summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorFedor Indutny <fedor@indutny.com>2014-09-01 18:44:57 +0400
committerFedor Indutny <fedor@indutny.com>2014-09-03 17:36:54 +0400
commit73631bbcc83888ec61a0aebf4eff3904e9384a2e (patch)
tree7077275225c1e0c1d0d8977faf6e46a5954cad1e
parent7343c77cdba04e3b7ea6041285fe9b1e9f4fdaeb (diff)
downloadnodejs-73631bbcc83888ec61a0aebf4eff3904e9384a2e.tar.gz
nodejs-73631bbcc83888ec61a0aebf4eff3904e9384a2e.tar.bz2
nodejs-73631bbcc83888ec61a0aebf4eff3904e9384a2e.zip
tls: support multiple keys/certs
Required to serve website with both ECDSA/RSA certificates.
-rw-r--r--doc/api/tls.markdown8
-rw-r--r--lib/_tls_common.js26
-rw-r--r--test/simple/test-tls-multi-key.js74
3 files changed, 100 insertions, 8 deletions
diff --git a/doc/api/tls.markdown b/doc/api/tls.markdown
index 57d1db9a1..36d88a7f5 100644
--- a/doc/api/tls.markdown
+++ b/doc/api/tls.markdown
@@ -122,12 +122,12 @@ automatically set as a listener for the [secureConnection][] event. The
the `key`, `cert` and `ca` options.)
- `key`: A string or `Buffer` containing the private key of the server in
- PEM format. (Required)
+ PEM format. (Could be an array of keys). (Required)
- `passphrase`: A string of passphrase for the private key or pfx.
- `cert`: A string or `Buffer` containing the certificate key of the server in
- PEM format. (Required)
+ PEM format. (Could be an array of certs). (Required)
- `ca`: An array of strings or `Buffer`s of trusted certificates in PEM
format. If this is omitted several well known "root" CAs will be used,
@@ -303,12 +303,12 @@ Creates a new client connection to the given `port` and `host` (old API) or
CA certs of the client in PFX or PKCS12 format.
- `key`: A string or `Buffer` containing the private key of the client in
- PEM format.
+ PEM format. (Could be an array of keys).
- `passphrase`: A string of passphrase for the private key or pfx.
- `cert`: A string or `Buffer` containing the certificate key of the client in
- PEM format.
+ PEM format. (Could be an array of certs).
- `ca`: An array of strings or `Buffer`s of trusted certificates in PEM
format. If this is omitted several well known "root" CAs will be used,
diff --git a/lib/_tls_common.js b/lib/_tls_common.js
index f7f2ad86e..01efcebc1 100644
--- a/lib/_tls_common.js
+++ b/lib/_tls_common.js
@@ -64,10 +64,21 @@ exports.createSecureContext = function createSecureContext(options, context) {
if (context) return c;
if (options.key) {
- if (options.passphrase) {
- c.context.setKey(options.key, options.passphrase);
+ if (Array.isArray(options.key)) {
+ for (var i = 0; i < options.key.length; i++) {
+ var key = options.key[i];
+
+ if (key.passphrase)
+ c.context.setKey(key.pem, key.passphrase);
+ else
+ c.context.setKey(key);
+ }
} else {
- c.context.setKey(options.key);
+ if (options.passphrase) {
+ c.context.setKey(options.key, options.passphrase);
+ } else {
+ c.context.setKey(options.key);
+ }
}
}
@@ -85,7 +96,14 @@ exports.createSecureContext = function createSecureContext(options, context) {
c.context.addRootCerts();
}
- if (options.cert) c.context.setCert(options.cert);
+ if (options.cert) {
+ if (Array.isArray(options.cert)) {
+ for (var i = 0; i < options.cert.length; i++)
+ c.context.setCert(options.cert[i]);
+ } else {
+ c.context.setCert(options.cert);
+ }
+ }
if (options.ciphers)
c.context.setCiphers(options.ciphers);
diff --git a/test/simple/test-tls-multi-key.js b/test/simple/test-tls-multi-key.js
new file mode 100644
index 000000000..e00c40409
--- /dev/null
+++ b/test/simple/test-tls-multi-key.js
@@ -0,0 +1,74 @@
+// Copyright Joyent, Inc. and other Node contributors.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a
+// copy of this software and associated documentation files (the
+// "Software"), to deal in the Software without restriction, including
+// without limitation the rights to use, copy, modify, merge, publish,
+// distribute, sublicense, and/or sell copies of the Software, and to permit
+// persons to whom the Software is furnished to do so, subject to the
+// following conditions:
+//
+// The above copyright notice and this permission notice shall be included
+// in all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+// OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
+// NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
+// DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
+// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
+// USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+if (!process.versions.openssl) {
+ console.error('Skipping because node compiled without OpenSSL.');
+ process.exit(0);
+}
+
+var common = require('../common');
+var assert = require('assert');
+var tls = require('tls');
+var fs = require('fs');
+
+var options = {
+ key: [
+ fs.readFileSync(common.fixturesDir + '/keys/agent1-key.pem'),
+ fs.readFileSync(common.fixturesDir + '/keys/ec-key.pem')
+ ],
+ cert: [
+ fs.readFileSync(common.fixturesDir + '/keys/agent1-cert.pem'),
+ fs.readFileSync(common.fixturesDir + '/keys/ec-cert.pem')
+ ]
+};
+
+var ciphers = [];
+
+var server = tls.createServer(options, function(conn) {
+ conn.end('ok');
+}).listen(common.PORT, function() {
+ var ecdsa = tls.connect(common.PORT, {
+ ciphers: 'ECDHE-ECDSA-AES256-GCM-SHA384',
+ rejectUnauthorized: false
+ }, function() {
+ var rsa = tls.connect(common.PORT, {
+ ciphers: 'ECDHE-RSA-AES256-GCM-SHA384',
+ rejectUnauthorized: false
+ }, function() {
+ ecdsa.destroy();
+ rsa.destroy();
+
+ ciphers.push(ecdsa.getCipher());
+ ciphers.push(rsa.getCipher());
+ server.close();
+ });
+ });
+});
+
+process.on('exit', function() {
+ assert.deepEqual(ciphers, [{
+ name: 'ECDHE-ECDSA-AES256-GCM-SHA384',
+ version: 'TLSv1/SSLv3'
+ }, {
+ name: 'ECDHE-RSA-AES256-GCM-SHA384',
+ version: 'TLSv1/SSLv3'
+ }]);
+});