Add an easy way to start a TLS communication on top of a plain *server side* Socket #13368
Comments
I agree, I tried to document the APIs, but couldn't get progress on it: #10846 At the moment there is no documented way to use |
@alexfernandez I think #17599 documents how to get this working current the situation? I think @pepagos assessed everything correctly – on the server side, |
@addaleax The problem is that on the server side, I am attaching a proof of concept that creates a clear server and wraps every connection using |
Note: for easier code interchange I have created a repo with the example. This is the line that is being called with the |
A test can be easily added to |
Put into https://github.com/nodejs/node/projects/13 backlog |
The recommended way to upgrade a plain socket to a TLS socket is to wrap
it with `new TLSSocket(...)`. But this wrapping doesn't check certificates
and doesn't emit the `secureConnect` event.

There seems to be no public API to do that checking
(at least I couldn't find it).

The method `tls.connect` can be used to wrap a socket into a TLSSocket,
with certificate checking and with `secureConnect` emission.
But it can be used only for client side sockets (`isServer == false`)
and not for server side sockets got at a net.Socket `connection` event.

Reading the source code, I found that checking certificates is done with
socket._handle.verifyError(), both for TLSSocket produced by tls.Server and
created with tls.connect.
This is not a documented API, and although the verifyError method has been
there for a long time, I am not sure if I should use it in user space code.

I think it would be nice to have a way to fully wrap
a plain server side socket,
with certificate checking and `secureConnect` emission.
Or a public and documented API to do certificate checking.

Also, it would be nice if the documentation clearly explained
when certificates are checked and `secureConnect` is emitted.
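Added example, not part of the issue thread and not Node.js project code: one way to upgrade an accepted plain socket with certificate checking, assuming a Node.js release whose `tls` documentation describes emitting `'connection'` on a `tls.Server` to inject connections. `checkPeer`, `createUpgrader` and `createPlainServer` are hypothetical names, and the caller supplies `key`, `cert` and `ca` in `tlsOptions`.

```javascript
const net = require('net');
const tls = require('tls');

// Fail-closed check on an upgraded socket, using only documented TLSSocket
// fields. Returns { ok, reason, subject }.
function checkPeer(tlsSocket) {
  if (!tlsSocket.authorized) {
    const reason = String(tlsSocket.authorizationError || 'client certificate not verified');
    return { ok: false, reason, subject: null };
  }
  const cert = tlsSocket.getPeerCertificate();
  const cn = cert && cert.subject && cert.subject.CN;
  if (!cn) return { ok: false, reason: 'certificate has no subject CN', subject: null };
  return { ok: true, reason: null, subject: cn };
}

// A tls.Server that never listens itself: it only receives sockets injected
// with emit('connection', socket) and runs the server-side handshake on them.
function createUpgrader(tlsOptions, onResult) {
  const tlsServer = tls.createServer({
    ...tlsOptions,            // key, cert, ca supplied by the caller (assumption)
    requestCert: true,        // ask the client for a certificate
    rejectUnauthorized: true, // set last so tlsOptions cannot turn it off
  });
  tlsServer.on('secureConnection', (tlsSocket) => {
    const verdict = checkPeer(tlsSocket);
    if (!verdict.ok) tlsSocket.destroy();
    onResult(verdict, tlsSocket);
  });
  // The handshake failed before a secure connection was established.
  tlsServer.on('tlsClientError', (err, tlsSocket) => {
    tlsSocket.destroy();
    onResult({ ok: false, reason: err.message, subject: null }, tlsSocket);
  });
  return (plainSocket) => tlsServer.emit('connection', plainSocket);
}

// Plain listener that hands every accepted connection to the upgrader; a real
// protocol would call upgrade() only after its STARTTLS-style step.
function createPlainServer(tlsOptions, onResult) {
  const upgrade = createUpgrader(tlsOptions, onResult);
  return net.createServer((plainSocket) => upgrade(plainSocket));
}
```

On the server side the handshake result arrives as the `tls.Server` `'secureConnection'` event rather than `secureConnect`, which is the client-side event.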