diff --git a/doc/api/tls.md b/doc/api/tls.md index f83ed1df3e449f..158d41a0a283de 100644 --- a/doc/api/tls.md +++ b/doc/api/tls.md @@ -483,7 +483,12 @@ added: v0.11.4 will be emitted on the socket before establishing a secure communication * `secureContext`: Optional TLS context object created with [`tls.createSecureContext()`][]. If a `secureContext` is _not_ provided, one - will be created by calling [`tls.createSecureContext()`][] with no options. + will be created by passing the entire `options` object to + `tls.createSecureContext()`. *Note*: In effect, all + [`tls.createSecureContext()`][] options can be provided, but they will be + _completely ignored_ unless the `secureContext` option is missing. + * ...: Optional [`tls.createSecureContext()`][] options can be provided, see + the `secureContext` option for more information. Construct a new `tls.TLSSocket` object from an existing TCP socket. diff --git a/lib/_tls_wrap.js b/lib/_tls_wrap.js index b2d30fb25ae6bf..a2236ef17c9673 100644 --- a/lib/_tls_wrap.js +++ b/lib/_tls_wrap.js @@ -344,7 +344,7 @@ TLSSocket.prototype._wrapHandle = function(wrap) { // Wrap socket's handle var context = options.secureContext || options.credentials || - tls.createSecureContext(); + tls.createSecureContext(options); res = tls_wrap.wrap(handle._externalStream, context.context, !!options.isServer); diff --git a/test/parallel/test-tls-socket-default-options.js b/test/parallel/test-tls-socket-default-options.js index 26199713eff7e7..8114574437c560 100644 --- a/test/parallel/test-tls-socket-default-options.js +++ b/test/parallel/test-tls-socket-default-options.js @@ -1,7 +1,7 @@ 'use strict'; const common = require('../common'); -// Test a directly created TLS socket supports no options, and empty options. +// Test directly created TLS sockets and options. const assert = require('assert'); const join = require('path').join; @@ -26,6 +26,16 @@ test({secureContext: tls.createSecureContext({ca: keys.agent1.ca})}, (err) => { assert.ifError(err); }); +test({ca: keys.agent1.ca}, (err) => { + assert.ifError(err); +}); + +// Secure context options, like ca, are ignored if a sec ctx is explicitly +// provided. +test({secureContext: tls.createSecureContext(), ca: keys.agent1.ca}, (err) => { + assert.strictEqual(err.message, 'unable to verify the first certificate'); +}); + function test(client, callback) { callback = common.mustCall(callback); connect({