@aligent/cdk-prerender-proxy 0.2.4 → 0.2.5-beta
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/lib/handlers/cache-control.ts +7 -20
- package/lib/handlers/error-response.ts +8 -51
- package/lib/handlers/node_modules/.package-lock.json +32 -3
- package/lib/handlers/node_modules/@aligent/cdk-lambda-at-edge-handlers/index.d.ts +6 -0
- package/lib/handlers/node_modules/@aligent/cdk-lambda-at-edge-handlers/index.js +14 -0
- package/lib/handlers/node_modules/@aligent/cdk-lambda-at-edge-handlers/lib/cache-control.d.ts +3 -0
- package/lib/handlers/node_modules/@aligent/cdk-lambda-at-edge-handlers/lib/cache-control.js +24 -0
- package/lib/handlers/node_modules/@aligent/cdk-lambda-at-edge-handlers/lib/error-response.d.ts +3 -0
- package/lib/handlers/node_modules/@aligent/cdk-lambda-at-edge-handlers/lib/error-response.js +50 -0
- package/lib/handlers/node_modules/@aligent/cdk-lambda-at-edge-handlers/lib/prerender-check.d.ts +3 -0
- package/lib/handlers/node_modules/@aligent/cdk-lambda-at-edge-handlers/lib/prerender-check.js +28 -0
- package/lib/handlers/node_modules/@aligent/cdk-lambda-at-edge-handlers/lib/prerender.d.ts +3 -0
- package/lib/handlers/node_modules/@aligent/cdk-lambda-at-edge-handlers/lib/prerender.js +49 -0
- package/lib/handlers/node_modules/@aligent/cdk-lambda-at-edge-handlers/lib/redirect.d.ts +3 -0
- package/lib/handlers/node_modules/@aligent/cdk-lambda-at-edge-handlers/lib/redirect.js +33 -0
- package/lib/handlers/node_modules/@aligent/cdk-lambda-at-edge-handlers/package.json +27 -0
- package/lib/handlers/node_modules/@aligent/cdk-lambda-at-edge-handlers/tsconfig.json +3 -0
- package/lib/handlers/node_modules/@middy/core/LICENSE +21 -0
- package/lib/handlers/node_modules/@middy/core/README.md +65 -0
- package/lib/handlers/node_modules/@middy/core/index.cjs +207 -0
- package/lib/handlers/node_modules/@middy/core/index.d.ts +91 -0
- package/lib/handlers/node_modules/@middy/core/index.js +199 -0
- package/lib/handlers/node_modules/@middy/core/package.json +65 -0
- package/lib/handlers/node_modules/@types/node/README.md +4 -4
- package/lib/handlers/node_modules/@types/node/assert/strict.d.ts +5 -1
- package/lib/handlers/node_modules/@types/node/assert.d.ts +904 -67
- package/lib/handlers/node_modules/@types/node/async_hooks.d.ts +371 -96
- package/lib/handlers/node_modules/@types/node/buffer.d.ts +2199 -25
- package/lib/handlers/node_modules/@types/node/child_process.d.ts +1151 -308
- package/lib/handlers/node_modules/@types/node/cluster.d.ts +356 -208
- package/lib/handlers/node_modules/@types/node/console.d.ts +324 -45
- package/lib/handlers/node_modules/@types/node/constants.d.ts +8 -3
- package/lib/handlers/node_modules/@types/node/crypto.d.ts +3230 -846
- package/lib/handlers/node_modules/@types/node/dgram.d.ts +478 -74
- package/lib/handlers/node_modules/@types/node/diagnostics_channel.d.ts +153 -0
- package/lib/handlers/node_modules/@types/node/dns/promises.d.ts +308 -35
- package/lib/handlers/node_modules/@types/node/dns.d.ts +444 -107
- package/lib/handlers/node_modules/@types/node/dom-events.d.ts +126 -0
- package/lib/handlers/node_modules/@types/node/domain.d.ts +162 -16
- package/lib/handlers/node_modules/@types/node/events.d.ts +624 -39
- package/lib/handlers/node_modules/@types/node/fs/promises.d.ts +911 -365
- package/lib/handlers/node_modules/@types/node/fs.d.ts +2611 -978
- package/lib/handlers/node_modules/@types/node/globals.d.ts +66 -421
- package/lib/handlers/node_modules/@types/node/globals.global.d.ts +1 -1
- package/lib/handlers/node_modules/@types/node/http.d.ts +1416 -199
- package/lib/handlers/node_modules/@types/node/http2.d.ts +1688 -530
- package/lib/handlers/node_modules/@types/node/https.d.ts +532 -26
- package/lib/handlers/node_modules/@types/node/index.d.ts +92 -16
- package/lib/handlers/node_modules/@types/node/inspector.d.ts +511 -811
- package/lib/handlers/node_modules/@types/node/module.d.ts +75 -13
- package/lib/handlers/node_modules/@types/node/net.d.ts +710 -167
- package/lib/handlers/node_modules/@types/node/os.d.ts +252 -25
- package/lib/handlers/node_modules/@types/node/package.json +30 -25
- package/lib/handlers/node_modules/@types/node/path.d.ts +59 -31
- package/lib/handlers/node_modules/@types/node/perf_hooks.d.ts +420 -105
- package/lib/handlers/node_modules/@types/node/process.d.ts +1249 -228
- package/lib/handlers/node_modules/@types/node/punycode.d.ts +67 -25
- package/lib/handlers/node_modules/@types/node/querystring.d.ts +113 -10
- package/lib/handlers/node_modules/@types/node/readline/promises.d.ts +143 -0
- package/lib/handlers/node_modules/@types/node/readline.d.ts +570 -109
- package/lib/handlers/node_modules/@types/node/repl.d.ts +154 -125
- package/lib/handlers/node_modules/@types/node/stream/consumers.d.ts +12 -0
- package/lib/handlers/node_modules/@types/node/stream/promises.d.ts +18 -43
- package/lib/handlers/node_modules/@types/node/stream/web.d.ts +330 -0
- package/lib/handlers/node_modules/@types/node/stream.d.ts +1117 -248
- package/lib/handlers/node_modules/@types/node/string_decoder.d.ts +60 -0
- package/lib/handlers/node_modules/@types/node/test.d.ts +446 -0
- package/lib/handlers/node_modules/@types/node/timers/promises.d.ts +81 -9
- package/lib/handlers/node_modules/@types/node/timers.d.ts +84 -17
- package/lib/handlers/node_modules/@types/node/tls.d.ts +510 -275
- package/lib/handlers/node_modules/@types/node/trace_events.d.ts +120 -10
- package/lib/handlers/node_modules/@types/node/ts4.8/assert/strict.d.ts +8 -0
- package/lib/handlers/node_modules/@types/node/ts4.8/assert.d.ts +961 -0
- package/lib/handlers/node_modules/@types/node/ts4.8/async_hooks.d.ts +501 -0
- package/lib/handlers/node_modules/@types/node/ts4.8/buffer.d.ts +2259 -0
- package/lib/handlers/node_modules/@types/node/ts4.8/child_process.d.ts +1369 -0
- package/lib/handlers/node_modules/@types/node/ts4.8/cluster.d.ts +410 -0
- package/lib/handlers/node_modules/@types/node/ts4.8/console.d.ts +412 -0
- package/lib/handlers/node_modules/@types/node/ts4.8/constants.d.ts +18 -0
- package/lib/handlers/node_modules/@types/node/ts4.8/crypto.d.ts +3964 -0
- package/lib/handlers/node_modules/@types/node/ts4.8/dgram.d.ts +545 -0
- package/lib/handlers/node_modules/@types/node/ts4.8/diagnostics_channel.d.ts +153 -0
- package/lib/handlers/node_modules/@types/node/ts4.8/dns/promises.d.ts +370 -0
- package/lib/handlers/node_modules/@types/node/ts4.8/dns.d.ts +659 -0
- package/lib/handlers/node_modules/@types/node/ts4.8/dom-events.d.ts +126 -0
- package/lib/handlers/node_modules/@types/node/ts4.8/domain.d.ts +170 -0
- package/lib/handlers/node_modules/@types/node/ts4.8/events.d.ts +678 -0
- package/lib/handlers/node_modules/@types/node/ts4.8/fs/promises.d.ts +1138 -0
- package/lib/handlers/node_modules/@types/node/ts4.8/fs.d.ts +3872 -0
- package/lib/handlers/node_modules/@types/node/ts4.8/globals.d.ts +294 -0
- package/lib/handlers/node_modules/@types/node/ts4.8/globals.global.d.ts +1 -0
- package/lib/handlers/node_modules/@types/node/ts4.8/http.d.ts +1651 -0
- package/lib/handlers/node_modules/@types/node/ts4.8/http2.d.ts +2134 -0
- package/lib/handlers/node_modules/@types/node/ts4.8/https.d.ts +542 -0
- package/lib/handlers/node_modules/@types/node/ts4.8/index.d.ts +88 -0
- package/lib/handlers/node_modules/@types/node/ts4.8/inspector.d.ts +2741 -0
- package/lib/handlers/node_modules/@types/node/ts4.8/module.d.ts +114 -0
- package/lib/handlers/node_modules/@types/node/ts4.8/net.d.ts +869 -0
- package/lib/handlers/node_modules/@types/node/ts4.8/os.d.ts +466 -0
- package/lib/handlers/node_modules/@types/node/ts4.8/path.d.ts +191 -0
- package/lib/handlers/node_modules/@types/node/ts4.8/perf_hooks.d.ts +625 -0
- package/lib/handlers/node_modules/@types/node/ts4.8/process.d.ts +1482 -0
- package/lib/handlers/node_modules/@types/node/ts4.8/punycode.d.ts +117 -0
- package/lib/handlers/node_modules/@types/node/ts4.8/querystring.d.ts +131 -0
- package/lib/handlers/node_modules/@types/node/ts4.8/readline/promises.d.ts +143 -0
- package/lib/handlers/node_modules/@types/node/ts4.8/readline.d.ts +653 -0
- package/lib/handlers/node_modules/@types/node/ts4.8/repl.d.ts +424 -0
- package/lib/handlers/node_modules/@types/node/ts4.8/stream/consumers.d.ts +12 -0
- package/lib/handlers/node_modules/@types/node/ts4.8/stream/promises.d.ts +42 -0
- package/lib/handlers/node_modules/@types/node/ts4.8/stream/web.d.ts +330 -0
- package/lib/handlers/node_modules/@types/node/ts4.8/stream.d.ts +1340 -0
- package/lib/handlers/node_modules/@types/node/ts4.8/string_decoder.d.ts +67 -0
- package/lib/handlers/node_modules/@types/node/ts4.8/test.d.ts +446 -0
- package/lib/handlers/node_modules/@types/node/ts4.8/timers/promises.d.ts +93 -0
- package/lib/handlers/node_modules/@types/node/ts4.8/timers.d.ts +94 -0
- package/lib/handlers/node_modules/@types/node/ts4.8/tls.d.ts +1028 -0
- package/lib/handlers/node_modules/@types/node/ts4.8/trace_events.d.ts +171 -0
- package/lib/handlers/node_modules/@types/node/ts4.8/tty.d.ts +206 -0
- package/lib/handlers/node_modules/@types/node/ts4.8/url.d.ts +897 -0
- package/lib/handlers/node_modules/@types/node/ts4.8/util.d.ts +1926 -0
- package/lib/handlers/node_modules/@types/node/ts4.8/v8.d.ts +396 -0
- package/lib/handlers/node_modules/@types/node/ts4.8/vm.d.ts +509 -0
- package/lib/handlers/node_modules/@types/node/ts4.8/wasi.d.ts +158 -0
- package/lib/handlers/node_modules/@types/node/ts4.8/worker_threads.d.ts +689 -0
- package/lib/handlers/node_modules/@types/node/ts4.8/zlib.d.ts +517 -0
- package/lib/handlers/node_modules/@types/node/tty.d.ts +163 -23
- package/lib/handlers/node_modules/@types/node/url.d.ts +825 -44
- package/lib/handlers/node_modules/@types/node/util.d.ts +1842 -72
- package/lib/handlers/node_modules/@types/node/v8.d.ts +276 -78
- package/lib/handlers/node_modules/@types/node/vm.d.ts +410 -53
- package/lib/handlers/node_modules/@types/node/wasi.d.ts +102 -30
- package/lib/handlers/node_modules/@types/node/worker_threads.d.ts +559 -152
- package/lib/handlers/node_modules/@types/node/zlib.d.ts +234 -78
- package/lib/handlers/node_modules/esbuild/README.md +3 -0
- package/lib/handlers/node_modules/esbuild/bin/esbuild +0 -0
- package/lib/handlers/node_modules/esbuild/install.js +256 -0
- package/lib/handlers/node_modules/esbuild/lib/main.d.ts +397 -0
- package/lib/handlers/node_modules/esbuild/lib/main.js +1939 -0
- package/lib/handlers/node_modules/esbuild/package.json +15 -0
- package/lib/handlers/package-lock.json +62 -6
- package/lib/handlers/package.json +6 -1
- package/lib/handlers/prerender-check.ts +8 -27
- package/lib/handlers/prerender.ts +8 -43
- package/package.json +1 -1
- package/lib/handlers/node_modules/@types/node/base.d.ts +0 -19
- package/lib/handlers/node_modules/@types/node/diagnostic_channel.d.ts +0 -34
- package/lib/handlers/node_modules/@types/node/ts3.6/assert.d.ts +0 -98
- package/lib/handlers/node_modules/@types/node/ts3.6/base.d.ts +0 -68
- package/lib/handlers/node_modules/@types/node/ts3.6/index.d.ts +0 -7
- package/lib/handlers/node_modules/@types/node/util/types.d.ts +0 -53
|
@@ -1,10 +1,19 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* The `tls` module provides an implementation of the Transport Layer Security
|
|
3
|
+
* (TLS) and Secure Socket Layer (SSL) protocols that is built on top of OpenSSL.
|
|
4
|
+
* The module can be accessed using:
|
|
5
|
+
*
|
|
6
|
+
* ```js
|
|
7
|
+
* const tls = require('tls');
|
|
8
|
+
* ```
|
|
9
|
+
* @see [source](https://github.com/nodejs/node/blob/v18.0.0/lib/tls.js)
|
|
10
|
+
*/
|
|
1
11
|
declare module 'tls' {
|
|
2
|
-
import { X509Certificate } from 'crypto';
|
|
3
|
-
import * as net from 'net';
|
|
4
|
-
|
|
12
|
+
import { X509Certificate } from 'node:crypto';
|
|
13
|
+
import * as net from 'node:net';
|
|
14
|
+
import * as stream from 'stream';
|
|
5
15
|
const CLIENT_RENEG_LIMIT: number;
|
|
6
16
|
const CLIENT_RENEG_WINDOW: number;
|
|
7
|
-
|
|
8
17
|
interface Certificate {
|
|
9
18
|
/**
|
|
10
19
|
* Country code.
|
|
@@ -31,7 +40,6 @@ declare module 'tls' {
|
|
|
31
40
|
*/
|
|
32
41
|
CN: string;
|
|
33
42
|
}
|
|
34
|
-
|
|
35
43
|
interface PeerCertificate {
|
|
36
44
|
subject: Certificate;
|
|
37
45
|
issuer: Certificate;
|
|
@@ -47,11 +55,9 @@ declare module 'tls' {
|
|
|
47
55
|
serialNumber: string;
|
|
48
56
|
raw: Buffer;
|
|
49
57
|
}
|
|
50
|
-
|
|
51
58
|
interface DetailedPeerCertificate extends PeerCertificate {
|
|
52
59
|
issuerCertificate: DetailedPeerCertificate;
|
|
53
60
|
}
|
|
54
|
-
|
|
55
61
|
interface CipherNameAndProtocol {
|
|
56
62
|
/**
|
|
57
63
|
* The cipher name.
|
|
@@ -61,13 +67,11 @@ declare module 'tls' {
|
|
|
61
67
|
* SSL/TLS protocol version.
|
|
62
68
|
*/
|
|
63
69
|
version: string;
|
|
64
|
-
|
|
65
70
|
/**
|
|
66
71
|
* IETF name for the cipher suite.
|
|
67
72
|
*/
|
|
68
73
|
standardName: string;
|
|
69
74
|
}
|
|
70
|
-
|
|
71
75
|
interface EphemeralKeyInfo {
|
|
72
76
|
/**
|
|
73
77
|
* The supported types are 'DH' and 'ECDH'.
|
|
@@ -76,13 +80,12 @@ declare module 'tls' {
|
|
|
76
80
|
/**
|
|
77
81
|
* The name property is available only when type is 'ECDH'.
|
|
78
82
|
*/
|
|
79
|
-
name?: string;
|
|
83
|
+
name?: string | undefined;
|
|
80
84
|
/**
|
|
81
85
|
* The size of parameter of an ephemeral key exchange.
|
|
82
86
|
*/
|
|
83
87
|
size: number;
|
|
84
88
|
}
|
|
85
|
-
|
|
86
89
|
interface KeyObject {
|
|
87
90
|
/**
|
|
88
91
|
* Private keys in PEM format.
|
|
@@ -91,9 +94,8 @@ declare module 'tls' {
|
|
|
91
94
|
/**
|
|
92
95
|
* Optional passphrase.
|
|
93
96
|
*/
|
|
94
|
-
passphrase?: string;
|
|
97
|
+
passphrase?: string | undefined;
|
|
95
98
|
}
|
|
96
|
-
|
|
97
99
|
interface PxfObject {
|
|
98
100
|
/**
|
|
99
101
|
* PFX or PKCS12 encoded private key and certificate chain.
|
|
@@ -102,278 +104,347 @@ declare module 'tls' {
|
|
|
102
104
|
/**
|
|
103
105
|
* Optional passphrase.
|
|
104
106
|
*/
|
|
105
|
-
passphrase?: string;
|
|
107
|
+
passphrase?: string | undefined;
|
|
106
108
|
}
|
|
107
|
-
|
|
108
109
|
interface TLSSocketOptions extends SecureContextOptions, CommonConnectionOptions {
|
|
109
110
|
/**
|
|
110
111
|
* If true the TLS socket will be instantiated in server-mode.
|
|
111
112
|
* Defaults to false.
|
|
112
113
|
*/
|
|
113
|
-
isServer?: boolean;
|
|
114
|
+
isServer?: boolean | undefined;
|
|
114
115
|
/**
|
|
115
116
|
* An optional net.Server instance.
|
|
116
117
|
*/
|
|
117
|
-
server?: net.Server;
|
|
118
|
-
|
|
118
|
+
server?: net.Server | undefined;
|
|
119
119
|
/**
|
|
120
120
|
* An optional Buffer instance containing a TLS session.
|
|
121
121
|
*/
|
|
122
|
-
session?: Buffer;
|
|
122
|
+
session?: Buffer | undefined;
|
|
123
123
|
/**
|
|
124
124
|
* If true, specifies that the OCSP status request extension will be
|
|
125
125
|
* added to the client hello and an 'OCSPResponse' event will be
|
|
126
126
|
* emitted on the socket before establishing a secure communication
|
|
127
127
|
*/
|
|
128
|
-
requestOCSP?: boolean;
|
|
128
|
+
requestOCSP?: boolean | undefined;
|
|
129
129
|
}
|
|
130
|
-
|
|
130
|
+
/**
|
|
131
|
+
* Performs transparent encryption of written data and all required TLS
|
|
132
|
+
* negotiation.
|
|
133
|
+
*
|
|
134
|
+
* Instances of `tls.TLSSocket` implement the duplex `Stream` interface.
|
|
135
|
+
*
|
|
136
|
+
* Methods that return TLS connection metadata (e.g.{@link TLSSocket.getPeerCertificate} will only return data while the
|
|
137
|
+
* connection is open.
|
|
138
|
+
* @since v0.11.4
|
|
139
|
+
*/
|
|
131
140
|
class TLSSocket extends net.Socket {
|
|
132
141
|
/**
|
|
133
142
|
* Construct a new tls.TLSSocket object from an existing TCP socket.
|
|
134
143
|
*/
|
|
135
144
|
constructor(socket: net.Socket, options?: TLSSocketOptions);
|
|
136
|
-
|
|
137
145
|
/**
|
|
138
|
-
*
|
|
146
|
+
* This property is `true` if the peer certificate was signed by one of the CAs
|
|
147
|
+
* specified when creating the `tls.TLSSocket` instance, otherwise `false`.
|
|
148
|
+
* @since v0.11.4
|
|
139
149
|
*/
|
|
140
150
|
authorized: boolean;
|
|
141
151
|
/**
|
|
142
|
-
*
|
|
143
|
-
*
|
|
152
|
+
* Returns the reason why the peer's certificate was not been verified. This
|
|
153
|
+
* property is set only when `tlsSocket.authorized === false`.
|
|
154
|
+
* @since v0.11.4
|
|
144
155
|
*/
|
|
145
156
|
authorizationError: Error;
|
|
146
157
|
/**
|
|
147
|
-
*
|
|
148
|
-
*
|
|
158
|
+
* Always returns `true`. This may be used to distinguish TLS sockets from regular`net.Socket` instances.
|
|
159
|
+
* @since v0.11.4
|
|
149
160
|
*/
|
|
150
|
-
encrypted:
|
|
151
|
-
|
|
161
|
+
encrypted: true;
|
|
152
162
|
/**
|
|
153
163
|
* String containing the selected ALPN protocol.
|
|
154
|
-
*
|
|
164
|
+
* Before a handshake has completed, this value is always null.
|
|
165
|
+
* When a handshake is completed but not ALPN protocol was selected, tlsSocket.alpnProtocol equals false.
|
|
155
166
|
*/
|
|
156
|
-
alpnProtocol
|
|
157
|
-
|
|
167
|
+
alpnProtocol: string | false | null;
|
|
158
168
|
/**
|
|
159
|
-
* Returns an object representing the local certificate. The returned
|
|
160
|
-
*
|
|
161
|
-
* certificate.
|
|
169
|
+
* Returns an object representing the local certificate. The returned object has
|
|
170
|
+
* some properties corresponding to the fields of the certificate.
|
|
162
171
|
*
|
|
163
|
-
* See
|
|
164
|
-
*
|
|
172
|
+
* See {@link TLSSocket.getPeerCertificate} for an example of the certificate
|
|
173
|
+
* structure.
|
|
165
174
|
*
|
|
166
|
-
* If there is no local certificate, an empty object will be returned.
|
|
167
|
-
*
|
|
175
|
+
* If there is no local certificate, an empty object will be returned. If the
|
|
176
|
+
* socket has been destroyed, `null` will be returned.
|
|
177
|
+
* @since v11.2.0
|
|
168
178
|
*/
|
|
169
179
|
getCertificate(): PeerCertificate | object | null;
|
|
170
180
|
/**
|
|
171
|
-
* Returns an object
|
|
172
|
-
*
|
|
173
|
-
*
|
|
181
|
+
* Returns an object containing information on the negotiated cipher suite.
|
|
182
|
+
*
|
|
183
|
+
* For example:
|
|
184
|
+
*
|
|
185
|
+
* ```json
|
|
186
|
+
* {
|
|
187
|
+
* "name": "AES128-SHA256",
|
|
188
|
+
* "standardName": "TLS_RSA_WITH_AES_128_CBC_SHA256",
|
|
189
|
+
* "version": "TLSv1.2"
|
|
190
|
+
* }
|
|
191
|
+
* ```
|
|
192
|
+
*
|
|
193
|
+
* See [SSL\_CIPHER\_get\_name](https://www.openssl.org/docs/man1.1.1/man3/SSL_CIPHER_get_name.html) for more information.
|
|
194
|
+
* @since v0.11.4
|
|
174
195
|
*/
|
|
175
196
|
getCipher(): CipherNameAndProtocol;
|
|
176
197
|
/**
|
|
177
|
-
* Returns an object representing the type, name, and size of parameter
|
|
178
|
-
*
|
|
198
|
+
* Returns an object representing the type, name, and size of parameter of
|
|
199
|
+
* an ephemeral key exchange in `perfect forward secrecy` on a client
|
|
179
200
|
* connection. It returns an empty object when the key exchange is not
|
|
180
|
-
* ephemeral. As this is only supported on a client socket; null is
|
|
181
|
-
*
|
|
182
|
-
* and 'ECDH'. The name property is available only when type is 'ECDH'.
|
|
201
|
+
* ephemeral. As this is only supported on a client socket; `null` is returned
|
|
202
|
+
* if called on a server socket. The supported types are `'DH'` and `'ECDH'`. The`name` property is available only when type is `'ECDH'`.
|
|
183
203
|
*
|
|
184
|
-
* For example: { type: 'ECDH', name: 'prime256v1', size: 256 }
|
|
204
|
+
* For example: `{ type: 'ECDH', name: 'prime256v1', size: 256 }`.
|
|
205
|
+
* @since v5.0.0
|
|
185
206
|
*/
|
|
186
207
|
getEphemeralKeyInfo(): EphemeralKeyInfo | object | null;
|
|
187
208
|
/**
|
|
188
|
-
*
|
|
189
|
-
*
|
|
190
|
-
*
|
|
191
|
-
*
|
|
192
|
-
* As the Finished messages are message digests of the complete
|
|
193
|
-
* handshake (with a total of 192 bits for TLS 1.0 and more for SSL
|
|
194
|
-
* 3.0), they can be used for external authentication procedures when
|
|
195
|
-
* the authentication provided by SSL/TLS is not desired or is not
|
|
196
|
-
* enough.
|
|
209
|
+
* As the `Finished` messages are message digests of the complete handshake
|
|
210
|
+
* (with a total of 192 bits for TLS 1.0 and more for SSL 3.0), they can
|
|
211
|
+
* be used for external authentication procedures when the authentication
|
|
212
|
+
* provided by SSL/TLS is not desired or is not enough.
|
|
197
213
|
*
|
|
198
|
-
* Corresponds to the SSL_get_finished routine in OpenSSL and may be
|
|
199
|
-
*
|
|
214
|
+
* Corresponds to the `SSL_get_finished` routine in OpenSSL and may be used
|
|
215
|
+
* to implement the `tls-unique` channel binding from [RFC 5929](https://tools.ietf.org/html/rfc5929).
|
|
216
|
+
* @since v9.9.0
|
|
217
|
+
* @return The latest `Finished` message that has been sent to the socket as part of a SSL/TLS handshake, or `undefined` if no `Finished` message has been sent yet.
|
|
200
218
|
*/
|
|
201
219
|
getFinished(): Buffer | undefined;
|
|
202
220
|
/**
|
|
203
|
-
* Returns an object representing the peer's certificate.
|
|
204
|
-
*
|
|
205
|
-
*
|
|
206
|
-
*
|
|
207
|
-
* If the
|
|
208
|
-
*
|
|
209
|
-
* @
|
|
221
|
+
* Returns an object representing the peer's certificate. If the peer does not
|
|
222
|
+
* provide a certificate, an empty object will be returned. If the socket has been
|
|
223
|
+
* destroyed, `null` will be returned.
|
|
224
|
+
*
|
|
225
|
+
* If the full certificate chain was requested, each certificate will include an`issuerCertificate` property containing an object representing its issuer's
|
|
226
|
+
* certificate.
|
|
227
|
+
* @since v0.11.4
|
|
228
|
+
* @param detailed Include the full certificate chain if `true`, otherwise include just the peer's certificate.
|
|
229
|
+
* @return A certificate object.
|
|
210
230
|
*/
|
|
211
231
|
getPeerCertificate(detailed: true): DetailedPeerCertificate;
|
|
212
232
|
getPeerCertificate(detailed?: false): PeerCertificate;
|
|
213
233
|
getPeerCertificate(detailed?: boolean): PeerCertificate | DetailedPeerCertificate;
|
|
214
234
|
/**
|
|
215
|
-
*
|
|
216
|
-
*
|
|
217
|
-
*
|
|
235
|
+
* As the `Finished` messages are message digests of the complete handshake
|
|
236
|
+
* (with a total of 192 bits for TLS 1.0 and more for SSL 3.0), they can
|
|
237
|
+
* be used for external authentication procedures when the authentication
|
|
238
|
+
* provided by SSL/TLS is not desired or is not enough.
|
|
218
239
|
*
|
|
219
|
-
*
|
|
220
|
-
*
|
|
221
|
-
*
|
|
222
|
-
* the
|
|
223
|
-
*
|
|
224
|
-
*
|
|
225
|
-
* Corresponds to the SSL_get_peer_finished routine in OpenSSL and may
|
|
226
|
-
* be used to implement the tls-unique channel binding from RFC 5929.
|
|
240
|
+
* Corresponds to the `SSL_get_peer_finished` routine in OpenSSL and may be used
|
|
241
|
+
* to implement the `tls-unique` channel binding from [RFC 5929](https://tools.ietf.org/html/rfc5929).
|
|
242
|
+
* @since v9.9.0
|
|
243
|
+
* @return The latest `Finished` message that is expected or has actually been received from the socket as part of a SSL/TLS handshake, or `undefined` if there is no `Finished` message so
|
|
244
|
+
* far.
|
|
227
245
|
*/
|
|
228
246
|
getPeerFinished(): Buffer | undefined;
|
|
229
247
|
/**
|
|
230
|
-
* Returns a string containing the negotiated SSL/TLS protocol version of the
|
|
231
|
-
* The value `'unknown'` will be returned for connected
|
|
232
|
-
*
|
|
233
|
-
*
|
|
234
|
-
*
|
|
248
|
+
* Returns a string containing the negotiated SSL/TLS protocol version of the
|
|
249
|
+
* current connection. The value `'unknown'` will be returned for connected
|
|
250
|
+
* sockets that have not completed the handshaking process. The value `null` will
|
|
251
|
+
* be returned for server sockets or disconnected client sockets.
|
|
252
|
+
*
|
|
253
|
+
* Protocol versions are:
|
|
254
|
+
*
|
|
255
|
+
* * `'SSLv3'`
|
|
256
|
+
* * `'TLSv1'`
|
|
257
|
+
* * `'TLSv1.1'`
|
|
258
|
+
* * `'TLSv1.2'`
|
|
259
|
+
* * `'TLSv1.3'`
|
|
260
|
+
*
|
|
261
|
+
* See the OpenSSL [`SSL_get_version`](https://www.openssl.org/docs/man1.1.1/man3/SSL_get_version.html) documentation for more information.
|
|
262
|
+
* @since v5.7.0
|
|
235
263
|
*/
|
|
236
264
|
getProtocol(): string | null;
|
|
237
265
|
/**
|
|
238
|
-
*
|
|
239
|
-
*
|
|
266
|
+
* Returns the TLS session data or `undefined` if no session was
|
|
267
|
+
* negotiated. On the client, the data can be provided to the `session` option of {@link connect} to resume the connection. On the server, it may be useful
|
|
268
|
+
* for debugging.
|
|
269
|
+
*
|
|
270
|
+
* See `Session Resumption` for more information.
|
|
271
|
+
*
|
|
272
|
+
* Note: `getSession()` works only for TLSv1.2 and below. For TLSv1.3, applications
|
|
273
|
+
* must use the `'session'` event (it also works for TLSv1.2 and below).
|
|
274
|
+
* @since v0.11.4
|
|
240
275
|
*/
|
|
241
276
|
getSession(): Buffer | undefined;
|
|
242
277
|
/**
|
|
243
|
-
*
|
|
244
|
-
*
|
|
278
|
+
* See [SSL\_get\_shared\_sigalgs](https://www.openssl.org/docs/man1.1.1/man3/SSL_get_shared_sigalgs.html) for more information.
|
|
279
|
+
* @since v12.11.0
|
|
280
|
+
* @return List of signature algorithms shared between the server and the client in the order of decreasing preference.
|
|
245
281
|
*/
|
|
246
282
|
getSharedSigalgs(): string[];
|
|
247
283
|
/**
|
|
248
|
-
*
|
|
249
|
-
*
|
|
250
|
-
*
|
|
284
|
+
* For a client, returns the TLS session ticket if one is available, or`undefined`. For a server, always returns `undefined`.
|
|
285
|
+
*
|
|
286
|
+
* It may be useful for debugging.
|
|
287
|
+
*
|
|
288
|
+
* See `Session Resumption` for more information.
|
|
289
|
+
* @since v0.11.4
|
|
251
290
|
*/
|
|
252
291
|
getTLSTicket(): Buffer | undefined;
|
|
253
292
|
/**
|
|
254
|
-
*
|
|
293
|
+
* See `Session Resumption` for more information.
|
|
294
|
+
* @since v0.5.6
|
|
295
|
+
* @return `true` if the session was reused, `false` otherwise.
|
|
255
296
|
*/
|
|
256
297
|
isSessionReused(): boolean;
|
|
257
298
|
/**
|
|
258
|
-
*
|
|
299
|
+
* The `tlsSocket.renegotiate()` method initiates a TLS renegotiation process.
|
|
300
|
+
* Upon completion, the `callback` function will be passed a single argument
|
|
301
|
+
* that is either an `Error` (if the request failed) or `null`.
|
|
259
302
|
*
|
|
260
|
-
*
|
|
261
|
-
*
|
|
262
|
-
*
|
|
263
|
-
*
|
|
264
|
-
*
|
|
265
|
-
* is
|
|
266
|
-
*
|
|
267
|
-
|
|
268
|
-
|
|
269
|
-
|
|
270
|
-
*
|
|
271
|
-
|
|
272
|
-
|
|
273
|
-
|
|
274
|
-
|
|
275
|
-
|
|
276
|
-
|
|
277
|
-
|
|
303
|
+
* This method can be used to request a peer's certificate after the secure
|
|
304
|
+
* connection has been established.
|
|
305
|
+
*
|
|
306
|
+
* When running as the server, the socket will be destroyed with an error after`handshakeTimeout` timeout.
|
|
307
|
+
*
|
|
308
|
+
* For TLSv1.3, renegotiation cannot be initiated, it is not supported by the
|
|
309
|
+
* protocol.
|
|
310
|
+
* @since v0.11.8
|
|
311
|
+
* @param callback If `renegotiate()` returned `true`, callback is attached once to the `'secure'` event. If `renegotiate()` returned `false`, `callback` will be called in the next tick with
|
|
312
|
+
* an error, unless the `tlsSocket` has been destroyed, in which case `callback` will not be called at all.
|
|
313
|
+
* @return `true` if renegotiation was initiated, `false` otherwise.
|
|
314
|
+
*/
|
|
315
|
+
renegotiate(
|
|
316
|
+
options: {
|
|
317
|
+
rejectUnauthorized?: boolean | undefined;
|
|
318
|
+
requestCert?: boolean | undefined;
|
|
319
|
+
},
|
|
320
|
+
callback: (err: Error | null) => void
|
|
321
|
+
): undefined | boolean;
|
|
322
|
+
/**
|
|
323
|
+
* The `tlsSocket.setMaxSendFragment()` method sets the maximum TLS fragment size.
|
|
324
|
+
* Returns `true` if setting the limit succeeded; `false` otherwise.
|
|
325
|
+
*
|
|
326
|
+
* Smaller fragment sizes decrease the buffering latency on the client: larger
|
|
327
|
+
* fragments are buffered by the TLS layer until the entire fragment is received
|
|
328
|
+
* and its integrity is verified; large fragments can span multiple roundtrips
|
|
329
|
+
* and their processing can be delayed due to packet loss or reordering. However,
|
|
330
|
+
* smaller fragments add extra TLS framing bytes and CPU overhead, which may
|
|
331
|
+
* decrease overall server throughput.
|
|
332
|
+
* @since v0.11.11
|
|
333
|
+
* @param [size=16384] The maximum TLS fragment size. The maximum value is `16384`.
|
|
278
334
|
*/
|
|
279
335
|
setMaxSendFragment(size: number): boolean;
|
|
280
|
-
|
|
281
336
|
/**
|
|
282
|
-
* Disables TLS renegotiation for this TLSSocket instance. Once called,
|
|
283
|
-
*
|
|
284
|
-
*
|
|
337
|
+
* Disables TLS renegotiation for this `TLSSocket` instance. Once called, attempts
|
|
338
|
+
* to renegotiate will trigger an `'error'` event on the `TLSSocket`.
|
|
339
|
+
* @since v8.4.0
|
|
285
340
|
*/
|
|
286
341
|
disableRenegotiation(): void;
|
|
287
|
-
|
|
288
342
|
/**
|
|
289
343
|
* When enabled, TLS packet trace information is written to `stderr`. This can be
|
|
290
344
|
* used to debug TLS connection problems.
|
|
291
345
|
*
|
|
292
|
-
*
|
|
293
|
-
*
|
|
294
|
-
*
|
|
295
|
-
*
|
|
346
|
+
* The format of the output is identical to the output of`openssl s_client -trace` or `openssl s_server -trace`. While it is produced by
|
|
347
|
+
* OpenSSL's `SSL_trace()` function, the format is undocumented, can change
|
|
348
|
+
* without notice, and should not be relied on.
|
|
349
|
+
* @since v12.2.0
|
|
296
350
|
*/
|
|
297
351
|
enableTrace(): void;
|
|
298
|
-
|
|
299
352
|
/**
|
|
300
|
-
*
|
|
353
|
+
* Returns the peer certificate as an `X509Certificate` object.
|
|
354
|
+
*
|
|
355
|
+
* If there is no peer certificate, or the socket has been destroyed,`undefined` will be returned.
|
|
356
|
+
* @since v15.9.0
|
|
301
357
|
*/
|
|
302
358
|
getPeerX509Certificate(): X509Certificate | undefined;
|
|
303
|
-
|
|
304
359
|
/**
|
|
305
|
-
*
|
|
360
|
+
* Returns the local certificate as an `X509Certificate` object.
|
|
361
|
+
*
|
|
362
|
+
* If there is no local certificate, or the socket has been destroyed,`undefined` will be returned.
|
|
363
|
+
* @since v15.9.0
|
|
306
364
|
*/
|
|
307
365
|
getX509Certificate(): X509Certificate | undefined;
|
|
308
|
-
|
|
309
366
|
/**
|
|
367
|
+
* Keying material is used for validations to prevent different kind of attacks in
|
|
368
|
+
* network protocols, for example in the specifications of IEEE 802.1X.
|
|
369
|
+
*
|
|
370
|
+
* Example
|
|
371
|
+
*
|
|
372
|
+
* ```js
|
|
373
|
+
* const keyingMaterial = tlsSocket.exportKeyingMaterial(
|
|
374
|
+
* 128,
|
|
375
|
+
* 'client finished');
|
|
376
|
+
*
|
|
377
|
+
* /*
|
|
378
|
+
* Example return value of keyingMaterial:
|
|
379
|
+
* <Buffer 76 26 af 99 c5 56 8e 42 09 91 ef 9f 93 cb ad 6c 7b 65 f8 53 f1 d8 d9
|
|
380
|
+
* 12 5a 33 b8 b5 25 df 7b 37 9f e0 e2 4f b8 67 83 a3 2f cd 5d 41 42 4c 91
|
|
381
|
+
* 74 ef 2c ... 78 more bytes>
|
|
382
|
+
*
|
|
383
|
+
* ```
|
|
384
|
+
*
|
|
385
|
+
* See the OpenSSL [`SSL_export_keying_material`](https://www.openssl.org/docs/man1.1.1/man3/SSL_export_keying_material.html) documentation for more
|
|
386
|
+
* information.
|
|
387
|
+
* @since v13.10.0, v12.17.0
|
|
310
388
|
* @param length number of bytes to retrieve from keying material
|
|
311
|
-
* @param label an application specific label, typically this will be a value from the
|
|
312
|
-
*
|
|
313
|
-
* @param context
|
|
389
|
+
* @param label an application specific label, typically this will be a value from the [IANA Exporter Label
|
|
390
|
+
* Registry](https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#exporter-labels).
|
|
391
|
+
* @param context Optionally provide a context.
|
|
392
|
+
* @return requested bytes of the keying material
|
|
314
393
|
*/
|
|
315
394
|
exportKeyingMaterial(length: number, label: string, context: Buffer): Buffer;
|
|
316
|
-
|
|
317
395
|
addListener(event: string, listener: (...args: any[]) => void): this;
|
|
318
|
-
addListener(event:
|
|
319
|
-
addListener(event:
|
|
320
|
-
addListener(event:
|
|
321
|
-
addListener(event:
|
|
322
|
-
|
|
396
|
+
addListener(event: 'OCSPResponse', listener: (response: Buffer) => void): this;
|
|
397
|
+
addListener(event: 'secureConnect', listener: () => void): this;
|
|
398
|
+
addListener(event: 'session', listener: (session: Buffer) => void): this;
|
|
399
|
+
addListener(event: 'keylog', listener: (line: Buffer) => void): this;
|
|
323
400
|
emit(event: string | symbol, ...args: any[]): boolean;
|
|
324
|
-
emit(event:
|
|
325
|
-
emit(event:
|
|
326
|
-
emit(event:
|
|
327
|
-
emit(event:
|
|
328
|
-
|
|
401
|
+
emit(event: 'OCSPResponse', response: Buffer): boolean;
|
|
402
|
+
emit(event: 'secureConnect'): boolean;
|
|
403
|
+
emit(event: 'session', session: Buffer): boolean;
|
|
404
|
+
emit(event: 'keylog', line: Buffer): boolean;
|
|
329
405
|
on(event: string, listener: (...args: any[]) => void): this;
|
|
330
|
-
on(event:
|
|
331
|
-
on(event:
|
|
332
|
-
on(event:
|
|
333
|
-
on(event:
|
|
334
|
-
|
|
406
|
+
on(event: 'OCSPResponse', listener: (response: Buffer) => void): this;
|
|
407
|
+
on(event: 'secureConnect', listener: () => void): this;
|
|
408
|
+
on(event: 'session', listener: (session: Buffer) => void): this;
|
|
409
|
+
on(event: 'keylog', listener: (line: Buffer) => void): this;
|
|
335
410
|
once(event: string, listener: (...args: any[]) => void): this;
|
|
336
|
-
once(event:
|
|
337
|
-
once(event:
|
|
338
|
-
once(event:
|
|
339
|
-
once(event:
|
|
340
|
-
|
|
411
|
+
once(event: 'OCSPResponse', listener: (response: Buffer) => void): this;
|
|
412
|
+
once(event: 'secureConnect', listener: () => void): this;
|
|
413
|
+
once(event: 'session', listener: (session: Buffer) => void): this;
|
|
414
|
+
once(event: 'keylog', listener: (line: Buffer) => void): this;
|
|
341
415
|
prependListener(event: string, listener: (...args: any[]) => void): this;
|
|
342
|
-
prependListener(event:
|
|
343
|
-
prependListener(event:
|
|
344
|
-
prependListener(event:
|
|
345
|
-
prependListener(event:
|
|
346
|
-
|
|
416
|
+
prependListener(event: 'OCSPResponse', listener: (response: Buffer) => void): this;
|
|
417
|
+
prependListener(event: 'secureConnect', listener: () => void): this;
|
|
418
|
+
prependListener(event: 'session', listener: (session: Buffer) => void): this;
|
|
419
|
+
prependListener(event: 'keylog', listener: (line: Buffer) => void): this;
|
|
347
420
|
prependOnceListener(event: string, listener: (...args: any[]) => void): this;
|
|
348
|
-
prependOnceListener(event:
|
|
349
|
-
prependOnceListener(event:
|
|
350
|
-
prependOnceListener(event:
|
|
351
|
-
prependOnceListener(event:
|
|
421
|
+
prependOnceListener(event: 'OCSPResponse', listener: (response: Buffer) => void): this;
|
|
422
|
+
prependOnceListener(event: 'secureConnect', listener: () => void): this;
|
|
423
|
+
prependOnceListener(event: 'session', listener: (session: Buffer) => void): this;
|
|
424
|
+
prependOnceListener(event: 'keylog', listener: (line: Buffer) => void): this;
|
|
352
425
|
}
|
|
353
|
-
|
|
354
426
|
interface CommonConnectionOptions {
|
|
355
427
|
/**
|
|
356
428
|
* An optional TLS context object from tls.createSecureContext()
|
|
357
429
|
*/
|
|
358
|
-
secureContext?: SecureContext;
|
|
359
|
-
|
|
430
|
+
secureContext?: SecureContext | undefined;
|
|
360
431
|
/**
|
|
361
432
|
* When enabled, TLS packet trace information is written to `stderr`. This can be
|
|
362
433
|
* used to debug TLS connection problems.
|
|
363
434
|
* @default false
|
|
364
435
|
*/
|
|
365
|
-
enableTrace?: boolean;
|
|
436
|
+
enableTrace?: boolean | undefined;
|
|
366
437
|
/**
|
|
367
438
|
* If true the server will request a certificate from clients that
|
|
368
439
|
* connect and attempt to verify that certificate. Defaults to
|
|
369
440
|
* false.
|
|
370
441
|
*/
|
|
371
|
-
requestCert?: boolean;
|
|
442
|
+
requestCert?: boolean | undefined;
|
|
372
443
|
/**
|
|
373
444
|
* An array of strings or a Buffer naming possible ALPN protocols.
|
|
374
445
|
* (Protocols should be ordered by their priority.)
|
|
375
446
|
*/
|
|
376
|
-
ALPNProtocols?: string[] | Uint8Array[] | Uint8Array;
|
|
447
|
+
ALPNProtocols?: string[] | Uint8Array[] | Uint8Array | undefined;
|
|
377
448
|
/**
|
|
378
449
|
* SNICallback(servername, cb) <Function> A function that will be
|
|
379
450
|
* called if the client supports SNI TLS extension. Two arguments
|
|
@@ -383,16 +454,15 @@ declare module 'tls' {
|
|
|
383
454
|
* SecureContext.) If SNICallback wasn't provided the default callback
|
|
384
455
|
* with high-level API will be used (see below).
|
|
385
456
|
*/
|
|
386
|
-
SNICallback?: (servername: string, cb: (err: Error | null, ctx
|
|
457
|
+
SNICallback?: ((servername: string, cb: (err: Error | null, ctx?: SecureContext) => void) => void) | undefined;
|
|
387
458
|
/**
|
|
388
459
|
* If true the server will reject any connection which is not
|
|
389
460
|
* authorized with the list of supplied CAs. This option only has an
|
|
390
461
|
* effect if requestCert is true.
|
|
391
462
|
* @default true
|
|
392
463
|
*/
|
|
393
|
-
rejectUnauthorized?: boolean;
|
|
464
|
+
rejectUnauthorized?: boolean | undefined;
|
|
394
465
|
}
|
|
395
|
-
|
|
396
466
|
interface TlsOptions extends SecureContextOptions, CommonConnectionOptions, net.ServerOpts {
|
|
397
467
|
/**
|
|
398
468
|
* Abort the connection if the SSL/TLS handshake does not finish in the
|
|
@@ -400,18 +470,17 @@ declare module 'tls' {
|
|
|
400
470
|
* the tls.Server object whenever a handshake times out. Default:
|
|
401
471
|
* 120000 (120 seconds).
|
|
402
472
|
*/
|
|
403
|
-
handshakeTimeout?: number;
|
|
473
|
+
handshakeTimeout?: number | undefined;
|
|
404
474
|
/**
|
|
405
475
|
* The number of seconds after which a TLS session created by the
|
|
406
476
|
* server will no longer be resumable. See Session Resumption for more
|
|
407
477
|
* information. Default: 300.
|
|
408
478
|
*/
|
|
409
|
-
sessionTimeout?: number;
|
|
479
|
+
sessionTimeout?: number | undefined;
|
|
410
480
|
/**
|
|
411
481
|
* 48-bytes of cryptographically strong pseudo-random data.
|
|
412
482
|
*/
|
|
413
|
-
ticketKeys?: Buffer;
|
|
414
|
-
|
|
483
|
+
ticketKeys?: Buffer | undefined;
|
|
415
484
|
/**
|
|
416
485
|
*
|
|
417
486
|
* @param socket
|
|
@@ -431,7 +500,6 @@ declare module 'tls' {
|
|
|
431
500
|
* requires explicitly specifying a cipher suite with the `ciphers` option.
|
|
432
501
|
* More information can be found in the RFC 4279.
|
|
433
502
|
*/
|
|
434
|
-
|
|
435
503
|
pskCallback?(socket: TLSSocket, identity: string): DataView | NodeJS.TypedArray | null;
|
|
436
504
|
/**
|
|
437
505
|
* hint to send to a client to help
|
|
@@ -439,25 +507,23 @@ declare module 'tls' {
|
|
|
439
507
|
* in TLS 1.3. Upon failing to set pskIdentityHint `tlsClientError` will be
|
|
440
508
|
* emitted with `ERR_TLS_PSK_SET_IDENTIY_HINT_FAILED` code.
|
|
441
509
|
*/
|
|
442
|
-
pskIdentityHint?: string;
|
|
510
|
+
pskIdentityHint?: string | undefined;
|
|
443
511
|
}
|
|
444
|
-
|
|
445
512
|
interface PSKCallbackNegotation {
|
|
446
513
|
psk: DataView | NodeJS.TypedArray;
|
|
447
514
|
identity: string;
|
|
448
515
|
}
|
|
449
|
-
|
|
450
516
|
interface ConnectionOptions extends SecureContextOptions, CommonConnectionOptions {
|
|
451
|
-
host?: string;
|
|
452
|
-
port?: number;
|
|
453
|
-
path?: string; // Creates unix socket connection to path. If this option is specified, `host` and `port` are ignored.
|
|
454
|
-
socket?:
|
|
455
|
-
checkServerIdentity?: typeof checkServerIdentity;
|
|
456
|
-
servername?: string; // SNI TLS Extension
|
|
457
|
-
session?: Buffer;
|
|
458
|
-
minDHSize?: number;
|
|
459
|
-
lookup?: net.LookupFunction;
|
|
460
|
-
timeout?: number;
|
|
517
|
+
host?: string | undefined;
|
|
518
|
+
port?: number | undefined;
|
|
519
|
+
path?: string | undefined; // Creates unix socket connection to path. If this option is specified, `host` and `port` are ignored.
|
|
520
|
+
socket?: stream.Duplex | undefined; // Establish secure connection on a given socket rather than creating a new socket
|
|
521
|
+
checkServerIdentity?: typeof checkServerIdentity | undefined;
|
|
522
|
+
servername?: string | undefined; // SNI TLS Extension
|
|
523
|
+
session?: Buffer | undefined;
|
|
524
|
+
minDHSize?: number | undefined;
|
|
525
|
+
lookup?: net.LookupFunction | undefined;
|
|
526
|
+
timeout?: number | undefined;
|
|
461
527
|
/**
|
|
462
528
|
* When negotiating TLS-PSK (pre-shared keys), this function is called
|
|
463
529
|
* with optional identity `hint` provided by the server or `null`
|
|
@@ -477,35 +543,50 @@ declare module 'tls' {
|
|
|
477
543
|
*/
|
|
478
544
|
pskCallback?(hint: string | null): PSKCallbackNegotation | null;
|
|
479
545
|
}
|
|
480
|
-
|
|
546
|
+
/**
|
|
547
|
+
* Accepts encrypted connections using TLS or SSL.
|
|
548
|
+
* @since v0.3.2
|
|
549
|
+
*/
|
|
481
550
|
class Server extends net.Server {
|
|
482
551
|
constructor(secureConnectionListener?: (socket: TLSSocket) => void);
|
|
483
552
|
constructor(options: TlsOptions, secureConnectionListener?: (socket: TLSSocket) => void);
|
|
484
|
-
|
|
485
553
|
/**
|
|
486
|
-
* The server.addContext() method adds a secure context that will be
|
|
487
|
-
*
|
|
488
|
-
*
|
|
554
|
+
* The `server.addContext()` method adds a secure context that will be used if
|
|
555
|
+
* the client request's SNI name matches the supplied `hostname` (or wildcard).
|
|
556
|
+
*
|
|
557
|
+
* When there are multiple matching contexts, the most recently added one is
|
|
558
|
+
* used.
|
|
559
|
+
* @since v0.5.3
|
|
560
|
+
* @param hostname A SNI host name or wildcard (e.g. `'*'`)
|
|
561
|
+
* @param context An object containing any of the possible properties from the {@link createSecureContext} `options` arguments (e.g. `key`, `cert`, `ca`, etc).
|
|
489
562
|
*/
|
|
490
|
-
addContext(
|
|
563
|
+
addContext(hostname: string, context: SecureContextOptions): void;
|
|
491
564
|
/**
|
|
492
565
|
* Returns the session ticket keys.
|
|
566
|
+
*
|
|
567
|
+
* See `Session Resumption` for more information.
|
|
568
|
+
* @since v3.0.0
|
|
569
|
+
* @return A 48-byte buffer containing the session ticket keys.
|
|
493
570
|
*/
|
|
494
571
|
getTicketKeys(): Buffer;
|
|
495
572
|
/**
|
|
496
|
-
*
|
|
497
|
-
*
|
|
498
|
-
*
|
|
499
|
-
*
|
|
573
|
+
* The `server.setSecureContext()` method replaces the secure context of an
|
|
574
|
+
* existing server. Existing connections to the server are not interrupted.
|
|
575
|
+
* @since v11.0.0
|
|
576
|
+
* @param options An object containing any of the possible properties from the {@link createSecureContext} `options` arguments (e.g. `key`, `cert`, `ca`, etc).
|
|
500
577
|
*/
|
|
501
|
-
setSecureContext(
|
|
578
|
+
setSecureContext(options: SecureContextOptions): void;
|
|
502
579
|
/**
|
|
503
|
-
*
|
|
504
|
-
*
|
|
505
|
-
*
|
|
580
|
+
* Sets the session ticket keys.
|
|
581
|
+
*
|
|
582
|
+
* Changes to the ticket keys are effective only for future server connections.
|
|
583
|
+
* Existing or currently pending server connections will use the previous keys.
|
|
584
|
+
*
|
|
585
|
+
* See `Session Resumption` for more information.
|
|
586
|
+
* @since v3.0.0
|
|
587
|
+
* @param keys A 48-byte buffer containing the session ticket keys.
|
|
506
588
|
*/
|
|
507
589
|
setTicketKeys(keys: Buffer): void;
|
|
508
|
-
|
|
509
590
|
/**
|
|
510
591
|
* events.EventEmitter
|
|
511
592
|
* 1. tlsClientError
|
|
@@ -516,54 +597,48 @@ declare module 'tls' {
|
|
|
516
597
|
* 6. keylog
|
|
517
598
|
*/
|
|
518
599
|
addListener(event: string, listener: (...args: any[]) => void): this;
|
|
519
|
-
addListener(event:
|
|
520
|
-
addListener(event:
|
|
521
|
-
addListener(event:
|
|
522
|
-
addListener(event:
|
|
523
|
-
addListener(event:
|
|
524
|
-
addListener(event:
|
|
525
|
-
|
|
600
|
+
addListener(event: 'tlsClientError', listener: (err: Error, tlsSocket: TLSSocket) => void): this;
|
|
601
|
+
addListener(event: 'newSession', listener: (sessionId: Buffer, sessionData: Buffer, callback: () => void) => void): this;
|
|
602
|
+
addListener(event: 'OCSPRequest', listener: (certificate: Buffer, issuer: Buffer, callback: (err: Error | null, resp: Buffer) => void) => void): this;
|
|
603
|
+
addListener(event: 'resumeSession', listener: (sessionId: Buffer, callback: (err: Error | null, sessionData: Buffer | null) => void) => void): this;
|
|
604
|
+
addListener(event: 'secureConnection', listener: (tlsSocket: TLSSocket) => void): this;
|
|
605
|
+
addListener(event: 'keylog', listener: (line: Buffer, tlsSocket: TLSSocket) => void): this;
|
|
526
606
|
emit(event: string | symbol, ...args: any[]): boolean;
|
|
527
|
-
emit(event:
|
|
528
|
-
emit(event:
|
|
529
|
-
emit(event:
|
|
530
|
-
emit(event:
|
|
531
|
-
emit(event:
|
|
532
|
-
emit(event:
|
|
533
|
-
|
|
607
|
+
emit(event: 'tlsClientError', err: Error, tlsSocket: TLSSocket): boolean;
|
|
608
|
+
emit(event: 'newSession', sessionId: Buffer, sessionData: Buffer, callback: () => void): boolean;
|
|
609
|
+
emit(event: 'OCSPRequest', certificate: Buffer, issuer: Buffer, callback: (err: Error | null, resp: Buffer) => void): boolean;
|
|
610
|
+
emit(event: 'resumeSession', sessionId: Buffer, callback: (err: Error | null, sessionData: Buffer | null) => void): boolean;
|
|
611
|
+
emit(event: 'secureConnection', tlsSocket: TLSSocket): boolean;
|
|
612
|
+
emit(event: 'keylog', line: Buffer, tlsSocket: TLSSocket): boolean;
|
|
534
613
|
on(event: string, listener: (...args: any[]) => void): this;
|
|
535
|
-
on(event:
|
|
536
|
-
on(event:
|
|
537
|
-
on(event:
|
|
538
|
-
on(event:
|
|
539
|
-
on(event:
|
|
540
|
-
on(event:
|
|
541
|
-
|
|
614
|
+
on(event: 'tlsClientError', listener: (err: Error, tlsSocket: TLSSocket) => void): this;
|
|
615
|
+
on(event: 'newSession', listener: (sessionId: Buffer, sessionData: Buffer, callback: () => void) => void): this;
|
|
616
|
+
on(event: 'OCSPRequest', listener: (certificate: Buffer, issuer: Buffer, callback: (err: Error | null, resp: Buffer) => void) => void): this;
|
|
617
|
+
on(event: 'resumeSession', listener: (sessionId: Buffer, callback: (err: Error | null, sessionData: Buffer | null) => void) => void): this;
|
|
618
|
+
on(event: 'secureConnection', listener: (tlsSocket: TLSSocket) => void): this;
|
|
619
|
+
on(event: 'keylog', listener: (line: Buffer, tlsSocket: TLSSocket) => void): this;
|
|
542
620
|
once(event: string, listener: (...args: any[]) => void): this;
|
|
543
|
-
once(event:
|
|
544
|
-
once(event:
|
|
545
|
-
once(event:
|
|
546
|
-
once(event:
|
|
547
|
-
once(event:
|
|
548
|
-
once(event:
|
|
549
|
-
|
|
621
|
+
once(event: 'tlsClientError', listener: (err: Error, tlsSocket: TLSSocket) => void): this;
|
|
622
|
+
once(event: 'newSession', listener: (sessionId: Buffer, sessionData: Buffer, callback: () => void) => void): this;
|
|
623
|
+
once(event: 'OCSPRequest', listener: (certificate: Buffer, issuer: Buffer, callback: (err: Error | null, resp: Buffer) => void) => void): this;
|
|
624
|
+
once(event: 'resumeSession', listener: (sessionId: Buffer, callback: (err: Error | null, sessionData: Buffer | null) => void) => void): this;
|
|
625
|
+
once(event: 'secureConnection', listener: (tlsSocket: TLSSocket) => void): this;
|
|
626
|
+
once(event: 'keylog', listener: (line: Buffer, tlsSocket: TLSSocket) => void): this;
|
|
550
627
|
prependListener(event: string, listener: (...args: any[]) => void): this;
|
|
551
|
-
prependListener(event:
|
|
552
|
-
prependListener(event:
|
|
553
|
-
prependListener(event:
|
|
554
|
-
prependListener(event:
|
|
555
|
-
prependListener(event:
|
|
556
|
-
prependListener(event:
|
|
557
|
-
|
|
628
|
+
prependListener(event: 'tlsClientError', listener: (err: Error, tlsSocket: TLSSocket) => void): this;
|
|
629
|
+
prependListener(event: 'newSession', listener: (sessionId: Buffer, sessionData: Buffer, callback: () => void) => void): this;
|
|
630
|
+
prependListener(event: 'OCSPRequest', listener: (certificate: Buffer, issuer: Buffer, callback: (err: Error | null, resp: Buffer) => void) => void): this;
|
|
631
|
+
prependListener(event: 'resumeSession', listener: (sessionId: Buffer, callback: (err: Error | null, sessionData: Buffer | null) => void) => void): this;
|
|
632
|
+
prependListener(event: 'secureConnection', listener: (tlsSocket: TLSSocket) => void): this;
|
|
633
|
+
prependListener(event: 'keylog', listener: (line: Buffer, tlsSocket: TLSSocket) => void): this;
|
|
558
634
|
prependOnceListener(event: string, listener: (...args: any[]) => void): this;
|
|
559
|
-
prependOnceListener(event:
|
|
560
|
-
prependOnceListener(event:
|
|
561
|
-
prependOnceListener(event:
|
|
562
|
-
prependOnceListener(event:
|
|
563
|
-
prependOnceListener(event:
|
|
564
|
-
prependOnceListener(event:
|
|
635
|
+
prependOnceListener(event: 'tlsClientError', listener: (err: Error, tlsSocket: TLSSocket) => void): this;
|
|
636
|
+
prependOnceListener(event: 'newSession', listener: (sessionId: Buffer, sessionData: Buffer, callback: () => void) => void): this;
|
|
637
|
+
prependOnceListener(event: 'OCSPRequest', listener: (certificate: Buffer, issuer: Buffer, callback: (err: Error | null, resp: Buffer) => void) => void): this;
|
|
638
|
+
prependOnceListener(event: 'resumeSession', listener: (sessionId: Buffer, callback: (err: Error | null, sessionData: Buffer | null) => void) => void): this;
|
|
639
|
+
prependOnceListener(event: 'secureConnection', listener: (tlsSocket: TLSSocket) => void): this;
|
|
640
|
+
prependOnceListener(event: 'keylog', listener: (line: Buffer, tlsSocket: TLSSocket) => void): this;
|
|
565
641
|
}
|
|
566
|
-
|
|
567
642
|
/**
|
|
568
643
|
* @deprecated since v0.11.3 Use `tls.TLSSocket` instead.
|
|
569
644
|
*/
|
|
@@ -571,16 +646,14 @@ declare module 'tls' {
|
|
|
571
646
|
encrypted: TLSSocket;
|
|
572
647
|
cleartext: TLSSocket;
|
|
573
648
|
}
|
|
574
|
-
|
|
575
649
|
type SecureVersion = 'TLSv1.3' | 'TLSv1.2' | 'TLSv1.1' | 'TLSv1';
|
|
576
|
-
|
|
577
650
|
interface SecureContextOptions {
|
|
578
651
|
/**
|
|
579
652
|
* Optionally override the trusted CA certificates. Default is to trust
|
|
580
653
|
* the well-known CAs curated by Mozilla. Mozilla's CAs are completely
|
|
581
654
|
* replaced when CAs are explicitly specified using this option.
|
|
582
655
|
*/
|
|
583
|
-
ca?: string | Buffer | Array<string | Buffer
|
|
656
|
+
ca?: string | Buffer | Array<string | Buffer> | undefined;
|
|
584
657
|
/**
|
|
585
658
|
* Cert chains in PEM format. One cert chain should be provided per
|
|
586
659
|
* private key. Each cert chain should consist of the PEM formatted
|
|
@@ -592,29 +665,29 @@ declare module 'tls' {
|
|
|
592
665
|
* intermediate certificates are not provided, the peer will not be
|
|
593
666
|
* able to validate the certificate, and the handshake will fail.
|
|
594
667
|
*/
|
|
595
|
-
cert?: string | Buffer | Array<string | Buffer
|
|
668
|
+
cert?: string | Buffer | Array<string | Buffer> | undefined;
|
|
596
669
|
/**
|
|
597
670
|
* Colon-separated list of supported signature algorithms. The list
|
|
598
671
|
* can contain digest algorithms (SHA256, MD5 etc.), public key
|
|
599
672
|
* algorithms (RSA-PSS, ECDSA etc.), combination of both (e.g
|
|
600
673
|
* 'RSA+SHA384') or TLS v1.3 scheme names (e.g. rsa_pss_pss_sha512).
|
|
601
674
|
*/
|
|
602
|
-
sigalgs?: string;
|
|
675
|
+
sigalgs?: string | undefined;
|
|
603
676
|
/**
|
|
604
677
|
* Cipher suite specification, replacing the default. For more
|
|
605
678
|
* information, see modifying the default cipher suite. Permitted
|
|
606
679
|
* ciphers can be obtained via tls.getCiphers(). Cipher names must be
|
|
607
680
|
* uppercased in order for OpenSSL to accept them.
|
|
608
681
|
*/
|
|
609
|
-
ciphers?: string;
|
|
682
|
+
ciphers?: string | undefined;
|
|
610
683
|
/**
|
|
611
684
|
* Name of an OpenSSL engine which can provide the client certificate.
|
|
612
685
|
*/
|
|
613
|
-
clientCertEngine?: string;
|
|
686
|
+
clientCertEngine?: string | undefined;
|
|
614
687
|
/**
|
|
615
688
|
* PEM formatted CRLs (Certificate Revocation Lists).
|
|
616
689
|
*/
|
|
617
|
-
crl?: string | Buffer | Array<string | Buffer
|
|
690
|
+
crl?: string | Buffer | Array<string | Buffer> | undefined;
|
|
618
691
|
/**
|
|
619
692
|
* Diffie Hellman parameters, required for Perfect Forward Secrecy. Use
|
|
620
693
|
* openssl dhparam to create the parameters. The key length must be
|
|
@@ -623,7 +696,7 @@ declare module 'tls' {
|
|
|
623
696
|
* stronger security. If omitted or invalid, the parameters are
|
|
624
697
|
* silently discarded and DHE ciphers will not be available.
|
|
625
698
|
*/
|
|
626
|
-
dhparam?: string | Buffer;
|
|
699
|
+
dhparam?: string | Buffer | undefined;
|
|
627
700
|
/**
|
|
628
701
|
* A string describing a named curve or a colon separated list of curve
|
|
629
702
|
* NIDs or names, for example P-521:P-384:P-256, to use for ECDH key
|
|
@@ -633,13 +706,13 @@ declare module 'tls' {
|
|
|
633
706
|
* name and description of each available elliptic curve. Default:
|
|
634
707
|
* tls.DEFAULT_ECDH_CURVE.
|
|
635
708
|
*/
|
|
636
|
-
ecdhCurve?: string;
|
|
709
|
+
ecdhCurve?: string | undefined;
|
|
637
710
|
/**
|
|
638
711
|
* Attempt to use the server's cipher suite preferences instead of the
|
|
639
712
|
* client's. When true, causes SSL_OP_CIPHER_SERVER_PREFERENCE to be
|
|
640
713
|
* set in secureOptions
|
|
641
714
|
*/
|
|
642
|
-
honorCipherOrder?: boolean;
|
|
715
|
+
honorCipherOrder?: boolean | undefined;
|
|
643
716
|
/**
|
|
644
717
|
* Private keys in PEM format. PEM allows the option of private keys
|
|
645
718
|
* being encrypted. Encrypted keys will be decrypted with
|
|
@@ -650,18 +723,18 @@ declare module 'tls' {
|
|
|
650
723
|
* object.passphrase is optional. Encrypted keys will be decrypted with
|
|
651
724
|
* object.passphrase if provided, or options.passphrase if it is not.
|
|
652
725
|
*/
|
|
653
|
-
key?: string | Buffer | Array<Buffer | KeyObject
|
|
726
|
+
key?: string | Buffer | Array<string | Buffer | KeyObject> | undefined;
|
|
654
727
|
/**
|
|
655
728
|
* Name of an OpenSSL engine to get private key from. Should be used
|
|
656
729
|
* together with privateKeyIdentifier.
|
|
657
730
|
*/
|
|
658
|
-
privateKeyEngine?: string;
|
|
731
|
+
privateKeyEngine?: string | undefined;
|
|
659
732
|
/**
|
|
660
733
|
* Identifier of a private key managed by an OpenSSL engine. Should be
|
|
661
734
|
* used together with privateKeyEngine. Should not be set together with
|
|
662
735
|
* key, because both options define a private key in different ways.
|
|
663
736
|
*/
|
|
664
|
-
privateKeyIdentifier?: string;
|
|
737
|
+
privateKeyIdentifier?: string | undefined;
|
|
665
738
|
/**
|
|
666
739
|
* Optionally set the maximum TLS version to allow. One
|
|
667
740
|
* of `'TLSv1.3'`, `'TLSv1.2'`, `'TLSv1.1'`, or `'TLSv1'`. Cannot be specified along with the
|
|
@@ -670,7 +743,7 @@ declare module 'tls' {
|
|
|
670
743
|
* `--tls-max-v1.2` sets the default to `'TLSv1.2'`. Using `--tls-max-v1.3` sets the default to
|
|
671
744
|
* `'TLSv1.3'`. If multiple of the options are provided, the highest maximum is used.
|
|
672
745
|
*/
|
|
673
|
-
maxVersion?: SecureVersion;
|
|
746
|
+
maxVersion?: SecureVersion | undefined;
|
|
674
747
|
/**
|
|
675
748
|
* Optionally set the minimum TLS version to allow. One
|
|
676
749
|
* of `'TLSv1.3'`, `'TLSv1.2'`, `'TLSv1.1'`, or `'TLSv1'`. Cannot be specified along with the
|
|
@@ -681,11 +754,11 @@ declare module 'tls' {
|
|
|
681
754
|
* `'TLSv1.1'`. Using `--tls-min-v1.3` sets the default to
|
|
682
755
|
* 'TLSv1.3'. If multiple of the options are provided, the lowest minimum is used.
|
|
683
756
|
*/
|
|
684
|
-
minVersion?: SecureVersion;
|
|
757
|
+
minVersion?: SecureVersion | undefined;
|
|
685
758
|
/**
|
|
686
759
|
* Shared passphrase used for a single private key and/or a PFX.
|
|
687
760
|
*/
|
|
688
|
-
passphrase?: string;
|
|
761
|
+
passphrase?: string | undefined;
|
|
689
762
|
/**
|
|
690
763
|
* PFX or PKCS12 encoded private key and certificate chain. pfx is an
|
|
691
764
|
* alternative to providing key and cert individually. PFX is usually
|
|
@@ -696,13 +769,13 @@ declare module 'tls' {
|
|
|
696
769
|
* object.passphrase is optional. Encrypted PFX will be decrypted with
|
|
697
770
|
* object.passphrase if provided, or options.passphrase if it is not.
|
|
698
771
|
*/
|
|
699
|
-
pfx?: string | Buffer | Array<string | Buffer | PxfObject
|
|
772
|
+
pfx?: string | Buffer | Array<string | Buffer | PxfObject> | undefined;
|
|
700
773
|
/**
|
|
701
774
|
* Optionally affect the OpenSSL protocol behavior, which is not
|
|
702
775
|
* usually necessary. This should be used carefully if at all! Value is
|
|
703
776
|
* a numeric bitmask of the SSL_OP_* options from OpenSSL Options
|
|
704
777
|
*/
|
|
705
|
-
secureOptions?: number; // Value is a numeric bitmask of the `SSL_OP_*` options
|
|
778
|
+
secureOptions?: number | undefined; // Value is a numeric bitmask of the `SSL_OP_*` options
|
|
706
779
|
/**
|
|
707
780
|
* Legacy mechanism to select the TLS protocol version to use, it does
|
|
708
781
|
* not support independent control of the minimum and maximum version,
|
|
@@ -714,49 +787,209 @@ declare module 'tls' {
|
|
|
714
787
|
* TLS versions less than 1.2, but it may be required for
|
|
715
788
|
* interoperability. Default: none, see minVersion.
|
|
716
789
|
*/
|
|
717
|
-
secureProtocol?: string;
|
|
790
|
+
secureProtocol?: string | undefined;
|
|
718
791
|
/**
|
|
719
792
|
* Opaque identifier used by servers to ensure session state is not
|
|
720
793
|
* shared between applications. Unused by clients.
|
|
721
794
|
*/
|
|
722
|
-
sessionIdContext?: string;
|
|
795
|
+
sessionIdContext?: string | undefined;
|
|
723
796
|
/**
|
|
724
797
|
* 48-bytes of cryptographically strong pseudo-random data.
|
|
725
798
|
* See Session Resumption for more information.
|
|
726
799
|
*/
|
|
727
|
-
ticketKeys?: Buffer;
|
|
800
|
+
ticketKeys?: Buffer | undefined;
|
|
728
801
|
/**
|
|
729
802
|
* The number of seconds after which a TLS session created by the
|
|
730
803
|
* server will no longer be resumable. See Session Resumption for more
|
|
731
804
|
* information. Default: 300.
|
|
732
805
|
*/
|
|
733
|
-
sessionTimeout?: number;
|
|
806
|
+
sessionTimeout?: number | undefined;
|
|
734
807
|
}
|
|
735
|
-
|
|
736
808
|
interface SecureContext {
|
|
737
809
|
context: any;
|
|
738
810
|
}
|
|
739
|
-
|
|
740
|
-
|
|
741
|
-
*
|
|
742
|
-
*
|
|
743
|
-
*
|
|
811
|
+
/**
|
|
812
|
+
* Verifies the certificate `cert` is issued to `hostname`.
|
|
813
|
+
*
|
|
814
|
+
* Returns [Error](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Error) object, populating it with `reason`, `host`, and `cert` on
|
|
815
|
+
* failure. On success, returns [undefined](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Data_structures#Undefined_type).
|
|
816
|
+
*
|
|
817
|
+
* This function is intended to be used in combination with the`checkServerIdentity` option that can be passed to {@link connect} and as
|
|
818
|
+
* such operates on a `certificate object`. For other purposes, consider using `x509.checkHost()` instead.
|
|
819
|
+
*
|
|
820
|
+
* This function can be overwritten by providing an alternative function as the`options.checkServerIdentity` option that is passed to `tls.connect()`. The
|
|
821
|
+
* overwriting function can call `tls.checkServerIdentity()` of course, to augment
|
|
822
|
+
* the checks done with additional verification.
|
|
744
823
|
*
|
|
745
|
-
*
|
|
824
|
+
* This function is only called if the certificate passed all other checks, such as
|
|
825
|
+
* being issued by trusted CA (`options.ca`).
|
|
826
|
+
*
|
|
827
|
+
* Earlier versions of Node.js incorrectly accepted certificates for a given`hostname` if a matching `uniformResourceIdentifier` subject alternative name
|
|
828
|
+
* was present (see [CVE-2021-44531](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44531)). Applications that wish to accept`uniformResourceIdentifier` subject alternative names can use
|
|
829
|
+
* a custom`options.checkServerIdentity` function that implements the desired behavior.
|
|
830
|
+
* @since v0.8.4
|
|
831
|
+
* @param hostname The host name or IP address to verify the certificate against.
|
|
832
|
+
* @param cert A `certificate object` representing the peer's certificate.
|
|
833
|
+
*/
|
|
834
|
+
function checkServerIdentity(hostname: string, cert: PeerCertificate): Error | undefined;
|
|
835
|
+
/**
|
|
836
|
+
* Creates a new {@link Server}. The `secureConnectionListener`, if provided, is
|
|
837
|
+
* automatically set as a listener for the `'secureConnection'` event.
|
|
838
|
+
*
|
|
839
|
+
* The `ticketKeys` options is automatically shared between `cluster` module
|
|
840
|
+
* workers.
|
|
841
|
+
*
|
|
842
|
+
* The following illustrates a simple echo server:
|
|
843
|
+
*
|
|
844
|
+
* ```js
|
|
845
|
+
* const tls = require('tls');
|
|
846
|
+
* const fs = require('fs');
|
|
847
|
+
*
|
|
848
|
+
* const options = {
|
|
849
|
+
* key: fs.readFileSync('server-key.pem'),
|
|
850
|
+
* cert: fs.readFileSync('server-cert.pem'),
|
|
851
|
+
*
|
|
852
|
+
* // This is necessary only if using client certificate authentication.
|
|
853
|
+
* requestCert: true,
|
|
854
|
+
*
|
|
855
|
+
* // This is necessary only if the client uses a self-signed certificate.
|
|
856
|
+
* ca: [ fs.readFileSync('client-cert.pem') ]
|
|
857
|
+
* };
|
|
858
|
+
*
|
|
859
|
+
* const server = tls.createServer(options, (socket) => {
|
|
860
|
+
* console.log('server connected',
|
|
861
|
+
* socket.authorized ? 'authorized' : 'unauthorized');
|
|
862
|
+
* socket.write('welcome!\n');
|
|
863
|
+
* socket.setEncoding('utf8');
|
|
864
|
+
* socket.pipe(socket);
|
|
865
|
+
* });
|
|
866
|
+
* server.listen(8000, () => {
|
|
867
|
+
* console.log('server bound');
|
|
868
|
+
* });
|
|
869
|
+
* ```
|
|
870
|
+
*
|
|
871
|
+
* The server can be tested by connecting to it using the example client from {@link connect}.
|
|
872
|
+
* @since v0.3.2
|
|
746
873
|
*/
|
|
747
|
-
function checkServerIdentity(host: string, cert: PeerCertificate): Error | undefined;
|
|
748
874
|
function createServer(secureConnectionListener?: (socket: TLSSocket) => void): Server;
|
|
749
875
|
function createServer(options: TlsOptions, secureConnectionListener?: (socket: TLSSocket) => void): Server;
|
|
876
|
+
/**
|
|
877
|
+
* The `callback` function, if specified, will be added as a listener for the `'secureConnect'` event.
|
|
878
|
+
*
|
|
879
|
+
* `tls.connect()` returns a {@link TLSSocket} object.
|
|
880
|
+
*
|
|
881
|
+
* Unlike the `https` API, `tls.connect()` does not enable the
|
|
882
|
+
* SNI (Server Name Indication) extension by default, which may cause some
|
|
883
|
+
* servers to return an incorrect certificate or reject the connection
|
|
884
|
+
* altogether. To enable SNI, set the `servername` option in addition
|
|
885
|
+
* to `host`.
|
|
886
|
+
*
|
|
887
|
+
* The following illustrates a client for the echo server example from {@link createServer}:
|
|
888
|
+
*
|
|
889
|
+
* ```js
|
|
890
|
+
* // Assumes an echo server that is listening on port 8000.
|
|
891
|
+
* const tls = require('tls');
|
|
892
|
+
* const fs = require('fs');
|
|
893
|
+
*
|
|
894
|
+
* const options = {
|
|
895
|
+
* // Necessary only if the server requires client certificate authentication.
|
|
896
|
+
* key: fs.readFileSync('client-key.pem'),
|
|
897
|
+
* cert: fs.readFileSync('client-cert.pem'),
|
|
898
|
+
*
|
|
899
|
+
* // Necessary only if the server uses a self-signed certificate.
|
|
900
|
+
* ca: [ fs.readFileSync('server-cert.pem') ],
|
|
901
|
+
*
|
|
902
|
+
* // Necessary only if the server's cert isn't for "localhost".
|
|
903
|
+
* checkServerIdentity: () => { return null; },
|
|
904
|
+
* };
|
|
905
|
+
*
|
|
906
|
+
* const socket = tls.connect(8000, options, () => {
|
|
907
|
+
* console.log('client connected',
|
|
908
|
+
* socket.authorized ? 'authorized' : 'unauthorized');
|
|
909
|
+
* process.stdin.pipe(socket);
|
|
910
|
+
* process.stdin.resume();
|
|
911
|
+
* });
|
|
912
|
+
* socket.setEncoding('utf8');
|
|
913
|
+
* socket.on('data', (data) => {
|
|
914
|
+
* console.log(data);
|
|
915
|
+
* });
|
|
916
|
+
* socket.on('end', () => {
|
|
917
|
+
* console.log('server ends connection');
|
|
918
|
+
* });
|
|
919
|
+
* ```
|
|
920
|
+
* @since v0.11.3
|
|
921
|
+
*/
|
|
750
922
|
function connect(options: ConnectionOptions, secureConnectListener?: () => void): TLSSocket;
|
|
751
923
|
function connect(port: number, host?: string, options?: ConnectionOptions, secureConnectListener?: () => void): TLSSocket;
|
|
752
924
|
function connect(port: number, options?: ConnectionOptions, secureConnectListener?: () => void): TLSSocket;
|
|
753
925
|
/**
|
|
754
|
-
*
|
|
926
|
+
* Creates a new secure pair object with two streams, one of which reads and writes
|
|
927
|
+
* the encrypted data and the other of which reads and writes the cleartext data.
|
|
928
|
+
* Generally, the encrypted stream is piped to/from an incoming encrypted data
|
|
929
|
+
* stream and the cleartext one is used as a replacement for the initial encrypted
|
|
930
|
+
* stream.
|
|
931
|
+
*
|
|
932
|
+
* `tls.createSecurePair()` returns a `tls.SecurePair` object with `cleartext` and`encrypted` stream properties.
|
|
933
|
+
*
|
|
934
|
+
* Using `cleartext` has the same API as {@link TLSSocket}.
|
|
935
|
+
*
|
|
936
|
+
* The `tls.createSecurePair()` method is now deprecated in favor of`tls.TLSSocket()`. For example, the code:
|
|
937
|
+
*
|
|
938
|
+
* ```js
|
|
939
|
+
* pair = tls.createSecurePair(// ... );
|
|
940
|
+
* pair.encrypted.pipe(socket);
|
|
941
|
+
* socket.pipe(pair.encrypted);
|
|
942
|
+
* ```
|
|
943
|
+
*
|
|
944
|
+
* can be replaced by:
|
|
945
|
+
*
|
|
946
|
+
* ```js
|
|
947
|
+
* secureSocket = tls.TLSSocket(socket, options);
|
|
948
|
+
* ```
|
|
949
|
+
*
|
|
950
|
+
* where `secureSocket` has the same API as `pair.cleartext`.
|
|
951
|
+
* @since v0.3.2
|
|
952
|
+
* @deprecated Since v0.11.3 - Use {@link TLSSocket} instead.
|
|
953
|
+
* @param context A secure context object as returned by `tls.createSecureContext()`
|
|
954
|
+
* @param isServer `true` to specify that this TLS connection should be opened as a server.
|
|
955
|
+
* @param requestCert `true` to specify whether a server should request a certificate from a connecting client. Only applies when `isServer` is `true`.
|
|
956
|
+
* @param rejectUnauthorized If not `false` a server automatically reject clients with invalid certificates. Only applies when `isServer` is `true`.
|
|
957
|
+
*/
|
|
958
|
+
function createSecurePair(context?: SecureContext, isServer?: boolean, requestCert?: boolean, rejectUnauthorized?: boolean): SecurePair;
|
|
959
|
+
/**
|
|
960
|
+
* {@link createServer} sets the default value of the `honorCipherOrder` option
|
|
961
|
+
* to `true`, other APIs that create secure contexts leave it unset.
|
|
962
|
+
*
|
|
963
|
+
* {@link createServer} uses a 128 bit truncated SHA1 hash value generated
|
|
964
|
+
* from `process.argv` as the default value of the `sessionIdContext` option, other
|
|
965
|
+
* APIs that create secure contexts have no default value.
|
|
966
|
+
*
|
|
967
|
+
* The `tls.createSecureContext()` method creates a `SecureContext` object. It is
|
|
968
|
+
* usable as an argument to several `tls` APIs, such as {@link createServer} and `server.addContext()`, but has no public methods.
|
|
969
|
+
*
|
|
970
|
+
* A key is _required_ for ciphers that use certificates. Either `key` or`pfx` can be used to provide it.
|
|
971
|
+
*
|
|
972
|
+
* If the `ca` option is not given, then Node.js will default to using [Mozilla's publicly trusted list of
|
|
973
|
+
* CAs](https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt).
|
|
974
|
+
* @since v0.11.13
|
|
755
975
|
*/
|
|
756
|
-
function createSecurePair(credentials?: SecureContext, isServer?: boolean, requestCert?: boolean, rejectUnauthorized?: boolean): SecurePair;
|
|
757
976
|
function createSecureContext(options?: SecureContextOptions): SecureContext;
|
|
977
|
+
/**
|
|
978
|
+
* Returns an array with the names of the supported TLS ciphers. The names are
|
|
979
|
+
* lower-case for historical reasons, but must be uppercased to be used in
|
|
980
|
+
* the `ciphers` option of {@link createSecureContext}.
|
|
981
|
+
*
|
|
982
|
+
* Not all supported ciphers are enabled by default. See `Modifying the default TLS cipher suite`.
|
|
983
|
+
*
|
|
984
|
+
* Cipher names that start with `'tls_'` are for TLSv1.3, all the others are for
|
|
985
|
+
* TLSv1.2 and below.
|
|
986
|
+
*
|
|
987
|
+
* ```js
|
|
988
|
+
* console.log(tls.getCiphers()); // ['aes128-gcm-sha256', 'aes128-sha', ...]
|
|
989
|
+
* ```
|
|
990
|
+
* @since v0.10.2
|
|
991
|
+
*/
|
|
758
992
|
function getCiphers(): string[];
|
|
759
|
-
|
|
760
993
|
/**
|
|
761
994
|
* The default curve name to use for ECDH key agreement in a tls server.
|
|
762
995
|
* The default value is 'auto'. See tls.createSecureContext() for further
|
|
@@ -783,7 +1016,6 @@ declare module 'tls' {
|
|
|
783
1016
|
* are provided, the lowest minimum is used.
|
|
784
1017
|
*/
|
|
785
1018
|
let DEFAULT_MIN_VERSION: SecureVersion;
|
|
786
|
-
|
|
787
1019
|
/**
|
|
788
1020
|
* An immutable array of strings representing the root certificates (in PEM
|
|
789
1021
|
* format) used for verifying peer certificates. This is the default value
|
|
@@ -791,3 +1023,6 @@ declare module 'tls' {
|
|
|
791
1023
|
*/
|
|
792
1024
|
const rootCertificates: ReadonlyArray<string>;
|
|
793
1025
|
}
|
|
1026
|
+
declare module 'node:tls' {
|
|
1027
|
+
export * from 'tls';
|
|
1028
|
+
}
|