Base structure for the options object used by the tls methods.

Fields

@:optional ticketKeys:Null<Buffer>

A 48-byte Buffer consisting of a 16-byte key-name prefix, a 16-byte HMAC key and a 16-byte AES key. Supply the same value to every tls server instance that should accept each other's session tickets. Treat it as a long-lived secret: whoever holds it can decrypt the tickets it protected, so keep it out of logs and rotate it.

NOTE: Automatically shared between cluster module workers.

@:optional sessionTimeout:Null<Int>

The number of seconds after which TLS session identifiers and TLS session tickets created by the server time out. See SSL_CTX_set_timeout for details.

@:optional sessionIdContext:Null<String>

Opaque identifier for session resumption. If requestCert is true, the default is an MD5 hash generated from the command line. Otherwise no default is provided.

@:optional secureProtocol:Null<String>

The SSL method to use, e.g. SSLv3_method to force SSL version 3. The possible values depend on your installation of OpenSSL and are defined in the SSL_METHODS constant. Pinning a single method disables every other protocol version; in particular SSLv3 and SSLv2 are no longer considered secure and should not be forced.

@:optional requestCert:Null<Bool>

If true, the server requests a certificate from each connecting client and attempts to verify it. Default: false.

@:optional rejectUnauthorized:Null<Bool>

If true, the server rejects any connection whose client certificate is not authorized by the supplied list of CAs. This option only has an effect if requestCert is true. With requestCert true and rejectUnauthorized false, unverified clients are still connected and the server must check the socket's authorized flag itself. Default: false.

@:optional pfx:Null<EitherType<String, Buffer>>

The server's private key, certificate and CA certificates in PFX or PKCS#12 format.

@:optional passphrase:Null<String>

Passphrase for the private key or pfx.

@:optional key:Null<EitherType<String, Buffer>>

The server's private key in PEM format.

@:optional honorCipherOrder:Null<Bool>

When choosing a cipher, use the server's preferences instead of the client's. Default: true.

@:optional handshakeTimeout:Null<Int>

Abort the connection if the SSL/TLS handshake does not finish within this many milliseconds. The default is 120 seconds (120000). A 'clientError' is emitted on the tls.Server object whenever a handshake times out.

@:optional ecdhCurve:Null<String>

Named curve to use for ECDH key agreement, or false to disable ECDH.

Defaults to prime256v1 (NIST P-256). Use Crypto.getCurves to obtain the list of available curve names. On recent releases, openssl ecparam -list_curves also displays the name and description of each available elliptic curve.

@:optional dhparam:Null<EitherType<String, Buffer>>

Diffie-Hellman parameters, required for Perfect Forward Secrecy with DHE cipher suites.

Use openssl dhparam to create them. The key length must be at least 1024 bits, otherwise an error is thrown; 2048 bits or more is strongly recommended for stronger security. If omitted or invalid, the parameters are silently discarded and DHE ciphers won't be available.

@:optional crl:Null<EitherType<String, Array<String>>>

PEM-encoded CRLs (Certificate Revocation Lists).

@:optional ciphers:Null<String>

Ciphers to use or exclude.

To mitigate BEAST attacks it is recommended that you use this option in conjunction with the honorCipherOrder option described above to prioritize non-CBC ciphers.

Defaults to AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH. Note that this default enables RC4, which is now known to be weak and is prohibited for TLS by RFC 7465; prefer a list that excludes it, e.g. by appending !RC4.

Consult the OpenSSL cipher list format documentation for details on the format. ECDH (Elliptic Curve Diffie-Hellman) cipher suites additionally depend on the ecdhCurve option described above.

@:optional cert:Null<EitherType<String, Buffer>>

The server's certificate in PEM format.

@:optional ca:Null<Array<EitherType<String, Buffer>>>

Trusted certificates in PEM format. If omitted, several well-known "root" CAs such as VeriSign are used. These are used to authorize connections.

@:optional SNICallback:Null<(servername:String, cb:Error -> SecureContext) -> Void>

A function called when the client supports the SNI TLS extension. Two arguments are passed to it: servername and cb. SNICallback should invoke cb(null, ctx), where ctx is a SecureContext instance (use tls.createSecureContext(...) to obtain one). If SNICallback is not provided, a default callback based on the high-level API is used.

@:optional NPNProtocols:Null<EitherType<Array<String>, Buffer>>

Possible NPN protocols, ordered by priority.