauthorized: false,
  },
});

try {
  // Use a public test URL with self-signed certificate
  const result = await request('https://self-signed.badssl.com/', {
    dispatcher: agent,
    method: 'GET',
  });

  await result.body.text();
  console.log('✓ SUCCESS - Status:', result.statusCode);
} catch (err) {
  console.log('✗ FAILED -', err.code, ':', err.message);
}

Result in Node.js:

✓ SUCCESS - Status: 200

Result in Bun:

✗ FAILED - DEPTH_ZERO_SELF_SIGNED_CERT : self signed certificate

minimal-repro.js

package.json

What is the expected behavior?

The rejectUnauthorized: false option should bypass TLS certificate verification in both Node.js and Bun, allowing connections to servers with self-signed or invalid certificates.

What do you see instead?

No response

Additional information

[coderabbitai]

📝 CodeRabbit Plan Mode

Generate an implementation plan and prompts that you can use with your favorite coding agent.

• Create Plan

Examples

• Example 1
• Example 2

🔗 Similar Issues

Possible Duplicates

• mTLS fails for https.request with Agent but works for native fetch #23985

Related Issues

• tls.rejectUnauthorized has no use #22870

🔗 Related PRs

#22331 - Fix crypto.verify() with null/undefined algorithm for RSA keys [merged]
#23195 - fix(Bun.RedisClient) keep it alive when connecting [merged]
#23216 - fix(crypto): hkdf callback should pass null (not undefined) on success [merged]
#23719 - ProxyTunnel: close-delimited responses via proxy cause ECONNRESET [merged]
#24350 - fix(tls) undo some changes added in root_certs [merged]

👤 Suggested Assignees

• robobun
• cirospaciari
• mccoysc
• WarstekHUN
• avarayr

---

🧪 Issue enrichment is currently in early access.

To disable automatic issue enrichment, add the following to your .coderabbit.yaml:

issue_enrichment:
  auto_enrich:
    enabled: false

[github-actions]

Found 3 possible duplicate issues:

1. fetch() in bun executable does not respect rejectUnauthorized: false in custom dispatcher #24376
2. undici.Agent's connect option goes unused, making fetch-socks not work #21492
3. https.Agent does not respect rejectUnauthorized option #10834

This issue will be automatically closed as a duplicate in 3 days.

• If your issue is a duplicate, please close it and 👍 the existing issue instead
• To prevent auto-closure, add a comment or 👎 this comment

🤖 Generated with Claude Code