npm - @types/node - Versions diffs - 16.3.3 → 16.4.3 - Mend

@types/node 16.3.3 → 16.4.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (48) hide show

node/tls.d.ts CHANGED Viewed

@@ -1,10 +1,18 @@
+/**
+ * The `tls` module provides an implementation of the Transport Layer Security
+ * (TLS) and Secure Socket Layer (SSL) protocols that is built on top of OpenSSL.
+ * The module can be accessed using:
+ *
+ * ```js
+ * const tls = require('tls');
+ * ```
+ * @see [source](https://github.com/nodejs/node/blob/v16.4.2/lib/tls.js)
+ */
 declare module 'tls' {
     import { X509Certificate } from 'node:crypto';
     import * as net from 'node:net';
     const CLIENT_RENEG_LIMIT: number;
     const CLIENT_RENEG_WINDOW: number;
     interface Certificate {
         /**
          * Country code.
@@ -31,7 +39,6 @@ declare module 'tls' {
          */
         CN: string;
     }
     interface PeerCertificate {
         subject: Certificate;
         issuer: Certificate;
@@ -47,11 +54,9 @@ declare module 'tls' {
         serialNumber: string;
         raw: Buffer;
     }
     interface DetailedPeerCertificate extends PeerCertificate {
         issuerCertificate: DetailedPeerCertificate;
     }
     interface CipherNameAndProtocol {
         /**
          * The cipher name.
@@ -61,13 +66,11 @@ declare module 'tls' {
          * SSL/TLS protocol version.
          */
         version: string;
         /**
          * IETF name for the cipher suite.
          */
         standardName: string;
     }
     interface EphemeralKeyInfo {
         /**
          * The supported types are 'DH' and 'ECDH'.
@@ -82,7 +85,6 @@ declare module 'tls' {
          */
         size: number;
     }
     interface KeyObject {
         /**
          * Private keys in PEM format.
@@ -93,7 +95,6 @@ declare module 'tls' {
          */
         passphrase?: string | undefined;
     }
     interface PxfObject {
         /**
          * PFX or PKCS12 encoded private key and certificate chain.
@@ -104,7 +105,6 @@ declare module 'tls' {
          */
         passphrase?: string | undefined;
     }
     interface TLSSocketOptions extends SecureContextOptions, CommonConnectionOptions {
         /**
          * If true the TLS socket will be instantiated in server-mode.
@@ -115,7 +115,6 @@ declare module 'tls' {
          * An optional net.Server instance.
          */
         server?: net.Server | undefined;
         /**
          * An optional Buffer instance containing a TLS session.
          */
@@ -127,236 +126,306 @@ declare module 'tls' {
          */
         requestOCSP?: boolean | undefined;
     }
+    /**
+     * * Extends: `<net.Socket>`
+     *
+     * Performs transparent encryption of written data and all required TLS
+     * negotiation.
+     *
+     * Instances of `tls.TLSSocket` implement the duplex `Stream` interface.
+     *
+     * Methods that return TLS connection metadata (e.g.{@link TLSSocket.getPeerCertificate} will only return data while the
+     * connection is open.
+     * @since v0.11.4
+     */
     class TLSSocket extends net.Socket {
         /**
          * Construct a new tls.TLSSocket object from an existing TCP socket.
          */
         constructor(socket: net.Socket, options?: TLSSocketOptions);
         /**
          * A boolean that is true if the peer certificate was signed by one of the specified CAs, otherwise false.
          */
         authorized: boolean;
         /**
-         * The reason why the peer's certificate has not been verified.
-         * This property becomes available only when tlsSocket.authorized === false.
+         * Returns the reason why the peer's certificate was not been verified. This
+         * property is set only when `tlsSocket.authorized === false`.
+         * @since v0.11.4
          */
         authorizationError: Error;
         /**
-         * Static boolean value, always true.
-         * May be used to distinguish TLS sockets from regular ones.
+         * Always returns `true`. This may be used to distinguish TLS sockets from regular`net.Socket` instances.
+         * @since v0.11.4
          */
         encrypted: boolean;
         /**
          * String containing the selected ALPN protocol.
          * When ALPN has no selected protocol, tlsSocket.alpnProtocol equals false.
          */
         alpnProtocol?: string | undefined;
         /**
-         * Returns an object representing the local certificate. The returned
-         * object has some properties corresponding to the fields of the
-         * certificate.
+         * Returns an object representing the local certificate. The returned object has
+         * some properties corresponding to the fields of the certificate.
          *
-         * See tls.TLSSocket.getPeerCertificate() for an example of the
-         * certificate structure.
+         * See {@link TLSSocket.getPeerCertificate} for an example of the certificate
+         * structure.
          *
-         * If there is no local certificate, an empty object will be returned.
-         * If the socket has been destroyed, null will be returned.
+         * If there is no local certificate, an empty object will be returned. If the
+         * socket has been destroyed, `null` will be returned.
+         * @since v11.2.0
          */
         getCertificate(): PeerCertificate | object | null;
         /**
-         * Returns an object representing the cipher name and the SSL/TLS protocol version of the current connection.
-         * @returns Returns an object representing the cipher name
-         * and the SSL/TLS protocol version of the current connection.
+         * Returns an object containing information on the negotiated cipher suite.
+         *
+         * For example:
+         *
+         * ```json
+         * {
+         *     "name": "AES128-SHA256",
+         *     "standardName": "TLS_RSA_WITH_AES_128_CBC_SHA256",
+         *     "version": "TLSv1.2"
+         * }
+         * ```
+         *
+         * See[SSL\_CIPHER\_get\_name](https://www.openssl.org/docs/man1.1.1/man3/SSL_CIPHER_get_name.html)for more information.
+         * @since v0.11.4
          */
         getCipher(): CipherNameAndProtocol;
         /**
-         * Returns an object representing the type, name, and size of parameter
-         * of an ephemeral key exchange in Perfect Forward Secrecy on a client
+         * Returns an object representing the type, name, and size of parameter of
+         * an ephemeral key exchange in `perfect forward secrecy` on a client
          * connection. It returns an empty object when the key exchange is not
-         * ephemeral. As this is only supported on a client socket; null is
-         * returned if called on a server socket. The supported types are 'DH'
-         * and 'ECDH'. The name property is available only when type is 'ECDH'.
+         * ephemeral. As this is only supported on a client socket; `null` is returned
+         * if called on a server socket. The supported types are `'DH'` and `'ECDH'`. The`name` property is available only when type is `'ECDH'`.
          *
-         * For example: { type: 'ECDH', name: 'prime256v1', size: 256 }.
+         * For example: `{ type: 'ECDH', name: 'prime256v1', size: 256 }`.
+         * @since v5.0.0
          */
         getEphemeralKeyInfo(): EphemeralKeyInfo | object | null;
         /**
-         * Returns the latest Finished message that has
-         * been sent to the socket as part of a SSL/TLS handshake, or undefined
-         * if no Finished message has been sent yet.
+         * As the `Finished` messages are message digests of the complete handshake
+         * (with a total of 192 bits for TLS 1.0 and more for SSL 3.0), they can
+         * be used for external authentication procedures when the authentication
+         * provided by SSL/TLS is not desired or is not enough.
          *
-         * As the Finished messages are message digests of the complete
-         * handshake (with a total of 192 bits for TLS 1.0 and more for SSL
-         * 3.0), they can be used for external authentication procedures when
-         * the authentication provided by SSL/TLS is not desired or is not
-         * enough.
-         *
-         * Corresponds to the SSL_get_finished routine in OpenSSL and may be
-         * used to implement the tls-unique channel binding from RFC 5929.
+         * Corresponds to the `SSL_get_finished` routine in OpenSSL and may be used
+         * to implement the `tls-unique` channel binding from [RFC 5929](https://tools.ietf.org/html/rfc5929).
+         * @since v9.9.0
+         * @return The latest `Finished` message that has been sent to the socket as part of a SSL/TLS handshake, or `undefined` if no `Finished` message has been sent yet.
          */
         getFinished(): Buffer | undefined;
         /**
-         * Returns an object representing the peer's certificate.
-         * The returned object has some properties corresponding to the field of the certificate.
-         * If detailed argument is true the full chain with issuer property will be returned,
-         * if false only the top certificate without issuer property.
-         * If the peer does not provide a certificate, it returns null or an empty object.
-         * @param detailed - If true; the full chain with issuer property will be returned.
-         * @returns An object representing the peer's certificate.
+         * Returns an object representing the peer's certificate. If the peer does not
+         * provide a certificate, an empty object will be returned. If the socket has been
+         * destroyed, `null` will be returned.
+         *
+         * If the full certificate chain was requested, each certificate will include an`issuerCertificate` property containing an object representing its issuer's
+         * certificate.
+         * @since v0.11.4
+         * @param detailed Include the full certificate chain if `true`, otherwise include just the peer's certificate.
+         * @return A certificate object.
          */
         getPeerCertificate(detailed: true): DetailedPeerCertificate;
         getPeerCertificate(detailed?: false): PeerCertificate;
         getPeerCertificate(detailed?: boolean): PeerCertificate | DetailedPeerCertificate;
         /**
-         * Returns the latest Finished message that is expected or has actually
-         * been received from the socket as part of a SSL/TLS handshake, or
-         * undefined if there is no Finished message so far.
-         *
-         * As the Finished messages are message digests of the complete
-         * handshake (with a total of 192 bits for TLS 1.0 and more for SSL
-         * 3.0), they can be used for external authentication procedures when
-         * the authentication provided by SSL/TLS is not desired or is not
-         * enough.
+         * As the `Finished` messages are message digests of the complete handshake
+         * (with a total of 192 bits for TLS 1.0 and more for SSL 3.0), they can
+         * be used for external authentication procedures when the authentication
+         * provided by SSL/TLS is not desired or is not enough.
          *
-         * Corresponds to the SSL_get_peer_finished routine in OpenSSL and may
-         * be used to implement the tls-unique channel binding from RFC 5929.
+         * Corresponds to the `SSL_get_peer_finished` routine in OpenSSL and may be used
+         * to implement the `tls-unique` channel binding from [RFC 5929](https://tools.ietf.org/html/rfc5929).
+         * @since v9.9.0
+         * @return The latest `Finished` message that is expected or has actually been received from the socket as part of a SSL/TLS handshake, or `undefined` if there is no `Finished` message so
+         * far.
          */
         getPeerFinished(): Buffer | undefined;
         /**
-         * Returns a string containing the negotiated SSL/TLS protocol version of the current connection.
-         * The value `'unknown'` will be returned for connected sockets that have not completed the handshaking process.
-         * The value `null` will be returned for server sockets or disconnected client sockets.
-         * See https://www.openssl.org/docs/man1.0.2/ssl/SSL_get_version.html for more information.
-         * @returns negotiated SSL/TLS protocol version of the current connection
+         * Returns a string containing the negotiated SSL/TLS protocol version of the
+         * current connection. The value `'unknown'` will be returned for connected
+         * sockets that have not completed the handshaking process. The value `null` will
+         * be returned for server sockets or disconnected client sockets.
+         *
+         * Protocol versions are:
+         *
+         * * `'SSLv3'`
+         * * `'TLSv1'`
+         * * `'TLSv1.1'`
+         * * `'TLSv1.2'`
+         * * `'TLSv1.3'`
+         *
+         * See the OpenSSL [`SSL_get_version`](https://www.openssl.org/docs/man1.1.1/man3/SSL_get_version.html) documentation for more information.
+         * @since v5.7.0
          */
         getProtocol(): string | null;
         /**
-         * Could be used to speed up handshake establishment when reconnecting to the server.
-         * @returns ASN.1 encoded TLS session or undefined if none was negotiated.
+         * Returns the TLS session data or `undefined` if no session was
+         * negotiated. On the client, the data can be provided to the `session` option of {@link connect} to resume the connection. On the server, it may be useful
+         * for debugging.
+         *
+         * See `Session Resumption` for more information.
+         *
+         * Note: `getSession()` works only for TLSv1.2 and below. For TLSv1.3, applications
+         * must use the `'session'` event (it also works for TLSv1.2 and below).
+         * @since v0.11.4
          */
         getSession(): Buffer | undefined;
         /**
-         * Returns a list of signature algorithms shared between the server and
-         * the client in the order of decreasing preference.
+         * See[SSL\_get\_shared\_sigalgs](https://www.openssl.org/docs/man1.1.1/man3/SSL_get_shared_sigalgs.html)for more information.
+         * @since v12.11.0
+         * @return List of signature algorithms shared between the server and the client in the order of decreasing preference.
          */
         getSharedSigalgs(): string[];
         /**
-         * NOTE: Works only with client TLS sockets.
-         * Useful only for debugging, for session reuse provide session option to tls.connect().
-         * @returns TLS session ticket or undefined if none was negotiated.
+         * For a client, returns the TLS session ticket if one is available, or`undefined`. For a server, always returns `undefined`.
+         *
+         * It may be useful for debugging.
+         *
+         * See `Session Resumption` for more information.
+         * @since v0.11.4
          */
         getTLSTicket(): Buffer | undefined;
         /**
-         * Returns true if the session was reused, false otherwise.
+         * See `Session Resumption` for more information.
+         * @since v0.5.6
+         * @return `true` if the session was reused, `false` otherwise.
          */
         isSessionReused(): boolean;
         /**
-         * Initiate TLS renegotiation process.
+         * The `tlsSocket.renegotiate()` method initiates a TLS renegotiation process.
+         * Upon completion, the `callback` function will be passed a single argument
+         * that is either an `Error` (if the request failed) or `null`.
          *
-         * NOTE: Can be used to request peer's certificate after the secure connection has been established.
-         * ANOTHER NOTE: When running as the server, socket will be destroyed with an error after handshakeTimeout timeout.
-         * @param options - The options may contain the following fields: rejectUnauthorized,
-         * requestCert (See tls.createServer() for details).
-         * @param callback - callback(err) will be executed with null as err, once the renegotiation
-         * is successfully completed.
-         * @return `undefined` when socket is destroy, `false` if negotiaion can't be initiated.
-         */
-        renegotiate(options: { rejectUnauthorized?: boolean | undefined, requestCert?: boolean | undefined }, callback: (err: Error | null) => void): undefined | boolean;
-        /**
-         * Set maximum TLS fragment size (default and maximum value is: 16384, minimum is: 512).
-         * Smaller fragment size decreases buffering latency on the client: large fragments are buffered by
-         * the TLS layer until the entire fragment is received and its integrity is verified;
-         * large fragments can span multiple roundtrips, and their processing can be delayed due to packet
-         * loss or reordering. However, smaller fragments add extra TLS framing bytes and CPU overhead,
-         * which may decrease overall server throughput.
-         * @param size - TLS fragment size (default and maximum value is: 16384, minimum is: 512).
-         * @returns Returns true on success, false otherwise.
+         * This method can be used to request a peer's certificate after the secure
+         * connection has been established.
+         *
+         * When running as the server, the socket will be destroyed with an error after`handshakeTimeout` timeout.
+         *
+         * For TLSv1.3, renegotiation cannot be initiated, it is not supported by the
+         * protocol.
+         * @since v0.11.8
+         * @param callback If `renegotiate()` returned `true`, callback is attached once to the `'secure'` event. If `renegotiate()` returned `false`, `callback` will be called in the next tick with
+         * an error, unless the `tlsSocket` has been destroyed, in which case `callback` will not be called at all.
+         * @return `true` if renegotiation was initiated, `false` otherwise.
+         */
+        renegotiate(
+            options: {
+                rejectUnauthorized?: boolean | undefined;
+                requestCert?: boolean | undefined;
+            },
+            callback: (err: Error | null) => void
+        ): undefined | boolean;
+        /**
+         * The `tlsSocket.setMaxSendFragment()` method sets the maximum TLS fragment size.
+         * Returns `true` if setting the limit succeeded; `false` otherwise.
+         *
+         * Smaller fragment sizes decrease the buffering latency on the client: larger
+         * fragments are buffered by the TLS layer until the entire fragment is received
+         * and its integrity is verified; large fragments can span multiple roundtrips
+         * and their processing can be delayed due to packet loss or reordering. However,
+         * smaller fragments add extra TLS framing bytes and CPU overhead, which may
+         * decrease overall server throughput.
+         * @since v0.11.11
+         * @param size The maximum TLS fragment size. The maximum value is `16384`.
          */
         setMaxSendFragment(size: number): boolean;
         /**
-         * Disables TLS renegotiation for this TLSSocket instance. Once called,
-         * attempts to renegotiate will trigger an 'error' event on the
-         * TLSSocket.
+         * Disables TLS renegotiation for this `TLSSocket` instance. Once called, attempts
+         * to renegotiate will trigger an `'error'` event on the `TLSSocket`.
+         * @since v8.4.0
          */
         disableRenegotiation(): void;
         /**
          * When enabled, TLS packet trace information is written to `stderr`. This can be
          * used to debug TLS connection problems.
          *
-         * Note: The format of the output is identical to the output of `openssl s_client
-         * -trace` or `openssl s_server -trace`. While it is produced by OpenSSL's
-         * `SSL_trace()` function, the format is undocumented, can change without notice,
+         * Note: The format of the output is identical to the output of `openssl s_client -trace` or `openssl s_server -trace`. While it is produced by OpenSSL's`SSL_trace()` function, the format is
+         * undocumented, can change without notice,
          * and should not be relied on.
+         * @since v12.2.0
          */
         enableTrace(): void;
         /**
-         * If there is no peer certificate, or the socket has been destroyed, `undefined` will be returned.
+         * Returns the peer certificate as an `<X509Certificate>` object.
+         *
+         * If there is no peer certificate, or the socket has been destroyed,`undefined` will be returned.
+         * @since v15.9.0
          */
         getPeerX509Certificate(): X509Certificate | undefined;
         /**
-         * If there is no local certificate, or the socket has been destroyed, `undefined` will be returned.
+         * Returns the local certificate as an `<X509Certificate>` object.
+         *
+         * If there is no local certificate, or the socket has been destroyed,`undefined` will be returned.
+         * @since v15.9.0
          */
         getX509Certificate(): X509Certificate | undefined;
         /**
+         * Keying material is used for validations to prevent different kind of attacks in
+         * network protocols, for example in the specifications of IEEE 802.1X.
+         *
+         * Example
+         *
+         * ```js
+         * const keyingMaterial = tlsSocket.exportKeyingMaterial(
+         *   128,
+         *   'client finished');
+         *
+         *
+         *  Example return value of keyingMaterial:
+         *  <Buffer 76 26 af 99 c5 56 8e 42 09 91 ef 9f 93 cb ad 6c 7b 65 f8 53 f1 d8 d9
+         *     12 5a 33 b8 b5 25 df 7b 37 9f e0 e2 4f b8 67 83 a3 2f cd 5d 41 42 4c 91
+         *     74 ef 2c ... 78 more bytes>
+         *
+         * ```
+         *
+         * See the OpenSSL [`SSL_export_keying_material`](https://www.openssl.org/docs/man1.1.1/man3/SSL_export_keying_material.html) documentation for more
+         * information.
+         * @since v13.10.0, v12.17.0
          * @param length number of bytes to retrieve from keying material
-         * @param label an application specific label, typically this will be a value from the
-         * [IANA Exporter Label Registry](https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#exporter-labels).
-         * @param context optionally provide a context.
+         * @param label an application specific label, typically this will be a value from the [IANA Exporter Label
+         * Registry](https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#exporter-labels).
+         * @param context Optionally provide a context.
+         * @return requested bytes of the keying material
          */
         exportKeyingMaterial(length: number, label: string, context: Buffer): Buffer;
         addListener(event: string, listener: (...args: any[]) => void): this;
-        addListener(event: "OCSPResponse", listener: (response: Buffer) => void): this;
-        addListener(event: "secureConnect", listener: () => void): this;
-        addListener(event: "session", listener: (session: Buffer) => void): this;
-        addListener(event: "keylog", listener: (line: Buffer) => void): this;
+        addListener(event: 'OCSPResponse', listener: (response: Buffer) => void): this;
+        addListener(event: 'secureConnect', listener: () => void): this;
+        addListener(event: 'session', listener: (session: Buffer) => void): this;
+        addListener(event: 'keylog', listener: (line: Buffer) => void): this;
         emit(event: string | symbol, ...args: any[]): boolean;
-        emit(event: "OCSPResponse", response: Buffer): boolean;
-        emit(event: "secureConnect"): boolean;
-        emit(event: "session", session: Buffer): boolean;
-        emit(event: "keylog", line: Buffer): boolean;
+        emit(event: 'OCSPResponse', response: Buffer): boolean;
+        emit(event: 'secureConnect'): boolean;
+        emit(event: 'session', session: Buffer): boolean;
+        emit(event: 'keylog', line: Buffer): boolean;
         on(event: string, listener: (...args: any[]) => void): this;
-        on(event: "OCSPResponse", listener: (response: Buffer) => void): this;
-        on(event: "secureConnect", listener: () => void): this;
-        on(event: "session", listener: (session: Buffer) => void): this;
-        on(event: "keylog", listener: (line: Buffer) => void): this;
+        on(event: 'OCSPResponse', listener: (response: Buffer) => void): this;
+        on(event: 'secureConnect', listener: () => void): this;
+        on(event: 'session', listener: (session: Buffer) => void): this;
+        on(event: 'keylog', listener: (line: Buffer) => void): this;
         once(event: string, listener: (...args: any[]) => void): this;
-        once(event: "OCSPResponse", listener: (response: Buffer) => void): this;
-        once(event: "secureConnect", listener: () => void): this;
-        once(event: "session", listener: (session: Buffer) => void): this;
-        once(event: "keylog", listener: (line: Buffer) => void): this;
+        once(event: 'OCSPResponse', listener: (response: Buffer) => void): this;
+        once(event: 'secureConnect', listener: () => void): this;
+        once(event: 'session', listener: (session: Buffer) => void): this;
+        once(event: 'keylog', listener: (line: Buffer) => void): this;
         prependListener(event: string, listener: (...args: any[]) => void): this;
-        prependListener(event: "OCSPResponse", listener: (response: Buffer) => void): this;
-        prependListener(event: "secureConnect", listener: () => void): this;
-        prependListener(event: "session", listener: (session: Buffer) => void): this;
-        prependListener(event: "keylog", listener: (line: Buffer) => void): this;
+        prependListener(event: 'OCSPResponse', listener: (response: Buffer) => void): this;
+        prependListener(event: 'secureConnect', listener: () => void): this;
+        prependListener(event: 'session', listener: (session: Buffer) => void): this;
+        prependListener(event: 'keylog', listener: (line: Buffer) => void): this;
         prependOnceListener(event: string, listener: (...args: any[]) => void): this;
-        prependOnceListener(event: "OCSPResponse", listener: (response: Buffer) => void): this;
-        prependOnceListener(event: "secureConnect", listener: () => void): this;
-        prependOnceListener(event: "session", listener: (session: Buffer) => void): this;
-        prependOnceListener(event: "keylog", listener: (line: Buffer) => void): this;
+        prependOnceListener(event: 'OCSPResponse', listener: (response: Buffer) => void): this;
+        prependOnceListener(event: 'secureConnect', listener: () => void): this;
+        prependOnceListener(event: 'session', listener: (session: Buffer) => void): this;
+        prependOnceListener(event: 'keylog', listener: (line: Buffer) => void): this;
     }
     interface CommonConnectionOptions {
         /**
          * An optional TLS context object from tls.createSecureContext()
          */
         secureContext?: SecureContext | undefined;
         /**
          * When enabled, TLS packet trace information is written to `stderr`. This can be
          * used to debug TLS connection problems.
@@ -392,7 +461,6 @@ declare module 'tls' {
          */
         rejectUnauthorized?: boolean | undefined;
     }
     interface TlsOptions extends SecureContextOptions, CommonConnectionOptions, net.ServerOpts {
         /**
          * Abort the connection if the SSL/TLS handshake does not finish in the
@@ -411,7 +479,6 @@ declare module 'tls' {
          * 48-bytes of cryptographically strong pseudo-random data.
          */
         ticketKeys?: Buffer | undefined;
         /**
          *
          * @param socket
@@ -431,7 +498,6 @@ declare module 'tls' {
          * requires explicitly specifying a cipher suite with the `ciphers` option.
          * More information can be found in the RFC 4279.
          */
         pskCallback?(socket: TLSSocket, identity: string): DataView | NodeJS.TypedArray | null;
         /**
          * hint to send to a client to help
@@ -441,12 +507,10 @@ declare module 'tls' {
          */
         pskIdentityHint?: string | undefined;
     }
     interface PSKCallbackNegotation {
         psk: DataView | NodeJS.TypedArray;
         identity: string;
     }
     interface ConnectionOptions extends SecureContextOptions, CommonConnectionOptions {
         host?: string | undefined;
         port?: number | undefined;
@@ -477,35 +541,52 @@ declare module 'tls' {
          */
         pskCallback?(hint: string | null): PSKCallbackNegotation | null;
     }
+    /**
+     * * Extends: `<net.Server>`
+     *
+     * Accepts encrypted connections using TLS or SSL.
+     * @since v0.3.2
+     */
     class Server extends net.Server {
         constructor(secureConnectionListener?: (socket: TLSSocket) => void);
         constructor(options: TlsOptions, secureConnectionListener?: (socket: TLSSocket) => void);
         /**
-         * The server.addContext() method adds a secure context that will be
-         * used if the client request's SNI name matches the supplied hostname
-         * (or wildcard).
+         * The `server.addContext()` method adds a secure context that will be used if
+         * the client request's SNI name matches the supplied `hostname` (or wildcard).
+         *
+         * When there are multiple matching contexts, the most recently added one is
+         * used.
+         * @since v0.5.3
+         * @param hostname A SNI host name or wildcard (e.g. `'*'`)
+         * @param context An object containing any of the possible properties from the {@link createSecureContext} `options` arguments (e.g. `key`, `cert`, `ca`, etc).
          */
         addContext(hostName: string, credentials: SecureContextOptions): void;
         /**
          * Returns the session ticket keys.
+         *
+         * See `Session Resumption` for more information.
+         * @since v3.0.0
+         * @return A 48-byte buffer containing the session ticket keys.
          */
         getTicketKeys(): Buffer;
         /**
-         *
-         * The server.setSecureContext() method replaces the
-         * secure context of an existing server. Existing connections to the
-         * server are not interrupted.
+         * The `server.setSecureContext()` method replaces the secure context of an
+         * existing server. Existing connections to the server are not interrupted.
+         * @since v11.0.0
+         * @param options An object containing any of the possible properties from the {@link createSecureContext} `options` arguments (e.g. `key`, `cert`, `ca`, etc).
          */
         setSecureContext(details: SecureContextOptions): void;
         /**
-         * The server.setSecureContext() method replaces the secure context of
-         * an existing server. Existing connections to the server are not
-         * interrupted.
+         * Sets the session ticket keys.
+         *
+         * Changes to the ticket keys are effective only for future server connections.
+         * Existing or currently pending server connections will use the previous keys.
+         *
+         * See `Session Resumption` for more information.
+         * @since v3.0.0
+         * @param keys A 48-byte buffer containing the session ticket keys.
          */
         setTicketKeys(keys: Buffer): void;
         /**
          * events.EventEmitter
          * 1. tlsClientError
@@ -516,54 +597,48 @@ declare module 'tls' {
          * 6. keylog
          */
         addListener(event: string, listener: (...args: any[]) => void): this;
-        addListener(event: "tlsClientError", listener: (err: Error, tlsSocket: TLSSocket) => void): this;
-        addListener(event: "newSession", listener: (sessionId: Buffer, sessionData: Buffer, callback: (err: Error, resp: Buffer) => void) => void): this;
-        addListener(event: "OCSPRequest", listener: (certificate: Buffer, issuer: Buffer, callback: (err: Error | null, resp: Buffer) => void) => void): this;
-        addListener(event: "resumeSession", listener: (sessionId: Buffer, callback: (err: Error, sessionData: Buffer) => void) => void): this;
-        addListener(event: "secureConnection", listener: (tlsSocket: TLSSocket) => void): this;
-        addListener(event: "keylog", listener: (line: Buffer, tlsSocket: TLSSocket) => void): this;
+        addListener(event: 'tlsClientError', listener: (err: Error, tlsSocket: TLSSocket) => void): this;
+        addListener(event: 'newSession', listener: (sessionId: Buffer, sessionData: Buffer, callback: (err: Error, resp: Buffer) => void) => void): this;
+        addListener(event: 'OCSPRequest', listener: (certificate: Buffer, issuer: Buffer, callback: (err: Error | null, resp: Buffer) => void) => void): this;
+        addListener(event: 'resumeSession', listener: (sessionId: Buffer, callback: (err: Error, sessionData: Buffer) => void) => void): this;
+        addListener(event: 'secureConnection', listener: (tlsSocket: TLSSocket) => void): this;
+        addListener(event: 'keylog', listener: (line: Buffer, tlsSocket: TLSSocket) => void): this;
         emit(event: string | symbol, ...args: any[]): boolean;
-        emit(event: "tlsClientError", err: Error, tlsSocket: TLSSocket): boolean;
-        emit(event: "newSession", sessionId: Buffer, sessionData: Buffer, callback: (err: Error, resp: Buffer) => void): boolean;
-        emit(event: "OCSPRequest", certificate: Buffer, issuer: Buffer, callback: (err: Error | null, resp: Buffer) => void): boolean;
-        emit(event: "resumeSession", sessionId: Buffer, callback: (err: Error, sessionData: Buffer) => void): boolean;
-        emit(event: "secureConnection", tlsSocket: TLSSocket): boolean;
-        emit(event: "keylog", line: Buffer, tlsSocket: TLSSocket): boolean;
+        emit(event: 'tlsClientError', err: Error, tlsSocket: TLSSocket): boolean;
+        emit(event: 'newSession', sessionId: Buffer, sessionData: Buffer, callback: (err: Error, resp: Buffer) => void): boolean;
+        emit(event: 'OCSPRequest', certificate: Buffer, issuer: Buffer, callback: (err: Error | null, resp: Buffer) => void): boolean;
+        emit(event: 'resumeSession', sessionId: Buffer, callback: (err: Error, sessionData: Buffer) => void): boolean;
+        emit(event: 'secureConnection', tlsSocket: TLSSocket): boolean;
+        emit(event: 'keylog', line: Buffer, tlsSocket: TLSSocket): boolean;
         on(event: string, listener: (...args: any[]) => void): this;
-        on(event: "tlsClientError", listener: (err: Error, tlsSocket: TLSSocket) => void): this;
-        on(event: "newSession", listener: (sessionId: Buffer, sessionData: Buffer, callback: (err: Error, resp: Buffer) => void) => void): this;
-        on(event: "OCSPRequest", listener: (certificate: Buffer, issuer: Buffer, callback: (err: Error | null, resp: Buffer) => void) => void): this;
-        on(event: "resumeSession", listener: (sessionId: Buffer, callback: (err: Error, sessionData: Buffer) => void) => void): this;
-        on(event: "secureConnection", listener: (tlsSocket: TLSSocket) => void): this;
-        on(event: "keylog", listener: (line: Buffer, tlsSocket: TLSSocket) => void): this;
+        on(event: 'tlsClientError', listener: (err: Error, tlsSocket: TLSSocket) => void): this;
+        on(event: 'newSession', listener: (sessionId: Buffer, sessionData: Buffer, callback: (err: Error, resp: Buffer) => void) => void): this;
+        on(event: 'OCSPRequest', listener: (certificate: Buffer, issuer: Buffer, callback: (err: Error | null, resp: Buffer) => void) => void): this;
+        on(event: 'resumeSession', listener: (sessionId: Buffer, callback: (err: Error, sessionData: Buffer) => void) => void): this;
+        on(event: 'secureConnection', listener: (tlsSocket: TLSSocket) => void): this;
+        on(event: 'keylog', listener: (line: Buffer, tlsSocket: TLSSocket) => void): this;
         once(event: string, listener: (...args: any[]) => void): this;
-        once(event: "tlsClientError", listener: (err: Error, tlsSocket: TLSSocket) => void): this;
-        once(event: "newSession", listener: (sessionId: Buffer, sessionData: Buffer, callback: (err: Error, resp: Buffer) => void) => void): this;
-        once(event: "OCSPRequest", listener: (certificate: Buffer, issuer: Buffer, callback: (err: Error | null, resp: Buffer) => void) => void): this;
-        once(event: "resumeSession", listener: (sessionId: Buffer, callback: (err: Error, sessionData: Buffer) => void) => void): this;
-        once(event: "secureConnection", listener: (tlsSocket: TLSSocket) => void): this;
-        once(event: "keylog", listener: (line: Buffer, tlsSocket: TLSSocket) => void): this;
+        once(event: 'tlsClientError', listener: (err: Error, tlsSocket: TLSSocket) => void): this;
+        once(event: 'newSession', listener: (sessionId: Buffer, sessionData: Buffer, callback: (err: Error, resp: Buffer) => void) => void): this;
+        once(event: 'OCSPRequest', listener: (certificate: Buffer, issuer: Buffer, callback: (err: Error | null, resp: Buffer) => void) => void): this;
+        once(event: 'resumeSession', listener: (sessionId: Buffer, callback: (err: Error, sessionData: Buffer) => void) => void): this;
+        once(event: 'secureConnection', listener: (tlsSocket: TLSSocket) => void): this;
+        once(event: 'keylog', listener: (line: Buffer, tlsSocket: TLSSocket) => void): this;
         prependListener(event: string, listener: (...args: any[]) => void): this;
-        prependListener(event: "tlsClientError", listener: (err: Error, tlsSocket: TLSSocket) => void): this;
-        prependListener(event: "newSession", listener: (sessionId: Buffer, sessionData: Buffer, callback: (err: Error, resp: Buffer) => void) => void): this;
-        prependListener(event: "OCSPRequest", listener: (certificate: Buffer, issuer: Buffer, callback: (err: Error | null, resp: Buffer) => void) => void): this;
-        prependListener(event: "resumeSession", listener: (sessionId: Buffer, callback: (err: Error, sessionData: Buffer) => void) => void): this;
-        prependListener(event: "secureConnection", listener: (tlsSocket: TLSSocket) => void): this;
-        prependListener(event: "keylog", listener: (line: Buffer, tlsSocket: TLSSocket) => void): this;
+        prependListener(event: 'tlsClientError', listener: (err: Error, tlsSocket: TLSSocket) => void): this;
+        prependListener(event: 'newSession', listener: (sessionId: Buffer, sessionData: Buffer, callback: (err: Error, resp: Buffer) => void) => void): this;
+        prependListener(event: 'OCSPRequest', listener: (certificate: Buffer, issuer: Buffer, callback: (err: Error | null, resp: Buffer) => void) => void): this;
+        prependListener(event: 'resumeSession', listener: (sessionId: Buffer, callback: (err: Error, sessionData: Buffer) => void) => void): this;
+        prependListener(event: 'secureConnection', listener: (tlsSocket: TLSSocket) => void): this;
+        prependListener(event: 'keylog', listener: (line: Buffer, tlsSocket: TLSSocket) => void): this;
         prependOnceListener(event: string, listener: (...args: any[]) => void): this;
-        prependOnceListener(event: "tlsClientError", listener: (err: Error, tlsSocket: TLSSocket) => void): this;
-        prependOnceListener(event: "newSession", listener: (sessionId: Buffer, sessionData: Buffer, callback: (err: Error, resp: Buffer) => void) => void): this;
-        prependOnceListener(event: "OCSPRequest", listener: (certificate: Buffer, issuer: Buffer, callback: (err: Error | null, resp: Buffer) => void) => void): this;
-        prependOnceListener(event: "resumeSession", listener: (sessionId: Buffer, callback: (err: Error, sessionData: Buffer) => void) => void): this;
-        prependOnceListener(event: "secureConnection", listener: (tlsSocket: TLSSocket) => void): this;
-        prependOnceListener(event: "keylog", listener: (line: Buffer, tlsSocket: TLSSocket) => void): this;
+        prependOnceListener(event: 'tlsClientError', listener: (err: Error, tlsSocket: TLSSocket) => void): this;
+        prependOnceListener(event: 'newSession', listener: (sessionId: Buffer, sessionData: Buffer, callback: (err: Error, resp: Buffer) => void) => void): this;
+        prependOnceListener(event: 'OCSPRequest', listener: (certificate: Buffer, issuer: Buffer, callback: (err: Error | null, resp: Buffer) => void) => void): this;
+        prependOnceListener(event: 'resumeSession', listener: (sessionId: Buffer, callback: (err: Error, sessionData: Buffer) => void) => void): this;
+        prependOnceListener(event: 'secureConnection', listener: (tlsSocket: TLSSocket) => void): this;
+        prependOnceListener(event: 'keylog', listener: (line: Buffer, tlsSocket: TLSSocket) => void): this;
     }
     /**
      * @deprecated since v0.11.3 Use `tls.TLSSocket` instead.
      */
@@ -571,9 +646,7 @@ declare module 'tls' {
         encrypted: TLSSocket;
         cleartext: TLSSocket;
     }
     type SecureVersion = 'TLSv1.3' | 'TLSv1.2' | 'TLSv1.1' | 'TLSv1';
     interface SecureContextOptions {
         /**
          * Optionally override the trusted CA certificates. Default is to trust
@@ -732,31 +805,183 @@ declare module 'tls' {
          */
         sessionTimeout?: number | undefined;
     }
     interface SecureContext {
         context: any;
     }
-    /*
-     * Verifies the certificate `cert` is issued to host `host`.
-     * @host The hostname to verify the certificate against
-     * @cert PeerCertificate representing the peer's certificate
+    /**
+     * Verifies the certificate `cert` is issued to `hostname`.
+     *
+     * Returns [&lt;Error&gt;](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Error) object, populating it with `reason`, `host`, and `cert` on
+     * failure. On success, returns [&lt;undefined&gt;](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Data_structures#Undefined_type).
+     *
+     * This function can be overwritten by providing alternative function as part of
+     * the `options.checkServerIdentity` option passed to `tls.connect()`. The
+     * overwriting function can call `tls.checkServerIdentity()` of course, to augment
+     * the checks done with additional verification.
      *
-     * Returns Error object, populating it with the reason, host and cert on failure.  On success, returns undefined.
+     * This function is only called if the certificate passed all other checks, such as
+     * being issued by trusted CA (`options.ca`).
+     * @since v0.8.4
+     * @param hostname The host name or IP address to verify the certificate against.
+     * @param cert A `certificate object` representing the peer's certificate.
      */
     function checkServerIdentity(host: string, cert: PeerCertificate): Error | undefined;
+    /**
+     * Creates a new {@link Server}. The `secureConnectionListener`, if provided, is
+     * automatically set as a listener for the `'secureConnection'` event.
+     *
+     * The `ticketKeys` options is automatically shared between `cluster` module
+     * workers.
+     *
+     * The following illustrates a simple echo server:
+     *
+     * ```js
+     * const tls = require('tls');
+     * const fs = require('fs');
+     *
+     * const options = {
+     *   key: fs.readFileSync('server-key.pem'),
+     *   cert: fs.readFileSync('server-cert.pem'),
+     *
+     *   // This is necessary only if using client certificate authentication.
+     *   requestCert: true,
+     *
+     *   // This is necessary only if the client uses a self-signed certificate.
+     *   ca: [ fs.readFileSync('client-cert.pem') ]
+     * };
+     *
+     * const server = tls.createServer(options, (socket) => {
+     *   console.log('server connected',
+     *               socket.authorized ? 'authorized' : 'unauthorized');
+     *   socket.write('welcome!\n');
+     *   socket.setEncoding('utf8');
+     *   socket.pipe(socket);
+     * });
+     * server.listen(8000, () => {
+     *   console.log('server bound');
+     * });
+     * ```
+     *
+     * The server can be tested by connecting to it using the example client from {@link connect}.
+     * @since v0.3.2
+     */
     function createServer(secureConnectionListener?: (socket: TLSSocket) => void): Server;
     function createServer(options: TlsOptions, secureConnectionListener?: (socket: TLSSocket) => void): Server;
+    /**
+     * The `callback` function, if specified, will be added as a listener for the `'secureConnect'` event.
+     *
+     * `tls.connect()` returns a {@link TLSSocket} object.
+     *
+     * Unlike the `https` API, `tls.connect()` does not enable the
+     * SNI (Server Name Indication) extension by default, which may cause some
+     * servers to return an incorrect certificate or reject the connection
+     * altogether. To enable SNI, set the `servername` option in addition
+     * to `host`.
+     *
+     * The following illustrates a client for the echo server example from {@link createServer}:
+     *
+     * ```js
+     * // Assumes an echo server that is listening on port 8000.
+     * const tls = require('tls');
+     * const fs = require('fs');
+     *
+     * const options = {
+     *   // Necessary only if the server requires client certificate authentication.
+     *   key: fs.readFileSync('client-key.pem'),
+     *   cert: fs.readFileSync('client-cert.pem'),
+     *
+     *   // Necessary only if the server uses a self-signed certificate.
+     *   ca: [ fs.readFileSync('server-cert.pem') ],
+     *
+     *   // Necessary only if the server's cert isn't for "localhost".
+     *   checkServerIdentity: () => { return null; },
+     * };
+     *
+     * const socket = tls.connect(8000, options, () => {
+     *   console.log('client connected',
+     *               socket.authorized ? 'authorized' : 'unauthorized');
+     *   process.stdin.pipe(socket);
+     *   process.stdin.resume();
+     * });
+     * socket.setEncoding('utf8');
+     * socket.on('data', (data) => {
+     *   console.log(data);
+     * });
+     * socket.on('end', () => {
+     *   console.log('server ends connection');
+     * });
+     * ```
+     * @since v0.11.3
+     */
     function connect(options: ConnectionOptions, secureConnectListener?: () => void): TLSSocket;
     function connect(port: number, host?: string, options?: ConnectionOptions, secureConnectListener?: () => void): TLSSocket;
     function connect(port: number, options?: ConnectionOptions, secureConnectListener?: () => void): TLSSocket;
     /**
-     * @deprecated since v0.11.3 Use `tls.TLSSocket` instead.
+     * Creates a new secure pair object with two streams, one of which reads and writes
+     * the encrypted data and the other of which reads and writes the cleartext data.
+     * Generally, the encrypted stream is piped to/from an incoming encrypted data
+     * stream and the cleartext one is used as a replacement for the initial encrypted
+     * stream.
+     *
+     * `tls.createSecurePair()` returns a `tls.SecurePair` object with `cleartext` and`encrypted` stream properties.
+     *
+     * Using `cleartext` has the same API as {@link TLSSocket}.
+     *
+     * The `tls.createSecurePair()` method is now deprecated in favor of`tls.TLSSocket()`. For example, the code:
+     *
+     * ```js
+     * pair = tls.createSecurePair(// ... );
+     * pair.encrypted.pipe(socket);
+     * socket.pipe(pair.encrypted);
+     * ```
+     *
+     * can be replaced by:
+     *
+     * ```js
+     * secureSocket = tls.TLSSocket(socket, options);
+     * ```
+     *
+     * where `secureSocket` has the same API as `pair.cleartext`.
+     * @since v0.3.2
+     * @deprecated Since v0.11.3 - Use {@link TLSSocket} instead.
+     * @param context A secure context object as returned by `tls.createSecureContext()`
+     * @param isServer `true` to specify that this TLS connection should be opened as a server.
+     * @param requestCert `true` to specify whether a server should request a certificate from a connecting client. Only applies when `isServer` is `true`.
+     * @param rejectUnauthorized If not `false` a server automatically reject clients with invalid certificates. Only applies when `isServer` is `true`.
      */
     function createSecurePair(credentials?: SecureContext, isServer?: boolean, requestCert?: boolean, rejectUnauthorized?: boolean): SecurePair;
+    /**
+     * {@link createServer} sets the default value of the `honorCipherOrder` option
+     * to `true`, other APIs that create secure contexts leave it unset.
+     *
+     * {@link createServer} uses a 128 bit truncated SHA1 hash value generated
+     * from `process.argv` as the default value of the `sessionIdContext` option, other
+     * APIs that create secure contexts have no default value.
+     *
+     * The `tls.createSecureContext()` method creates a `SecureContext` object. It is
+     * usable as an argument to several `tls` APIs, such as {@link createServer} and `server.addContext()`, but has no public methods.
+     *
+     * A key is _required_ for ciphers that use certificates. Either `key` or`pfx` can be used to provide it.
+     *
+     * If the `ca` option is not given, then Node.js will default to using[Mozilla's publicly trusted list of
+     * CAs](https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt).
+     * @since v0.11.13
+     */
     function createSecureContext(options?: SecureContextOptions): SecureContext;
+    /**
+     * Returns an array with the names of the supported TLS ciphers. The names are
+     * lower-case for historical reasons, but must be uppercased to be used in
+     * the `ciphers` option of {@link createSecureContext}.
+     *
+     * Cipher names that start with `'tls_'` are for TLSv1.3, all the others are for
+     * TLSv1.2 and below.
+     *
+     * ```js
+     * console.log(tls.getCiphers()); // ['aes128-gcm-sha256', 'aes128-sha', ...]
+     * ```
+     * @since v0.10.2
+     */
     function getCiphers(): string[];
     /**
      * The default curve name to use for ECDH key agreement in a tls server.
      * The default value is 'auto'. See tls.createSecureContext() for further
@@ -783,7 +1008,6 @@ declare module 'tls' {
      * are provided, the lowest minimum is used.
      */
     let DEFAULT_MIN_VERSION: SecureVersion;
     /**
      * An immutable array of strings representing the root certificates (in PEM
      * format) used for verifying peer certificates. This is the default value
@@ -791,7 +1015,6 @@ declare module 'tls' {
      */
     const rootCertificates: ReadonlyArray<string>;
 }
 declare module 'node:tls' {
     export * from 'tls';
 }