field | value | date
---|---|---
author | Sam Roberts <vieuxtech@gmail.com> | 2016-12-21 09:33:13 -0800
committer | Myles Borins <mylesborins@google.com> | 2017-04-18 20:01:53 -0400
commit | f1c2f2675c90b02265071eb90f6942fa2f913316 |
tree | 5f727c78bf46e7bd7e9d8d46b8c2bf1547ebe022 /doc |
parent | a1cb6992d9dd933fb92f451d21fa712e9ffedb3f |
download | node-new-f1c2f2675c90b02265071eb90f6942fa2f913316.tar.gz |
doc,test: tls .ca option supports multi-PEM files
Backport-PR-URL: https://github.com/nodejs/node/pull/12468
PR-URL: https://github.com/nodejs/node/pull/10389
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Diffstat (limited to 'doc')
-rw-r--r-- | doc/api/tls.md | 19 |
1 file changed, 15 insertions, 4 deletions
diff --git a/doc/api/tls.md b/doc/api/tls.md index 5b0cef22f0..ee3d37d6a4 100644 --- a/doc/api/tls.md +++ b/doc/api/tls.md @@ -906,10 +906,21 @@ added: v0.11.13 the same order as their private keys in `key`. If the intermediate certificates are not provided, the peer will not be able to validate the certificate, and the handshake will fail. - * `ca`{string|string[]|Buffer|Buffer[]} Optional CA certificates to trust. - Default is the well-known CAs from Mozilla. When connecting to peers that - use certificates issued privately, or self-signed, the private root CA or - self-signed certificate must be provided to verify the peer. + * `ca` {string|string[]|Buffer|Buffer[]} Optionally override the trusted CA + certificates. Default is to trust the well-known CAs curated by Mozilla. + Mozilla's CAs are completely replaced when CAs are explicitly specified + using this option. The value can be a string or Buffer, or an Array of + strings and/or Buffers. Any string or Buffer can contain multiple PEM CAs + concatenated together. The peer's certificate must be chainable to a CA + trusted by the server for the connection to be authenticated. When using + certificates that are not chainable to a well-known CA, the certificate's CA + must be explicitly specified as a trusted or the connection will fail to + authenticate. + If the peer uses a certificate that doesn't match or chain to one of the + default CAs, use the `ca` option to provide a CA certificate that the peer's + certificate can match or chain to. + For self-signed certificates, the certificate is its own CA, and must be + provided. * `crl` {string|string[]|Buffer|Buffer[]} Optional PEM formatted CRLs (Certificate Revocation Lists). * `ciphers` {string} Optional cipher suite specification, replacing the |
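Review bot: the new `ca` text says the peer's certificate "must be chainable to a CA trusted by the server", but this option is set by both ends of a TLS connection, and the sentence it replaces ("When connecting to peers that use certificates issued privately...") described the client verifying a server; suggest "trusted by the verifying side" or "by the side performing verification" so the client case is not read out of the docs. Two smaller points in the same hunk: "must be explicitly specified as a trusted or the connection will fail to authenticate" is missing a noun ("as a trusted CA"), and the three sentences starting "The peer's certificate must be chainable...", "If the peer uses a certificate that doesn't match or chain to...", and "For self-signed certificates, the certificate is its own CA..." state the same rule three times; folding them into one sentence (the peer's certificate must chain to, or be, one of the certificates given in `ca`, which for a self-signed certificate means the certificate itself) would keep the useful self-signed note without the repetition.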