module ssl
The ssl module is fibjs's built-in encryption module. It is used to establish SSL/TLS-protected network connections and provides certificate-based cryptographic verification, so that client and server can make sure the connection is secure.
The ssl module contains several objects and constants that together cover a complete SSL client/server communication. The commonly used objects are:
- SslSocket: an SSL socket object that wraps the underlying Socket; it can perform two-way (mutual) authentication and the other communication operations with the remote server.
- SslHandler: SSL protocol conversion handler, used to convert data streams into the SSL stream protocol; suitable for building server-side services.
- SslServer: SSL server object, convenient for building standard multi-fiber SSL servers.
The following uses ssl.Server as an example to introduce the use of the ssl module.
ssl.Server is a basic SSL server that provides an SSL-based network service. With the ssl.Server class you can quickly create a server based on SSL/TLS that is compatible with essentially all features of TCP/HTTP services. It has the following characteristics:
- It comes with an X.509 certificate manager that supports multiple domain name certificates, wildcards, SAN certificates and other functions.
- It has the same interface and usage as the TCP server, and the upper-layer code does not need to care about the difference between SSL connection and TCP connection.
- All SSL/TLS security protocols are implemented using the built-in OpenSSL library.
- Supports protocol extension functions such as SNI and ALPN.
Here's a simple example:
const ssl = require('ssl');
const http = require('http');
const crypto = require('crypto');

// read cert and key
let key = crypto.loadPKey('mycert.key');
let cert = crypto.loadCert('mycert.pem');

// create ssl server
const svr = new ssl.Server(cert, key, 8080, s => {
    var data;
    while (data = s.read()) {
        console.log(`received data: ${data.toString()}`);
        s.write(data.toString().toUpperCase());
    }
});

// start server
svr.start();
In the code above, we first load the SSL certificate and private key files and then create an SSL server instance. In the server's callback, each chunk of data received from the client is converted to uppercase and returned to the client through the write function.
object
Socket
Create an SslSocket object; see SslSocket
SslSocket ssl.Socket;
Handler
Create an SslHandler object; see SslHandler
SslHandler ssl.Handler;
Server
Create an SslServer object; see SslServer
SslServer ssl.Server;
static function
connect
Create an SslSocket object and establish a connection
static Stream ssl.connect(String url,
                          Integer timeout = 0) async;
Call parameters:
- url: String, the connection URL, in the form ssl://host:port
- timeout: Integer, specifies the timeout, the unit is milliseconds, the default is 0
Return results:
Create an SslSocket object and establish a connection
static Stream ssl.connect(String url,
                          X509Cert crt,
                          PKey key,
                          Integer timeout = 0) async;
Call parameters:
- url: String, the connection URL, in the form ssl://host:port
- crt: X509Cert, client certificate, sent to the server so that it can verify the client
- key: PKey, private key for the client certificate, used for the session
- timeout: Integer, specifies the timeout, the unit is milliseconds, the default is 0
Return results:
Create an SslSocket object and establish a connection
static Stream ssl.connect(String url,
                          Integer verification,
                          X509Cert crt,
                          PKey key,
                          Integer timeout = 0) async;
Call parameters:
- url: String, the connection URL, in the form ssl://host:port
- verification: Integer, certificate verification mode (one of VERIFY_NONE, VERIFY_OPTIONAL, VERIFY_REQUIRED)
- crt: X509Cert, client certificate, sent to the server so that it can verify the client
- key: PKey, private key for the client certificate, used for the session
- timeout: Integer, specifies the timeout, the unit is milliseconds, the default is 0
Return results:
setClientCert
Set the default client certificate
static ssl.setClientCert(X509Cert crt,
                         PKey key);
Call parameters:
- crt: X509Cert, client certificate, sent to the server so that it can verify the client
- key: PKey, private key for the client certificate, used for the session
loadRootCerts
Load the built-in default root certificates; equivalent to ssl.ca.loadRootCerts
static ssl.loadRootCerts();
The content of these certificates comes from: http://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
static properties
ca
X509Cert, the global certificate store used in SSL client mode to verify the server certificate
static readonly X509Cert ssl.ca;
verification
Integer, the certificate verification mode; the default is VERIFY_REQUIRED
static Integer ssl.verification;
constant
VERIFY_NONE
Certificate verification mode: no verification
const ssl.VERIFY_NONE = 0;
VERIFY_OPTIONAL
Certificate verification mode: optional verification; a failed verification is allowed and the connection proceeds
const ssl.VERIFY_OPTIONAL = 1;
VERIFY_REQUIRED
Certificate verification mode: verification is required, and the connection is aborted if it fails
const ssl.VERIFY_REQUIRED = 2;
BADCERT_EXPIRED
Certificate verification result: the certificate has expired
const ssl.BADCERT_EXPIRED = 1;
BADCERT_REVOKED
Certificate verification result: the certificate has been revoked
const ssl.BADCERT_REVOKED = 2;
BADCERT_CN_MISMATCH
Certificate verification result: the certificate name (CN) does not match
const ssl.BADCERT_CN_MISMATCH = 4;
BADCERT_NOT_TRUSTED
Certificate verification result: the certificate is not trusted
const ssl.BADCERT_NOT_TRUSTED = 8;
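The verification modes taken by ssl.connect and ssl.verification, and the BADCERT_* result flags listed just above, fit together as follows. The block below is an added example in plain JavaScript, not fibjs code, and it does not open a TLS connection: it models the decision that the three modes imply for a given verification result. The constant values are the ones on this page; the accept/reject policy per mode (VERIFY_OPTIONAL proceeds despite findings, VERIFY_REQUIRED aborts on any flag, VERIFY_NONE checks nothing) is this example's reading of the descriptions above, and the scenarios in demo() are constructed.

```javascript
'use strict';
// Added example, not fibjs's own code. It models the verification modes and
// BADCERT_* result flags documented on this page so the accept/reject
// decision can be read and tested without a live TLS peer. The numeric values
// are the page's; the policy applied per mode is this example's reading of the
// page's one-line descriptions (an assumption, not fibjs internals).

const VERIFY_NONE = 0;      // no verification
const VERIFY_OPTIONAL = 1;  // verify, but tolerate failure
const VERIFY_REQUIRED = 2;  // verify, abort on failure (the documented default)

const MODE_NAMES = Object.freeze({
  [VERIFY_NONE]: 'VERIFY_NONE',
  [VERIFY_OPTIONAL]: 'VERIFY_OPTIONAL',
  [VERIFY_REQUIRED]: 'VERIFY_REQUIRED',
});

// The result flags are powers of two, so a verification result is a bitmask in
// which several problems can be set at once (e.g. 9 = expired AND not trusted).
const BADCERT = Object.freeze({
  BADCERT_EXPIRED: 1,
  BADCERT_REVOKED: 2,
  BADCERT_CN_MISMATCH: 4,
  BADCERT_NOT_TRUSTED: 8,
});

// Split a result bitmask into the names of the flags it carries. Bits outside
// the four documented flags are reported as UNKNOWN_0x.. rather than dropped,
// so an unexpected value is never silently treated as "no problem".
function decodeBadcert(mask) {
  if (!Number.isInteger(mask) || mask < 0) {
    throw new TypeError(`verification result must be a non-negative integer, got ${mask}`);
  }
  const names = [];
  let rest = mask;
  for (const [name, bit] of Object.entries(BADCERT)) {
    if (mask & bit) {
      names.push(name);
      rest &= ~bit;
    }
  }
  if (rest !== 0) names.push(`UNKNOWN_0x${rest.toString(16)}`);
  return names;
}

// Decide whether a handshake may continue under the given mode. The returned
// object is meant to be logged: which mode applied, whether the chain was
// checked at all, what was wrong with it, and the final verdict.
function evaluateCertificate(mode, resultMask) {
  const modeName = MODE_NAMES[mode];
  if (modeName === undefined) {
    throw new RangeError(`unknown verification mode ${mode}`);
  }
  if (mode === VERIFY_NONE) {
    // Nothing is verified, so there are no findings and the peer is accepted.
    return { mode: modeName, checked: false, problems: [], accept: true };
  }
  const problems = decodeBadcert(resultMask);
  // VERIFY_OPTIONAL records the problems but lets the connection proceed;
  // VERIFY_REQUIRED rejects as soon as any flag is set.
  const accept = mode === VERIFY_OPTIONAL || problems.length === 0;
  return { mode: modeName, checked: true, problems, accept };
}

// Constructed scenarios (not real handshake results) covering the three modes.
function demo() {
  const scenarios = [
    [VERIFY_REQUIRED, 0],
    [VERIFY_REQUIRED, BADCERT.BADCERT_CN_MISMATCH],
    [VERIFY_OPTIONAL, BADCERT.BADCERT_EXPIRED | BADCERT.BADCERT_NOT_TRUSTED],
    [VERIFY_NONE, BADCERT.BADCERT_REVOKED],
  ];
  return scenarios.map(([mode, mask]) => evaluateCertificate(mode, mask));
}

if (typeof module !== 'undefined' && require.main === module) {
  for (const r of demo()) {
    console.log(`${r.mode.padEnd(15)} checked=${r.checked} accept=${r.accept} problems=${r.problems.join(',') || '-'}`);
  }
}
```

In fibjs the equivalent decision is made inside the library; what the example makes visible is why VERIFY_REQUIRED, the documented default for ssl.verification, is the setting to keep. Under VERIFY_OPTIONAL or VERIFY_NONE a certificate that is expired, revoked, issued for a different name, or not anchored in ssl.ca still yields a working connection, so a client configured that way needs some other check on the peer's identity.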