doc: add clientCertEngine to docs
Added `clientCertEngine` option to `https` and `tls` docs.
Trott committed Nov 8, 2017
commit be53cbef727d5811bed7a19af07abd44925f1000
9 changes: 6 additions & 3 deletions doc/api/https.md
Expand Up @@ -150,6 +150,9 @@ Global instance of [`https.Agent`][] for all HTTPS client requests.
<!-- YAML
added: v0.3.6
changes:
- version: REPLACEME
pr-url: https://github.com/nodejs/node/pull/6569
description: The `options` parameter can now include `clientCertEngine`.
- version: v7.5.0
pr-url: https://github.com/nodejs/node/pull/10638
description: The `options` parameter can be a WHATWG `URL` object.
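Review bot: The new `changes` entry states without qualification that the `options` parameter can now include `clientCertEngine`, but the prose further down this file lists `clientCertEngine` among the options accepted "when using a custom [`Agent`][]". Reword the description to carry the same condition, or confirm the option is honoured without a custom agent, so the changelog entry and the body text agree.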
Expand All @@ -164,9 +167,9 @@ changes:

Makes a request to a secure web server.

The following additional `options` from [`tls.connect()`][] are also accepted when using a
custom [`Agent`][]:
`pfx`, `key`, `passphrase`, `cert`, `ca`, `ciphers`, `rejectUnauthorized`, `secureProtocol`, `servername`
The following additional `options` from [`tls.connect()`][] are also accepted
when using a custom [`Agent`][]: `ca`, `cert`, `ciphers`, `clientCertEngine`,
`key`, `passphrase`, `pfx`, `rejectUnauthorized`, `secureProtocol`, `servername`

`options` can be an object, a string, or a [`URL`][] object. If `options` is a
string, it is automatically parsed with [`url.parse()`][]. If it is a [`URL`][]
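Review bot: The rewritten options list both adds `clientCertEngine` and re-sorts the existing names alphabetically, while the commit message mentions only the addition; note the reorder in the commit message so it is not mistaken for removed or renamed options. The list sentence still ends at `servername` without a full stop, and `clientCertEngine` gets no explanation here, so a pointer to its description in the `tls` docs would help readers of `https.md`.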
22 changes: 16 additions & 6 deletions doc/api/tls.md
Expand Up @@ -905,6 +905,9 @@ port or host argument.
<!-- YAML
added: v0.11.13
changes:
- version: REPLACEME
pr-url: https://github.com/nodejs/node/pull/6569
description: The `options` parameter can now include `clientCertEngine`.
- version: v7.3.0
pr-url: https://github.com/nodejs/node/pull/10294
description: If the `key` option is an array, individual entries do not
Expand Down Expand Up @@ -959,8 +962,6 @@ changes:
certificate can match or chain to.
For self-signed certificates, the certificate is its own CA, and must be
provided.
* `crl` {string|string[]|Buffer|Buffer[]} Optional PEM formatted
CRLs (Certificate Revocation Lists).
* `ciphers` {string} Optional cipher suite specification, replacing the
default. For more information, see [modifying the default cipher suite][].
* `honorCipherOrder` {boolean} Attempt to use the server's cipher suite
Expand All @@ -974,20 +975,24 @@ changes:
[`crypto.getCurves()`][] to obtain a list of available curve names. On
recent releases, `openssl ecparam -list_curves` will also display the name
and description of each available elliptic curve.
* `clientCertEngine` {string} Optional name of an OpenSSL engine which can
provide the client certificate.
* `crl` {string|string[]|Buffer|Buffer[]} Optional PEM formatted
CRLs (Certificate Revocation Lists).
* `dhparam` {string|Buffer} Diffie Hellman parameters, required for
[Perfect Forward Secrecy][]. Use `openssl dhparam` to create the parameters.
The key length must be greater than or equal to 1024 bits, otherwise an
error will be thrown. It is strongly recommended to use 2048 bits or larger
for stronger security. If omitted or invalid, the parameters are silently
discarded and DHE ciphers will not be available.
* `secureProtocol` {string} Optional SSL method to use, default is
`"SSLv23_method"`. The possible values are listed as [SSL_METHODS][], use
the function names as strings. For example, `"SSLv3_method"` to force SSL
version 3.
* `secureOptions` {number} Optionally affect the OpenSSL protocol behavior,
which is not usually necessary. This should be used carefully if at all!
Value is a numeric bitmask of the `SSL_OP_*` options from
[OpenSSL Options][].
* `secureProtocol` {string} Optional SSL method to use, default is
`"SSLv23_method"`. The possible values are listed as [SSL_METHODS][], use
the function names as strings. For example, `"SSLv3_method"` to force SSL
version 3.
* `sessionIdContext` {string} Optional opaque identifier used by servers to
ensure session state is not shared between applications. Unused by clients.
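Review bot: The `clientCertEngine` entry says only that the engine "can provide the client certificate"; it does not say how the option interacts with `cert`, `key` and `pfx` in the same list, or what happens when the named engine cannot be loaded. Since the value names a component that supplies credential material, a sentence covering both would be worth adding. This hunk also relocates `crl` and `secureProtocol` to sort the list, which the commit message does not mention; a separate commit for the reorder would keep the actual documentation change easy to see.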

Expand Down Expand Up @@ -1015,6 +1020,9 @@ publicly trusted list of CAs as given in
<!-- YAML
added: v0.3.2
changes:
- version: REPLACEME
pr-url: https://github.com/nodejs/node/pull/6569
description: The `options` parameter can now include `clientCertEngine`.
- version: v8.0.0
pr-url: https://github.com/nodejs/node/pull/11984
description: The `ALPNProtocols` and `NPNProtocols` options can
Expand All @@ -1025,6 +1033,8 @@ changes:
-->

* `options` {Object}
* `clientCertEngine` {string} Optional name of an OpenSSL engine which can
provide the client certificate.
* `handshakeTimeout` {number} Abort the connection if the SSL/TLS handshake
does not finish in the specified number of milliseconds. Defaults to `120`
seconds. A `'tlsClientError'` is emitted on the `tls.Server` object whenever
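Review bot: In this list the `handshakeTimeout` entry refers to the `tls.Server` object, so these are server options, and "an OpenSSL engine which can provide the client certificate" is confusing here without a statement of what role a client certificate engine plays on the server side. The text is also a verbatim copy of the `clientCertEngine` entry added earlier in this file; a cross-reference to that entry instead of a duplicate would keep the two from drifting apart.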