UNPKG

36.8 kBTypeScriptView Raw
1declare module "tls" {
2 import * as crypto from "crypto";
3 import * as dns from "dns";
4 import * as net from "net";
5 import * as stream from "stream";
6
7 const CLIENT_RENEG_LIMIT: number;
8 const CLIENT_RENEG_WINDOW: number;
9
10 interface Certificate {
11 /**
12 * Country code.
13 */
14 C: string;
15 /**
16 * Street.
17 */
18 ST: string;
19 /**
20 * Locality.
21 */
22 L: string;
23 /**
24 * Organization.
25 */
26 O: string;
27 /**
28 * Organizational unit.
29 */
30 OU: string;
31 /**
32 * Common name.
33 */
34 CN: string;
35 }
36
37 interface PeerCertificate {
38 subject: Certificate;
39 issuer: Certificate;
40 subjectaltname: string;
41 infoAccess: { [index: string]: string[] | undefined };
42 modulus: string;
43 exponent: string;
44 valid_from: string;
45 valid_to: string;
46 fingerprint: string;
47 ext_key_usage: string[];
48 serialNumber: string;
49 raw: Buffer;
50 }
51
52 interface DetailedPeerCertificate extends PeerCertificate {
53 issuerCertificate: DetailedPeerCertificate;
54 }
55
56 interface CipherNameAndProtocol {
57 /**
58 * The cipher name.
59 */
60 name: string;
61 /**
62 * SSL/TLS protocol version.
63 */
64 version: string;
65
66 /**
67 * IETF name for the cipher suite.
68 */
69 standardName: string;
70 }
71
72 interface EphemeralKeyInfo {
73 /**
74 * The supported types are 'DH' and 'ECDH'.
75 */
76 type: string;
77 /**
78 * The name property is available only when type is 'ECDH'.
79 */
80 name?: string;
81 /**
82 * The size of parameter of an ephemeral key exchange.
83 */
84 size: number;
85 }
86
87 interface KeyObject {
88 /**
89 * Private keys in PEM format.
90 */
91 pem: string | Buffer;
92 /**
93 * Optional passphrase.
94 */
95 passphrase?: string;
96 }
97
98 interface PxfObject {
99 /**
100 * PFX or PKCS12 encoded private key and certificate chain.
101 */
102 buf: string | Buffer;
103 /**
104 * Optional passphrase.
105 */
106 passphrase?: string;
107 }
108
109 interface TLSSocketOptions extends SecureContextOptions, CommonConnectionOptions {
110 /**
111 * If true the TLS socket will be instantiated in server-mode.
112 * Defaults to false.
113 */
114 isServer?: boolean;
115 /**
116 * An optional net.Server instance.
117 */
118 server?: net.Server;
119
120 /**
121 * An optional Buffer instance containing a TLS session.
122 */
123 session?: Buffer;
124 /**
125 * If true, specifies that the OCSP status request extension will be
126 * added to the client hello and an 'OCSPResponse' event will be
127 * emitted on the socket before establishing a secure communication
128 */
129 requestOCSP?: boolean;
130 }
131
132 class TLSSocket extends net.Socket {
133 /**
134 * Construct a new tls.TLSSocket object from an existing TCP socket.
135 */
136 constructor(socket: net.Socket, options?: TLSSocketOptions);
137
138 /**
139 * A boolean that is true if the peer certificate was signed by one of the specified CAs, otherwise false.
140 */
141 authorized: boolean;
142 /**
143 * The reason why the peer's certificate has not been verified.
144 * This property becomes available only when tlsSocket.authorized === false.
145 */
146 authorizationError: Error;
147 /**
148 * Static boolean value, always true.
149 * May be used to distinguish TLS sockets from regular ones.
150 */
151 encrypted: boolean;
152
153 /**
154 * String containing the selected ALPN protocol.
155 * When ALPN has no selected protocol, tlsSocket.alpnProtocol equals false.
156 */
157 alpnProtocol?: string;
158
159 /**
160 * Returns an object representing the local certificate. The returned
161 * object has some properties corresponding to the fields of the
162 * certificate.
163 *
164 * See tls.TLSSocket.getPeerCertificate() for an example of the
165 * certificate structure.
166 *
167 * If there is no local certificate, an empty object will be returned.
168 * If the socket has been destroyed, null will be returned.
169 */
170 getCertificate(): PeerCertificate | object | null;
171 /**
172 * Returns an object representing the cipher name and the SSL/TLS protocol version of the current connection.
173 * @returns Returns an object representing the cipher name
174 * and the SSL/TLS protocol version of the current connection.
175 */
176 getCipher(): CipherNameAndProtocol;
177 /**
178 * Returns an object representing the type, name, and size of parameter
179 * of an ephemeral key exchange in Perfect Forward Secrecy on a client
180 * connection. It returns an empty object when the key exchange is not
181 * ephemeral. As this is only supported on a client socket; null is
182 * returned if called on a server socket. The supported types are 'DH'
183 * and 'ECDH'. The name property is available only when type is 'ECDH'.
184 *
185 * For example: { type: 'ECDH', name: 'prime256v1', size: 256 }.
186 */
187 getEphemeralKeyInfo(): EphemeralKeyInfo | object | null;
188 /**
189 * Returns the latest Finished message that has
190 * been sent to the socket as part of a SSL/TLS handshake, or undefined
191 * if no Finished message has been sent yet.
192 *
193 * As the Finished messages are message digests of the complete
194 * handshake (with a total of 192 bits for TLS 1.0 and more for SSL
195 * 3.0), they can be used for external authentication procedures when
196 * the authentication provided by SSL/TLS is not desired or is not
197 * enough.
198 *
199 * Corresponds to the SSL_get_finished routine in OpenSSL and may be
200 * used to implement the tls-unique channel binding from RFC 5929.
201 */
202 getFinished(): Buffer | undefined;
203 /**
204 * Returns an object representing the peer's certificate.
205 * The returned object has some properties corresponding to the field of the certificate.
206 * If detailed argument is true the full chain with issuer property will be returned,
207 * if false only the top certificate without issuer property.
208 * If the peer does not provide a certificate, it returns null or an empty object.
209 * @param detailed - If true; the full chain with issuer property will be returned.
210 * @returns An object representing the peer's certificate.
211 */
212 getPeerCertificate(detailed: true): DetailedPeerCertificate;
213 getPeerCertificate(detailed?: false): PeerCertificate;
214 getPeerCertificate(detailed?: boolean): PeerCertificate | DetailedPeerCertificate;
215 /**
216 * Returns the latest Finished message that is expected or has actually
217 * been received from the socket as part of a SSL/TLS handshake, or
218 * undefined if there is no Finished message so far.
219 *
220 * As the Finished messages are message digests of the complete
221 * handshake (with a total of 192 bits for TLS 1.0 and more for SSL
222 * 3.0), they can be used for external authentication procedures when
223 * the authentication provided by SSL/TLS is not desired or is not
224 * enough.
225 *
226 * Corresponds to the SSL_get_peer_finished routine in OpenSSL and may
227 * be used to implement the tls-unique channel binding from RFC 5929.
228 */
229 getPeerFinished(): Buffer | undefined;
230 /**
231 * Returns a string containing the negotiated SSL/TLS protocol version of the current connection.
232 * The value `'unknown'` will be returned for connected sockets that have not completed the handshaking process.
233 * The value `null` will be returned for server sockets or disconnected client sockets.
234 * See https://www.openssl.org/docs/man1.0.2/ssl/SSL_get_version.html for more information.
235 * @returns negotiated SSL/TLS protocol version of the current connection
236 */
237 getProtocol(): string | null;
238 /**
239 * Could be used to speed up handshake establishment when reconnecting to the server.
240 * @returns ASN.1 encoded TLS session or undefined if none was negotiated.
241 */
242 getSession(): Buffer | undefined;
243 /**
244 * Returns a list of signature algorithms shared between the server and
245 * the client in the order of decreasing preference.
246 */
247 getSharedSigalgs(): string[];
248 /**
249 * NOTE: Works only with client TLS sockets.
250 * Useful only for debugging, for session reuse provide session option to tls.connect().
251 * @returns TLS session ticket or undefined if none was negotiated.
252 */
253 getTLSTicket(): Buffer | undefined;
254 /**
255 * Returns true if the session was reused, false otherwise.
256 */
257 isSessionReused(): boolean;
258 /**
259 * Initiate TLS renegotiation process.
260 *
261 * NOTE: Can be used to request peer's certificate after the secure connection has been established.
262 * ANOTHER NOTE: When running as the server, socket will be destroyed with an error after handshakeTimeout timeout.
263 * @param options - The options may contain the following fields: rejectUnauthorized,
264 * requestCert (See tls.createServer() for details).
265 * @param callback - callback(err) will be executed with null as err, once the renegotiation
266 * is successfully completed.
267 * @return `undefined` when socket is destroy, `false` if negotiaion can't be initiated.
268 */
269 renegotiate(options: { rejectUnauthorized?: boolean, requestCert?: boolean }, callback: (err: Error | null) => void): undefined | boolean;
270 /**
271 * Set maximum TLS fragment size (default and maximum value is: 16384, minimum is: 512).
272 * Smaller fragment size decreases buffering latency on the client: large fragments are buffered by
273 * the TLS layer until the entire fragment is received and its integrity is verified;
274 * large fragments can span multiple roundtrips, and their processing can be delayed due to packet
275 * loss or reordering. However, smaller fragments add extra TLS framing bytes and CPU overhead,
276 * which may decrease overall server throughput.
277 * @param size - TLS fragment size (default and maximum value is: 16384, minimum is: 512).
278 * @returns Returns true on success, false otherwise.
279 */
280 setMaxSendFragment(size: number): boolean;
281
282 /**
283 * Disables TLS renegotiation for this TLSSocket instance. Once called,
284 * attempts to renegotiate will trigger an 'error' event on the
285 * TLSSocket.
286 */
287 disableRenegotiation(): void;
288
289 /**
290 * When enabled, TLS packet trace information is written to `stderr`. This can be
291 * used to debug TLS connection problems.
292 *
293 * Note: The format of the output is identical to the output of `openssl s_client
294 * -trace` or `openssl s_server -trace`. While it is produced by OpenSSL's
295 * `SSL_trace()` function, the format is undocumented, can change without notice,
296 * and should not be relied on.
297 */
298 enableTrace(): void;
299
300 addListener(event: string, listener: (...args: any[]) => void): this;
301 addListener(event: "OCSPResponse", listener: (response: Buffer) => void): this;
302 addListener(event: "secureConnect", listener: () => void): this;
303 addListener(event: "session", listener: (session: Buffer) => void): this;
304 addListener(event: "keylog", listener: (line: Buffer) => void): this;
305
306 emit(event: string | symbol, ...args: any[]): boolean;
307 emit(event: "OCSPResponse", response: Buffer): boolean;
308 emit(event: "secureConnect"): boolean;
309 emit(event: "session", session: Buffer): boolean;
310 emit(event: "keylog", line: Buffer): boolean;
311
312 on(event: string, listener: (...args: any[]) => void): this;
313 on(event: "OCSPResponse", listener: (response: Buffer) => void): this;
314 on(event: "secureConnect", listener: () => void): this;
315 on(event: "session", listener: (session: Buffer) => void): this;
316 on(event: "keylog", listener: (line: Buffer) => void): this;
317
318 once(event: string, listener: (...args: any[]) => void): this;
319 once(event: "OCSPResponse", listener: (response: Buffer) => void): this;
320 once(event: "secureConnect", listener: () => void): this;
321 once(event: "session", listener: (session: Buffer) => void): this;
322 once(event: "keylog", listener: (line: Buffer) => void): this;
323
324 prependListener(event: string, listener: (...args: any[]) => void): this;
325 prependListener(event: "OCSPResponse", listener: (response: Buffer) => void): this;
326 prependListener(event: "secureConnect", listener: () => void): this;
327 prependListener(event: "session", listener: (session: Buffer) => void): this;
328 prependListener(event: "keylog", listener: (line: Buffer) => void): this;
329
330 prependOnceListener(event: string, listener: (...args: any[]) => void): this;
331 prependOnceListener(event: "OCSPResponse", listener: (response: Buffer) => void): this;
332 prependOnceListener(event: "secureConnect", listener: () => void): this;
333 prependOnceListener(event: "session", listener: (session: Buffer) => void): this;
334 prependOnceListener(event: "keylog", listener: (line: Buffer) => void): this;
335 }
336
337 interface CommonConnectionOptions {
338 /**
339 * An optional TLS context object from tls.createSecureContext()
340 */
341 secureContext?: SecureContext;
342
343 /**
344 * When enabled, TLS packet trace information is written to `stderr`. This can be
345 * used to debug TLS connection problems.
346 * @default false
347 */
348 enableTrace?: boolean;
349 /**
350 * If true the server will request a certificate from clients that
351 * connect and attempt to verify that certificate. Defaults to
352 * false.
353 */
354 requestCert?: boolean;
355 /**
356 * An array of strings or a Buffer naming possible ALPN protocols.
357 * (Protocols should be ordered by their priority.)
358 */
359 ALPNProtocols?: string[] | Uint8Array[] | Uint8Array;
360 /**
361 * SNICallback(servername, cb) <Function> A function that will be
362 * called if the client supports SNI TLS extension. Two arguments
363 * will be passed when called: servername and cb. SNICallback should
364 * invoke cb(null, ctx), where ctx is a SecureContext instance.
365 * (tls.createSecureContext(...) can be used to get a proper
366 * SecureContext.) If SNICallback wasn't provided the default callback
367 * with high-level API will be used (see below).
368 */
369 SNICallback?: (servername: string, cb: (err: Error | null, ctx: SecureContext) => void) => void;
370 /**
371 * If true the server will reject any connection which is not
372 * authorized with the list of supplied CAs. This option only has an
373 * effect if requestCert is true.
374 * @default true
375 */
376 rejectUnauthorized?: boolean;
377 }
378
379 interface TlsOptions extends SecureContextOptions, CommonConnectionOptions {
380 /**
381 * Abort the connection if the SSL/TLS handshake does not finish in the
382 * specified number of milliseconds. A 'tlsClientError' is emitted on
383 * the tls.Server object whenever a handshake times out. Default:
384 * 120000 (120 seconds).
385 */
386 handshakeTimeout?: number;
387 /**
388 * The number of seconds after which a TLS session created by the
389 * server will no longer be resumable. See Session Resumption for more
390 * information. Default: 300.
391 */
392 sessionTimeout?: number;
393 /**
394 * 48-bytes of cryptographically strong pseudo-random data.
395 */
396 ticketKeys?: Buffer;
397
398 /**
399 *
400 * @param socket
401 * @param identity identity parameter sent from the client.
402 * @return pre-shared key that must either be
403 * a buffer or `null` to stop the negotiation process. Returned PSK must be
404 * compatible with the selected cipher's digest.
405 *
406 * When negotiating TLS-PSK (pre-shared keys), this function is called
407 * with the identity provided by the client.
408 * If the return value is `null` the negotiation process will stop and an
409 * "unknown_psk_identity" alert message will be sent to the other party.
410 * If the server wishes to hide the fact that the PSK identity was not known,
411 * the callback must provide some random data as `psk` to make the connection
412 * fail with "decrypt_error" before negotiation is finished.
413 * PSK ciphers are disabled by default, and using TLS-PSK thus
414 * requires explicitly specifying a cipher suite with the `ciphers` option.
415 * More information can be found in the RFC 4279.
416 */
417
418 pskCallback?(socket: TLSSocket, identity: string): DataView | NodeJS.TypedArray | null;
419 /**
420 * hint to send to a client to help
421 * with selecting the identity during TLS-PSK negotiation. Will be ignored
422 * in TLS 1.3. Upon failing to set pskIdentityHint `tlsClientError` will be
423 * emitted with `ERR_TLS_PSK_SET_IDENTIY_HINT_FAILED` code.
424 */
425 pskIdentityHint?: string;
426 }
427
428 interface PSKCallbackNegotation {
429 psk: DataView | NodeJS.TypedArray;
430 identitty: string;
431 }
432
433 interface ConnectionOptions extends SecureContextOptions, CommonConnectionOptions {
434 host?: string;
435 port?: number;
436 path?: string; // Creates unix socket connection to path. If this option is specified, `host` and `port` are ignored.
437 socket?: net.Socket; // Establish secure connection on a given socket rather than creating a new socket
438 checkServerIdentity?: typeof checkServerIdentity;
439 servername?: string; // SNI TLS Extension
440 session?: Buffer;
441 minDHSize?: number;
442 lookup?: net.LookupFunction;
443 timeout?: number;
444 /**
445 * When negotiating TLS-PSK (pre-shared keys), this function is called
446 * with optional identity `hint` provided by the server or `null`
447 * in case of TLS 1.3 where `hint` was removed.
448 * It will be necessary to provide a custom `tls.checkServerIdentity()`
449 * for the connection as the default one will try to check hostname/IP
450 * of the server against the certificate but that's not applicable for PSK
451 * because there won't be a certificate present.
452 * More information can be found in the RFC 4279.
453 *
454 * @param hint message sent from the server to help client
455 * decide which identity to use during negotiation.
456 * Always `null` if TLS 1.3 is used.
457 * @returns Return `null` to stop the negotiation process. `psk` must be
458 * compatible with the selected cipher's digest.
459 * `identity` must use UTF-8 encoding.
460 */
461 pskCallback?(hint: string | null): PSKCallbackNegotation | null;
462 }
463
464 class Server extends net.Server {
465 /**
466 * The server.addContext() method adds a secure context that will be
467 * used if the client request's SNI name matches the supplied hostname
468 * (or wildcard).
469 */
470 addContext(hostName: string, credentials: SecureContextOptions): void;
471 /**
472 * Returns the session ticket keys.
473 */
474 getTicketKeys(): Buffer;
475 /**
476 *
477 * The server.setSecureContext() method replaces the
478 * secure context of an existing server. Existing connections to the
479 * server are not interrupted.
480 */
481 setSecureContext(details: SecureContextOptions): void;
482 /**
483 * The server.setSecureContext() method replaces the secure context of
484 * an existing server. Existing connections to the server are not
485 * interrupted.
486 */
487 setTicketKeys(keys: Buffer): void;
488
489 /**
490 * events.EventEmitter
491 * 1. tlsClientError
492 * 2. newSession
493 * 3. OCSPRequest
494 * 4. resumeSession
495 * 5. secureConnection
496 * 6. keylog
497 */
498 addListener(event: string, listener: (...args: any[]) => void): this;
499 addListener(event: "tlsClientError", listener: (err: Error, tlsSocket: TLSSocket) => void): this;
500 addListener(event: "newSession", listener: (sessionId: Buffer, sessionData: Buffer, callback: (err: Error, resp: Buffer) => void) => void): this;
501 addListener(event: "OCSPRequest", listener: (certificate: Buffer, issuer: Buffer, callback: (err: Error | null, resp: Buffer) => void) => void): this;
502 addListener(event: "resumeSession", listener: (sessionId: Buffer, callback: (err: Error, sessionData: Buffer) => void) => void): this;
503 addListener(event: "secureConnection", listener: (tlsSocket: TLSSocket) => void): this;
504 addListener(event: "keylog", listener: (line: Buffer, tlsSocket: TLSSocket) => void): this;
505
506 emit(event: string | symbol, ...args: any[]): boolean;
507 emit(event: "tlsClientError", err: Error, tlsSocket: TLSSocket): boolean;
508 emit(event: "newSession", sessionId: Buffer, sessionData: Buffer, callback: (err: Error, resp: Buffer) => void): boolean;
509 emit(event: "OCSPRequest", certificate: Buffer, issuer: Buffer, callback: (err: Error | null, resp: Buffer) => void): boolean;
510 emit(event: "resumeSession", sessionId: Buffer, callback: (err: Error, sessionData: Buffer) => void): boolean;
511 emit(event: "secureConnection", tlsSocket: TLSSocket): boolean;
512 emit(event: "keylog", line: Buffer, tlsSocket: TLSSocket): boolean;
513
514 on(event: string, listener: (...args: any[]) => void): this;
515 on(event: "tlsClientError", listener: (err: Error, tlsSocket: TLSSocket) => void): this;
516 on(event: "newSession", listener: (sessionId: Buffer, sessionData: Buffer, callback: (err: Error, resp: Buffer) => void) => void): this;
517 on(event: "OCSPRequest", listener: (certificate: Buffer, issuer: Buffer, callback: (err: Error | null, resp: Buffer) => void) => void): this;
518 on(event: "resumeSession", listener: (sessionId: Buffer, callback: (err: Error, sessionData: Buffer) => void) => void): this;
519 on(event: "secureConnection", listener: (tlsSocket: TLSSocket) => void): this;
520 on(event: "keylog", listener: (line: Buffer, tlsSocket: TLSSocket) => void): this;
521
522 once(event: string, listener: (...args: any[]) => void): this;
523 once(event: "tlsClientError", listener: (err: Error, tlsSocket: TLSSocket) => void): this;
524 once(event: "newSession", listener: (sessionId: Buffer, sessionData: Buffer, callback: (err: Error, resp: Buffer) => void) => void): this;
525 once(event: "OCSPRequest", listener: (certificate: Buffer, issuer: Buffer, callback: (err: Error | null, resp: Buffer) => void) => void): this;
526 once(event: "resumeSession", listener: (sessionId: Buffer, callback: (err: Error, sessionData: Buffer) => void) => void): this;
527 once(event: "secureConnection", listener: (tlsSocket: TLSSocket) => void): this;
528 once(event: "keylog", listener: (line: Buffer, tlsSocket: TLSSocket) => void): this;
529
530 prependListener(event: string, listener: (...args: any[]) => void): this;
531 prependListener(event: "tlsClientError", listener: (err: Error, tlsSocket: TLSSocket) => void): this;
532 prependListener(event: "newSession", listener: (sessionId: Buffer, sessionData: Buffer, callback: (err: Error, resp: Buffer) => void) => void): this;
533 prependListener(event: "OCSPRequest", listener: (certificate: Buffer, issuer: Buffer, callback: (err: Error | null, resp: Buffer) => void) => void): this;
534 prependListener(event: "resumeSession", listener: (sessionId: Buffer, callback: (err: Error, sessionData: Buffer) => void) => void): this;
535 prependListener(event: "secureConnection", listener: (tlsSocket: TLSSocket) => void): this;
536 prependListener(event: "keylog", listener: (line: Buffer, tlsSocket: TLSSocket) => void): this;
537
538 prependOnceListener(event: string, listener: (...args: any[]) => void): this;
539 prependOnceListener(event: "tlsClientError", listener: (err: Error, tlsSocket: TLSSocket) => void): this;
540 prependOnceListener(event: "newSession", listener: (sessionId: Buffer, sessionData: Buffer, callback: (err: Error, resp: Buffer) => void) => void): this;
541 prependOnceListener(event: "OCSPRequest", listener: (certificate: Buffer, issuer: Buffer, callback: (err: Error | null, resp: Buffer) => void) => void): this;
542 prependOnceListener(event: "resumeSession", listener: (sessionId: Buffer, callback: (err: Error, sessionData: Buffer) => void) => void): this;
543 prependOnceListener(event: "secureConnection", listener: (tlsSocket: TLSSocket) => void): this;
544 prependOnceListener(event: "keylog", listener: (line: Buffer, tlsSocket: TLSSocket) => void): this;
545 }
546
547 interface SecurePair {
548 encrypted: TLSSocket;
549 cleartext: TLSSocket;
550 }
551
552 type SecureVersion = 'TLSv1.3' | 'TLSv1.2' | 'TLSv1.1' | 'TLSv1';
553
554 interface SecureContextOptions {
555 /**
556 * Optionally override the trusted CA certificates. Default is to trust
557 * the well-known CAs curated by Mozilla. Mozilla's CAs are completely
558 * replaced when CAs are explicitly specified using this option.
559 */
560 ca?: string | Buffer | Array<string | Buffer>;
561 /**
562 * Cert chains in PEM format. One cert chain should be provided per
563 * private key. Each cert chain should consist of the PEM formatted
564 * certificate for a provided private key, followed by the PEM
565 * formatted intermediate certificates (if any), in order, and not
566 * including the root CA (the root CA must be pre-known to the peer,
567 * see ca). When providing multiple cert chains, they do not have to
568 * be in the same order as their private keys in key. If the
569 * intermediate certificates are not provided, the peer will not be
570 * able to validate the certificate, and the handshake will fail.
571 */
572 cert?: string | Buffer | Array<string | Buffer>;
573 /**
574 * Colon-separated list of supported signature algorithms. The list
575 * can contain digest algorithms (SHA256, MD5 etc.), public key
576 * algorithms (RSA-PSS, ECDSA etc.), combination of both (e.g
577 * 'RSA+SHA384') or TLS v1.3 scheme names (e.g. rsa_pss_pss_sha512).
578 */
579 sigalgs?: string;
580 /**
581 * Cipher suite specification, replacing the default. For more
582 * information, see modifying the default cipher suite. Permitted
583 * ciphers can be obtained via tls.getCiphers(). Cipher names must be
584 * uppercased in order for OpenSSL to accept them.
585 */
586 ciphers?: string;
587 /**
588 * Name of an OpenSSL engine which can provide the client certificate.
589 */
590 clientCertEngine?: string;
591 /**
592 * PEM formatted CRLs (Certificate Revocation Lists).
593 */
594 crl?: string | Buffer | Array<string | Buffer>;
595 /**
596 * Diffie Hellman parameters, required for Perfect Forward Secrecy. Use
597 * openssl dhparam to create the parameters. The key length must be
598 * greater than or equal to 1024 bits or else an error will be thrown.
599 * Although 1024 bits is permissible, use 2048 bits or larger for
600 * stronger security. If omitted or invalid, the parameters are
601 * silently discarded and DHE ciphers will not be available.
602 */
603 dhparam?: string | Buffer;
604 /**
605 * A string describing a named curve or a colon separated list of curve
606 * NIDs or names, for example P-521:P-384:P-256, to use for ECDH key
607 * agreement. Set to auto to select the curve automatically. Use
608 * crypto.getCurves() to obtain a list of available curve names. On
609 * recent releases, openssl ecparam -list_curves will also display the
610 * name and description of each available elliptic curve. Default:
611 * tls.DEFAULT_ECDH_CURVE.
612 */
613 ecdhCurve?: string;
614 /**
615 * Attempt to use the server's cipher suite preferences instead of the
616 * client's. When true, causes SSL_OP_CIPHER_SERVER_PREFERENCE to be
617 * set in secureOptions
618 */
619 honorCipherOrder?: boolean;
620 /**
621 * Private keys in PEM format. PEM allows the option of private keys
622 * being encrypted. Encrypted keys will be decrypted with
623 * options.passphrase. Multiple keys using different algorithms can be
624 * provided either as an array of unencrypted key strings or buffers,
625 * or an array of objects in the form {pem: <string|buffer>[,
626 * passphrase: <string>]}. The object form can only occur in an array.
627 * object.passphrase is optional. Encrypted keys will be decrypted with
628 * object.passphrase if provided, or options.passphrase if it is not.
629 */
630 key?: string | Buffer | Array<Buffer | KeyObject>;
631 /**
632 * Name of an OpenSSL engine to get private key from. Should be used
633 * together with privateKeyIdentifier.
634 */
635 privateKeyEngine?: string;
636 /**
637 * Identifier of a private key managed by an OpenSSL engine. Should be
638 * used together with privateKeyEngine. Should not be set together with
639 * key, because both options define a private key in different ways.
640 */
641 privateKeyIdentifier?: string;
642 /**
643 * Optionally set the maximum TLS version to allow. One
644 * of `'TLSv1.3'`, `'TLSv1.2'`, `'TLSv1.1'`, or `'TLSv1'`. Cannot be specified along with the
645 * `secureProtocol` option, use one or the other.
646 * **Default:** `'TLSv1.3'`, unless changed using CLI options. Using
647 * `--tls-max-v1.2` sets the default to `'TLSv1.2'`. Using `--tls-max-v1.3` sets the default to
648 * `'TLSv1.3'`. If multiple of the options are provided, the highest maximum is used.
649 */
650 maxVersion?: SecureVersion;
651 /**
652 * Optionally set the minimum TLS version to allow. One
653 * of `'TLSv1.3'`, `'TLSv1.2'`, `'TLSv1.1'`, or `'TLSv1'`. Cannot be specified along with the
654 * `secureProtocol` option, use one or the other. It is not recommended to use
655 * less than TLSv1.2, but it may be required for interoperability.
656 * **Default:** `'TLSv1.2'`, unless changed using CLI options. Using
657 * `--tls-v1.0` sets the default to `'TLSv1'`. Using `--tls-v1.1` sets the default to
658 * `'TLSv1.1'`. Using `--tls-min-v1.3` sets the default to
659 * 'TLSv1.3'. If multiple of the options are provided, the lowest minimum is used.
660 */
661 minVersion?: SecureVersion;
662 /**
663 * Shared passphrase used for a single private key and/or a PFX.
664 */
665 passphrase?: string;
666 /**
667 * PFX or PKCS12 encoded private key and certificate chain. pfx is an
668 * alternative to providing key and cert individually. PFX is usually
669 * encrypted, if it is, passphrase will be used to decrypt it. Multiple
670 * PFX can be provided either as an array of unencrypted PFX buffers,
671 * or an array of objects in the form {buf: <string|buffer>[,
672 * passphrase: <string>]}. The object form can only occur in an array.
673 * object.passphrase is optional. Encrypted PFX will be decrypted with
674 * object.passphrase if provided, or options.passphrase if it is not.
675 */
676 pfx?: string | Buffer | Array<string | Buffer | PxfObject>;
677 /**
678 * Optionally affect the OpenSSL protocol behavior, which is not
679 * usually necessary. This should be used carefully if at all! Value is
680 * a numeric bitmask of the SSL_OP_* options from OpenSSL Options
681 */
682 secureOptions?: number; // Value is a numeric bitmask of the `SSL_OP_*` options
683 /**
684 * Legacy mechanism to select the TLS protocol version to use, it does
685 * not support independent control of the minimum and maximum version,
686 * and does not support limiting the protocol to TLSv1.3. Use
687 * minVersion and maxVersion instead. The possible values are listed as
688 * SSL_METHODS, use the function names as strings. For example, use
689 * 'TLSv1_1_method' to force TLS version 1.1, or 'TLS_method' to allow
690 * any TLS protocol version up to TLSv1.3. It is not recommended to use
691 * TLS versions less than 1.2, but it may be required for
692 * interoperability. Default: none, see minVersion.
693 */
694 secureProtocol?: string;
695 /**
696 * Opaque identifier used by servers to ensure session state is not
697 * shared between applications. Unused by clients.
698 */
699 sessionIdContext?: string;
700 }
701
702 interface SecureContext {
703 context: any;
704 }
705
706 /*
707 * Verifies the certificate `cert` is issued to host `host`.
708 * @host The hostname to verify the certificate against
709 * @cert PeerCertificate representing the peer's certificate
710 *
711 * Returns Error object, populating it with the reason, host and cert on failure. On success, returns undefined.
712 */
713 function checkServerIdentity(host: string, cert: PeerCertificate): Error | undefined;
714 function createServer(secureConnectionListener?: (socket: TLSSocket) => void): Server;
715 function createServer(options: TlsOptions, secureConnectionListener?: (socket: TLSSocket) => void): Server;
716 function connect(options: ConnectionOptions, secureConnectListener?: () => void): TLSSocket;
717 function connect(port: number, host?: string, options?: ConnectionOptions, secureConnectListener?: () => void): TLSSocket;
718 function connect(port: number, options?: ConnectionOptions, secureConnectListener?: () => void): TLSSocket;
719 /**
720 * @deprecated
721 */
722 function createSecurePair(credentials?: SecureContext, isServer?: boolean, requestCert?: boolean, rejectUnauthorized?: boolean): SecurePair;
723 function createSecureContext(details: SecureContextOptions): SecureContext;
724 function getCiphers(): string[];
725
726 /**
727 * The default curve name to use for ECDH key agreement in a tls server.
728 * The default value is 'auto'. See tls.createSecureContext() for further
729 * information.
730 */
731 let DEFAULT_ECDH_CURVE: string;
732 /**
733 * The default value of the maxVersion option of
734 * tls.createSecureContext(). It can be assigned any of the supported TLS
735 * protocol versions, 'TLSv1.3', 'TLSv1.2', 'TLSv1.1', or 'TLSv1'. Default:
736 * 'TLSv1.3', unless changed using CLI options. Using --tls-max-v1.2 sets
737 * the default to 'TLSv1.2'. Using --tls-max-v1.3 sets the default to
738 * 'TLSv1.3'. If multiple of the options are provided, the highest maximum
739 * is used.
740 */
741 let DEFAULT_MAX_VERSION: SecureVersion;
742 /**
743 * The default value of the minVersion option of tls.createSecureContext().
744 * It can be assigned any of the supported TLS protocol versions,
745 * 'TLSv1.3', 'TLSv1.2', 'TLSv1.1', or 'TLSv1'. Default: 'TLSv1.2', unless
746 * changed using CLI options. Using --tls-min-v1.0 sets the default to
747 * 'TLSv1'. Using --tls-min-v1.1 sets the default to 'TLSv1.1'. Using
748 * --tls-min-v1.3 sets the default to 'TLSv1.3'. If multiple of the options
749 * are provided, the lowest minimum is used.
750 */
751 let DEFAULT_MIN_VERSION: SecureVersion;
752
753 /**
754 * An immutable array of strings representing the root certificates (in PEM
755 * format) used for verifying peer certificates. This is the default value
756 * of the ca option to tls.createSecureContext().
757 */
758 const rootCertificates: ReadonlyArray<string>;
759}