SslOptions
SslOptions()
SSL/TLS options for secure connections. Based on Node.js tls.ConnectionOptions which extends SecureContextOptions and CommonConnectionOptions.
Constructor
new SslOptions()
Members
(nullable) ca :string|Buffer|Array.<(string|Buffer)>
Optionally override the trusted CA certificates. When not provided, uses OpenSSL defaults (which in most cases means system trusted certificates). Setting this option replaces the default CA certificates, rather than adding to them.
Corresponds to SSL_CTX_set_cert_store
Warning: Behavior when this option is unset differs from Node.js defaults.
Type:
- string | Buffer | Array.<(string|Buffer)>
(nullable) cert :string|Buffer
Cert chains in PEM format. One cert chain should be provided per private key. Each cert chain should consist of the PEM formatted certificate for a provided private key, followed by the PEM formatted intermediate certificates (if any), in order, and not including the root CA (the root CA must be pre-known to the peer, see ca). If the intermediate certificates are not provided, the peer will not be able to validate the certificate, and the handshake will fail.
Only a single cert chain is currently supported by the driver.
Corresponds to SSL_CTX_use_certificate for the first certificate in the chain and SSL_CTX_add_extra_chain_cert for the subsequent certificates in the chain.
Type:
- string | Buffer
(nullable) ciphers :string
Cipher suite specification, replacing the default. For more information, see modifying the default cipher suite. Permitted ciphers can be obtained via tls.getCiphers(). Cipher names must be uppercased in order for OpenSSL to accept them.
Corresponds to SSL_set_ciphersuites for ciphers with the TLS_ prefix and SSL_CTX_set_cipher_list for the remaining ciphers.
Type:
- string
(nullable) ecdhCurve :string
A string describing a named curve or a colon separated list of curve NIDs or names, for example P-521:P-384:P-256, to use for ECDH key agreement. Set to auto to select the curve automatically. Use crypto.getCurves() to obtain a list of available curve names. On recent releases, openssl ecparam -list_curves will also display the name and description of each available elliptic curve. Default: tls.DEFAULT_ECDH_CURVE.
Corresponds to SSL_CTX_set1_curves
Type:
- string
(nullable) honorCipherOrder :boolean
Attempt to use the server's cipher suite preferences instead of the client's. When true, causes SSL_OP_CIPHER_SERVER_PREFERENCE to be set in secureOptions.
Type:
- boolean
(nullable) key :string|Buffer
Private keys in PEM format. PEM allows the option of private keys being encrypted. Encrypted keys will be decrypted with options.passphrase.
Only a single cert chain, and as a result a single private key, is currently supported by the driver.
Corresponds to SSL_CTX_use_PrivateKey
Type:
- string | Buffer
(nullable) maxVersion :'TLSv1.3'|'TLSv1.2'|'TLSv1.1'|'TLSv1'
Optionally set the maximum TLS version to allow. One of 'TLSv1.3', 'TLSv1.2', 'TLSv1.1', or 'TLSv1'.
Default: 'TLSv1.3'
Warning: In Node.js it was possible to modify default values using CLI options. This is not possible here.
Type:
- 'TLSv1.3' | 'TLSv1.2' | 'TLSv1.1' | 'TLSv1'
(nullable) minVersion :'TLSv1.3'|'TLSv1.2'|'TLSv1.1'|'TLSv1'
Optionally set the minimum TLS version to allow. One of 'TLSv1.3', 'TLSv1.2', 'TLSv1.1', or 'TLSv1'. It is not recommended to use less than TLSv1.2, but it may be required for interoperability.
Default: 'TLSv1.2'
Warning: In Node.js it was possible to modify default values using CLI options. This is not possible here.
Type:
- 'TLSv1.3' | 'TLSv1.2' | 'TLSv1.1' | 'TLSv1'
(nullable) passphrase :string
Shared passphrase used for a single private key and/or a PFX.
Type:
- string
(nullable) pfx :string|Buffer
PFX or PKCS12 encoded private key and certificate chain. pfx is an alternative to providing key and cert individually. PFX is usually encrypted; if it is, passphrase will be used to decrypt it.
Only a single cert chain is currently supported by the driver.
This is equivalent to setting both the cert and key fields.
Type:
- string | Buffer
(nullable) rejectUnauthorized :boolean
If true, the server will reject any connection which is not authorized with the list of supplied CAs. This option only has an effect if requestCert is true.
Corresponds to SSL_CTX_set_verify
Type:
- boolean
- Default Value: true
(nullable) secureOptions :number
Optionally affect the OpenSSL protocol behavior, which is not usually necessary.
This should be used carefully if at all!
Value is a numeric bitmask of the SSL_OP_* options from OpenSSL Options.
Corresponds to the options parameter in SSL_CTX_set_options
Type:
- number
(nullable) sigalgs :string
Colon-separated list of supported signature algorithms. The list can contain digest algorithms (SHA256, MD5 etc.), public key algorithms (RSA-PSS, ECDSA etc.), a combination of both (e.g. 'RSA+SHA384') or TLS v1.3 scheme names (e.g. rsa_pss_pss_sha512).
Corresponds to SSL_CTX_set1_sigalgs
Type:
- string