Skip to content

(v6.x backport) Doc and test cert apis #12468

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
sam-github wants to merge 6 commits into from
Closed

(v6.x backport) Doc and test cert apis #12468

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
cc1d02d
test: getgroups() may contain duplicate GIDs
sam-github Dec 21, 2016
05039c3
doc,test: tls .ca option supports multi-PEM files
sam-github Dec 21, 2016
d59c9f5
test: tls cert chain completion scenarios
sam-github Dec 20, 2016
7c6aec6
doc: use correct tls certificate property name
sam-github Dec 20, 2016
fd97d25
test: check tls server verification with addCACert
sam-github Dec 20, 2016
8db0443
test: move common tls connect setup into fixtures
sam-github Dec 17, 2016
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
doc,test: tls .ca option supports multi-PEM files 
PR-URL: #10389
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
  • Loading branch information
@sam-github
sam-github committed Apr 17, 2017
commit 05039c331f93ba33796516aa92b5dc4e412a0479
19 changes: 15 additions & 4 deletions doc/api/tls.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -906,10 +906,21 @@ added: v0.11.13
the same order as their private keys in `key`. If the intermediate
certificates are not provided, the peer will not be able to validate the
certificate, and the handshake will fail.
* `ca`{string|string[]|Buffer|Buffer[]} Optional CA certificates to trust.
Default is the well-known CAs from Mozilla. When connecting to peers that
use certificates issued privately, or self-signed, the private root CA or
self-signed certificate must be provided to verify the peer.
* `ca` {string|string[]|Buffer|Buffer[]} Optionally override the trusted CA
certificates. Default is to trust the well-known CAs curated by Mozilla.
Mozilla's CAs are completely replaced when CAs are explicitly specified
using this option. The value can be a string or Buffer, or an Array of
strings and/or Buffers. Any string or Buffer can contain multiple PEM CAs
concatenated together. The peer's certificate must be chainable to a CA
trusted by the server for the connection to be authenticated. When using
certificates that are not chainable to a well-known CA, the certificate's CA
must be explicitly specified as a trusted or the connection will fail to
authenticate.
If the peer uses a certificate that doesn't match or chain to one of the
default CAs, use the `ca` option to provide a CA certificate that the peer's
certificate can match or chain to.
For self-signed certificates, the certificate is its own CA, and must be
provided.
* `crl` {string|string[]|Buffer|Buffer[]} Optional PEM formatted
CRLs (Certificate Revocation Lists).
* `ciphers` {string} Optional cipher suite specification, replacing the
Expand Down
24 changes: 24 additions & 0 deletions test/parallel/test-tls-ca-concat.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
'use strict';
const common = require('../common');

// Check ca option can contain concatenated certs by prepending an unrelated
// non-CA cert and showing that agent6's CA root is still found.

const join = require('path').join;
const {
assert, connect, keys
} = require(join(common.fixturesDir, 'tls-connect'))();

connect({
client: {
checkServerIdentity: (servername, cert) => { },
ca: keys.agent1.cert + '\n' + keys.agent6.ca,
},
server: {
cert: keys.agent6.cert,
key: keys.agent6.key,
},
}, function(err, pair, cleanup) {
assert.ifError(err);
return cleanup();
});