2012-02-27 20:09:34 +01:00
|
|
|
# HTTPS
|
2011-01-21 22:12:35 +01:00
|
|
|
|
2017-01-23 04:16:21 +01:00
|
|
|
<!--introduced_in=v0.10.0-->
|
|
|
|
|
2016-07-16 00:35:38 +02:00
|
|
|
> Stability: 2 - Stable
|
2012-03-03 00:14:03 +01:00
|
|
|
|
2015-08-13 18:14:34 +02:00
|
|
|
HTTPS is the HTTP protocol over TLS/SSL. In Node.js this is implemented as a
|
2011-01-21 22:12:35 +01:00
|
|
|
separate module.
|
|
|
|
|
2019-12-24 13:07:33 +01:00
|
|
|
## Class: `https.Agent`
|
2016-06-23 21:51:12 +02:00
|
|
|
<!-- YAML
|
|
|
|
added: v0.4.5
|
2019-03-04 17:28:29 +01:00
|
|
|
changes:
|
|
|
|
- version: v2.5.0
|
|
|
|
pr-url: https://github.com/nodejs/node/pull/2228
|
|
|
|
description: parameter `maxCachedSessions` added to `options` for TLS
|
|
|
|
sessions reuse.
|
|
|
|
- version: v5.3.0
|
|
|
|
pr-url: https://github.com/nodejs/node/pull/4252
|
|
|
|
description: support `0` `maxCachedSessions` to disable TLS session caching.
|
2016-06-23 21:51:12 +02:00
|
|
|
-->
|
2015-11-04 23:59:28 +01:00
|
|
|
|
2018-04-02 07:38:48 +02:00
|
|
|
An [`Agent`][] object for HTTPS similar to [`http.Agent`][]. See
|
2018-02-12 08:31:55 +01:00
|
|
|
[`https.request()`][] for more information.
|
2015-11-04 23:59:28 +01:00
|
|
|
|
2019-12-24 13:07:33 +01:00
|
|
|
### `new Agent([options])`
|
2019-06-02 18:11:48 +02:00
|
|
|
<!-- YAML
|
|
|
|
changes:
|
2019-06-17 21:31:37 +02:00
|
|
|
- version: v12.5.0
|
2019-06-02 18:11:48 +02:00
|
|
|
pr-url: https://github.com/nodejs/node/pull/28209
|
|
|
|
description: do not automatically set servername if the target host was
|
|
|
|
specified using an IP address.
|
|
|
|
-->
|
2019-09-06 07:42:22 +02:00
|
|
|
|
2019-03-04 17:28:29 +01:00
|
|
|
* `options` {Object} Set of configurable options to set on the agent.
|
|
|
|
Can have the same fields as for [`http.Agent(options)`][], and
|
|
|
|
* `maxCachedSessions` {number} maximum number of TLS cached sessions.
|
|
|
|
Use `0` to disable TLS session caching. **Default:** `100`.
|
2019-04-19 21:51:24 +02:00
|
|
|
* `servername` {string} the value of
|
|
|
|
[Server Name Indication extension][sni wiki] to be sent to the server. Use
|
|
|
|
empty string `''` to disable sending the extension.
|
2020-01-12 16:28:26 +01:00
|
|
|
**Default:** host name of the target server, unless the target server
|
2019-06-02 18:11:48 +02:00
|
|
|
is specified using an IP address, in which case the default is `''` (no
|
|
|
|
extension).
|
2019-03-04 17:28:29 +01:00
|
|
|
|
2019-08-10 07:48:03 +02:00
|
|
|
See [`Session Resumption`][] for information about TLS session reuse.
|
2019-03-04 17:28:29 +01:00
|
|
|
|
2019-12-24 13:07:33 +01:00
|
|
|
#### Event: `'keylog'`
|
2019-10-21 23:27:50 +02:00
|
|
|
<!-- YAML
|
2019-11-19 18:41:01 +01:00
|
|
|
added: v13.2.0
|
2019-10-21 23:27:50 +02:00
|
|
|
-->
|
|
|
|
|
|
|
|
* `line` {Buffer} Line of ASCII text, in NSS `SSLKEYLOGFILE` format.
|
|
|
|
* `tlsSocket` {tls.TLSSocket} The `tls.TLSSocket` instance on which it was
|
|
|
|
generated.
|
|
|
|
|
|
|
|
The `keylog` event is emitted when key material is generated or received by a
|
|
|
|
connection managed by this agent (typically before handshake has completed, but
|
|
|
|
not necessarily). This keying material can be stored for debugging, as it
|
|
|
|
allows captured TLS traffic to be decrypted. It may be emitted multiple times
|
|
|
|
for each socket.
|
|
|
|
|
|
|
|
A typical use case is to append received lines to a common text file, which is
|
|
|
|
later used by software (such as Wireshark) to decrypt the traffic:
|
|
|
|
|
|
|
|
```js
|
|
|
|
// ...
|
|
|
|
https.globalAgent.on('keylog', (line, tlsSocket) => {
|
|
|
|
fs.appendFileSync('/tmp/ssl-keys.log', line, { mode: 0o600 });
|
|
|
|
});
|
|
|
|
```
|
|
|
|
|
2019-12-24 13:07:33 +01:00
|
|
|
## Class: `https.Server`
|
2016-06-23 21:51:12 +02:00
|
|
|
<!-- YAML
|
|
|
|
added: v0.3.4
|
|
|
|
-->
|
2011-04-28 09:36:04 +02:00
|
|
|
|
2019-08-21 22:32:59 +02:00
|
|
|
* Extends: {tls.Server}
|
|
|
|
|
|
|
|
See [`http.Server`][] for more information.
|
2011-04-28 09:36:04 +02:00
|
|
|
|
2019-12-24 13:07:33 +01:00
|
|
|
### `server.close([callback])`
|
2017-10-06 20:50:47 +02:00
|
|
|
<!-- YAML
|
|
|
|
added: v0.1.90
|
|
|
|
-->
|
2019-09-06 07:42:22 +02:00
|
|
|
|
2018-07-12 19:48:11 +02:00
|
|
|
* `callback` {Function}
|
2018-10-31 09:53:38 +01:00
|
|
|
* Returns: {https.Server}
|
2017-10-06 20:50:47 +02:00
|
|
|
|
|
|
|
See [`server.close()`][`http.close()`] from the HTTP module for details.
|
|
|
|
|
2019-12-24 13:07:33 +01:00
|
|
|
### `server.headersTimeout`
|
2018-11-28 15:48:07 +01:00
|
|
|
<!-- YAML
|
|
|
|
added: v11.3.0
|
|
|
|
-->
|
2019-09-06 07:42:22 +02:00
|
|
|
|
2019-10-23 00:17:03 +02:00
|
|
|
* {number} **Default:** `60000`
|
2018-11-28 15:48:07 +01:00
|
|
|
|
|
|
|
See [`http.Server#headersTimeout`][].
|
|
|
|
|
2019-12-24 13:07:33 +01:00
|
|
|
### `server.listen()`
|
2017-10-06 20:50:47 +02:00
|
|
|
|
|
|
|
Starts the HTTPS server listening for encrypted connections.
|
|
|
|
This method is identical to [`server.listen()`][] from [`net.Server`][].
|
|
|
|
|
2019-12-24 13:07:33 +01:00
|
|
|
### `server.maxHeadersCount`
|
2018-04-22 20:48:41 +02:00
|
|
|
|
2019-09-13 06:22:29 +02:00
|
|
|
* {number} **Default:** `2000`
|
2018-04-22 20:48:41 +02:00
|
|
|
|
|
|
|
See [`http.Server#maxHeadersCount`][].
|
|
|
|
|
2019-12-24 13:07:33 +01:00
|
|
|
### `server.setTimeout([msecs][, callback])`
|
2016-06-23 21:51:12 +02:00
|
|
|
<!-- YAML
|
|
|
|
added: v0.11.2
|
|
|
|
-->
|
2019-09-06 07:42:22 +02:00
|
|
|
|
2018-07-12 19:48:11 +02:00
|
|
|
* `msecs` {number} **Default:** `120000` (2 minutes)
|
|
|
|
* `callback` {Function}
|
2018-10-31 09:53:38 +01:00
|
|
|
* Returns: {https.Server}
|
2013-04-30 12:43:32 +02:00
|
|
|
|
2015-11-28 00:30:32 +01:00
|
|
|
See [`http.Server#setTimeout()`][].
|
2013-04-30 12:43:32 +02:00
|
|
|
|
2019-12-24 13:07:33 +01:00
|
|
|
### `server.timeout`
|
2016-06-23 21:51:12 +02:00
|
|
|
<!-- YAML
|
|
|
|
added: v0.11.2
|
2020-02-08 10:47:37 +01:00
|
|
|
changes:
|
|
|
|
- version: v13.0.0
|
|
|
|
pr-url: https://github.com/nodejs/node/pull/27558
|
|
|
|
description: The default timeout changed from 120s to 0 (no timeout).
|
2016-06-23 21:51:12 +02:00
|
|
|
-->
|
2019-09-06 07:42:22 +02:00
|
|
|
|
2020-02-08 10:47:37 +01:00
|
|
|
* {number} **Default:** 0 (no timeout)
|
2013-04-30 12:43:32 +02:00
|
|
|
|
2015-11-28 00:30:32 +01:00
|
|
|
See [`http.Server#timeout`][].
|
2013-04-30 12:43:32 +02:00
|
|
|
|
2019-12-24 13:07:33 +01:00
|
|
|
### `server.keepAliveTimeout`
|
2015-10-29 20:53:43 +01:00
|
|
|
<!-- YAML
|
2017-03-16 04:26:14 +01:00
|
|
|
added: v8.0.0
|
2015-10-29 20:53:43 +01:00
|
|
|
-->
|
2019-09-06 07:42:22 +02:00
|
|
|
|
2019-09-13 06:22:29 +02:00
|
|
|
* {number} **Default:** `5000` (5 seconds)
|
2015-10-29 20:53:43 +01:00
|
|
|
|
|
|
|
See [`http.Server#keepAliveTimeout`][].
|
|
|
|
|
2019-12-24 13:07:33 +01:00
|
|
|
## `https.createServer([options][, requestListener])`
|
2016-06-23 21:51:12 +02:00
|
|
|
<!-- YAML
|
|
|
|
added: v0.3.4
|
|
|
|
-->
|
2019-09-06 07:42:22 +02:00
|
|
|
|
2018-07-12 19:48:11 +02:00
|
|
|
* `options` {Object} Accepts `options` from [`tls.createServer()`][],
|
2017-10-19 20:16:02 +02:00
|
|
|
[`tls.createSecureContext()`][] and [`http.createServer()`][].
|
2018-07-12 19:48:11 +02:00
|
|
|
* `requestListener` {Function} A listener to be added to the `'request'` event.
|
2018-10-31 09:53:38 +01:00
|
|
|
* Returns: {https.Server}
|
2011-01-21 22:12:35 +01:00
|
|
|
|
2016-01-17 18:39:07 +01:00
|
|
|
```js
|
|
|
|
// curl -k https://localhost:8000/
|
|
|
|
const https = require('https');
|
|
|
|
const fs = require('fs');
|
|
|
|
|
|
|
|
const options = {
|
|
|
|
key: fs.readFileSync('test/fixtures/keys/agent2-key.pem'),
|
|
|
|
cert: fs.readFileSync('test/fixtures/keys/agent2-cert.pem')
|
|
|
|
};
|
|
|
|
|
|
|
|
https.createServer(options, (req, res) => {
|
|
|
|
res.writeHead(200);
|
|
|
|
res.end('hello world\n');
|
|
|
|
}).listen(8000);
|
|
|
|
```
|
2011-01-21 22:12:35 +01:00
|
|
|
|
2012-05-13 21:38:23 +02:00
|
|
|
Or
|
|
|
|
|
2016-01-17 18:39:07 +01:00
|
|
|
```js
|
|
|
|
const https = require('https');
|
|
|
|
const fs = require('fs');
|
2012-05-13 21:38:23 +02:00
|
|
|
|
2016-01-17 18:39:07 +01:00
|
|
|
const options = {
|
2017-04-03 01:55:01 +02:00
|
|
|
pfx: fs.readFileSync('test/fixtures/test_cert.pfx'),
|
|
|
|
passphrase: 'sample'
|
2016-01-17 18:39:07 +01:00
|
|
|
};
|
2012-05-13 21:38:23 +02:00
|
|
|
|
2016-01-17 18:39:07 +01:00
|
|
|
https.createServer(options, (req, res) => {
|
|
|
|
res.writeHead(200);
|
|
|
|
res.end('hello world\n');
|
|
|
|
}).listen(8000);
|
|
|
|
```
|
2011-01-21 22:12:35 +01:00
|
|
|
|
2019-12-24 13:07:33 +01:00
|
|
|
## `https.get(options[, callback])`
|
|
|
|
## `https.get(url[, options][, callback])`
|
2016-06-23 21:51:12 +02:00
|
|
|
<!-- YAML
|
|
|
|
added: v0.3.6
|
2017-06-02 17:07:06 +02:00
|
|
|
changes:
|
2018-08-13 11:02:06 +02:00
|
|
|
- version: v10.9.0
|
2018-07-01 17:00:24 +02:00
|
|
|
pr-url: https://github.com/nodejs/node/pull/21616
|
2018-09-19 17:14:37 +02:00
|
|
|
description: The `url` parameter can now be passed along with a separate
|
|
|
|
`options` object.
|
2017-06-02 17:07:06 +02:00
|
|
|
- version: v7.5.0
|
|
|
|
pr-url: https://github.com/nodejs/node/pull/10638
|
|
|
|
description: The `options` parameter can be a WHATWG `URL` object.
|
2016-06-23 21:51:12 +02:00
|
|
|
-->
|
2019-09-06 07:42:22 +02:00
|
|
|
|
2018-07-07 03:46:38 +02:00
|
|
|
* `url` {string | URL}
|
2018-07-12 19:48:11 +02:00
|
|
|
* `options` {Object | string | URL} Accepts the same `options` as
|
2017-03-04 00:23:48 +01:00
|
|
|
[`https.request()`][], with the `method` always set to `GET`.
|
2018-07-12 19:48:11 +02:00
|
|
|
* `callback` {Function}
|
2012-10-08 19:10:29 +02:00
|
|
|
|
2015-11-28 00:30:32 +01:00
|
|
|
Like [`http.get()`][] but for HTTPS.
|
2015-11-04 23:59:28 +01:00
|
|
|
|
2017-06-02 17:07:06 +02:00
|
|
|
`options` can be an object, a string, or a [`URL`][] object. If `options` is a
|
2018-04-25 02:37:43 +02:00
|
|
|
string, it is automatically parsed with [`new URL()`][]. If it is a [`URL`][]
|
2017-06-02 17:07:06 +02:00
|
|
|
object, it will be automatically converted to an ordinary `options` object.
|
2015-11-04 23:59:28 +01:00
|
|
|
|
2016-01-17 18:39:07 +01:00
|
|
|
```js
|
|
|
|
const https = require('https');
|
2015-11-04 23:59:28 +01:00
|
|
|
|
2016-01-17 18:39:07 +01:00
|
|
|
https.get('https://encrypted.google.com/', (res) => {
|
2016-07-27 04:25:08 +02:00
|
|
|
console.log('statusCode:', res.statusCode);
|
|
|
|
console.log('headers:', res.headers);
|
2015-11-04 23:59:28 +01:00
|
|
|
|
2016-01-17 18:39:07 +01:00
|
|
|
res.on('data', (d) => {
|
|
|
|
process.stdout.write(d);
|
|
|
|
});
|
2015-11-04 23:59:28 +01:00
|
|
|
|
2016-01-17 18:39:07 +01:00
|
|
|
}).on('error', (e) => {
|
|
|
|
console.error(e);
|
|
|
|
});
|
|
|
|
```
|
2015-11-04 23:59:28 +01:00
|
|
|
|
2019-12-24 13:07:33 +01:00
|
|
|
## `https.globalAgent`
|
2016-06-23 21:51:12 +02:00
|
|
|
<!-- YAML
|
|
|
|
added: v0.5.9
|
|
|
|
-->
|
2015-11-04 23:59:28 +01:00
|
|
|
|
2015-11-28 00:30:32 +01:00
|
|
|
Global instance of [`https.Agent`][] for all HTTPS client requests.
|
2015-11-04 23:59:28 +01:00
|
|
|
|
2019-12-24 13:07:33 +01:00
|
|
|
## `https.request(options[, callback])`
|
|
|
|
## `https.request(url[, options][, callback])`
|
2016-06-23 21:51:12 +02:00
|
|
|
<!-- YAML
|
|
|
|
added: v0.3.6
|
2017-06-02 17:07:06 +02:00
|
|
|
changes:
|
2020-04-11 20:07:35 +02:00
|
|
|
- version: REPLACEME
|
|
|
|
pr-url: https://github.com/nodejs/node/pull/32786
|
|
|
|
description: The `highWaterMark` option is accepted now.
|
2018-08-13 11:02:06 +02:00
|
|
|
- version: v10.9.0
|
2018-07-01 17:00:24 +02:00
|
|
|
pr-url: https://github.com/nodejs/node/pull/21616
|
2018-09-19 17:14:37 +02:00
|
|
|
description: The `url` parameter can now be passed along with a separate
|
|
|
|
`options` object.
|
2017-12-12 09:09:37 +01:00
|
|
|
- version: v9.3.0
|
2017-12-12 10:18:02 +01:00
|
|
|
pr-url: https://github.com/nodejs/node/pull/14903
|
2017-08-17 22:54:05 +02:00
|
|
|
description: The `options` parameter can now include `clientCertEngine`.
|
2017-06-02 17:07:06 +02:00
|
|
|
- version: v7.5.0
|
|
|
|
pr-url: https://github.com/nodejs/node/pull/10638
|
|
|
|
description: The `options` parameter can be a WHATWG `URL` object.
|
2016-06-23 21:51:12 +02:00
|
|
|
-->
|
2019-09-06 07:42:22 +02:00
|
|
|
|
2018-07-07 03:46:38 +02:00
|
|
|
* `url` {string | URL}
|
2018-07-12 19:48:11 +02:00
|
|
|
* `options` {Object | string | URL} Accepts all `options` from
|
2018-02-12 08:31:55 +01:00
|
|
|
[`http.request()`][], with some differences in default values:
|
2019-09-13 06:22:29 +02:00
|
|
|
* `protocol` **Default:** `'https:'`
|
|
|
|
* `port` **Default:** `443`
|
|
|
|
* `agent` **Default:** `https.globalAgent`
|
2018-07-12 19:48:11 +02:00
|
|
|
* `callback` {Function}
|
2017-03-04 00:23:48 +01:00
|
|
|
|
2012-08-18 07:18:02 +02:00
|
|
|
Makes a request to a secure web server.
|
|
|
|
|
2017-10-17 06:23:29 +02:00
|
|
|
The following additional `options` from [`tls.connect()`][] are also accepted:
|
|
|
|
`ca`, `cert`, `ciphers`, `clientCertEngine`, `crl`, `dhparam`, `ecdhCurve`,
|
|
|
|
`honorCipherOrder`, `key`, `passphrase`, `pfx`, `rejectUnauthorized`,
|
2020-04-11 20:07:35 +02:00
|
|
|
`secureOptions`, `secureProtocol`, `servername`, `sessionIdContext`,
|
|
|
|
`highWaterMark`.
|
2017-03-04 00:23:48 +01:00
|
|
|
|
2017-06-02 17:07:06 +02:00
|
|
|
`options` can be an object, a string, or a [`URL`][] object. If `options` is a
|
2018-04-25 02:37:43 +02:00
|
|
|
string, it is automatically parsed with [`new URL()`][]. If it is a [`URL`][]
|
2017-06-02 17:07:06 +02:00
|
|
|
object, it will be automatically converted to an ordinary `options` object.
|
2012-08-18 07:18:02 +02:00
|
|
|
|
2016-01-17 18:39:07 +01:00
|
|
|
```js
|
|
|
|
const https = require('https');
|
2011-01-21 22:12:35 +01:00
|
|
|
|
2017-04-03 01:55:01 +02:00
|
|
|
const options = {
|
2016-01-17 18:39:07 +01:00
|
|
|
hostname: 'encrypted.google.com',
|
|
|
|
port: 443,
|
|
|
|
path: '/',
|
|
|
|
method: 'GET'
|
|
|
|
};
|
2011-01-21 22:12:35 +01:00
|
|
|
|
2017-04-03 01:55:01 +02:00
|
|
|
const req = https.request(options, (res) => {
|
2016-07-27 04:25:08 +02:00
|
|
|
console.log('statusCode:', res.statusCode);
|
|
|
|
console.log('headers:', res.headers);
|
2011-01-21 22:12:35 +01:00
|
|
|
|
2016-01-17 18:39:07 +01:00
|
|
|
res.on('data', (d) => {
|
|
|
|
process.stdout.write(d);
|
|
|
|
});
|
|
|
|
});
|
2011-01-21 22:12:35 +01:00
|
|
|
|
2016-01-17 18:39:07 +01:00
|
|
|
req.on('error', (e) => {
|
|
|
|
console.error(e);
|
|
|
|
});
|
2016-11-15 12:47:30 +01:00
|
|
|
req.end();
|
2016-01-17 18:39:07 +01:00
|
|
|
```
|
2019-08-29 15:28:03 +02:00
|
|
|
|
2017-03-04 00:23:48 +01:00
|
|
|
Example using options from [`tls.connect()`][]:
|
2011-09-14 13:17:30 +02:00
|
|
|
|
2016-01-17 18:39:07 +01:00
|
|
|
```js
|
2017-04-03 01:55:01 +02:00
|
|
|
const options = {
|
2016-01-17 18:39:07 +01:00
|
|
|
hostname: 'encrypted.google.com',
|
|
|
|
port: 443,
|
|
|
|
path: '/',
|
|
|
|
method: 'GET',
|
|
|
|
key: fs.readFileSync('test/fixtures/keys/agent2-key.pem'),
|
|
|
|
cert: fs.readFileSync('test/fixtures/keys/agent2-cert.pem')
|
|
|
|
};
|
|
|
|
options.agent = new https.Agent(options);
|
|
|
|
|
2017-04-03 01:55:01 +02:00
|
|
|
const req = https.request(options, (res) => {
|
|
|
|
// ...
|
2016-07-15 07:41:29 +02:00
|
|
|
});
|
2016-01-17 18:39:07 +01:00
|
|
|
```
|
2011-09-14 13:17:30 +02:00
|
|
|
|
2017-10-17 06:23:29 +02:00
|
|
|
Alternatively, opt out of connection pooling by not using an [`Agent`][].
|
2011-09-14 13:17:30 +02:00
|
|
|
|
2016-01-17 18:39:07 +01:00
|
|
|
```js
|
2017-04-03 01:55:01 +02:00
|
|
|
const options = {
|
2016-01-17 18:39:07 +01:00
|
|
|
hostname: 'encrypted.google.com',
|
|
|
|
port: 443,
|
|
|
|
path: '/',
|
|
|
|
method: 'GET',
|
|
|
|
key: fs.readFileSync('test/fixtures/keys/agent2-key.pem'),
|
|
|
|
cert: fs.readFileSync('test/fixtures/keys/agent2-cert.pem'),
|
|
|
|
agent: false
|
|
|
|
};
|
|
|
|
|
2017-04-03 01:55:01 +02:00
|
|
|
const req = https.request(options, (res) => {
|
|
|
|
// ...
|
2016-07-15 07:41:29 +02:00
|
|
|
});
|
2016-01-17 18:39:07 +01:00
|
|
|
```
|
2015-11-14 04:21:49 +01:00
|
|
|
|
2017-06-02 17:07:06 +02:00
|
|
|
Example using a [`URL`][] as `options`:
|
|
|
|
|
|
|
|
```js
|
|
|
|
const options = new URL('https://abc:xyz@example.com');
|
|
|
|
|
|
|
|
const req = https.request(options, (res) => {
|
|
|
|
// ...
|
|
|
|
});
|
|
|
|
```
|
|
|
|
|
2018-02-12 08:31:55 +01:00
|
|
|
Example pinning on certificate fingerprint, or the public key (similar to
|
|
|
|
`pin-sha256`):
|
2018-02-14 18:35:10 +01:00
|
|
|
|
|
|
|
```js
|
|
|
|
const tls = require('tls');
|
|
|
|
const https = require('https');
|
|
|
|
const crypto = require('crypto');
|
|
|
|
|
|
|
|
function sha256(s) {
|
|
|
|
return crypto.createHash('sha256').update(s).digest('base64');
|
|
|
|
}
|
|
|
|
const options = {
|
|
|
|
hostname: 'github.com',
|
|
|
|
port: 443,
|
|
|
|
path: '/',
|
|
|
|
method: 'GET',
|
|
|
|
checkServerIdentity: function(host, cert) {
|
|
|
|
// Make sure the certificate is issued to the host we are connected to
|
|
|
|
const err = tls.checkServerIdentity(host, cert);
|
|
|
|
if (err) {
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
|
|
|
// Pin the public key, similar to HPKP pin-sha25 pinning
|
|
|
|
const pubkey256 = 'pL1+qb9HTMRZJmuC/bB/ZI9d302BYrrqiVuRyW+DGrU=';
|
|
|
|
if (sha256(cert.pubkey) !== pubkey256) {
|
|
|
|
const msg = 'Certificate verification error: ' +
|
|
|
|
`The public key of '${cert.subject.CN}' ` +
|
|
|
|
'does not match our pinned fingerprint';
|
|
|
|
return new Error(msg);
|
|
|
|
}
|
|
|
|
|
2020-02-14 15:36:11 +01:00
|
|
|
// Pin the exact certificate, rather than the pub key
|
2018-02-14 18:35:10 +01:00
|
|
|
const cert256 = '25:FE:39:32:D9:63:8C:8A:FC:A1:9A:29:87:' +
|
|
|
|
'D8:3E:4C:1D:98:DB:71:E4:1A:48:03:98:EA:22:6A:BD:8B:93:16';
|
|
|
|
if (cert.fingerprint256 !== cert256) {
|
|
|
|
const msg = 'Certificate verification error: ' +
|
|
|
|
`The certificate of '${cert.subject.CN}' ` +
|
|
|
|
'does not match our pinned fingerprint';
|
|
|
|
return new Error(msg);
|
|
|
|
}
|
|
|
|
|
|
|
|
// This loop is informational only.
|
|
|
|
// Print the certificate and public key fingerprints of all certs in the
|
|
|
|
// chain. Its common to pin the public key of the issuer on the public
|
|
|
|
// internet, while pinning the public key of the service in sensitive
|
|
|
|
// environments.
|
|
|
|
do {
|
|
|
|
console.log('Subject Common Name:', cert.subject.CN);
|
|
|
|
console.log(' Certificate SHA256 fingerprint:', cert.fingerprint256);
|
|
|
|
|
|
|
|
hash = crypto.createHash('sha256');
|
|
|
|
console.log(' Public key ping-sha256:', sha256(cert.pubkey));
|
|
|
|
|
|
|
|
lastprint256 = cert.fingerprint256;
|
|
|
|
cert = cert.issuerCertificate;
|
|
|
|
} while (cert.fingerprint256 !== lastprint256);
|
|
|
|
|
|
|
|
},
|
|
|
|
};
|
|
|
|
|
|
|
|
options.agent = new https.Agent(options);
|
|
|
|
const req = https.request(options, (res) => {
|
|
|
|
console.log('All OK. Server matched our pinned cert or public key');
|
|
|
|
console.log('statusCode:', res.statusCode);
|
|
|
|
// Print the HPKP values
|
|
|
|
console.log('headers:', res.headers['public-key-pins']);
|
|
|
|
|
|
|
|
res.on('data', (d) => {});
|
|
|
|
});
|
|
|
|
|
|
|
|
req.on('error', (e) => {
|
|
|
|
console.error(e.message);
|
|
|
|
});
|
|
|
|
req.end();
|
|
|
|
```
|
2018-04-29 11:49:56 +02:00
|
|
|
|
|
|
|
Outputs for example:
|
|
|
|
|
2018-02-14 18:35:10 +01:00
|
|
|
```text
|
|
|
|
Subject Common Name: github.com
|
|
|
|
Certificate SHA256 fingerprint: 25:FE:39:32:D9:63:8C:8A:FC:A1:9A:29:87:D8:3E:4C:1D:98:DB:71:E4:1A:48:03:98:EA:22:6A:BD:8B:93:16
|
|
|
|
Public key ping-sha256: pL1+qb9HTMRZJmuC/bB/ZI9d302BYrrqiVuRyW+DGrU=
|
|
|
|
Subject Common Name: DigiCert SHA2 Extended Validation Server CA
|
|
|
|
Certificate SHA256 fingerprint: 40:3E:06:2A:26:53:05:91:13:28:5B:AF:80:A0:D4:AE:42:2C:84:8C:9F:78:FA:D0:1F:C9:4B:C5:B8:7F:EF:1A
|
|
|
|
Public key ping-sha256: RRM1dGqnDFsCJXBTHky16vi1obOlCgFFn/yOhI/y+ho=
|
|
|
|
Subject Common Name: DigiCert High Assurance EV Root CA
|
|
|
|
Certificate SHA256 fingerprint: 74:31:E5:F4:C3:C1:CE:46:90:77:4F:0B:61:E0:54:40:88:3B:A9:A0:1E:D0:0B:A6:AB:D7:80:6E:D3:B1:18:CF
|
|
|
|
Public key ping-sha256: WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18=
|
|
|
|
All OK. Server matched our pinned cert or public key
|
|
|
|
statusCode: 200
|
|
|
|
headers: max-age=0; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="RRM1dGqnDFsCJXBTHky16vi1obOlCgFFn/yOhI/y+ho="; pin-sha256="k2v657xBsOVe1PQRwOsHsw3bsGT2VzIqz5K+59sNQws="; pin-sha256="K87oWBWM9UZfyddvDfoxL+8lpNyoUB2ptGtn0fv6G2Q="; pin-sha256="IQBnNBEiFuhj+8x6X8XLgh01V9Ic5/V3IRQLNFFc7v4="; pin-sha256="iie1VXtL7HzAMF+/PVPR9xzT80kQxdZeJ+zduCB3uj0="; pin-sha256="LvRiGEjRqfzurezaWuj8Wie2gyHMrW5Q06LspMnox7A="; includeSubDomains
|
|
|
|
```
|
|
|
|
|
2015-11-28 00:30:32 +01:00
|
|
|
[`Agent`]: #https_class_https_agent
|
2017-06-02 17:07:06 +02:00
|
|
|
[`URL`]: url.html#url_the_whatwg_url_api
|
2015-11-28 00:30:32 +01:00
|
|
|
[`http.Agent`]: http.html#http_class_http_agent
|
2019-03-04 17:28:29 +01:00
|
|
|
[`http.Agent(options)`]: http.html#http_new_agent_options
|
2018-11-28 15:48:07 +01:00
|
|
|
[`http.Server#headersTimeout`]: http.html#http_server_headerstimeout
|
2015-10-29 20:53:43 +01:00
|
|
|
[`http.Server#keepAliveTimeout`]: http.html#http_server_keepalivetimeout
|
2018-04-22 20:48:41 +02:00
|
|
|
[`http.Server#maxHeadersCount`]: http.html#http_server_maxheaderscount
|
2017-05-08 18:30:13 +02:00
|
|
|
[`http.Server#setTimeout()`]: http.html#http_server_settimeout_msecs_callback
|
|
|
|
[`http.Server#timeout`]: http.html#http_server_timeout
|
|
|
|
[`http.Server`]: http.html#http_class_http_server
|
2015-11-28 00:30:32 +01:00
|
|
|
[`http.close()`]: http.html#http_server_close_callback
|
2018-11-27 20:49:21 +01:00
|
|
|
[`http.createServer()`]: http.html#http_http_createserver_options_requestlistener
|
2015-11-28 00:30:32 +01:00
|
|
|
[`http.get()`]: http.html#http_http_get_options_callback
|
|
|
|
[`http.request()`]: http.html#http_http_request_options_callback
|
|
|
|
[`https.Agent`]: #https_class_https_agent
|
|
|
|
[`https.request()`]: #https_https_request_options_callback
|
2017-10-06 20:50:47 +02:00
|
|
|
[`net.Server`]: net.html#net_class_net_server
|
2018-04-25 02:37:43 +02:00
|
|
|
[`new URL()`]: url.html#url_constructor_new_url_input_base
|
2017-10-06 20:50:47 +02:00
|
|
|
[`server.listen()`]: net.html#net_server_listen
|
2015-11-28 00:30:32 +01:00
|
|
|
[`tls.connect()`]: tls.html#tls_tls_connect_options_callback
|
2017-03-04 00:23:48 +01:00
|
|
|
[`tls.createSecureContext()`]: tls.html#tls_tls_createsecurecontext_options
|
2017-05-08 18:30:13 +02:00
|
|
|
[`tls.createServer()`]: tls.html#tls_tls_createserver_options_secureconnectionlistener
|
2019-03-04 17:28:29 +01:00
|
|
|
[`Session Resumption`]: tls.html#tls_session_resumption
|
2019-04-19 21:51:24 +02:00
|
|
|
[sni wiki]: https://en.wikipedia.org/wiki/Server_Name_Indication
|