An array of strings or a Buffer naming possible NPN protocols. (Protocols should be ordered by their priority.)

A function that will be called if the client supports the SNI TLS extension. Two arguments will be passed when called: servername and cb. SNICallback should invoke cb(null, ctx), where ctx is a SecureContext instance. (tls.createSecureContext(...) can be used to get a proper SecureContext.) If SNICallback wasn't provided, the default callback with the high-level API will be used (see below).

A string, Buffer, array of strings, or array of Buffers of trusted certificates in PEM format. If omitted, several well known "root" CAs (like VeriSign) will be used. These are used to authorize connections.

A string containing the PEM encoded certificate.

A string describing the ciphers to use or exclude, separated by :.

Either a string or array of strings of PEM encoded CRLs (Certificate Revocation Lists).

A string or Buffer containing Diffie-Hellman parameters, required for Perfect Forward Secrecy. Use openssl dhparam to create the parameters. The key length must be greater than or equal to 1024 bits, otherwise an error will be thrown. It is strongly recommended to use 2048 bits or larger for stronger security. If omitted or invalid, the parameters are silently discarded and DHE ciphers will not be available.

A string describing a named curve to use for ECDH key agreement, or false to disable ECDH. Defaults to prime256v1 (NIST P-256). Use crypto.getCurves() to obtain a list of available curve names. On recent releases, openssl ecparam -list_curves will also display the name and description of each available elliptic curve.

Abort the connection if the SSL/TLS handshake does not finish in the specified number of milliseconds. Defaults to 120 seconds. A 'clientError' is emitted on the tls.Server object whenever a handshake times out.

When choosing a cipher, use the server's preferences instead of the client's preferences. Defaults to true.

The private key of the server in PEM format. To support multiple keys using different algorithms, an array can be provided either as a plain array of key strings or an array of objects in the format {pem: key, passphrase: passphrase}. This option is required for ciphers that make use of private keys.

A string containing the passphrase for the private key or pfx.

A string or Buffer containing the private key, certificate and CA certs of the server in PFX or PKCS12 format. (Mutually exclusive with the key, cert, and ca options.)

If true, the server will reject any connection which is not authorized with the list of supplied CAs. This option only has an effect if requestCert is true. Defaults to false.

If true, the server will request a certificate from clients that connect and attempt to verify that certificate. Defaults to false.

The SSL method to use, e.g., SSLv3_method to force SSL version 3. The possible values depend on the version of OpenSSL installed in the environment and are defined in the constant SSL_METHODS.

A string containing an opaque identifier for session resumption. If requestCert is true, the default is a 128 bit truncated SHA1 hash value generated from the command-line. Otherwise, a default is not provided.

An integer specifying the number of seconds after which the TLS session identifiers and TLS session tickets created by the server will time out. See SSL_CTX_set_timeout for more details.

A 48-byte Buffer instance consisting of a 16-byte prefix, a 16-byte HMAC key, and a 16-byte AES key. This can be used to accept TLS session tickets on multiple instances of the TLS server. Note that this is automatically shared between cluster module workers.
An array of strings or a Buffer naming possible ALPN protocols. (Protocols should be ordered by their priority.) When the server receives both NPN and ALPN extensions from the client, ALPN takes precedence over NPN and the server does not send an NPN extension to the client.