UNPKG

starttls

Version:

Upgrade a regular `net.Stream` connection to a secure `tls` connection.

github.com/mattcg/starttls

mattcg/starttls

76 lines (50 loc) 2.87 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
# Start TLS # [![Build Status](https://travis-ci.org/mattcg/starttls.png?branch=master)](https://travis-ci.org/mattcg/starttls) Upgrade a regular [`net.Stream`](http://nodejs.org/api/net.html#net_class_net_socket) connection to a secure [`tls`](http://nodejs.org/api/tls.html) connection. Based on code by [Andris Reinman](https://github.com/andris9/rai/blob/master/lib/starttls.js), itself based on an older version by [Nathan Rajlich](https://gist.github.com/TooTallNate/848444). ## Usage ## This library has one method and accepts either an options hash or a prepared socket as the first argument. It returns a [`SecurePair`](http://nodejs.org/api/tls.html#tls_class_securepair). ### starttls(options, [onSecure]), starttls(socket, [onSecure]) ### The following options are supported: - `socket` - if not provided, a socket will be created using [`net.createConnection`](http://nodejs.org/api/net.html#net_net_createconnection_options_connectionlistener) - `host` - used to perform automatic certificate identity checking, to guard against MITM attacks - `port` - only used to create a socket (along with the `host` option) if `socket` is not provided - `pair` - if you want to provide your own [`SecurePair`](http://nodejs.org/api/tls.html#tls_class_securepair) object The `onSecure` callback is optional and receives `null` or an error object as the first argument (see below for error cases). Within the callback context, `this` refers to the same [`SecurePair`](http://nodejs.org/api/tls.html#tls_class_securepair) object returned by `starttls`. ```javascript var net = require('net'); var starttls = require('starttls'); var options = { port: 21, host: example.com }; net.createConnection(options, function() { options.socket = this; starttls(options, function(err) { if (err) { // Something bad happened! return; } this.cleartext.write('garbage'); }); }); ``` You should always check for an error before writing to the stream to avoid man-in-the-middle attacks. Errors are produced in the following cases: - the certificate authority authorization check failed or was negative - the server identity check was negative If you only pass a socket object, server identity checking will not be performed automatically. In that case you should perform the check manually. ```javascript starttls(socket, function(err) { if (!tls.checkServerIdentity(host, this.cleartext.getPeerCertificate())) { // Hostname mismatch! // Report error and end connection... } }); ``` ## Example ## See [socks5-https-client](https://github.com/mattcg/socks5-https-client) for use-case. ## Tests ## Run `make test` or `npm test` to run tests. ## License ## Portions of this code copyright (c) 2012, Andris Reinman and copyright (c) 2011, Nathan Rajlich. Modified and redistributed under an [MIT license](http://mattcg.mit-license.org/).