@@ -1024,34 +1024,6 @@ changes:
10241024-->
10251025
10261026* ` options ` {Object}
1027- * ` pfx ` {string|string[ ] |Buffer|Buffer[ ] |Object[ ] } Optional PFX or PKCS12
1028- encoded private key and certificate chain. ` pfx ` is an alternative to
1029- providing ` key ` and ` cert ` individually. PFX is usually encrypted, if it is,
1030- ` passphrase ` will be used to decrypt it. Multiple PFX can be provided either
1031- as an array of unencrypted PFX buffers, or an array of objects in the form
1032- ` {buf: <string|buffer>[, passphrase: <string>]} ` . The object form can only
1033- occur in an array. ` object.passphrase ` is optional. Encrypted PFX will be
1034- decrypted with ` object.passphrase ` if provided, or ` options.passphrase ` if
1035- it is not.
1036- * ` key ` {string|string[ ] |Buffer|Buffer[ ] |Object[ ] } Optional private keys in
1037- PEM format. PEM allows the option of private keys being encrypted. Encrypted
1038- keys will be decrypted with ` options.passphrase ` . Multiple keys using
1039- different algorithms can be provided either as an array of unencrypted key
1040- strings or buffers, or an array of objects in the form `{pem:
1041- <string|buffer>[ , passphrase: <string >] }`. The object form can only occur in
1042- an array. ` object.passphrase ` is optional. Encrypted keys will be decrypted
1043- with ` object.passphrase ` if provided, or ` options.passphrase ` if it is not.
1044- * ` passphrase ` {string} Optional shared passphrase used for a single private
1045- key and/or a PFX.
1046- * ` cert ` {string|string[ ] |Buffer|Buffer[ ] } Optional cert chains in PEM format.
1047- One cert chain should be provided per private key. Each cert chain should
1048- consist of the PEM formatted certificate for a provided private ` key ` ,
1049- followed by the PEM formatted intermediate certificates (if any), in order,
1050- and not including the root CA (the root CA must be pre-known to the peer,
1051- see ` ca ` ). When providing multiple cert chains, they do not have to be in
1052- the same order as their private keys in ` key ` . If the intermediate
1053- certificates are not provided, the peer will not be able to validate the
1054- certificate, and the handshake will fail.
10551027 * ` ca ` {string|string[ ] |Buffer|Buffer[ ] } Optionally override the trusted CA
10561028 certificates. Default is to trust the well-known CAs curated by Mozilla.
10571029 Mozilla's CAs are completely replaced when CAs are explicitly specified
@@ -1067,19 +1039,17 @@ changes:
10671039 certificate can match or chain to.
10681040 For self-signed certificates, the certificate is its own CA, and must be
10691041 provided.
1042+ * ` cert ` {string|string[ ] |Buffer|Buffer[ ] } Optional cert chains in PEM format.
1043+ One cert chain should be provided per private key. Each cert chain should
1044+ consist of the PEM formatted certificate for a provided private ` key ` ,
1045+ followed by the PEM formatted intermediate certificates (if any), in order,
1046+ and not including the root CA (the root CA must be pre-known to the peer,
1047+ see ` ca ` ). When providing multiple cert chains, they do not have to be in
1048+ the same order as their private keys in ` key ` . If the intermediate
1049+ certificates are not provided, the peer will not be able to validate the
1050+ certificate, and the handshake will fail.
10701051 * ` ciphers ` {string} Optional cipher suite specification, replacing the
10711052 default. For more information, see [ modifying the default cipher suite] [ ] .
1072- * ` honorCipherOrder ` {boolean} Attempt to use the server's cipher suite
1073- preferences instead of the client's. When ` true ` , causes
1074- ` SSL_OP_CIPHER_SERVER_PREFERENCE ` to be set in ` secureOptions ` , see
1075- [ OpenSSL Options] [ ] for more information.
1076- * ` ecdhCurve ` {string} A string describing a named curve or a colon separated
1077- list of curve NIDs or names, for example ` P-521:P-384:P-256 ` , to use for
1078- ECDH key agreement, or ` false ` to disable ECDH. Set to ` auto ` to select the
1079- curve automatically. Use [ ` crypto.getCurves() ` ] [ ] to obtain a list of
1080- available curve names. On recent releases, ` openssl ecparam -list_curves `
1081- will also display the name and description of each available elliptic curve.
1082- ** Default:** [ ` tls.DEFAULT_ECDH_CURVE ` ] .
10831053 * ` clientCertEngine ` {string} Optional name of an OpenSSL engine which can
10841054 provide the client certificate.
10851055 * ` crl ` {string|string[ ] |Buffer|Buffer[ ] } Optional PEM formatted
@@ -1090,6 +1060,36 @@ changes:
10901060 error will be thrown. It is strongly recommended to use 2048 bits or larger
10911061 for stronger security. If omitted or invalid, the parameters are silently
10921062 discarded and DHE ciphers will not be available.
1063+ * ` ecdhCurve ` {string} A string describing a named curve or a colon separated
1064+ list of curve NIDs or names, for example ` P-521:P-384:P-256 ` , to use for
1065+ ECDH key agreement, or ` false ` to disable ECDH. Set to ` auto ` to select the
1066+ curve automatically. Use [ ` crypto.getCurves() ` ] [ ] to obtain a list of
1067+ available curve names. On recent releases, ` openssl ecparam -list_curves `
1068+ will also display the name and description of each available elliptic curve.
1069+ ** Default:** [ ` tls.DEFAULT_ECDH_CURVE ` ] .
1070+ * ` honorCipherOrder ` {boolean} Attempt to use the server's cipher suite
1071+ preferences instead of the client's. When ` true ` , causes
1072+ ` SSL_OP_CIPHER_SERVER_PREFERENCE ` to be set in ` secureOptions ` , see
1073+ [ OpenSSL Options] [ ] for more information.
1074+ * ` key ` {string|string[ ] |Buffer|Buffer[ ] |Object[ ] } Optional private keys in
1075+ PEM format. PEM allows the option of private keys being encrypted. Encrypted
1076+ keys will be decrypted with ` options.passphrase ` . Multiple keys using
1077+ different algorithms can be provided either as an array of unencrypted key
1078+ strings or buffers, or an array of objects in the form `{pem:
1079+ <string|buffer>[ , passphrase: <string >] }`. The object form can only occur in
1080+ an array. ` object.passphrase ` is optional. Encrypted keys will be decrypted
1081+ with ` object.passphrase ` if provided, or ` options.passphrase ` if it is not.
1082+ * ` passphrase ` {string} Optional shared passphrase used for a single private
1083+ key and/or a PFX.
1084+ * ` pfx ` {string|string[ ] |Buffer|Buffer[ ] |Object[ ] } Optional PFX or PKCS12
1085+ encoded private key and certificate chain. ` pfx ` is an alternative to
1086+ providing ` key ` and ` cert ` individually. PFX is usually encrypted, if it is,
1087+ ` passphrase ` will be used to decrypt it. Multiple PFX can be provided either
1088+ as an array of unencrypted PFX buffers, or an array of objects in the form
1089+ ` {buf: <string|buffer>[, passphrase: <string>]} ` . The object form can only
1090+ occur in an array. ` object.passphrase ` is optional. Encrypted PFX will be
1091+ decrypted with ` object.passphrase ` if provided, or ` options.passphrase ` if
1092+ it is not.
10931093 * ` secureOptions ` {number} Optionally affect the OpenSSL protocol behavior,
10941094 which is not usually necessary. This should be used carefully if at all!
10951095 Value is a numeric bitmask of the ` SSL_OP_* ` options from
@@ -1133,38 +1133,38 @@ changes:
11331133-->
11341134
11351135* ` options ` {Object}
1136+ * ` ALPNProtocols ` : {string[ ] |Buffer[ ] |Uint8Array[ ] |Buffer|Uint8Array}
1137+ An array of strings, ` Buffer ` s or ` Uint8Array ` s, or a single ` Buffer ` or
1138+ ` Uint8Array ` containing the supported ALPN protocols. ` Buffer ` s should have
1139+ the format ` [len][name][len][name]... ` e.g. ` 0x05hello0x05world ` , where the
1140+ first byte is the length of the next protocol name. Passing an array is
1141+ usually much simpler, e.g. ` ['hello', 'world'] ` .
1142+ (Protocols should be ordered by their priority.)
11361143 * ` clientCertEngine ` {string} Optional name of an OpenSSL engine which can
11371144 provide the client certificate.
11381145 * ` handshakeTimeout ` {number} Abort the connection if the SSL/TLS handshake
11391146 does not finish in the specified number of milliseconds.
11401147 A ` 'tlsClientError' ` is emitted on the ` tls.Server ` object whenever
11411148 a handshake times out. ** Default:** ` 120000 ` (120 seconds).
1142- * ` requestCert ` {boolean} If ` true ` the server will request a certificate from
1143- clients that connect and attempt to verify that certificate. ** Default:**
1144- ` false ` .
11451149 * ` rejectUnauthorized ` {boolean} If not ` false ` the server will reject any
11461150 connection which is not authorized with the list of supplied CAs. This
11471151 option only has an effect if ` requestCert ` is ` true ` . ** Default:** ` true ` .
1148- * ` ALPNProtocols ` : {string[ ] |Buffer[ ] |Uint8Array[ ] |Buffer|Uint8Array}
1149- An array of strings, ` Buffer ` s or ` Uint8Array ` s, or a single ` Buffer ` or
1150- ` Uint8Array ` containing the supported ALPN protocols. ` Buffer ` s should have
1151- the format ` [len][name][len][name]... ` e.g. ` 0x05hello0x05world ` , where the
1152- first byte is the length of the next protocol name. Passing an array is
1153- usually much simpler, e.g. ` ['hello', 'world'] ` .
1154- (Protocols should be ordered by their priority.)
1152+ * ` requestCert ` {boolean} If ` true ` the server will request a certificate from
1153+ clients that connect and attempt to verify that certificate. ** Default:**
1154+ ` false ` .
1155+ * ` sessionTimeout ` {number} An integer specifying the number of seconds after
1156+ which the TLS session identifiers and TLS session tickets created by the
1157+ server will time out. See [ ` SSL_CTX_set_timeout ` ] for more details.
11551158 * ` SNICallback(servername, cb) ` {Function} A function that will be called if
11561159 the client supports SNI TLS extension. Two arguments will be passed when
11571160 called: ` servername ` and ` cb ` . ` SNICallback ` should invoke ` cb(null, ctx) ` ,
11581161 where ` ctx ` is a ` SecureContext ` instance. (` tls.createSecureContext(...) `
11591162 can be used to get a proper ` SecureContext ` .) If ` SNICallback ` wasn't
11601163 provided the default callback with high-level API will be used (see below).
1161- * ` sessionTimeout ` {number} An integer specifying the number of seconds after
1162- which the TLS session identifiers and TLS session tickets created by the
1163- server will time out. See [ ` SSL_CTX_set_timeout ` ] for more details.
11641164 * ` ticketKeys ` : A 48-byte ` Buffer ` instance consisting of a 16-byte prefix,
11651165 a 16-byte HMAC key, and a 16-byte AES key. This can be used to accept TLS
11661166 session tickets on multiple instances of the TLS server.
1167- * ...: Any [ ` tls.createSecureContext() ` ] [ ] options can be provided. For
1167+ * ...: Any [ ` tls.createSecureContext() ` ] [ ] option can be provided. For
11681168 servers, the identity options (` pfx ` or ` key ` /` cert ` ) are usually required.
11691169* ` secureConnectionListener ` {Function}
11701170
0 commit comments