Commit b6dda61

wavetory
authored and committed
Initial TLS support
1 parent 1cacb50 commit b6dda61

10 files changed

Lines changed: 743 additions & 12 deletions

doc/api.txt

Lines changed: 49 additions & 1 deletion
@@ -741,6 +741,16 @@ options argument for +tcp.Server+ does.
741741
The +request_listener+ is a function which is automatically
742742
added to the +"request"+ event.
743743

744+
+server.setSecure(format_type, ca_certs, crl_list, private_key, certificate)+ ::
745+
Enable TLS for all incoming connections, with the specified credentials.
746+
+
747+
format_type currently has to be "X509_PEM", and each of the ca, crl, key and
748+
cert parameters are in the format of PEM strings.
749+
+
750+
The ca_certs is a string that holds a number of CA certificates for use in accepting
751+
client connections that authenticate themselves with a client certificate.
752+
The private_key is a PEM string of the unencrypted key for the server.
753+
744754
+server.listen(port, hostname)+ ::
745755
Begin accepting connections on the specified port and hostname.
746756
If the hostname is omitted, the server will accept connections
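Review bot: the +server.setSecure+ entry never says what happens to a client whose certificate fails validation, that is, whether the server drops the connection or accepts it and leaves the decision to +connection.verifyPeer()+. Because +verifyPeer()+ is exposed as a separate, synchronous call elsewhere in this patch, state explicitly that +setSecure+ alone does not enforce client authentication and that request handlers must check the result before trusting anything about the peer. The +crl_list+ and +certificate+ parameters appear in the signature but are not described; add a sentence for each, and since +private_key+ is an unencrypted PEM string, mention that it should be read from a file with restrictive permissions rather than embedded in source.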
@@ -927,6 +937,17 @@ the response. (This sounds convoluted but it provides a chance
927937
for the user to stream a body to the server with
928938
+request.sendBody()+.)
929939

940+
+client.setSecure(format_type, ca_certs, crl_list, private_key, certificate)+ ::
941+
Enable TLS for the client connection, with the specified credentials.
942+
+
943+
format_type currently has to be "X509_PEM", and each of the ca, crl, key and
944+
cert parameters are in the format of PEM strings, and optional.
945+
+
946+
The ca_certs is a string that holds a number of CA certificates for use in deciding the
947+
authenticity of the remote server. The private_key is a PEM string of the unencrypted
948+
key for the client, which together with the certificate allows the client to authenticate
949+
itself to the server.
950+
930951

931952
==== +http.ClientRequest+
932953

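Review bot: the client entry makes +ca_certs+ optional but does not say what omitting it means for server authentication; with no trusted CAs the remote certificate cannot be validated, so say that a client which omits it must treat the connection as unauthenticated rather than expecting +connection.verifyPeer()+ to return 1. The hostname match described under +verifyPeer()+ also needs an expected name; document which hostname the client compares against so the reader knows a certificate issued for a different host will be reported as a mismatch. Minor grammar: "each of the ... parameters are in the format of PEM strings, and optional" should read "each ... is a PEM string and is optional".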
@@ -1160,6 +1181,15 @@ Creates a new TCP server.
11601181
The +connection_listener+ argument is automatically set as a listener for
11611182
the +"connection"+ event.
11621183

1184+
+server.setSecure(format_type, ca_certs, crl_list, private_key, certificate)+ ::
1185+
Enable TLS for all incoming connections, with the specified credentials.
1186+
+
1187+
format_type currently has to be "X509_PEM", and each of the ca, crl, key and
1188+
cert parameters are in the format of PEM strings.
1189+
+
1190+
The ca_certs is a string that holds a number of CA certificates for use in accepting
1191+
client connections that authenticate themselves with a client certificate.
1192+
The private_key is a PEM string of the unencrypted key for the server.
11631193

11641194
+server.listen(port, host=null, backlog=128)+ ::
11651195
Tells the server to listen for TCP connections to +port+ and +host+.
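Review bot: this +server.setSecure+ entry for +tcp.Server+ repeats the +http.Server+ text from the first hunk verbatim. Keep one description here in the TCP section and have the HTTP entry refer to it, the way the existing +options+ sentence at the top of the first hunk already defers to +tcp.Server+, so the two copies cannot drift apart as the API evolves. The same grammar fix applies: "each of the ... parameters are" should be "each ... is".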
@@ -1173,7 +1203,6 @@ connections for the server may grow.
11731203
+
11741204
This function is synchronous.
11751205

1176-
11771206
+server.close()+::
11781207
Stops the server from accepting new connections. This function is
11791208
asynchronous, the server is finally closed when the server emits a +"close"+
@@ -1279,6 +1308,25 @@ Disables the Nagle algorithm. By default TCP connections use the Nagle
12791308
algorithm, they buffer data before sending it off. Setting +noDelay+ will
12801309
immediately fire off data each time +connection.send()+ is called.
12811310

1311+
+connection.verifyPeer()+::
1312+
Returns an integer indicating the trusted status of the peer in a TLS
1313+
connection.
1314+
+
1315+
Returns 1 if the peer's certificate is issued by one of the trusted CAs,
1316+
the certificate has not been revoked, is in the issued date range,
1317+
and if the peer is the server, matches the hostname.
1318+
+
1319+
Returns 0 if no certificate was presented by the peer, or negative result
1320+
if the verification fails (with a given reason code). This function is synchronous.
1321+
1322+
+connection.getPeerCertificate(format)+::
1323+
For a TLS connection, returns the peer's certificate information, as defined
1324+
by the given format.
1325+
+
1326+
A format of "DNstring" gives a single string with the combined Distinguished
1327+
Name (DN) from the certificate, as comma delimited name=value pairs as defined
1328+
in RFC2253. This function is synchronous.
1329+
12821330
=== DNS module
12831331

12841332
Use +require("dns")+ to access this module
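Review bot: +verifyPeer()+ says a negative result carries "a given reason code" but the codes are documented nowhere in this file; list the values that +lib/tcp.js+ defines in this same commit (-100 signer not found through -106 hostname mismatch) so callers can act on them. The entry should also be explicit that 0 (no certificate presented) is not a success and that any value other than 1 means the peer is unauthenticated; a caller testing +verifyPeer() >= 0+ would otherwise silently accept anonymous peers. For +getPeerCertificate("DNstring")+, note that RFC 2253 escapes commas inside attribute values with a backslash, so consumers must not split the returned string on commas to recover individual attributes; returning an object of name/value pairs would remove that pitfall entirely.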

lib/tcp.js

Lines changed: 12 additions & 0 deletions
@@ -1,3 +1,15 @@
1+
var TLS_STATUS_CODES = {
2+
1 : 'JS_GNUTLS_CERT_VALIDATED',
3+
0 : 'JS_GNUTLS_CERT_UNDEFINED',
4+
}
5+
TLS_STATUS_CODES[-100] = 'JS_GNUTLS_CERT_SIGNER_NOT_FOUND';
6+
TLS_STATUS_CODES[-101] = 'JS_GNUTLS_CERT_SIGNER_NOT_CA';
7+
TLS_STATUS_CODES[-102] = 'JS_GNUTLS_CERT_INVALID';
8+
TLS_STATUS_CODES[-103] = 'JS_GNUTLS_CERT_NOT_ACTIVATED';
9+
TLS_STATUS_CODES[-104] = 'JS_GNUTLS_CERT_EXPIRED';
10+
TLS_STATUS_CODES[-105] = 'JS_GNUTLS_CERT_REVOKED';
11+
TLS_STATUS_CODES[-106] = 'JS_GNUTLS_CERT_DOES_NOT_MATCH_HOSTNAME';
12+
113
exports.createServer = function (on_connection, options) {
214
var server = new process.tcp.Server();
315
server.addListener("connection", on_connection);
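Review bot: +TLS_STATUS_CODES+ is module-private; nothing in this hunk exports it, so a caller of +connection.verifyPeer()+ cannot translate the integer into a name without copying the table. Add `exports.TLS_STATUS_CODES = TLS_STATUS_CODES;` and reference it from the +verifyPeer()+ documentation. Style: the table is split between a two-entry object literal and six follow-up assignments; put all eight entries in the literal, drop the trailing comma after +'JS_GNUTLS_CERT_UNDEFINED'+ and add the missing semicolon after the closing brace. The names also bake GnuTLS into the public reason codes while the API takes a +format_type+ argument that suggests more than one backend; backend-neutral names such as +CERT_EXPIRED+ would avoid a rename later.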
