| Field | Value | Date |
|---|---|---|
| author | Fedor Indutny <fedor@indutny.com> | 2014-04-14 21:15:57 +0400 |
| committer | Fedor Indutny <fedor@indutny.com> | 2014-04-18 02:21:16 +0400 |
| commit | b3ef289ffb7db476d284866658213f04415ea92d (patch) | |
| tree | ece3f973d16849e46ea7736880055482df0616e7 /doc | |
| parent | 77d1f4a91f2885fd3f39298754ae5b7ee75ad3d1 (diff) | |
tls: support OCSP on client and server
Diffstat (limited to 'doc')
-rw-r--r-- | doc/api/tls.markdown | 54 |
1 files changed, 54 insertions, 0 deletions
diff --git a/doc/api/tls.markdown b/doc/api/tls.markdown index 43f819d81e..3abbe64e47 100644 --- a/doc/api/tls.markdown +++ b/doc/api/tls.markdown @@ -408,6 +408,10 @@ Construct a new TLSSocket object from existing TCP socket. - `session`: Optional, a `Buffer` instance, containing TLS session + - `requestOCSP`: Optional, if `true` - OCSP status request extension would + be added to client hello, and `OCSPResponse` event will be emitted on socket + before establishing secure communication + ## tls.createSecurePair([context], [isServer], [requestCert], [rejectUnauthorized]) Stability: 0 - Deprecated. Use tls.TLSSocket instead. 
@@ -508,6 +512,44 @@ NOTE: adding this event listener will have an effect only on connections established after addition of event listener. +### Event: 'OCSPRequest' + +`function (certificate, issuer, callback) { }` + +Emitted when the client sends a certificate status request. You could parse +server's current certificate to obtain OCSP url and certificate id, and after +obtaining OCSP response invoke `callback(null, resp)`, where `resp` is a +`Buffer` instance. Both `certificate` and `issuer` are a `Buffer` +DER-representations of the primary and issuer's certificates. They could be used +to obtain OCSP certificate id and OCSP endpoint url. + +Alternatively, `callback(null, null)` could be called, meaning that there is no +OCSP response. + +Calling `callback(err)` will result in a `socket.destroy(err)` call. + +Typical flow: + +1. Client connects to server and sends `OCSPRequest` to it (via status info + extension in ClientHello.) +2. Server receives request and invokes `OCSPRequest` event listener if present +3. Server grabs OCSP url from either `certificate` or `issuer` and performs an + [OCSP request] to the CA +4. Server receives `OCSPResponse` from CA and sends it back to client via + `callback` argument +5. Client validates the response and either destroys socket or performs a + handshake. + +NOTE: `issuer` could be null, if certficiate is self-signed or if issuer is not +in the root certificates list. (You could provide an issuer via `ca` option.) + +NOTE: adding this event listener will have an effect only on connections +established after addition of event listener. + +NOTE: you may want to use some npm module like [asn1.js] to parse the +certificates. + + ### server.listen(port, [host], [callback]) Begin accepting connections on the specified `port` and `host`. If the 
@@ -577,6 +619,16 @@ If `tlsSocket.authorized === false` then the error can be found in `tlsSocket.authorizationError`. Also if NPN was used - you can check `tlsSocket.npnProtocol` for negotiated protocol. +### Event: 'OCSPResponse' + +`function (response) { }` + +This event will be emitted if `requestOCSP` option was set. `response` is a +buffer object, containing server's OCSP response. + +Traditionally, the `response` is a signed object from the server's CA that +contains information about server's certificate revocation status. + ### tlsSocket.encrypted Static boolean value, always `true`. May be used to distinguish TLS sockets @@ -711,3 +763,5 @@ The numeric representation of the local port. [Forward secrecy]: http://en.wikipedia.org/wiki/Perfect_forward_secrecy [DHE]: https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange [ECDHE]: https://en.wikipedia.org/wiki/Elliptic_curve_Diffie%E2%80%93Hellman +[asn1.js]: http://npmjs.org/package/asn1.js +[OCSP request]: http://en.wikipedia.org/wiki/OCSP_stapling |
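Review bot: the new `requestOCSP` bullet in the `tls.TLSSocket` options (hunk `@@ -408,6 +408,10 @@`) does not say what the client observes when the server sends no stapled status, i.e. whether `OCSPResponse` is emitted with an empty value or not emitted at all, and "would be added" reads as conditional rather than descriptive. Suggest: "if `true`, the OCSP status request extension is added to the client hello and the `OCSPResponse` event is emitted on the socket before secure communication is established", followed by one sentence covering the no-response case.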
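Review bot: typo in the first NOTE of the new `OCSPRequest` section (hunk `@@ -508,6 +512,44 @@`): "certficiate" should be "certificate". The section also never states that `callback` must be invoked exactly once, nor what happens to the handshake if the listener never calls it (does the connection hang until the socket times out?); since the option text says the client waits for the status "before establishing secure communication", that behaviour is worth spelling out. In step 4 of the typical flow, "Server receives `OCSPResponse` from CA" reuses the client-side event name for the CA's reply; "receives the OCSP response from the CA" avoids confusion with the `OCSPResponse` event. Finally, because step 3 has the server contacting the CA on each client's status request, the docs could recommend that the listener cache responses rather than issue a network request to the CA on every handshake.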
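Review bot: the new `OCSPResponse` section (hunk `@@ -577,6 +619,16 @@`) should state whether the socket has already validated the response when the event fires. Step 5 of the `OCSPRequest` flow earlier in this patch says "Client validates the response and either destroys socket or performs a handshake", but this section only describes `response` as "a buffer object, containing server's OCSP response", so a reader cannot tell whether the listener receives a verified revocation status or raw bytes it must check itself (signature against the issuer, matching certificate id, validity window) before acting on them. One sentence either way resolves it. Minor: "Traditionally, the `response` is a signed object" reads better as "Typically".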
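Review bot: in the link definitions (hunk `@@ -711,3 +763,5 @@`), `[OCSP request]` resolves to the OCSP stapling article (`http://en.wikipedia.org/wiki/OCSP_stapling`), while the label as used in step 3 describes the server's own request to the CA, which is plain OCSP rather than stapling; either point the link at the OCSP article or relabel the reference `[OCSP stapling]` and use it where stapling is meant. Also, both new entries use `http://` while the adjacent `[DHE]` and `[ECDHE]` entries use `https://`; prefer `https://` for consistency.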