|
@ -56,10 +56,10 @@ openssl pkcs12 -export -in agent5-cert.pem -inkey agent5-key.pem \ |
|
|
|
|
|
|
|
|
ALPN (Application-Layer Protocol Negotiation Extension), NPN (Next |
|
|
ALPN (Application-Layer Protocol Negotiation Extension), NPN (Next |
|
|
Protocol Negotiation) and SNI (Server Name Indication) are TLS |
|
|
Protocol Negotiation) and SNI (Server Name Indication) are TLS |
|
|
handshake extensions allowing you: |
|
|
handshake extensions: |
|
|
|
|
|
|
|
|
* ALPN/NPN - to use one TLS server for multiple protocols (HTTP, SPDY, HTTP/2) |
|
|
* ALPN/NPN - Allows the use of one TLS server for multiple protocols (HTTP, SPDY, HTTP/2) |
|
|
* SNI - to use one TLS server for multiple hostnames with different SSL |
|
|
* SNI - Allows the use of one TLS server for multiple hostnames with different SSL |
|
|
certificates. |
|
|
certificates. |
|
|
|
|
|
|
|
|
## Client-initiated renegotiation attack mitigation |
|
|
## Client-initiated renegotiation attack mitigation |
|
@ -187,8 +187,8 @@ connections using TLS or SSL. |
|
|
|
|
|
|
|
|
`function (exception, tlsSocket) { }` |
|
|
`function (exception, tlsSocket) { }` |
|
|
|
|
|
|
|
|
When a client connection emits an `'error'` event before secure connection is |
|
|
When a client connection emits an `'error'` event before a secure connection is |
|
|
established - it will be forwarded here. |
|
|
established it will be forwarded here. |
|
|
|
|
|
|
|
|
`tlsSocket` is the [`tls.TLSSocket`][] that the error originated from. |
|
|
`tlsSocket` is the [`tls.TLSSocket`][] that the error originated from. |
|
|
|
|
|
|
|
@ -370,7 +370,7 @@ Construct a new TLSSocket object from existing TCP socket. |
|
|
- `secureContext`: An optional TLS context object from |
|
|
- `secureContext`: An optional TLS context object from |
|
|
[`tls.createSecureContext()`][] |
|
|
[`tls.createSecureContext()`][] |
|
|
|
|
|
|
|
|
- `isServer`: If `true` - TLS socket will be instantiated in server-mode. |
|
|
- `isServer`: If `true` the TLS socket will be instantiated in server-mode. |
|
|
Default: `false` |
|
|
Default: `false` |
|
|
|
|
|
|
|
|
- `server`: An optional [`net.Server`][] instance |
|
|
- `server`: An optional [`net.Server`][] instance |
|
@ -387,9 +387,9 @@ Construct a new TLSSocket object from existing TCP socket. |
|
|
|
|
|
|
|
|
- `session`: Optional, a `Buffer` instance, containing TLS session |
|
|
- `session`: Optional, a `Buffer` instance, containing TLS session |
|
|
|
|
|
|
|
|
- `requestOCSP`: Optional, if `true` - OCSP status request extension would |
|
|
- `requestOCSP`: Optional, if `true` the OCSP status request extension will |
|
|
be added to client hello, and `'OCSPResponse'` event will be emitted on socket |
|
|
be added to the client hello, and an `'OCSPResponse'` event will be emitted |
|
|
before establishing secure communication |
|
|
on the socket before establishing a secure communication |
|
|
|
|
|
|
|
|
### Event: 'OCSPResponse' |
|
|
### Event: 'OCSPResponse' |
|
|
|
|
|
|
|
@ -408,7 +408,7 @@ The listener will be called no matter if the server's certificate was |
|
|
authorized or not. It is up to the user to test `tlsSocket.authorized` |
|
|
authorized or not. It is up to the user to test `tlsSocket.authorized` |
|
|
to see if the server certificate was signed by one of the specified CAs. |
|
|
to see if the server certificate was signed by one of the specified CAs. |
|
|
If `tlsSocket.authorized === false` then the error can be found in |
|
|
If `tlsSocket.authorized === false` then the error can be found in |
|
|
`tlsSocket.authorizationError`. Also if ALPN or NPN was used - you can |
|
|
`tlsSocket.authorizationError`. Also, if ALPN or NPN was used you can |
|
|
check `tlsSocket.alpnProtocol` or `tlsSocket.npnProtocol` for the |
|
|
check `tlsSocket.alpnProtocol` or `tlsSocket.npnProtocol` for the |
|
|
negotiated protocol. |
|
|
negotiated protocol. |
|
|
|
|
|
|
|
@ -463,8 +463,8 @@ Example: |
|
|
|
|
|
|
|
|
Returns an object representing the peer's certificate. The returned object has |
|
|
Returns an object representing the peer's certificate. The returned object has |
|
|
some properties corresponding to the field of the certificate. If `detailed` |
|
|
some properties corresponding to the field of the certificate. If `detailed` |
|
|
argument is `true` - the full chain with `issuer` property will be returned, |
|
|
argument is `true` the full chain with `issuer` property will be returned, |
|
|
if `false` - only the top certificate without `issuer` property. |
|
|
if `false` only the top certificate without `issuer` property. |
|
|
|
|
|
|
|
|
Example: |
|
|
Example: |
|
|
|
|
|
|
|
@ -876,7 +876,7 @@ automatically set as a listener for the [`'secureConnection'`][] event. The |
|
|
and `cb`. `SNICallback` should invoke `cb(null, ctx)`, where `ctx` is a |
|
|
and `cb`. `SNICallback` should invoke `cb(null, ctx)`, where `ctx` is a |
|
|
SecureContext instance. |
|
|
SecureContext instance. |
|
|
(You can use `tls.createSecureContext(...)` to get proper |
|
|
(You can use `tls.createSecureContext(...)` to get proper |
|
|
SecureContext). If `SNICallback` wasn't provided - default callback with |
|
|
SecureContext). If `SNICallback` wasn't provided the default callback with |
|
|
high-level API will be used (see below). |
|
|
high-level API will be used (see below). |
|
|
|
|
|
|
|
|
- `sessionTimeout`: An integer specifying the seconds after which TLS |
|
|
- `sessionTimeout`: An integer specifying the seconds after which TLS |
|
|