path: root/doc/api/tls.md
authorSam Roberts <vieuxtech@gmail.com>2016-12-21 09:33:13 -0800
committerSam Roberts <vieuxtech@gmail.com>2017-01-12 11:10:46 -0800
commit84a23c72056dacc1d08659823576344ae2d3a53e (patch)
tree074d6aabbf2aefe4263931f1777b9fe0a348bb37 /doc/api/tls.md
parent733c4a813b39fc78c1b8e36f461e4b1251362f4a (diff)
doc,test: tls .ca option supports multi-PEM files
PR-URL: https://github.com/nodejs/node/pull/10389
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Diffstat (limited to 'doc/api/tls.md')
-rw-r--r--doc/api/tls.md19
1 files changed, 15 insertions, 4 deletions
diff --git a/doc/api/tls.md b/doc/api/tls.md
index 64fd343c04..f6bc19da78 100644
--- a/doc/api/tls.md
+++ b/doc/api/tls.md
@@ -909,10 +909,21 @@ added: v0.11.13
the same order as their private keys in `key`. If the intermediate
certificates are not provided, the peer will not be able to validate the
certificate, and the handshake will fail.
- * `ca`{string|string[]|Buffer|Buffer[]} Optional CA certificates to trust.
- Default is the well-known CAs from Mozilla. When connecting to peers that
- use certificates issued privately, or self-signed, the private root CA or
- self-signed certificate must be provided to verify the peer.
+ * `ca` {string|string[]|Buffer|Buffer[]} Optionally override the trusted CA
+ certificates. Default is to trust the well-known CAs curated by Mozilla.
+ Mozilla's CAs are completely replaced when CAs are explicitly specified
+ using this option. The value can be a string or Buffer, or an Array of
+ strings and/or Buffers. Any string or Buffer can contain multiple PEM CAs
+ concatenated together. The peer's certificate must be chainable to a CA
+ trusted by the server for the connection to be authenticated. When using
+ certificates that are not chainable to a well-known CA, the certificate's CA
+ must be explicitly specified as a trusted or the connection will fail to
+ authenticate.
+ If the peer uses a certificate that doesn't match or chain to one of the
+ default CAs, use the `ca` option to provide a CA certificate that the peer's
+ certificate can match or chain to.
+ For self-signed certificates, the certificate is its own CA, and must be
+ provided.
* `crl` {string|string[]|Buffer|Buffer[]} Optional PEM formatted
CRLs (Certificate Revocation Lists).
* `ciphers` {string} Optional cipher suite specification, replacing the
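Review bot: the added `ca` text has a grammatical gap and a scoping error in the same sentence: "must be explicitly specified as a trusted or the connection will fail to authenticate" is missing its noun (should read "as a trusted CA"), and "chainable to a CA trusted by the server" is too narrow for `createSecureContext`, whose options are used by both `tls.connect()` and `tls.createServer()`; a client verifying a server certificate is the common case, so say "trusted by the local end" or "by this side of the connection" rather than "by the server". The three sentences from "The peer's certificate must be chainable..." through "...certificate can match or chain to." also say the same thing twice; keeping the single sentence starting "If the peer uses a certificate that doesn't match or chain to one of the default CAs, use the `ca` option..." and dropping the first formulation would read cleaner. Finally, because the continuation lines are indented at the same depth as the bullet's first paragraph with no blank line, the "If the peer..." and "For self-signed certificates..." text renders as part of the same paragraph; if separate paragraphs were intended, insert a blank line before each (matching how the other options in this list are formatted).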