@aligent/cdk-prerender-proxy 0.2.4 → 0.2.5-beta

Files changed (150)
  1. package/lib/handlers/cache-control.ts +7 -20
  2. package/lib/handlers/error-response.ts +8 -51
  3. package/lib/handlers/node_modules/.package-lock.json +32 -3
  4. package/lib/handlers/node_modules/@aligent/cdk-lambda-at-edge-handlers/index.d.ts +6 -0
  5. package/lib/handlers/node_modules/@aligent/cdk-lambda-at-edge-handlers/index.js +14 -0
  6. package/lib/handlers/node_modules/@aligent/cdk-lambda-at-edge-handlers/lib/cache-control.d.ts +3 -0
  7. package/lib/handlers/node_modules/@aligent/cdk-lambda-at-edge-handlers/lib/cache-control.js +24 -0
  8. package/lib/handlers/node_modules/@aligent/cdk-lambda-at-edge-handlers/lib/error-response.d.ts +3 -0
  9. package/lib/handlers/node_modules/@aligent/cdk-lambda-at-edge-handlers/lib/error-response.js +50 -0
  10. package/lib/handlers/node_modules/@aligent/cdk-lambda-at-edge-handlers/lib/prerender-check.d.ts +3 -0
  11. package/lib/handlers/node_modules/@aligent/cdk-lambda-at-edge-handlers/lib/prerender-check.js +28 -0
  12. package/lib/handlers/node_modules/@aligent/cdk-lambda-at-edge-handlers/lib/prerender.d.ts +3 -0
  13. package/lib/handlers/node_modules/@aligent/cdk-lambda-at-edge-handlers/lib/prerender.js +49 -0
  14. package/lib/handlers/node_modules/@aligent/cdk-lambda-at-edge-handlers/lib/redirect.d.ts +3 -0
  15. package/lib/handlers/node_modules/@aligent/cdk-lambda-at-edge-handlers/lib/redirect.js +33 -0
  16. package/lib/handlers/node_modules/@aligent/cdk-lambda-at-edge-handlers/package.json +27 -0
  17. package/lib/handlers/node_modules/@aligent/cdk-lambda-at-edge-handlers/tsconfig.json +3 -0
  18. package/lib/handlers/node_modules/@middy/core/LICENSE +21 -0
  19. package/lib/handlers/node_modules/@middy/core/README.md +65 -0
  20. package/lib/handlers/node_modules/@middy/core/index.cjs +207 -0
  21. package/lib/handlers/node_modules/@middy/core/index.d.ts +91 -0
  22. package/lib/handlers/node_modules/@middy/core/index.js +199 -0
  23. package/lib/handlers/node_modules/@middy/core/package.json +65 -0
  24. package/lib/handlers/node_modules/@types/node/README.md +4 -4
  25. package/lib/handlers/node_modules/@types/node/assert/strict.d.ts +5 -1
  26. package/lib/handlers/node_modules/@types/node/assert.d.ts +904 -67
  27. package/lib/handlers/node_modules/@types/node/async_hooks.d.ts +371 -96
  28. package/lib/handlers/node_modules/@types/node/buffer.d.ts +2199 -25
  29. package/lib/handlers/node_modules/@types/node/child_process.d.ts +1151 -308
  30. package/lib/handlers/node_modules/@types/node/cluster.d.ts +356 -208
  31. package/lib/handlers/node_modules/@types/node/console.d.ts +324 -45
  32. package/lib/handlers/node_modules/@types/node/constants.d.ts +8 -3
  33. package/lib/handlers/node_modules/@types/node/crypto.d.ts +3230 -846
  34. package/lib/handlers/node_modules/@types/node/dgram.d.ts +478 -74
  35. package/lib/handlers/node_modules/@types/node/diagnostics_channel.d.ts +153 -0
  36. package/lib/handlers/node_modules/@types/node/dns/promises.d.ts +308 -35
  37. package/lib/handlers/node_modules/@types/node/dns.d.ts +444 -107
  38. package/lib/handlers/node_modules/@types/node/dom-events.d.ts +126 -0
  39. package/lib/handlers/node_modules/@types/node/domain.d.ts +162 -16
  40. package/lib/handlers/node_modules/@types/node/events.d.ts +624 -39
  41. package/lib/handlers/node_modules/@types/node/fs/promises.d.ts +911 -365
  42. package/lib/handlers/node_modules/@types/node/fs.d.ts +2611 -978
  43. package/lib/handlers/node_modules/@types/node/globals.d.ts +66 -421
  44. package/lib/handlers/node_modules/@types/node/globals.global.d.ts +1 -1
  45. package/lib/handlers/node_modules/@types/node/http.d.ts +1416 -199
  46. package/lib/handlers/node_modules/@types/node/http2.d.ts +1688 -530
  47. package/lib/handlers/node_modules/@types/node/https.d.ts +532 -26
  48. package/lib/handlers/node_modules/@types/node/index.d.ts +92 -16
  49. package/lib/handlers/node_modules/@types/node/inspector.d.ts +511 -811
  50. package/lib/handlers/node_modules/@types/node/module.d.ts +75 -13
  51. package/lib/handlers/node_modules/@types/node/net.d.ts +710 -167
  52. package/lib/handlers/node_modules/@types/node/os.d.ts +252 -25
  53. package/lib/handlers/node_modules/@types/node/package.json +30 -25
  54. package/lib/handlers/node_modules/@types/node/path.d.ts +59 -31
  55. package/lib/handlers/node_modules/@types/node/perf_hooks.d.ts +420 -105
  56. package/lib/handlers/node_modules/@types/node/process.d.ts +1249 -228
  57. package/lib/handlers/node_modules/@types/node/punycode.d.ts +67 -25
  58. package/lib/handlers/node_modules/@types/node/querystring.d.ts +113 -10
  59. package/lib/handlers/node_modules/@types/node/readline/promises.d.ts +143 -0
  60. package/lib/handlers/node_modules/@types/node/readline.d.ts +570 -109
  61. package/lib/handlers/node_modules/@types/node/repl.d.ts +154 -125
  62. package/lib/handlers/node_modules/@types/node/stream/consumers.d.ts +12 -0
  63. package/lib/handlers/node_modules/@types/node/stream/promises.d.ts +18 -43
  64. package/lib/handlers/node_modules/@types/node/stream/web.d.ts +330 -0
  65. package/lib/handlers/node_modules/@types/node/stream.d.ts +1117 -248
  66. package/lib/handlers/node_modules/@types/node/string_decoder.d.ts +60 -0
  67. package/lib/handlers/node_modules/@types/node/test.d.ts +446 -0
  68. package/lib/handlers/node_modules/@types/node/timers/promises.d.ts +81 -9
  69. package/lib/handlers/node_modules/@types/node/timers.d.ts +84 -17
  70. package/lib/handlers/node_modules/@types/node/tls.d.ts +510 -275
  71. package/lib/handlers/node_modules/@types/node/trace_events.d.ts +120 -10
  72. package/lib/handlers/node_modules/@types/node/ts4.8/assert/strict.d.ts +8 -0
  73. package/lib/handlers/node_modules/@types/node/ts4.8/assert.d.ts +961 -0
  74. package/lib/handlers/node_modules/@types/node/ts4.8/async_hooks.d.ts +501 -0
  75. package/lib/handlers/node_modules/@types/node/ts4.8/buffer.d.ts +2259 -0
  76. package/lib/handlers/node_modules/@types/node/ts4.8/child_process.d.ts +1369 -0
  77. package/lib/handlers/node_modules/@types/node/ts4.8/cluster.d.ts +410 -0
  78. package/lib/handlers/node_modules/@types/node/ts4.8/console.d.ts +412 -0
  79. package/lib/handlers/node_modules/@types/node/ts4.8/constants.d.ts +18 -0
  80. package/lib/handlers/node_modules/@types/node/ts4.8/crypto.d.ts +3964 -0
  81. package/lib/handlers/node_modules/@types/node/ts4.8/dgram.d.ts +545 -0
  82. package/lib/handlers/node_modules/@types/node/ts4.8/diagnostics_channel.d.ts +153 -0
  83. package/lib/handlers/node_modules/@types/node/ts4.8/dns/promises.d.ts +370 -0
  84. package/lib/handlers/node_modules/@types/node/ts4.8/dns.d.ts +659 -0
  85. package/lib/handlers/node_modules/@types/node/ts4.8/dom-events.d.ts +126 -0
  86. package/lib/handlers/node_modules/@types/node/ts4.8/domain.d.ts +170 -0
  87. package/lib/handlers/node_modules/@types/node/ts4.8/events.d.ts +678 -0
  88. package/lib/handlers/node_modules/@types/node/ts4.8/fs/promises.d.ts +1138 -0
  89. package/lib/handlers/node_modules/@types/node/ts4.8/fs.d.ts +3872 -0
  90. package/lib/handlers/node_modules/@types/node/ts4.8/globals.d.ts +294 -0
  91. package/lib/handlers/node_modules/@types/node/ts4.8/globals.global.d.ts +1 -0
  92. package/lib/handlers/node_modules/@types/node/ts4.8/http.d.ts +1651 -0
  93. package/lib/handlers/node_modules/@types/node/ts4.8/http2.d.ts +2134 -0
  94. package/lib/handlers/node_modules/@types/node/ts4.8/https.d.ts +542 -0
  95. package/lib/handlers/node_modules/@types/node/ts4.8/index.d.ts +88 -0
  96. package/lib/handlers/node_modules/@types/node/ts4.8/inspector.d.ts +2741 -0
  97. package/lib/handlers/node_modules/@types/node/ts4.8/module.d.ts +114 -0
  98. package/lib/handlers/node_modules/@types/node/ts4.8/net.d.ts +869 -0
  99. package/lib/handlers/node_modules/@types/node/ts4.8/os.d.ts +466 -0
  100. package/lib/handlers/node_modules/@types/node/ts4.8/path.d.ts +191 -0
  101. package/lib/handlers/node_modules/@types/node/ts4.8/perf_hooks.d.ts +625 -0
  102. package/lib/handlers/node_modules/@types/node/ts4.8/process.d.ts +1482 -0
  103. package/lib/handlers/node_modules/@types/node/ts4.8/punycode.d.ts +117 -0
  104. package/lib/handlers/node_modules/@types/node/ts4.8/querystring.d.ts +131 -0
  105. package/lib/handlers/node_modules/@types/node/ts4.8/readline/promises.d.ts +143 -0
  106. package/lib/handlers/node_modules/@types/node/ts4.8/readline.d.ts +653 -0
  107. package/lib/handlers/node_modules/@types/node/ts4.8/repl.d.ts +424 -0
  108. package/lib/handlers/node_modules/@types/node/ts4.8/stream/consumers.d.ts +12 -0
  109. package/lib/handlers/node_modules/@types/node/ts4.8/stream/promises.d.ts +42 -0
  110. package/lib/handlers/node_modules/@types/node/ts4.8/stream/web.d.ts +330 -0
  111. package/lib/handlers/node_modules/@types/node/ts4.8/stream.d.ts +1340 -0
  112. package/lib/handlers/node_modules/@types/node/ts4.8/string_decoder.d.ts +67 -0
  113. package/lib/handlers/node_modules/@types/node/ts4.8/test.d.ts +446 -0
  114. package/lib/handlers/node_modules/@types/node/ts4.8/timers/promises.d.ts +93 -0
  115. package/lib/handlers/node_modules/@types/node/ts4.8/timers.d.ts +94 -0
  116. package/lib/handlers/node_modules/@types/node/ts4.8/tls.d.ts +1028 -0
  117. package/lib/handlers/node_modules/@types/node/ts4.8/trace_events.d.ts +171 -0
  118. package/lib/handlers/node_modules/@types/node/ts4.8/tty.d.ts +206 -0
  119. package/lib/handlers/node_modules/@types/node/ts4.8/url.d.ts +897 -0
  120. package/lib/handlers/node_modules/@types/node/ts4.8/util.d.ts +1926 -0
  121. package/lib/handlers/node_modules/@types/node/ts4.8/v8.d.ts +396 -0
  122. package/lib/handlers/node_modules/@types/node/ts4.8/vm.d.ts +509 -0
  123. package/lib/handlers/node_modules/@types/node/ts4.8/wasi.d.ts +158 -0
  124. package/lib/handlers/node_modules/@types/node/ts4.8/worker_threads.d.ts +689 -0
  125. package/lib/handlers/node_modules/@types/node/ts4.8/zlib.d.ts +517 -0
  126. package/lib/handlers/node_modules/@types/node/tty.d.ts +163 -23
  127. package/lib/handlers/node_modules/@types/node/url.d.ts +825 -44
  128. package/lib/handlers/node_modules/@types/node/util.d.ts +1842 -72
  129. package/lib/handlers/node_modules/@types/node/v8.d.ts +276 -78
  130. package/lib/handlers/node_modules/@types/node/vm.d.ts +410 -53
  131. package/lib/handlers/node_modules/@types/node/wasi.d.ts +102 -30
  132. package/lib/handlers/node_modules/@types/node/worker_threads.d.ts +559 -152
  133. package/lib/handlers/node_modules/@types/node/zlib.d.ts +234 -78
  134. package/lib/handlers/node_modules/esbuild/README.md +3 -0
  135. package/lib/handlers/node_modules/esbuild/bin/esbuild +0 -0
  136. package/lib/handlers/node_modules/esbuild/install.js +256 -0
  137. package/lib/handlers/node_modules/esbuild/lib/main.d.ts +397 -0
  138. package/lib/handlers/node_modules/esbuild/lib/main.js +1939 -0
  139. package/lib/handlers/node_modules/esbuild/package.json +15 -0
  140. package/lib/handlers/package-lock.json +62 -6
  141. package/lib/handlers/package.json +6 -1
  142. package/lib/handlers/prerender-check.ts +8 -27
  143. package/lib/handlers/prerender.ts +8 -43
  144. package/package.json +1 -1
  145. package/lib/handlers/node_modules/@types/node/base.d.ts +0 -19
  146. package/lib/handlers/node_modules/@types/node/diagnostic_channel.d.ts +0 -34
  147. package/lib/handlers/node_modules/@types/node/ts3.6/assert.d.ts +0 -98
  148. package/lib/handlers/node_modules/@types/node/ts3.6/base.d.ts +0 -68
  149. package/lib/handlers/node_modules/@types/node/ts3.6/index.d.ts +0 -7
  150. package/lib/handlers/node_modules/@types/node/util/types.d.ts +0 -53
@@ -1,10 +1,19 @@
1
+ /**
2
+ * The `tls` module provides an implementation of the Transport Layer Security
3
+ * (TLS) and Secure Socket Layer (SSL) protocols that is built on top of OpenSSL.
4
+ * The module can be accessed using:
5
+ *
6
+ * ```js
7
+ * const tls = require('tls');
8
+ * ```
9
+ * @see [source](https://github.com/nodejs/node/blob/v18.0.0/lib/tls.js)
10
+ */
1
11
  declare module 'tls' {
2
- import { X509Certificate } from 'crypto';
3
- import * as net from 'net';
4
-
12
+ import { X509Certificate } from 'node:crypto';
13
+ import * as net from 'node:net';
14
+ import * as stream from 'stream';
5
15
  const CLIENT_RENEG_LIMIT: number;
6
16
  const CLIENT_RENEG_WINDOW: number;
7
-
8
17
  interface Certificate {
9
18
  /**
10
19
  * Country code.
@@ -31,7 +40,6 @@ declare module 'tls' {
31
40
  */
32
41
  CN: string;
33
42
  }
34
-
35
43
  interface PeerCertificate {
36
44
  subject: Certificate;
37
45
  issuer: Certificate;
@@ -47,11 +55,9 @@ declare module 'tls' {
47
55
  serialNumber: string;
48
56
  raw: Buffer;
49
57
  }
50
-
51
58
  interface DetailedPeerCertificate extends PeerCertificate {
52
59
  issuerCertificate: DetailedPeerCertificate;
53
60
  }
54
-
55
61
  interface CipherNameAndProtocol {
56
62
  /**
57
63
  * The cipher name.
@@ -61,13 +67,11 @@ declare module 'tls' {
61
67
  * SSL/TLS protocol version.
62
68
  */
63
69
  version: string;
64
-
65
70
  /**
66
71
  * IETF name for the cipher suite.
67
72
  */
68
73
  standardName: string;
69
74
  }
70
-
71
75
  interface EphemeralKeyInfo {
72
76
  /**
73
77
  * The supported types are 'DH' and 'ECDH'.
@@ -76,13 +80,12 @@ declare module 'tls' {
76
80
  /**
77
81
  * The name property is available only when type is 'ECDH'.
78
82
  */
79
- name?: string;
83
+ name?: string | undefined;
80
84
  /**
81
85
  * The size of parameter of an ephemeral key exchange.
82
86
  */
83
87
  size: number;
84
88
  }
85
-
86
89
  interface KeyObject {
87
90
  /**
88
91
  * Private keys in PEM format.
@@ -91,9 +94,8 @@ declare module 'tls' {
91
94
  /**
92
95
  * Optional passphrase.
93
96
  */
94
- passphrase?: string;
97
+ passphrase?: string | undefined;
95
98
  }
96
-
97
99
  interface PxfObject {
98
100
  /**
99
101
  * PFX or PKCS12 encoded private key and certificate chain.
@@ -102,278 +104,347 @@ declare module 'tls' {
102
104
  /**
103
105
  * Optional passphrase.
104
106
  */
105
- passphrase?: string;
107
+ passphrase?: string | undefined;
106
108
  }
107
-
108
109
  interface TLSSocketOptions extends SecureContextOptions, CommonConnectionOptions {
109
110
  /**
110
111
  * If true the TLS socket will be instantiated in server-mode.
111
112
  * Defaults to false.
112
113
  */
113
- isServer?: boolean;
114
+ isServer?: boolean | undefined;
114
115
  /**
115
116
  * An optional net.Server instance.
116
117
  */
117
- server?: net.Server;
118
-
118
+ server?: net.Server | undefined;
119
119
  /**
120
120
  * An optional Buffer instance containing a TLS session.
121
121
  */
122
- session?: Buffer;
122
+ session?: Buffer | undefined;
123
123
  /**
124
124
  * If true, specifies that the OCSP status request extension will be
125
125
  * added to the client hello and an 'OCSPResponse' event will be
126
126
  * emitted on the socket before establishing a secure communication
127
127
  */
128
- requestOCSP?: boolean;
128
+ requestOCSP?: boolean | undefined;
129
129
  }
130
-
130
+ /**
131
+ * Performs transparent encryption of written data and all required TLS
132
+ * negotiation.
133
+ *
134
+ * Instances of `tls.TLSSocket` implement the duplex `Stream` interface.
135
+ *
136
+ * Methods that return TLS connection metadata (e.g.{@link TLSSocket.getPeerCertificate} will only return data while the
137
+ * connection is open.
138
+ * @since v0.11.4
139
+ */
131
140
  class TLSSocket extends net.Socket {
132
141
  /**
133
142
  * Construct a new tls.TLSSocket object from an existing TCP socket.
134
143
  */
135
144
  constructor(socket: net.Socket, options?: TLSSocketOptions);
136
-
137
145
  /**
138
- * A boolean that is true if the peer certificate was signed by one of the specified CAs, otherwise false.
146
+ * This property is `true` if the peer certificate was signed by one of the CAs
147
+ * specified when creating the `tls.TLSSocket` instance, otherwise `false`.
148
+ * @since v0.11.4
139
149
  */
140
150
  authorized: boolean;
141
151
  /**
142
- * The reason why the peer's certificate has not been verified.
143
- * This property becomes available only when tlsSocket.authorized === false.
152
+ * Returns the reason why the peer's certificate was not been verified. This
153
+ * property is set only when `tlsSocket.authorized === false`.
154
+ * @since v0.11.4
144
155
  */
145
156
  authorizationError: Error;
146
157
  /**
147
- * Static boolean value, always true.
148
- * May be used to distinguish TLS sockets from regular ones.
158
+ * Always returns `true`. This may be used to distinguish TLS sockets from regular`net.Socket` instances.
159
+ * @since v0.11.4
149
160
  */
150
- encrypted: boolean;
151
-
161
+ encrypted: true;
152
162
  /**
153
163
  * String containing the selected ALPN protocol.
154
- * When ALPN has no selected protocol, tlsSocket.alpnProtocol equals false.
164
+ * Before a handshake has completed, this value is always null.
165
+ * When a handshake is completed but not ALPN protocol was selected, tlsSocket.alpnProtocol equals false.
155
166
  */
156
- alpnProtocol?: string;
157
-
167
+ alpnProtocol: string | false | null;
158
168
  /**
159
- * Returns an object representing the local certificate. The returned
160
- * object has some properties corresponding to the fields of the
161
- * certificate.
169
+ * Returns an object representing the local certificate. The returned object has
170
+ * some properties corresponding to the fields of the certificate.
162
171
  *
163
- * See tls.TLSSocket.getPeerCertificate() for an example of the
164
- * certificate structure.
172
+ * See {@link TLSSocket.getPeerCertificate} for an example of the certificate
173
+ * structure.
165
174
  *
166
- * If there is no local certificate, an empty object will be returned.
167
- * If the socket has been destroyed, null will be returned.
175
+ * If there is no local certificate, an empty object will be returned. If the
176
+ * socket has been destroyed, `null` will be returned.
177
+ * @since v11.2.0
168
178
  */
169
179
  getCertificate(): PeerCertificate | object | null;
170
180
  /**
171
- * Returns an object representing the cipher name and the SSL/TLS protocol version of the current connection.
172
- * @returns Returns an object representing the cipher name
173
- * and the SSL/TLS protocol version of the current connection.
181
+ * Returns an object containing information on the negotiated cipher suite.
182
+ *
183
+ * For example:
184
+ *
185
+ * ```json
186
+ * {
187
+ * "name": "AES128-SHA256",
188
+ * "standardName": "TLS_RSA_WITH_AES_128_CBC_SHA256",
189
+ * "version": "TLSv1.2"
190
+ * }
191
+ * ```
192
+ *
193
+ * See [SSL\_CIPHER\_get\_name](https://www.openssl.org/docs/man1.1.1/man3/SSL_CIPHER_get_name.html) for more information.
194
+ * @since v0.11.4
174
195
  */
175
196
  getCipher(): CipherNameAndProtocol;
176
197
  /**
177
- * Returns an object representing the type, name, and size of parameter
178
- * of an ephemeral key exchange in Perfect Forward Secrecy on a client
198
+ * Returns an object representing the type, name, and size of parameter of
199
+ * an ephemeral key exchange in `perfect forward secrecy` on a client
179
200
  * connection. It returns an empty object when the key exchange is not
180
- * ephemeral. As this is only supported on a client socket; null is
181
- * returned if called on a server socket. The supported types are 'DH'
182
- * and 'ECDH'. The name property is available only when type is 'ECDH'.
201
+ * ephemeral. As this is only supported on a client socket; `null` is returned
202
+ * if called on a server socket. The supported types are `'DH'` and `'ECDH'`. The`name` property is available only when type is `'ECDH'`.
183
203
  *
184
- * For example: { type: 'ECDH', name: 'prime256v1', size: 256 }.
204
+ * For example: `{ type: 'ECDH', name: 'prime256v1', size: 256 }`.
205
+ * @since v5.0.0
185
206
  */
186
207
  getEphemeralKeyInfo(): EphemeralKeyInfo | object | null;
187
208
  /**
188
- * Returns the latest Finished message that has
189
- * been sent to the socket as part of a SSL/TLS handshake, or undefined
190
- * if no Finished message has been sent yet.
191
- *
192
- * As the Finished messages are message digests of the complete
193
- * handshake (with a total of 192 bits for TLS 1.0 and more for SSL
194
- * 3.0), they can be used for external authentication procedures when
195
- * the authentication provided by SSL/TLS is not desired or is not
196
- * enough.
209
+ * As the `Finished` messages are message digests of the complete handshake
210
+ * (with a total of 192 bits for TLS 1.0 and more for SSL 3.0), they can
211
+ * be used for external authentication procedures when the authentication
212
+ * provided by SSL/TLS is not desired or is not enough.
197
213
  *
198
- * Corresponds to the SSL_get_finished routine in OpenSSL and may be
199
- * used to implement the tls-unique channel binding from RFC 5929.
214
+ * Corresponds to the `SSL_get_finished` routine in OpenSSL and may be used
215
+ * to implement the `tls-unique` channel binding from [RFC 5929](https://tools.ietf.org/html/rfc5929).
216
+ * @since v9.9.0
217
+ * @return The latest `Finished` message that has been sent to the socket as part of a SSL/TLS handshake, or `undefined` if no `Finished` message has been sent yet.
200
218
  */
201
219
  getFinished(): Buffer | undefined;
202
220
  /**
203
- * Returns an object representing the peer's certificate.
204
- * The returned object has some properties corresponding to the field of the certificate.
205
- * If detailed argument is true the full chain with issuer property will be returned,
206
- * if false only the top certificate without issuer property.
207
- * If the peer does not provide a certificate, it returns null or an empty object.
208
- * @param detailed - If true; the full chain with issuer property will be returned.
209
- * @returns An object representing the peer's certificate.
221
+ * Returns an object representing the peer's certificate. If the peer does not
222
+ * provide a certificate, an empty object will be returned. If the socket has been
223
+ * destroyed, `null` will be returned.
224
+ *
225
+ * If the full certificate chain was requested, each certificate will include an`issuerCertificate` property containing an object representing its issuer's
226
+ * certificate.
227
+ * @since v0.11.4
228
+ * @param detailed Include the full certificate chain if `true`, otherwise include just the peer's certificate.
229
+ * @return A certificate object.
210
230
  */
211
231
  getPeerCertificate(detailed: true): DetailedPeerCertificate;
212
232
  getPeerCertificate(detailed?: false): PeerCertificate;
213
233
  getPeerCertificate(detailed?: boolean): PeerCertificate | DetailedPeerCertificate;
214
234
  /**
215
- * Returns the latest Finished message that is expected or has actually
216
- * been received from the socket as part of a SSL/TLS handshake, or
217
- * undefined if there is no Finished message so far.
235
+ * As the `Finished` messages are message digests of the complete handshake
236
+ * (with a total of 192 bits for TLS 1.0 and more for SSL 3.0), they can
237
+ * be used for external authentication procedures when the authentication
238
+ * provided by SSL/TLS is not desired or is not enough.
218
239
  *
219
- * As the Finished messages are message digests of the complete
220
- * handshake (with a total of 192 bits for TLS 1.0 and more for SSL
221
- * 3.0), they can be used for external authentication procedures when
222
- * the authentication provided by SSL/TLS is not desired or is not
223
- * enough.
224
- *
225
- * Corresponds to the SSL_get_peer_finished routine in OpenSSL and may
226
- * be used to implement the tls-unique channel binding from RFC 5929.
240
+ * Corresponds to the `SSL_get_peer_finished` routine in OpenSSL and may be used
241
+ * to implement the `tls-unique` channel binding from [RFC 5929](https://tools.ietf.org/html/rfc5929).
242
+ * @since v9.9.0
243
+ * @return The latest `Finished` message that is expected or has actually been received from the socket as part of a SSL/TLS handshake, or `undefined` if there is no `Finished` message so
244
+ * far.
227
245
  */
228
246
  getPeerFinished(): Buffer | undefined;
229
247
  /**
230
- * Returns a string containing the negotiated SSL/TLS protocol version of the current connection.
231
- * The value `'unknown'` will be returned for connected sockets that have not completed the handshaking process.
232
- * The value `null` will be returned for server sockets or disconnected client sockets.
233
- * See https://www.openssl.org/docs/man1.0.2/ssl/SSL_get_version.html for more information.
234
- * @returns negotiated SSL/TLS protocol version of the current connection
248
+ * Returns a string containing the negotiated SSL/TLS protocol version of the
249
+ * current connection. The value `'unknown'` will be returned for connected
250
+ * sockets that have not completed the handshaking process. The value `null` will
251
+ * be returned for server sockets or disconnected client sockets.
252
+ *
253
+ * Protocol versions are:
254
+ *
255
+ * * `'SSLv3'`
256
+ * * `'TLSv1'`
257
+ * * `'TLSv1.1'`
258
+ * * `'TLSv1.2'`
259
+ * * `'TLSv1.3'`
260
+ *
261
+ * See the OpenSSL [`SSL_get_version`](https://www.openssl.org/docs/man1.1.1/man3/SSL_get_version.html) documentation for more information.
262
+ * @since v5.7.0
235
263
  */
236
264
  getProtocol(): string | null;
237
265
  /**
238
- * Could be used to speed up handshake establishment when reconnecting to the server.
239
- * @returns ASN.1 encoded TLS session or undefined if none was negotiated.
266
+ * Returns the TLS session data or `undefined` if no session was
267
+ * negotiated. On the client, the data can be provided to the `session` option of {@link connect} to resume the connection. On the server, it may be useful
268
+ * for debugging.
269
+ *
270
+ * See `Session Resumption` for more information.
271
+ *
272
+ * Note: `getSession()` works only for TLSv1.2 and below. For TLSv1.3, applications
273
+ * must use the `'session'` event (it also works for TLSv1.2 and below).
274
+ * @since v0.11.4
240
275
  */
241
276
  getSession(): Buffer | undefined;
242
277
  /**
243
- * Returns a list of signature algorithms shared between the server and
244
- * the client in the order of decreasing preference.
278
+ * See [SSL\_get\_shared\_sigalgs](https://www.openssl.org/docs/man1.1.1/man3/SSL_get_shared_sigalgs.html) for more information.
279
+ * @since v12.11.0
280
+ * @return List of signature algorithms shared between the server and the client in the order of decreasing preference.
245
281
  */
246
282
  getSharedSigalgs(): string[];
247
283
  /**
248
- * NOTE: Works only with client TLS sockets.
249
- * Useful only for debugging, for session reuse provide session option to tls.connect().
250
- * @returns TLS session ticket or undefined if none was negotiated.
284
+ * For a client, returns the TLS session ticket if one is available, or`undefined`. For a server, always returns `undefined`.
285
+ *
286
+ * It may be useful for debugging.
287
+ *
288
+ * See `Session Resumption` for more information.
289
+ * @since v0.11.4
251
290
  */
252
291
  getTLSTicket(): Buffer | undefined;
253
292
  /**
254
- * Returns true if the session was reused, false otherwise.
293
+ * See `Session Resumption` for more information.
294
+ * @since v0.5.6
295
+ * @return `true` if the session was reused, `false` otherwise.
255
296
  */
256
297
  isSessionReused(): boolean;
257
298
  /**
258
- * Initiate TLS renegotiation process.
299
+ * The `tlsSocket.renegotiate()` method initiates a TLS renegotiation process.
300
+ * Upon completion, the `callback` function will be passed a single argument
301
+ * that is either an `Error` (if the request failed) or `null`.
259
302
  *
260
- * NOTE: Can be used to request peer's certificate after the secure connection has been established.
261
- * ANOTHER NOTE: When running as the server, socket will be destroyed with an error after handshakeTimeout timeout.
262
- * @param options - The options may contain the following fields: rejectUnauthorized,
263
- * requestCert (See tls.createServer() for details).
264
- * @param callback - callback(err) will be executed with null as err, once the renegotiation
265
- * is successfully completed.
266
- * @return `undefined` when socket is destroy, `false` if negotiaion can't be initiated.
267
- */
268
- renegotiate(options: { rejectUnauthorized?: boolean, requestCert?: boolean }, callback: (err: Error | null) => void): undefined | boolean;
269
- /**
270
- * Set maximum TLS fragment size (default and maximum value is: 16384, minimum is: 512).
271
- * Smaller fragment size decreases buffering latency on the client: large fragments are buffered by
272
- * the TLS layer until the entire fragment is received and its integrity is verified;
273
- * large fragments can span multiple roundtrips, and their processing can be delayed due to packet
274
- * loss or reordering. However, smaller fragments add extra TLS framing bytes and CPU overhead,
275
- * which may decrease overall server throughput.
276
- * @param size - TLS fragment size (default and maximum value is: 16384, minimum is: 512).
277
- * @returns Returns true on success, false otherwise.
303
+ * This method can be used to request a peer's certificate after the secure
304
+ * connection has been established.
305
+ *
306
+ * When running as the server, the socket will be destroyed with an error after`handshakeTimeout` timeout.
307
+ *
308
+ * For TLSv1.3, renegotiation cannot be initiated, it is not supported by the
309
+ * protocol.
310
+ * @since v0.11.8
311
+ * @param callback If `renegotiate()` returned `true`, callback is attached once to the `'secure'` event. If `renegotiate()` returned `false`, `callback` will be called in the next tick with
312
+ * an error, unless the `tlsSocket` has been destroyed, in which case `callback` will not be called at all.
313
+ * @return `true` if renegotiation was initiated, `false` otherwise.
314
+ */
315
+ renegotiate(
316
+ options: {
317
+ rejectUnauthorized?: boolean | undefined;
318
+ requestCert?: boolean | undefined;
319
+ },
320
+ callback: (err: Error | null) => void
321
+ ): undefined | boolean;
322
+ /**
323
+ * The `tlsSocket.setMaxSendFragment()` method sets the maximum TLS fragment size.
324
+ * Returns `true` if setting the limit succeeded; `false` otherwise.
325
+ *
326
+ * Smaller fragment sizes decrease the buffering latency on the client: larger
327
+ * fragments are buffered by the TLS layer until the entire fragment is received
328
+ * and its integrity is verified; large fragments can span multiple roundtrips
329
+ * and their processing can be delayed due to packet loss or reordering. However,
330
+ * smaller fragments add extra TLS framing bytes and CPU overhead, which may
331
+ * decrease overall server throughput.
332
+ * @since v0.11.11
333
+ * @param [size=16384] The maximum TLS fragment size. The maximum value is `16384`.
278
334
  */
279
335
  setMaxSendFragment(size: number): boolean;
280
-
281
336
  /**
282
- * Disables TLS renegotiation for this TLSSocket instance. Once called,
283
- * attempts to renegotiate will trigger an 'error' event on the
284
- * TLSSocket.
337
+ * Disables TLS renegotiation for this `TLSSocket` instance. Once called, attempts
338
+ * to renegotiate will trigger an `'error'` event on the `TLSSocket`.
339
+ * @since v8.4.0
285
340
  */
286
341
  disableRenegotiation(): void;
287
-
288
342
  /**
289
343
  * When enabled, TLS packet trace information is written to `stderr`. This can be
290
344
  * used to debug TLS connection problems.
291
345
  *
292
- * Note: The format of the output is identical to the output of `openssl s_client
293
- * -trace` or `openssl s_server -trace`. While it is produced by OpenSSL's
294
- * `SSL_trace()` function, the format is undocumented, can change without notice,
295
- * and should not be relied on.
346
+ * The format of the output is identical to the output of`openssl s_client -trace` or `openssl s_server -trace`. While it is produced by
347
+ * OpenSSL's `SSL_trace()` function, the format is undocumented, can change
348
+ * without notice, and should not be relied on.
349
+ * @since v12.2.0
296
350
  */
297
351
  enableTrace(): void;
298
-
299
352
  /**
300
- * If there is no peer certificate, or the socket has been destroyed, `undefined` will be returned.
353
+ * Returns the peer certificate as an `X509Certificate` object.
354
+ *
355
+ * If there is no peer certificate, or the socket has been destroyed,`undefined` will be returned.
356
+ * @since v15.9.0
301
357
  */
302
358
  getPeerX509Certificate(): X509Certificate | undefined;
303
-
304
359
  /**
305
- * If there is no local certificate, or the socket has been destroyed, `undefined` will be returned.
360
+ * Returns the local certificate as an `X509Certificate` object.
361
+ *
362
+ * If there is no local certificate, or the socket has been destroyed,`undefined` will be returned.
363
+ * @since v15.9.0
306
364
  */
307
365
  getX509Certificate(): X509Certificate | undefined;
308
-
309
366
  /**
367
+ * Keying material is used for validations to prevent different kind of attacks in
368
+ * network protocols, for example in the specifications of IEEE 802.1X.
369
+ *
370
+ * Example
371
+ *
372
+ * ```js
373
+ * const keyingMaterial = tlsSocket.exportKeyingMaterial(
374
+ * 128,
375
+ * 'client finished');
376
+ *
377
+ * /*
378
+ * Example return value of keyingMaterial:
379
+ * <Buffer 76 26 af 99 c5 56 8e 42 09 91 ef 9f 93 cb ad 6c 7b 65 f8 53 f1 d8 d9
380
+ * 12 5a 33 b8 b5 25 df 7b 37 9f e0 e2 4f b8 67 83 a3 2f cd 5d 41 42 4c 91
381
+ * 74 ef 2c ... 78 more bytes>
382
+ *
383
+ * ```
384
+ *
385
+ * See the OpenSSL [`SSL_export_keying_material`](https://www.openssl.org/docs/man1.1.1/man3/SSL_export_keying_material.html) documentation for more
386
+ * information.
387
+ * @since v13.10.0, v12.17.0
310
388
  * @param length number of bytes to retrieve from keying material
311
- * @param label an application specific label, typically this will be a value from the
312
- * [IANA Exporter Label Registry](https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#exporter-labels).
313
- * @param context optionally provide a context.
389
+ * @param label an application specific label, typically this will be a value from the [IANA Exporter Label
390
+ * Registry](https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#exporter-labels).
391
+ * @param context Optionally provide a context.
392
+ * @return requested bytes of the keying material
314
393
  */
315
394
  exportKeyingMaterial(length: number, label: string, context: Buffer): Buffer;
316
-
317
395
  addListener(event: string, listener: (...args: any[]) => void): this;
318
- addListener(event: "OCSPResponse", listener: (response: Buffer) => void): this;
319
- addListener(event: "secureConnect", listener: () => void): this;
320
- addListener(event: "session", listener: (session: Buffer) => void): this;
321
- addListener(event: "keylog", listener: (line: Buffer) => void): this;
322
-
396
+ addListener(event: 'OCSPResponse', listener: (response: Buffer) => void): this;
397
+ addListener(event: 'secureConnect', listener: () => void): this;
398
+ addListener(event: 'session', listener: (session: Buffer) => void): this;
399
+ addListener(event: 'keylog', listener: (line: Buffer) => void): this;
323
400
  emit(event: string | symbol, ...args: any[]): boolean;
324
- emit(event: "OCSPResponse", response: Buffer): boolean;
325
- emit(event: "secureConnect"): boolean;
326
- emit(event: "session", session: Buffer): boolean;
327
- emit(event: "keylog", line: Buffer): boolean;
328
-
401
+ emit(event: 'OCSPResponse', response: Buffer): boolean;
402
+ emit(event: 'secureConnect'): boolean;
403
+ emit(event: 'session', session: Buffer): boolean;
404
+ emit(event: 'keylog', line: Buffer): boolean;
329
405
  on(event: string, listener: (...args: any[]) => void): this;
330
- on(event: "OCSPResponse", listener: (response: Buffer) => void): this;
331
- on(event: "secureConnect", listener: () => void): this;
332
- on(event: "session", listener: (session: Buffer) => void): this;
333
- on(event: "keylog", listener: (line: Buffer) => void): this;
334
-
406
+ on(event: 'OCSPResponse', listener: (response: Buffer) => void): this;
407
+ on(event: 'secureConnect', listener: () => void): this;
408
+ on(event: 'session', listener: (session: Buffer) => void): this;
409
+ on(event: 'keylog', listener: (line: Buffer) => void): this;
335
410
  once(event: string, listener: (...args: any[]) => void): this;
336
- once(event: "OCSPResponse", listener: (response: Buffer) => void): this;
337
- once(event: "secureConnect", listener: () => void): this;
338
- once(event: "session", listener: (session: Buffer) => void): this;
339
- once(event: "keylog", listener: (line: Buffer) => void): this;
340
-
411
+ once(event: 'OCSPResponse', listener: (response: Buffer) => void): this;
412
+ once(event: 'secureConnect', listener: () => void): this;
413
+ once(event: 'session', listener: (session: Buffer) => void): this;
414
+ once(event: 'keylog', listener: (line: Buffer) => void): this;
341
415
  prependListener(event: string, listener: (...args: any[]) => void): this;
342
- prependListener(event: "OCSPResponse", listener: (response: Buffer) => void): this;
343
- prependListener(event: "secureConnect", listener: () => void): this;
344
- prependListener(event: "session", listener: (session: Buffer) => void): this;
345
- prependListener(event: "keylog", listener: (line: Buffer) => void): this;
346
-
416
+ prependListener(event: 'OCSPResponse', listener: (response: Buffer) => void): this;
417
+ prependListener(event: 'secureConnect', listener: () => void): this;
418
+ prependListener(event: 'session', listener: (session: Buffer) => void): this;
419
+ prependListener(event: 'keylog', listener: (line: Buffer) => void): this;
347
420
  prependOnceListener(event: string, listener: (...args: any[]) => void): this;
348
- prependOnceListener(event: "OCSPResponse", listener: (response: Buffer) => void): this;
349
- prependOnceListener(event: "secureConnect", listener: () => void): this;
350
- prependOnceListener(event: "session", listener: (session: Buffer) => void): this;
351
- prependOnceListener(event: "keylog", listener: (line: Buffer) => void): this;
421
+ prependOnceListener(event: 'OCSPResponse', listener: (response: Buffer) => void): this;
422
+ prependOnceListener(event: 'secureConnect', listener: () => void): this;
423
+ prependOnceListener(event: 'session', listener: (session: Buffer) => void): this;
424
+ prependOnceListener(event: 'keylog', listener: (line: Buffer) => void): this;
352
425
  }
353
-
354
426
  interface CommonConnectionOptions {
355
427
  /**
356
428
  * An optional TLS context object from tls.createSecureContext()
357
429
  */
358
- secureContext?: SecureContext;
359
-
430
+ secureContext?: SecureContext | undefined;
360
431
  /**
361
432
  * When enabled, TLS packet trace information is written to `stderr`. This can be
362
433
  * used to debug TLS connection problems.
363
434
  * @default false
364
435
  */
365
- enableTrace?: boolean;
436
+ enableTrace?: boolean | undefined;
366
437
  /**
367
438
  * If true the server will request a certificate from clients that
368
439
  * connect and attempt to verify that certificate. Defaults to
369
440
  * false.
370
441
  */
371
- requestCert?: boolean;
442
+ requestCert?: boolean | undefined;
372
443
  /**
373
444
  * An array of strings or a Buffer naming possible ALPN protocols.
374
445
  * (Protocols should be ordered by their priority.)
375
446
  */
376
- ALPNProtocols?: string[] | Uint8Array[] | Uint8Array;
447
+ ALPNProtocols?: string[] | Uint8Array[] | Uint8Array | undefined;
377
448
  /**
378
449
  * SNICallback(servername, cb) <Function> A function that will be
379
450
  * called if the client supports SNI TLS extension. Two arguments
@@ -383,16 +454,15 @@ declare module 'tls' {
383
454
  * SecureContext.) If SNICallback wasn't provided the default callback
384
455
  * with high-level API will be used (see below).
385
456
  */
386
- SNICallback?: (servername: string, cb: (err: Error | null, ctx: SecureContext) => void) => void;
457
+ SNICallback?: ((servername: string, cb: (err: Error | null, ctx?: SecureContext) => void) => void) | undefined;
387
458
  /**
388
459
  * If true the server will reject any connection which is not
389
460
  * authorized with the list of supplied CAs. This option only has an
390
461
  * effect if requestCert is true.
391
462
  * @default true
392
463
  */
393
- rejectUnauthorized?: boolean;
464
+ rejectUnauthorized?: boolean | undefined;
394
465
  }
395
-
396
466
  interface TlsOptions extends SecureContextOptions, CommonConnectionOptions, net.ServerOpts {
397
467
  /**
398
468
  * Abort the connection if the SSL/TLS handshake does not finish in the
@@ -400,18 +470,17 @@ declare module 'tls' {
400
470
  * the tls.Server object whenever a handshake times out. Default:
401
471
  * 120000 (120 seconds).
402
472
  */
403
- handshakeTimeout?: number;
473
+ handshakeTimeout?: number | undefined;
404
474
  /**
405
475
  * The number of seconds after which a TLS session created by the
406
476
  * server will no longer be resumable. See Session Resumption for more
407
477
  * information. Default: 300.
408
478
  */
409
- sessionTimeout?: number;
479
+ sessionTimeout?: number | undefined;
410
480
  /**
411
481
  * 48-bytes of cryptographically strong pseudo-random data.
412
482
  */
413
- ticketKeys?: Buffer;
414
-
483
+ ticketKeys?: Buffer | undefined;
415
484
  /**
416
485
  *
417
486
  * @param socket
@@ -431,7 +500,6 @@ declare module 'tls' {
431
500
  * requires explicitly specifying a cipher suite with the `ciphers` option.
432
501
  * More information can be found in the RFC 4279.
433
502
  */
434
-
435
503
  pskCallback?(socket: TLSSocket, identity: string): DataView | NodeJS.TypedArray | null;
436
504
  /**
437
505
  * hint to send to a client to help
@@ -439,25 +507,23 @@ declare module 'tls' {
439
507
  * in TLS 1.3. Upon failing to set pskIdentityHint `tlsClientError` will be
440
508
  * emitted with `ERR_TLS_PSK_SET_IDENTIY_HINT_FAILED` code.
441
509
  */
442
- pskIdentityHint?: string;
510
+ pskIdentityHint?: string | undefined;
443
511
  }
444
-
445
512
  interface PSKCallbackNegotation {
446
513
  psk: DataView | NodeJS.TypedArray;
447
514
  identity: string;
448
515
  }
449
-
450
516
  interface ConnectionOptions extends SecureContextOptions, CommonConnectionOptions {
451
- host?: string;
452
- port?: number;
453
- path?: string; // Creates unix socket connection to path. If this option is specified, `host` and `port` are ignored.
454
- socket?: net.Socket; // Establish secure connection on a given socket rather than creating a new socket
455
- checkServerIdentity?: typeof checkServerIdentity;
456
- servername?: string; // SNI TLS Extension
457
- session?: Buffer;
458
- minDHSize?: number;
459
- lookup?: net.LookupFunction;
460
- timeout?: number;
517
+ host?: string | undefined;
518
+ port?: number | undefined;
519
+ path?: string | undefined; // Creates unix socket connection to path. If this option is specified, `host` and `port` are ignored.
520
+ socket?: stream.Duplex | undefined; // Establish secure connection on a given socket rather than creating a new socket
521
+ checkServerIdentity?: typeof checkServerIdentity | undefined;
522
+ servername?: string | undefined; // SNI TLS Extension
523
+ session?: Buffer | undefined;
524
+ minDHSize?: number | undefined;
525
+ lookup?: net.LookupFunction | undefined;
526
+ timeout?: number | undefined;
461
527
  /**
462
528
  * When negotiating TLS-PSK (pre-shared keys), this function is called
463
529
  * with optional identity `hint` provided by the server or `null`
@@ -477,35 +543,50 @@ declare module 'tls' {
477
543
  */
478
544
  pskCallback?(hint: string | null): PSKCallbackNegotation | null;
479
545
  }
480
-
546
+ /**
547
+ * Accepts encrypted connections using TLS or SSL.
548
+ * @since v0.3.2
549
+ */
481
550
  class Server extends net.Server {
482
551
  constructor(secureConnectionListener?: (socket: TLSSocket) => void);
483
552
  constructor(options: TlsOptions, secureConnectionListener?: (socket: TLSSocket) => void);
484
-
485
553
  /**
486
- * The server.addContext() method adds a secure context that will be
487
- * used if the client request's SNI name matches the supplied hostname
488
- * (or wildcard).
554
+ * The `server.addContext()` method adds a secure context that will be used if
555
+ * the client request's SNI name matches the supplied `hostname` (or wildcard).
556
+ *
557
+ * When there are multiple matching contexts, the most recently added one is
558
+ * used.
559
+ * @since v0.5.3
560
+ * @param hostname A SNI host name or wildcard (e.g. `'*'`)
561
+ * @param context An object containing any of the possible properties from the {@link createSecureContext} `options` arguments (e.g. `key`, `cert`, `ca`, etc).
489
562
  */
490
- addContext(hostName: string, credentials: SecureContextOptions): void;
563
+ addContext(hostname: string, context: SecureContextOptions): void;
491
564
  /**
492
565
  * Returns the session ticket keys.
566
+ *
567
+ * See `Session Resumption` for more information.
568
+ * @since v3.0.0
569
+ * @return A 48-byte buffer containing the session ticket keys.
493
570
  */
494
571
  getTicketKeys(): Buffer;
495
572
  /**
496
- *
497
- * The server.setSecureContext() method replaces the
498
- * secure context of an existing server. Existing connections to the
499
- * server are not interrupted.
573
+ * The `server.setSecureContext()` method replaces the secure context of an
574
+ * existing server. Existing connections to the server are not interrupted.
575
+ * @since v11.0.0
576
+ * @param options An object containing any of the possible properties from the {@link createSecureContext} `options` arguments (e.g. `key`, `cert`, `ca`, etc).
500
577
  */
501
- setSecureContext(details: SecureContextOptions): void;
578
+ setSecureContext(options: SecureContextOptions): void;
502
579
  /**
503
- * The server.setSecureContext() method replaces the secure context of
504
- * an existing server. Existing connections to the server are not
505
- * interrupted.
580
+ * Sets the session ticket keys.
581
+ *
582
+ * Changes to the ticket keys are effective only for future server connections.
583
+ * Existing or currently pending server connections will use the previous keys.
584
+ *
585
+ * See `Session Resumption` for more information.
586
+ * @since v3.0.0
587
+ * @param keys A 48-byte buffer containing the session ticket keys.
506
588
  */
507
589
  setTicketKeys(keys: Buffer): void;
508
-
509
590
  /**
510
591
  * events.EventEmitter
511
592
  * 1. tlsClientError
@@ -516,54 +597,48 @@ declare module 'tls' {
516
597
  * 6. keylog
517
598
  */
518
599
  addListener(event: string, listener: (...args: any[]) => void): this;
519
- addListener(event: "tlsClientError", listener: (err: Error, tlsSocket: TLSSocket) => void): this;
520
- addListener(event: "newSession", listener: (sessionId: Buffer, sessionData: Buffer, callback: (err: Error, resp: Buffer) => void) => void): this;
521
- addListener(event: "OCSPRequest", listener: (certificate: Buffer, issuer: Buffer, callback: (err: Error | null, resp: Buffer) => void) => void): this;
522
- addListener(event: "resumeSession", listener: (sessionId: Buffer, callback: (err: Error, sessionData: Buffer) => void) => void): this;
523
- addListener(event: "secureConnection", listener: (tlsSocket: TLSSocket) => void): this;
524
- addListener(event: "keylog", listener: (line: Buffer, tlsSocket: TLSSocket) => void): this;
525
-
600
+ addListener(event: 'tlsClientError', listener: (err: Error, tlsSocket: TLSSocket) => void): this;
601
+ addListener(event: 'newSession', listener: (sessionId: Buffer, sessionData: Buffer, callback: () => void) => void): this;
602
+ addListener(event: 'OCSPRequest', listener: (certificate: Buffer, issuer: Buffer, callback: (err: Error | null, resp: Buffer) => void) => void): this;
603
+ addListener(event: 'resumeSession', listener: (sessionId: Buffer, callback: (err: Error | null, sessionData: Buffer | null) => void) => void): this;
604
+ addListener(event: 'secureConnection', listener: (tlsSocket: TLSSocket) => void): this;
605
+ addListener(event: 'keylog', listener: (line: Buffer, tlsSocket: TLSSocket) => void): this;
526
606
  emit(event: string | symbol, ...args: any[]): boolean;
527
- emit(event: "tlsClientError", err: Error, tlsSocket: TLSSocket): boolean;
528
- emit(event: "newSession", sessionId: Buffer, sessionData: Buffer, callback: (err: Error, resp: Buffer) => void): boolean;
529
- emit(event: "OCSPRequest", certificate: Buffer, issuer: Buffer, callback: (err: Error | null, resp: Buffer) => void): boolean;
530
- emit(event: "resumeSession", sessionId: Buffer, callback: (err: Error, sessionData: Buffer) => void): boolean;
531
- emit(event: "secureConnection", tlsSocket: TLSSocket): boolean;
532
- emit(event: "keylog", line: Buffer, tlsSocket: TLSSocket): boolean;
533
-
607
+ emit(event: 'tlsClientError', err: Error, tlsSocket: TLSSocket): boolean;
608
+ emit(event: 'newSession', sessionId: Buffer, sessionData: Buffer, callback: () => void): boolean;
609
+ emit(event: 'OCSPRequest', certificate: Buffer, issuer: Buffer, callback: (err: Error | null, resp: Buffer) => void): boolean;
610
+ emit(event: 'resumeSession', sessionId: Buffer, callback: (err: Error | null, sessionData: Buffer | null) => void): boolean;
611
+ emit(event: 'secureConnection', tlsSocket: TLSSocket): boolean;
612
+ emit(event: 'keylog', line: Buffer, tlsSocket: TLSSocket): boolean;
534
613
  on(event: string, listener: (...args: any[]) => void): this;
535
- on(event: "tlsClientError", listener: (err: Error, tlsSocket: TLSSocket) => void): this;
536
- on(event: "newSession", listener: (sessionId: Buffer, sessionData: Buffer, callback: (err: Error, resp: Buffer) => void) => void): this;
537
- on(event: "OCSPRequest", listener: (certificate: Buffer, issuer: Buffer, callback: (err: Error | null, resp: Buffer) => void) => void): this;
538
- on(event: "resumeSession", listener: (sessionId: Buffer, callback: (err: Error, sessionData: Buffer) => void) => void): this;
539
- on(event: "secureConnection", listener: (tlsSocket: TLSSocket) => void): this;
540
- on(event: "keylog", listener: (line: Buffer, tlsSocket: TLSSocket) => void): this;
541
-
614
+ on(event: 'tlsClientError', listener: (err: Error, tlsSocket: TLSSocket) => void): this;
615
+ on(event: 'newSession', listener: (sessionId: Buffer, sessionData: Buffer, callback: () => void) => void): this;
616
+ on(event: 'OCSPRequest', listener: (certificate: Buffer, issuer: Buffer, callback: (err: Error | null, resp: Buffer) => void) => void): this;
617
+ on(event: 'resumeSession', listener: (sessionId: Buffer, callback: (err: Error | null, sessionData: Buffer | null) => void) => void): this;
618
+ on(event: 'secureConnection', listener: (tlsSocket: TLSSocket) => void): this;
619
+ on(event: 'keylog', listener: (line: Buffer, tlsSocket: TLSSocket) => void): this;
542
620
  once(event: string, listener: (...args: any[]) => void): this;
543
- once(event: "tlsClientError", listener: (err: Error, tlsSocket: TLSSocket) => void): this;
544
- once(event: "newSession", listener: (sessionId: Buffer, sessionData: Buffer, callback: (err: Error, resp: Buffer) => void) => void): this;
545
- once(event: "OCSPRequest", listener: (certificate: Buffer, issuer: Buffer, callback: (err: Error | null, resp: Buffer) => void) => void): this;
546
- once(event: "resumeSession", listener: (sessionId: Buffer, callback: (err: Error, sessionData: Buffer) => void) => void): this;
547
- once(event: "secureConnection", listener: (tlsSocket: TLSSocket) => void): this;
548
- once(event: "keylog", listener: (line: Buffer, tlsSocket: TLSSocket) => void): this;
549
-
621
+ once(event: 'tlsClientError', listener: (err: Error, tlsSocket: TLSSocket) => void): this;
622
+ once(event: 'newSession', listener: (sessionId: Buffer, sessionData: Buffer, callback: () => void) => void): this;
623
+ once(event: 'OCSPRequest', listener: (certificate: Buffer, issuer: Buffer, callback: (err: Error | null, resp: Buffer) => void) => void): this;
624
+ once(event: 'resumeSession', listener: (sessionId: Buffer, callback: (err: Error | null, sessionData: Buffer | null) => void) => void): this;
625
+ once(event: 'secureConnection', listener: (tlsSocket: TLSSocket) => void): this;
626
+ once(event: 'keylog', listener: (line: Buffer, tlsSocket: TLSSocket) => void): this;
550
627
  prependListener(event: string, listener: (...args: any[]) => void): this;
551
- prependListener(event: "tlsClientError", listener: (err: Error, tlsSocket: TLSSocket) => void): this;
552
- prependListener(event: "newSession", listener: (sessionId: Buffer, sessionData: Buffer, callback: (err: Error, resp: Buffer) => void) => void): this;
553
- prependListener(event: "OCSPRequest", listener: (certificate: Buffer, issuer: Buffer, callback: (err: Error | null, resp: Buffer) => void) => void): this;
554
- prependListener(event: "resumeSession", listener: (sessionId: Buffer, callback: (err: Error, sessionData: Buffer) => void) => void): this;
555
- prependListener(event: "secureConnection", listener: (tlsSocket: TLSSocket) => void): this;
556
- prependListener(event: "keylog", listener: (line: Buffer, tlsSocket: TLSSocket) => void): this;
557
-
628
+ prependListener(event: 'tlsClientError', listener: (err: Error, tlsSocket: TLSSocket) => void): this;
629
+ prependListener(event: 'newSession', listener: (sessionId: Buffer, sessionData: Buffer, callback: () => void) => void): this;
630
+ prependListener(event: 'OCSPRequest', listener: (certificate: Buffer, issuer: Buffer, callback: (err: Error | null, resp: Buffer) => void) => void): this;
631
+ prependListener(event: 'resumeSession', listener: (sessionId: Buffer, callback: (err: Error | null, sessionData: Buffer | null) => void) => void): this;
632
+ prependListener(event: 'secureConnection', listener: (tlsSocket: TLSSocket) => void): this;
633
+ prependListener(event: 'keylog', listener: (line: Buffer, tlsSocket: TLSSocket) => void): this;
558
634
  prependOnceListener(event: string, listener: (...args: any[]) => void): this;
559
- prependOnceListener(event: "tlsClientError", listener: (err: Error, tlsSocket: TLSSocket) => void): this;
560
- prependOnceListener(event: "newSession", listener: (sessionId: Buffer, sessionData: Buffer, callback: (err: Error, resp: Buffer) => void) => void): this;
561
- prependOnceListener(event: "OCSPRequest", listener: (certificate: Buffer, issuer: Buffer, callback: (err: Error | null, resp: Buffer) => void) => void): this;
562
- prependOnceListener(event: "resumeSession", listener: (sessionId: Buffer, callback: (err: Error, sessionData: Buffer) => void) => void): this;
563
- prependOnceListener(event: "secureConnection", listener: (tlsSocket: TLSSocket) => void): this;
564
- prependOnceListener(event: "keylog", listener: (line: Buffer, tlsSocket: TLSSocket) => void): this;
635
+ prependOnceListener(event: 'tlsClientError', listener: (err: Error, tlsSocket: TLSSocket) => void): this;
636
+ prependOnceListener(event: 'newSession', listener: (sessionId: Buffer, sessionData: Buffer, callback: () => void) => void): this;
637
+ prependOnceListener(event: 'OCSPRequest', listener: (certificate: Buffer, issuer: Buffer, callback: (err: Error | null, resp: Buffer) => void) => void): this;
638
+ prependOnceListener(event: 'resumeSession', listener: (sessionId: Buffer, callback: (err: Error | null, sessionData: Buffer | null) => void) => void): this;
639
+ prependOnceListener(event: 'secureConnection', listener: (tlsSocket: TLSSocket) => void): this;
640
+ prependOnceListener(event: 'keylog', listener: (line: Buffer, tlsSocket: TLSSocket) => void): this;
565
641
  }
566
-
567
642
  /**
568
643
  * @deprecated since v0.11.3 Use `tls.TLSSocket` instead.
569
644
  */
@@ -571,16 +646,14 @@ declare module 'tls' {
571
646
  encrypted: TLSSocket;
572
647
  cleartext: TLSSocket;
573
648
  }
574
-
575
649
  type SecureVersion = 'TLSv1.3' | 'TLSv1.2' | 'TLSv1.1' | 'TLSv1';
576
-
577
650
  interface SecureContextOptions {
578
651
  /**
579
652
  * Optionally override the trusted CA certificates. Default is to trust
580
653
  * the well-known CAs curated by Mozilla. Mozilla's CAs are completely
581
654
  * replaced when CAs are explicitly specified using this option.
582
655
  */
583
- ca?: string | Buffer | Array<string | Buffer>;
656
+ ca?: string | Buffer | Array<string | Buffer> | undefined;
584
657
  /**
585
658
  * Cert chains in PEM format. One cert chain should be provided per
586
659
  * private key. Each cert chain should consist of the PEM formatted
@@ -592,29 +665,29 @@ declare module 'tls' {
592
665
  * intermediate certificates are not provided, the peer will not be
593
666
  * able to validate the certificate, and the handshake will fail.
594
667
  */
595
- cert?: string | Buffer | Array<string | Buffer>;
668
+ cert?: string | Buffer | Array<string | Buffer> | undefined;
596
669
  /**
597
670
  * Colon-separated list of supported signature algorithms. The list
598
671
  * can contain digest algorithms (SHA256, MD5 etc.), public key
599
672
  * algorithms (RSA-PSS, ECDSA etc.), combination of both (e.g
600
673
  * 'RSA+SHA384') or TLS v1.3 scheme names (e.g. rsa_pss_pss_sha512).
601
674
  */
602
- sigalgs?: string;
675
+ sigalgs?: string | undefined;
603
676
  /**
604
677
  * Cipher suite specification, replacing the default. For more
605
678
  * information, see modifying the default cipher suite. Permitted
606
679
  * ciphers can be obtained via tls.getCiphers(). Cipher names must be
607
680
  * uppercased in order for OpenSSL to accept them.
608
681
  */
609
- ciphers?: string;
682
+ ciphers?: string | undefined;
610
683
  /**
611
684
  * Name of an OpenSSL engine which can provide the client certificate.
612
685
  */
613
- clientCertEngine?: string;
686
+ clientCertEngine?: string | undefined;
614
687
  /**
615
688
  * PEM formatted CRLs (Certificate Revocation Lists).
616
689
  */
617
- crl?: string | Buffer | Array<string | Buffer>;
690
+ crl?: string | Buffer | Array<string | Buffer> | undefined;
618
691
  /**
619
692
  * Diffie Hellman parameters, required for Perfect Forward Secrecy. Use
620
693
  * openssl dhparam to create the parameters. The key length must be
@@ -623,7 +696,7 @@ declare module 'tls' {
623
696
  * stronger security. If omitted or invalid, the parameters are
624
697
  * silently discarded and DHE ciphers will not be available.
625
698
  */
626
- dhparam?: string | Buffer;
699
+ dhparam?: string | Buffer | undefined;
627
700
  /**
628
701
  * A string describing a named curve or a colon separated list of curve
629
702
  * NIDs or names, for example P-521:P-384:P-256, to use for ECDH key
@@ -633,13 +706,13 @@ declare module 'tls' {
633
706
  * name and description of each available elliptic curve. Default:
634
707
  * tls.DEFAULT_ECDH_CURVE.
635
708
  */
636
- ecdhCurve?: string;
709
+ ecdhCurve?: string | undefined;
637
710
  /**
638
711
  * Attempt to use the server's cipher suite preferences instead of the
639
712
  * client's. When true, causes SSL_OP_CIPHER_SERVER_PREFERENCE to be
640
713
  * set in secureOptions
641
714
  */
642
- honorCipherOrder?: boolean;
715
+ honorCipherOrder?: boolean | undefined;
643
716
  /**
644
717
  * Private keys in PEM format. PEM allows the option of private keys
645
718
  * being encrypted. Encrypted keys will be decrypted with
@@ -650,18 +723,18 @@ declare module 'tls' {
650
723
  * object.passphrase is optional. Encrypted keys will be decrypted with
651
724
  * object.passphrase if provided, or options.passphrase if it is not.
652
725
  */
653
- key?: string | Buffer | Array<Buffer | KeyObject>;
726
+ key?: string | Buffer | Array<string | Buffer | KeyObject> | undefined;
654
727
  /**
655
728
  * Name of an OpenSSL engine to get private key from. Should be used
656
729
  * together with privateKeyIdentifier.
657
730
  */
658
- privateKeyEngine?: string;
731
+ privateKeyEngine?: string | undefined;
659
732
  /**
660
733
  * Identifier of a private key managed by an OpenSSL engine. Should be
661
734
  * used together with privateKeyEngine. Should not be set together with
662
735
  * key, because both options define a private key in different ways.
663
736
  */
664
- privateKeyIdentifier?: string;
737
+ privateKeyIdentifier?: string | undefined;
665
738
  /**
666
739
  * Optionally set the maximum TLS version to allow. One
667
740
  * of `'TLSv1.3'`, `'TLSv1.2'`, `'TLSv1.1'`, or `'TLSv1'`. Cannot be specified along with the
@@ -670,7 +743,7 @@ declare module 'tls' {
670
743
  * `--tls-max-v1.2` sets the default to `'TLSv1.2'`. Using `--tls-max-v1.3` sets the default to
671
744
  * `'TLSv1.3'`. If multiple of the options are provided, the highest maximum is used.
672
745
  */
673
- maxVersion?: SecureVersion;
746
+ maxVersion?: SecureVersion | undefined;
674
747
  /**
675
748
  * Optionally set the minimum TLS version to allow. One
676
749
  * of `'TLSv1.3'`, `'TLSv1.2'`, `'TLSv1.1'`, or `'TLSv1'`. Cannot be specified along with the
@@ -681,11 +754,11 @@ declare module 'tls' {
681
754
  * `'TLSv1.1'`. Using `--tls-min-v1.3` sets the default to
682
755
  * 'TLSv1.3'. If multiple of the options are provided, the lowest minimum is used.
683
756
  */
684
- minVersion?: SecureVersion;
757
+ minVersion?: SecureVersion | undefined;
685
758
  /**
686
759
  * Shared passphrase used for a single private key and/or a PFX.
687
760
  */
688
- passphrase?: string;
761
+ passphrase?: string | undefined;
689
762
  /**
690
763
  * PFX or PKCS12 encoded private key and certificate chain. pfx is an
691
764
  * alternative to providing key and cert individually. PFX is usually
@@ -696,13 +769,13 @@ declare module 'tls' {
696
769
  * object.passphrase is optional. Encrypted PFX will be decrypted with
697
770
  * object.passphrase if provided, or options.passphrase if it is not.
698
771
  */
699
- pfx?: string | Buffer | Array<string | Buffer | PxfObject>;
772
+ pfx?: string | Buffer | Array<string | Buffer | PxfObject> | undefined;
700
773
  /**
701
774
  * Optionally affect the OpenSSL protocol behavior, which is not
702
775
  * usually necessary. This should be used carefully if at all! Value is
703
776
  * a numeric bitmask of the SSL_OP_* options from OpenSSL Options
704
777
  */
705
- secureOptions?: number; // Value is a numeric bitmask of the `SSL_OP_*` options
778
+ secureOptions?: number | undefined; // Value is a numeric bitmask of the `SSL_OP_*` options
706
779
  /**
707
780
  * Legacy mechanism to select the TLS protocol version to use, it does
708
781
  * not support independent control of the minimum and maximum version,
@@ -714,49 +787,209 @@ declare module 'tls' {
714
787
  * TLS versions less than 1.2, but it may be required for
715
788
  * interoperability. Default: none, see minVersion.
716
789
  */
717
- secureProtocol?: string;
790
+ secureProtocol?: string | undefined;
718
791
  /**
719
792
  * Opaque identifier used by servers to ensure session state is not
720
793
  * shared between applications. Unused by clients.
721
794
  */
722
- sessionIdContext?: string;
795
+ sessionIdContext?: string | undefined;
723
796
  /**
724
797
  * 48-bytes of cryptographically strong pseudo-random data.
725
798
  * See Session Resumption for more information.
726
799
  */
727
- ticketKeys?: Buffer;
800
+ ticketKeys?: Buffer | undefined;
728
801
  /**
729
802
  * The number of seconds after which a TLS session created by the
730
803
  * server will no longer be resumable. See Session Resumption for more
731
804
  * information. Default: 300.
732
805
  */
733
- sessionTimeout?: number;
806
+ sessionTimeout?: number | undefined;
734
807
  }
735
-
736
808
  interface SecureContext {
737
809
  context: any;
738
810
  }
739
-
740
- /*
741
- * Verifies the certificate `cert` is issued to host `host`.
742
- * @host The hostname to verify the certificate against
743
- * @cert PeerCertificate representing the peer's certificate
811
+ /**
812
+ * Verifies the certificate `cert` is issued to `hostname`.
813
+ *
814
+ * Returns [Error](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Error) object, populating it with `reason`, `host`, and `cert` on
815
+ * failure. On success, returns [undefined](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Data_structures#Undefined_type).
816
+ *
817
+ * This function is intended to be used in combination with the`checkServerIdentity` option that can be passed to {@link connect} and as
818
+ * such operates on a `certificate object`. For other purposes, consider using `x509.checkHost()` instead.
819
+ *
820
+ * This function can be overwritten by providing an alternative function as the`options.checkServerIdentity` option that is passed to `tls.connect()`. The
821
+ * overwriting function can call `tls.checkServerIdentity()` of course, to augment
822
+ * the checks done with additional verification.
744
823
  *
745
- * Returns Error object, populating it with the reason, host and cert on failure. On success, returns undefined.
824
+ * This function is only called if the certificate passed all other checks, such as
825
+ * being issued by trusted CA (`options.ca`).
826
+ *
827
+ * Earlier versions of Node.js incorrectly accepted certificates for a given`hostname` if a matching `uniformResourceIdentifier` subject alternative name
828
+ * was present (see [CVE-2021-44531](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44531)). Applications that wish to accept`uniformResourceIdentifier` subject alternative names can use
829
+ * a custom`options.checkServerIdentity` function that implements the desired behavior.
830
+ * @since v0.8.4
831
+ * @param hostname The host name or IP address to verify the certificate against.
832
+ * @param cert A `certificate object` representing the peer's certificate.
833
+ */
834
+ function checkServerIdentity(hostname: string, cert: PeerCertificate): Error | undefined;
835
+ /**
836
+ * Creates a new {@link Server}. The `secureConnectionListener`, if provided, is
837
+ * automatically set as a listener for the `'secureConnection'` event.
838
+ *
839
+ * The `ticketKeys` options is automatically shared between `cluster` module
840
+ * workers.
841
+ *
842
+ * The following illustrates a simple echo server:
843
+ *
844
+ * ```js
845
+ * const tls = require('tls');
846
+ * const fs = require('fs');
847
+ *
848
+ * const options = {
849
+ * key: fs.readFileSync('server-key.pem'),
850
+ * cert: fs.readFileSync('server-cert.pem'),
851
+ *
852
+ * // This is necessary only if using client certificate authentication.
853
+ * requestCert: true,
854
+ *
855
+ * // This is necessary only if the client uses a self-signed certificate.
856
+ * ca: [ fs.readFileSync('client-cert.pem') ]
857
+ * };
858
+ *
859
+ * const server = tls.createServer(options, (socket) => {
860
+ * console.log('server connected',
861
+ * socket.authorized ? 'authorized' : 'unauthorized');
862
+ * socket.write('welcome!\n');
863
+ * socket.setEncoding('utf8');
864
+ * socket.pipe(socket);
865
+ * });
866
+ * server.listen(8000, () => {
867
+ * console.log('server bound');
868
+ * });
869
+ * ```
870
+ *
871
+ * The server can be tested by connecting to it using the example client from {@link connect}.
872
+ * @since v0.3.2
746
873
  */
747
- function checkServerIdentity(host: string, cert: PeerCertificate): Error | undefined;
748
874
  function createServer(secureConnectionListener?: (socket: TLSSocket) => void): Server;
749
875
  function createServer(options: TlsOptions, secureConnectionListener?: (socket: TLSSocket) => void): Server;
876
+ /**
877
+ * The `callback` function, if specified, will be added as a listener for the `'secureConnect'` event.
878
+ *
879
+ * `tls.connect()` returns a {@link TLSSocket} object.
880
+ *
881
+ * Unlike the `https` API, `tls.connect()` does not enable the
882
+ * SNI (Server Name Indication) extension by default, which may cause some
883
+ * servers to return an incorrect certificate or reject the connection
884
+ * altogether. To enable SNI, set the `servername` option in addition
885
+ * to `host`.
886
+ *
887
+ * The following illustrates a client for the echo server example from {@link createServer}:
888
+ *
889
+ * ```js
890
+ * // Assumes an echo server that is listening on port 8000.
891
+ * const tls = require('tls');
892
+ * const fs = require('fs');
893
+ *
894
+ * const options = {
895
+ * // Necessary only if the server requires client certificate authentication.
896
+ * key: fs.readFileSync('client-key.pem'),
897
+ * cert: fs.readFileSync('client-cert.pem'),
898
+ *
899
+ * // Necessary only if the server uses a self-signed certificate.
900
+ * ca: [ fs.readFileSync('server-cert.pem') ],
901
+ *
902
+ * // Necessary only if the server's cert isn't for "localhost".
903
+ * checkServerIdentity: () => { return null; },
904
+ * };
905
+ *
906
+ * const socket = tls.connect(8000, options, () => {
907
+ * console.log('client connected',
908
+ * socket.authorized ? 'authorized' : 'unauthorized');
909
+ * process.stdin.pipe(socket);
910
+ * process.stdin.resume();
911
+ * });
912
+ * socket.setEncoding('utf8');
913
+ * socket.on('data', (data) => {
914
+ * console.log(data);
915
+ * });
916
+ * socket.on('end', () => {
917
+ * console.log('server ends connection');
918
+ * });
919
+ * ```
920
+ * @since v0.11.3
921
+ */
750
922
  function connect(options: ConnectionOptions, secureConnectListener?: () => void): TLSSocket;
751
923
  function connect(port: number, host?: string, options?: ConnectionOptions, secureConnectListener?: () => void): TLSSocket;
752
924
  function connect(port: number, options?: ConnectionOptions, secureConnectListener?: () => void): TLSSocket;
753
925
  /**
754
- * @deprecated since v0.11.3 Use `tls.TLSSocket` instead.
926
+ * Creates a new secure pair object with two streams, one of which reads and writes
927
+ * the encrypted data and the other of which reads and writes the cleartext data.
928
+ * Generally, the encrypted stream is piped to/from an incoming encrypted data
929
+ * stream and the cleartext one is used as a replacement for the initial encrypted
930
+ * stream.
931
+ *
932
+ * `tls.createSecurePair()` returns a `tls.SecurePair` object with `cleartext` and`encrypted` stream properties.
933
+ *
934
+ * Using `cleartext` has the same API as {@link TLSSocket}.
935
+ *
936
+ * The `tls.createSecurePair()` method is now deprecated in favor of`tls.TLSSocket()`. For example, the code:
937
+ *
938
+ * ```js
939
+ * pair = tls.createSecurePair(// ... );
940
+ * pair.encrypted.pipe(socket);
941
+ * socket.pipe(pair.encrypted);
942
+ * ```
943
+ *
944
+ * can be replaced by:
945
+ *
946
+ * ```js
947
+ * secureSocket = tls.TLSSocket(socket, options);
948
+ * ```
949
+ *
950
+ * where `secureSocket` has the same API as `pair.cleartext`.
951
+ * @since v0.3.2
952
+ * @deprecated Since v0.11.3 - Use {@link TLSSocket} instead.
953
+ * @param context A secure context object as returned by `tls.createSecureContext()`
954
+ * @param isServer `true` to specify that this TLS connection should be opened as a server.
955
+ * @param requestCert `true` to specify whether a server should request a certificate from a connecting client. Only applies when `isServer` is `true`.
956
+ * @param rejectUnauthorized If not `false` a server automatically reject clients with invalid certificates. Only applies when `isServer` is `true`.
957
+ */
958
+ function createSecurePair(context?: SecureContext, isServer?: boolean, requestCert?: boolean, rejectUnauthorized?: boolean): SecurePair;
959
+ /**
960
+ * {@link createServer} sets the default value of the `honorCipherOrder` option
961
+ * to `true`, other APIs that create secure contexts leave it unset.
962
+ *
963
+ * {@link createServer} uses a 128 bit truncated SHA1 hash value generated
964
+ * from `process.argv` as the default value of the `sessionIdContext` option, other
965
+ * APIs that create secure contexts have no default value.
966
+ *
967
+ * The `tls.createSecureContext()` method creates a `SecureContext` object. It is
968
+ * usable as an argument to several `tls` APIs, such as {@link createServer} and `server.addContext()`, but has no public methods.
969
+ *
970
+ * A key is _required_ for ciphers that use certificates. Either `key` or`pfx` can be used to provide it.
971
+ *
972
+ * If the `ca` option is not given, then Node.js will default to using [Mozilla's publicly trusted list of
973
+ * CAs](https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt).
974
+ * @since v0.11.13
755
975
  */
756
- function createSecurePair(credentials?: SecureContext, isServer?: boolean, requestCert?: boolean, rejectUnauthorized?: boolean): SecurePair;
757
976
  function createSecureContext(options?: SecureContextOptions): SecureContext;
977
+ /**
978
+ * Returns an array with the names of the supported TLS ciphers. The names are
979
+ * lower-case for historical reasons, but must be uppercased to be used in
980
+ * the `ciphers` option of {@link createSecureContext}.
981
+ *
982
+ * Not all supported ciphers are enabled by default. See `Modifying the default TLS cipher suite`.
983
+ *
984
+ * Cipher names that start with `'tls_'` are for TLSv1.3, all the others are for
985
+ * TLSv1.2 and below.
986
+ *
987
+ * ```js
988
+ * console.log(tls.getCiphers()); // ['aes128-gcm-sha256', 'aes128-sha', ...]
989
+ * ```
990
+ * @since v0.10.2
991
+ */
758
992
  function getCiphers(): string[];
759
-
760
993
  /**
761
994
  * The default curve name to use for ECDH key agreement in a tls server.
762
995
  * The default value is 'auto'. See tls.createSecureContext() for further
@@ -783,7 +1016,6 @@ declare module 'tls' {
783
1016
  * are provided, the lowest minimum is used.
784
1017
  */
785
1018
  let DEFAULT_MIN_VERSION: SecureVersion;
786
-
787
1019
  /**
788
1020
  * An immutable array of strings representing the root certificates (in PEM
789
1021
  * format) used for verifying peer certificates. This is the default value
@@ -791,3 +1023,6 @@ declare module 'tls' {
791
1023
  */
792
1024
  const rootCertificates: ReadonlyArray<string>;
793
1025
  }
1026
+ declare module 'node:tls' {
1027
+ export * from 'tls';
1028
+ }