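/**
 * Interface describing Https Options that can be set.
 *
 * These mirror the options accepted by Node's `tls`/`https` servers; several
 * fields are typed `any` to stay backward-compatible with existing callers
 * (Node accepts strings, Buffers and arrays/objects of those, as documented
 * per field below).
 *
 * @see https://nodejs.org/api/tls.html
 *
 * @publicApi
 */
export interface HttpsOptions {
  /**
   * PFX or PKCS12 encoded private key and certificate chain. pfx is an alternative
   * to providing key and cert individually. PFX is usually encrypted, if it is,
   * passphrase will be used to decrypt it. Multiple PFX can be provided either
   * as an array of unencrypted PFX buffers, or an array of objects in the form
   * {buf: <string|buffer>[, passphrase: <string>]}. The object form can only
   * occur in an array. object.passphrase is optional. Encrypted PFX will be decrypted
   * with object.passphrase if provided, or options.passphrase if it is not.
   */
  pfx?: any;
  /**
   * Private keys in PEM format. PEM allows the option of private keys being encrypted.
   * Encrypted keys will be decrypted with options.passphrase. Multiple keys using
   * different algorithms can be provided either as an array of unencrypted key
   * strings or buffers, or an array of objects in the form {pem: <string|buffer>[, passphrase: <string>]}.
   * The object form can only occur in an array. object.passphrase is optional.
   * Encrypted keys will be decrypted with object.passphrase if provided, or options.passphrase
   * if it is not.
   */
  key?: any;
  /**
   * Shared passphrase used for a single private key and/or a PFX.
   */
  passphrase?: string;
  /**
   * Cert chains in PEM format. One cert chain should be provided per private key.
   * Each cert chain should consist of the PEM formatted certificate for a provided
   * private key, followed by the PEM formatted intermediate certificates (if any),
   * in order, and not including the root CA (the root CA must be pre-known to the
   * peer, see ca). When providing multiple cert chains, they do not have to be
   * in the same order as their private keys in key. If the intermediate certificates
   * are not provided, the peer will not be able to validate the certificate, and
   * the handshake will fail.
   */
  cert?: any;
  /**
   * Optionally override the trusted CA certificates. Default is to trust the well-known
   * CAs curated by Mozilla. Mozilla's CAs are completely replaced when CAs are
   * explicitly specified using this option. The value can be a string or Buffer,
   * or an Array of strings and/or Buffers. Any string or Buffer can contain multiple
   * PEM CAs concatenated together. The peer's certificate must be chainable to
   * a CA trusted by the server for the connection to be authenticated. When using
   * certificates that are not chainable to a well-known CA, the certificate's CA
   * must be explicitly specified as trusted or the connection will fail to authenticate.
   * If the peer uses a certificate that doesn't match or chain to one of the default
   * CAs, use the ca option to provide a CA certificate that the peer's certificate
   * can match or chain to. For self-signed certificates, the certificate is its
   * own CA, and must be provided. For PEM encoded certificates, supported types
   * are "TRUSTED CERTIFICATE", "X509 CERTIFICATE", and "CERTIFICATE". See also tls.rootCertificates.
   *
   * For a server that requests client certificates (see requestCert), this is the
   * set of issuers whose client certificates will be accepted.
   */
  ca?: any;
  /**
   * PEM formatted CRLs (Certificate Revocation Lists).
   */
  crl?: any;
  /**
   * Cipher suite specification, replacing the default. For more information, see
   * modifying the default cipher suite. Permitted ciphers can be obtained via tls.getCiphers().
   * Cipher names must be uppercased in order for OpenSSL to accept them.
   */
  ciphers?: string;
  /**
   * Attempt to use the server's cipher suite preferences instead of the client's.
   * When true, causes SSL_OP_CIPHER_SERVER_PREFERENCE to be set in secureOptions,
   * see OpenSSL Options for more information.
   */
  honorCipherOrder?: boolean;
  /**
   * If true the server will request a certificate from clients that connect and
   * attempt to verify that certificate. Default: false.
   */
  requestCert?: boolean;
  /**
   * If not false the server will reject any connection which is not authorized
   * with the list of supplied CAs. This option only has an effect if requestCert is true. Default: true
   *
   * Setting this to false means a client certificate is requested but the handshake
   * succeeds even if it is missing or fails verification; the application then has
   * to inspect the socket's authorization state itself before trusting the client.
   */
  rejectUnauthorized?: boolean;
  /**
   * An array or Buffer of possible NPN protocols. (Protocols should be ordered
   * by their priority).
   *
   * NOTE(review): NPN is no longer supported by current Node.js releases, which
   * negotiate application protocols via ALPN instead; this field is kept for
   * compatibility with existing callers and is expected to have no effect there.
   */
  NPNProtocols?: any;
  /**
   * A function that will be called if the client supports SNI TLS extension. Two
   * arguments will be passed when called: servername and cb. SNICallback should
   * invoke cb(null, ctx), where ctx is a SecureContext instance. (tls.createSecureContext(...)
   * can be used to get a proper SecureContext.) If SNICallback wasn't provided
   * the default callback with high-level API will be used.
   *
   * `err` is typed `Error | null` so that the documented success call `cb(null, ctx)`
   * type-checks under strictNullChecks; this is a widening of the previous
   * `err: Error` signature and remains assignable from existing implementations.
   */
  SNICallback?: (
    servername: string,
    cb: (err: Error | null, ctx: any) => any,
  ) => any;
}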