- crl: Either a string or list of strings of PEM encoded CRLs (Certificate Revocation Lists).
- ciphers: A string describing the ciphers to use or exclude.
  **NOTE**: Previous revisions of this section suggested `AES256-SHA` as an acceptable cipher. Unfortunately, `AES256-SHA` is a CBC cipher and therefore susceptible to BEAST attacks. Do *not* use it.
- handshakeTimeout: Abort the connection if the SSL/TLS handshake does not finish in this many milliseconds. The default is 120 seconds. A `'clientError'` event is emitted on the `tls.Server` object whenever a handshake times out.
- honorCipherOrder: When choosing a cipher, use the server's preferences instead of the client's preferences. Although this option is disabled by default, it is *recommended* that you use it in conjunction with the `ciphers` option to mitigate BEAST attacks.
- requestCert: If true, the server will request a certificate from clients that connect and attempt to verify that certificate. Default: false.
- rejectUnauthorized: If true, the server will reject any connection which is not authorized with the list of supplied CAs. This option only has an effect if requestCert is true. Default: false.
- NPNProtocols: An array or Buffer of possible NPN protocols. (Protocols should be ordered by their priority.)
- SNICallback(servername, cb): A function that will be called if the client supports the SNI TLS extension. Two arguments will be passed to it: servername and cb. SNICallback should invoke cb(null, ctx), where ctx is a SecureContext instance. (You can use crypto.createCredentials(...).context to get a proper SecureContext.) If SNICallback wasn't provided, a default callback with the high-level API will be used (see below).
- sessionTimeout: An integer specifying the number of seconds after which TLS session identifiers and TLS session tickets created by the server are timed out. See SSL_CTX_set_timeout for more details.
- sessionIdContext: A string containing an opaque identifier for session resumption. If requestCert is true, the default is an MD5 hash value generated from the command line. Otherwise, no default is provided.
- secureProtocol: The SSL method to use, e.g. SSLv3_method to force SSL version 3. The possible values depend on your installation of OpenSSL and are defined in the constant SSL_METHODS.

Here is a simple echo server example:
```js
var tls = require('tls');
var fs = require('fs');

// The options object is not shown on the page; the file names below are placeholders.
var options = {
  key: fs.readFileSync('server-key.pem'),
  cert: fs.readFileSync('server-cert.pem')
};

var server = tls.createServer(options, function(socket) {
  console.log('server connected',
              socket.authorized ? 'authorized' : 'unauthorized');
  socket.write("welcome!\n");
  socket.setEncoding('utf8');
  socket.pipe(socket);   // echo everything the client sends back to it
});
server.listen(8000, function() {
  console.log('server bound');
});
```

Or

```js
var tls = require('tls');
var fs = require('fs');

// The options object is cut off on the page; a PFX/PKCS12 bundle (documented for
// tls.connect below) is assumed here, and the file name is a placeholder.
var options = {
  pfx: fs.readFileSync('server.pfx')
};

var server = tls.createServer(options, function(socket) {
  console.log('server connected',
              socket.authorized ? 'authorized' : 'unauthorized');
  socket.write("welcome!\n");
  socket.setEncoding('utf8');
  socket.pipe(socket);   // echo everything the client sends back to it
});
server.listen(8000, function() {
  console.log('server bound');
});
```

You can test this server by connecting to it with openssl s_client:

```sh
openssl s_client -connect 127.0.0.1:8000
```

tls.connect(options, [callback])
tls.connect(port, [host], [options], [callback])

Creates a new client connection to the given port and host (old API) or options.port and options.host. (If host is omitted, it defaults to localhost.) options should be an object which specifies:

- host: Host the client should connect to.
- port: Port the client should connect to.
- socket: Establish a secure connection on a given socket rather than creating a new socket. If this option is specified, host and port are ignored.
- pfx: A string or Buffer containing the private key, certificate and CA certificates in PFX or PKCS12 format.
- key: A string or Buffer containing the private key of the client in PEM format.
- passphrase: A string containing the passphrase for the private key or pfx.
- cert: A string or Buffer containing the client certificate in PEM format.
- ca: An array of strings or Buffers of trusted certificates. If this is omitted, several well known ...
- rejectUnauthorized: If true, the server certificate is verified against the list of supplied CAs. An 'error' event is emitted if verification fails. Default: true.
- NPNProtocols: An array of strings or a Buffer containing the supported NPN protocols. A Buffer should have the following format: 0x05hello0x05world, where the first byte is the length of the next protocol name. (Passing an array is usually much simpler: ['hello', 'world'].)
- servername: Server name for the SNI (Server Name Indication) TLS extension.
- secureProtocol: The SSL method to use, e.g. SSLv3_method to force SSL version 3. The possible values depend on your installation of OpenSSL and are defined in the constant SSL_METHODS.
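The NPNProtocols Buffer format above (one length byte followed by each protocol name) is easy to get wrong by hand, so here is an encoder and a bounds-checked decoder for it. This is an added example, not code from the Node.js documentation; the function names are my own, and the decoder deliberately rejects zero-length and truncated entries rather than reading past the end of the Buffer.

```javascript
// Encode ['hello', 'world'] into the wire form 0x05 'hello' 0x05 'world'.
// Each name is prefixed by a single length byte, so names are limited to 255 bytes.
function encodeNpnProtocols(names) {
  var parts = names.map(function (name) {
    var bytes = Buffer.from(name, 'utf8');
    if (bytes.length === 0 || bytes.length > 255) {
      throw new Error('protocol name must be 1..255 bytes: ' + name);
    }
    return Buffer.concat([Buffer.from([bytes.length]), bytes]);
  });
  return Buffer.concat(parts);
}

// Decode the wire form back into an ordered array of protocol names.
// Malformed input (a zero length byte, or a length that runs past the end of
// the buffer) raises instead of producing a partial or garbage list.
function decodeNpnProtocols(buf) {
  var names = [];
  var offset = 0;
  while (offset < buf.length) {
    var len = buf[offset];
    if (len === 0) {
      throw new Error('zero-length protocol name at offset ' + offset);
    }
    if (offset + 1 + len > buf.length) {
      throw new Error('truncated protocol list at offset ' + offset);
    }
    names.push(buf.toString('utf8', offset + 1, offset + 1 + len));
    offset += 1 + len;
  }
  return names;
}

// Hex rendering of the encoded list, for comparing against the documented
// example byte sequence.
function npnHex(names) {
  return encodeNpnProtocols(names).toString('hex');
}

// Usage: pass the encoded Buffer (or, more simply, the array) as NPNProtocols.
// npnHex(['hello', 'world']) === '0568656c6c6f05776f726c64'
```

The order of names in the array is preserved in the Buffer, which matters because the server's NPNProtocols list is read in priority order.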
The callback parameter will be added as a listener for the 'secureConnect' event.

tls.connect() returns a tls.TLSSocket object.

Here is an example of a client for the echo server described above:
```js
var tls = require('tls');
var fs = require('fs');

// The options object is not shown on the page; the file names below are placeholders.
var options = {
  // Only needed if the server requests client certificate authentication.
  key: fs.readFileSync('client-key.pem'),
  cert: fs.readFileSync('client-cert.pem'),
  // Only needed if the server uses a self-signed certificate.
  ca: [ fs.readFileSync('server-cert.pem') ]
};

var socket = tls.connect(8000, options, function() {
  console.log('client connected',
              socket.authorized ? 'authorized' : 'unauthorized');
  process.stdin.pipe(socket);
  process.stdin.resume();
});
socket.setEncoding('utf8');
socket.on('data', function(data) {
  console.log(data);
});
socket.on('end', function() {
  // The server closed the connection; stop reading stdin and exit.
  process.exit(0);
});
```