options
{Object}enableTrace
: See [tls.createServer()
][]host
{string} Host the client should connect to. Default:'localhost'
.port
{number} Port the client should connect to.path
{string} Creates Unix socket connection to path. If this option is specified,host
andport
are ignored.socket
{stream.Duplex} Establish secure connection on a given socket rather than creating a new socket. Typically, this is an instance of [net.Socket
][], but anyDuplex
stream is allowed. If this option is specified,path
,host
andport
are ignored, except for certificate validation. Usually, a socket is already connected when passed totls.connect()
, but it can be connected later. Connection/disconnection/destruction ofsocket
is the user’s responsibility; callingtls.connect()
will not causenet.connect()
to be called.allowHalfOpen
{boolean} If thesocket
option is missing, indicates whether or not to allow the internally created socket to be half-open, otherwise the option is ignored. See theallowHalfOpen
option of [net.Socket
][] for details. Default:false
.rejectUnauthorized
{boolean} If notfalse
, the server certificate is verified against the list of supplied CAs. An'error'
event is emitted if verification fails;err.code
contains the OpenSSL error code. Default:true
.pskCallback
{Function}- hint: {string} optional message sent from the server to help client
decide which identity to use during negotiation.
Always
null
if TLS 1.3 is used. - Returns: {Object} in the form
{ psk: <Buffer|TypedArray|DataView>, identity: <string> }
ornull
to stop the negotiation process.psk
must be compatible with the selected cipher’s digest.identity
must use UTF-8 encoding. When negotiating TLS-PSK (pre-shared keys), this function is called with optional identityhint
provided by the server ornull
in case of TLS 1.3 wherehint
was removed. It will be necessary to provide a customtls.checkServerIdentity()
for the connection as the default one will try to check host name/IP of the server against the certificate but that’s not applicable for PSK because there won’t be a certificate present. More information can be found in the [RFC 4279][].
- hint: {string} optional message sent from the server to help client
decide which identity to use during negotiation.
Always
ALPNProtocols
: {string[]|Buffer[]|TypedArray[]|DataView[]|Buffer| TypedArray|DataView} An array of strings,Buffer
s orTypedArray
s orDataView
s, or a singleBuffer
orTypedArray
orDataView
containing the supported ALPN protocols.Buffer
s should have the format[len][name][len][name]...
e.g.'\x08http/1.1\x08http/1.0'
, where thelen
byte is the length of the next protocol name. Passing an array is usually much simpler, e.g.['http/1.1', 'http/1.0']
. Protocols earlier in the list have higher preference than those later.servername
: {string} Server name for the SNI (Server Name Indication) TLS extension. It is the name of the host being connected to, and must be a host name, and not an IP address. It can be used by a multi-homed server to choose the correct certificate to present to the client, see theSNICallback
option to [tls.createServer()
][].checkServerIdentity(servername, cert)
{Function} A callback function to be used (instead of the builtintls.checkServerIdentity()
function) when checking the server’s host name (or the providedservername
when explicitly set) against the certificate. This should return an {Error} if verification fails. The method should returnundefined
if theservername
andcert
are verified.session
{Buffer} ABuffer
instance, containing TLS session.minDHSize
{number} Minimum size of the DH parameter in bits to accept a TLS connection. When a server offers a DH parameter with a size less thanminDHSize
, the TLS connection is destroyed and an error is thrown. Default:1024
.highWaterMark
: {number} Consistent with the readable streamhighWaterMark
parameter. Default:16 * 1024
.secureContext
: TLS context object created with [tls.createSecureContext()
][]. If asecureContext
is not provided, one will be created by passing the entireoptions
object totls.createSecureContext()
.- …: [
tls.createSecureContext()
][] options that are used if thesecureContext
option is missing, otherwise they are ignored. - …: Any [
socket.connect()
][] option not already listed.
callback
{Function}- Returns: {tls.TLSSocket}
The callback
function, if specified, will be added as a listener for the
['secureConnect'
][] event.
tls.connect()
returns a [tls.TLSSocket
][] object.
Unlike the https
API, tls.connect()
does not enable the
SNI (Server Name Indication) extension by default, which may cause some
servers to return an incorrect certificate or reject the connection
altogether. To enable SNI, set the servername
option in addition
to host
.
The following illustrates a client for the echo server example from
[tls.createServer()
][]:
// Assumes an echo server that is listening on port 8000.
const tls = require('tls');
const fs = require('fs');
const options = {
// Necessary only if the server requires client certificate authentication.
key: fs.readFileSync('client-key.pem'),
cert: fs.readFileSync('client-cert.pem'),
// Necessary only if the server uses a self-signed certificate.
ca: [ fs.readFileSync('server-cert.pem') ],
// Necessary only if the server's cert isn't for "localhost".
checkServerIdentity: () => { return null; },
};
const socket = tls.connect(8000, options, () => {
console.log('client connected',
socket.authorized ? 'authorized' : 'unauthorized');
process.stdin.pipe(socket);
process.stdin.resume();
});
socket.setEncoding('utf8');
socket.on('data', (data) => {
console.log(data);
});
socket.on('end', () => {
console.log('server ends connection');
});