Accepts encrypted connections using TLS or SSL.
Node.js module
tls
The 'node:tls' module provides an API for implementing TLS and SSL secure network communication. It wraps OpenSSL to create secure TCP connections via tls.createServer and tls.connect.
Features include certificate parsing, client authorization, secure context management, and TLS session resumption.
Works in Bun
Core TLS/SSL functionality works. The deprecated `tls.createSecurePair` method is missing.
class Server
- maxConnections: number
Set this property to reject connections when the server's connection count gets high.
It is not recommended to use this option once a socket has been sent to a child with `child_process.fork()`.
- static captureRejections: boolean
Value: boolean
Change the default `captureRejections` option on all new `EventEmitter` objects.
- readonly static captureRejectionSymbol: typeof captureRejectionSymbol
Value: `Symbol.for('nodejs.rejection')`
See how to write a custom rejection handler.
- static defaultMaxListeners: number
By default, a maximum of `10` listeners can be registered for any single event. This limit can be changed for individual `EventEmitter` instances using the `emitter.setMaxListeners(n)` method. To change the default for all `EventEmitter` instances, the `events.defaultMaxListeners` property can be used. If this value is not a positive number, a `RangeError` is thrown.
Take caution when setting the `events.defaultMaxListeners` because the change affects all `EventEmitter` instances, including those created before the change is made. However, calling `emitter.setMaxListeners(n)` still has precedence over `events.defaultMaxListeners`.
This is not a hard limit. The `EventEmitter` instance will allow more listeners to be added but will output a trace warning to stderr indicating that a "possible EventEmitter memory leak" has been detected. For any single `EventEmitter`, the `emitter.getMaxListeners()` and `emitter.setMaxListeners()` methods can be used to temporarily avoid this warning:

```js
import { EventEmitter } from 'node:events';
const emitter = new EventEmitter();
emitter.setMaxListeners(emitter.getMaxListeners() + 1);
emitter.once('event', () => {
  // do stuff
  emitter.setMaxListeners(Math.max(emitter.getMaxListeners() - 1, 0));
});
```

The `--trace-warnings` command-line flag can be used to display the stack trace for such warnings.
The emitted warning can be inspected with `process.on('warning')` and will have the additional `emitter`, `type`, and `count` properties, referring to the event emitter instance, the event's name and the number of attached listeners, respectively. Its `name` property is set to `'MaxListenersExceededWarning'`.
- readonly static errorMonitor: typeof errorMonitor
This symbol shall be used to install a listener for only monitoring `'error'` events. Listeners installed using this symbol are called before the regular `'error'` listeners are called.
Installing a listener using this symbol does not change the behavior once an `'error'` event is emitted. Therefore, the process will still crash if no regular `'error'` listener is installed.
Calls () and returns a promise that fulfills when the server has closed.
- hostname: string,): void;
The `server.addContext()` method adds a secure context that will be used if the client request's SNI name matches the supplied `hostname` (or wildcard).
When there are multiple matching contexts, the most recently added one is used.
@param hostname A SNI host name or wildcard (e.g. `'*'`)
@param context An object containing any of the possible properties from the createSecureContext `options` arguments (e.g. `key`, `cert`, `ca`, etc), or a TLS context object created with createSecureContext itself.
- event: string,listener: (...args: any[]) => void): this;
events.EventEmitter
- tlsClientError
- newSession
- OCSPRequest
- resumeSession
- secureConnection
- keylog
event: 'tlsClientError',): this;
event: 'newSession',listener: (sessionId: NonSharedBuffer, sessionData: NonSharedBuffer, callback: () => void) => void): this;
event: 'secureConnection',): this;
event: 'keylog',): this;
Returns the bound `address`, the address `family` name, and `port` of the server as reported by the operating system if listening on an IP socket (useful to find which port was assigned when getting an OS-assigned address): `{ port: 12346, family: 'IPv4', address: '127.0.0.1' }`.
For a server listening on a pipe or Unix domain socket, the name is returned as a string.

```js
import net from 'node:net';

const server = net.createServer((socket) => {
  socket.end('goodbye\n');
}).on('error', (err) => {
  // Handle errors here.
  throw err;
});

// Grab an arbitrary unused port.
server.listen(() => {
  console.log('opened server on', server.address());
});
```

`server.address()` returns `null` before the `'listening'` event has been emitted or after calling `server.close()`.
- ): this;
Stops the server from accepting new connections and keeps existing connections. This function is asynchronous; the server is finally closed when all connections are ended and the server emits a `'close'` event. The optional `callback` will be called once the `'close'` event occurs. Unlike that event, it will be called with an `Error` as its only argument if the server was not open when it was closed.
@param callback Called when the server is closed.
- emit(event: string | symbol,...args: any[]): boolean;
Synchronously calls each of the listeners registered for the event named `eventName`, in the order they were registered, passing the supplied arguments to each.
Returns `true` if the event had listeners, `false` otherwise.

```js
import { EventEmitter } from 'node:events';
const myEmitter = new EventEmitter();

// First listener
myEmitter.on('event', function firstListener() {
  console.log('Helloooo! first listener');
});
// Second listener
myEmitter.on('event', function secondListener(arg1, arg2) {
  console.log(`event with parameters ${arg1}, ${arg2} in second listener`);
});
// Third listener
myEmitter.on('event', function thirdListener(...args) {
  const parameters = args.join(', ');
  console.log(`event with parameters ${parameters} in third listener`);
});

console.log(myEmitter.listeners('event'));

myEmitter.emit('event', 1, 2, 3, 4, 5);

// Prints:
// [
//   [Function: firstListener],
//   [Function: secondListener],
//   [Function: thirdListener]
// ]
// Helloooo! first listener
// event with parameters 1, 2 in second listener
// event with parameters 1, 2, 3, 4, 5 in third listener
```

emit(event: 'newSession',sessionId: NonSharedBuffer,sessionData: NonSharedBuffer,callback: () => void): boolean;
Returns an array listing the events for which the emitter has registered listeners. The values in the array are strings or `Symbol`s.

```js
import { EventEmitter } from 'node:events';

const myEE = new EventEmitter();
myEE.on('foo', () => {});
myEE.on('bar', () => {});

const sym = Symbol('symbol');
myEE.on(sym, () => {});

console.log(myEE.eventNames());
// Prints: [ 'foo', 'bar', Symbol(symbol) ]
```

- ): this;
Asynchronously get the number of concurrent connections on the server. Works when sockets were sent to forks.
Callback should take two arguments `err` and `count`.
Returns the current max listener value for the `EventEmitter` which is either set by `emitter.setMaxListeners(n)` or defaults to EventEmitter.defaultMaxListeners.
Returns the session ticket keys.
See Session Resumption for more information.
@returns A 48-byte buffer containing the session ticket keys.
- port?: number,hostname?: string,backlog?: number,listeningListener?: () => void): this;
Start a server listening for connections. A `net.Server` can be a TCP or an `IPC` server depending on what it listens to.
Possible signatures:
  - `server.listen(handle[, backlog][, callback])`
  - `server.listen(options[, callback])`
  - `server.listen(path[, backlog][, callback])` for `IPC` servers
  - `server.listen([port[, host[, backlog]]][, callback])` for TCP servers
This function is asynchronous. When the server starts listening, the `'listening'` event will be emitted. The last parameter `callback` will be added as a listener for the `'listening'` event.
All `listen()` methods can take a `backlog` parameter to specify the maximum length of the queue of pending connections. The actual length will be determined by the OS through sysctl settings such as `tcp_max_syn_backlog` and `somaxconn` on Linux. The default value of this parameter is 511 (not 512).
All `Socket` instances are set to `SO_REUSEADDR` (see `socket(7)` for details).
The `server.listen()` method can be called again if and only if there was an error during the first `server.listen()` call or `server.close()` has been called. Otherwise, an `ERR_SERVER_ALREADY_LISTEN` error will be thrown.
One of the most common errors raised when listening is `EADDRINUSE`. This happens when another server is already listening on the requested `port`/`path`/`handle`. One way to handle this would be to retry after a certain amount of time:

```js
// `server`, `PORT` and `HOST` are defined by the surrounding application.
server.on('error', (e) => {
  if (e.code === 'EADDRINUSE') {
    console.error('Address in use, retrying...');
    setTimeout(() => {
      server.close();
      server.listen(PORT, HOST);
    }, 1000);
  }
});
```

The same description applies to the remaining overloads:
port?: number,hostname?: string,listeningListener?: () => void): this;
port?: number,backlog?: number,listeningListener?: () => void): this;
port?: number,listeningListener?: () => void): this;
path: string,backlog?: number,listeningListener?: () => void): this;
path: string,listeningListener?: () => void): this;
listeningListener?: () => void): this;
handle: any,backlog?: number,listeningListener?: () => void): this;
handle: any,listeningListener?: () => void): this;
- eventName: string | symbol,listener?: Function): number;
Returns the number of listeners listening for the event named `eventName`. If `listener` is provided, it will return how many times the listener is found in the list of the listeners of the event.
@param eventName The name of the event being listened for
@param listener The event handler function
- eventName: string | symbol): Function[];
Returns a copy of the array of listeners for the event named `eventName`.

```js
import util from 'node:util';

server.on('connection', (stream) => {
  console.log('someone connected!');
});
console.log(util.inspect(server.listeners('connection')));
// Prints: [ [Function] ]
```

- eventName: string | symbol,listener: (...args: any[]) => void): this;
Alias for `emitter.removeListener()`.
- on(event: string,listener: (...args: any[]) => void): this;
Adds the `listener` function to the end of the listeners array for the event named `eventName`. No checks are made to see if the `listener` has already been added. Multiple calls passing the same combination of `eventName` and `listener` will result in the `listener` being added, and called, multiple times.

```js
server.on('connection', (stream) => {
  console.log('someone connected!');
});
```

Returns a reference to the `EventEmitter`, so that calls can be chained.
By default, event listeners are invoked in the order they are added. The `emitter.prependListener()` method can be used as an alternative to add the event listener to the beginning of the listeners array.

```js
import { EventEmitter } from 'node:events';
const myEE = new EventEmitter();
myEE.on('foo', () => console.log('a'));
myEE.prependListener('foo', () => console.log('b'));
myEE.emit('foo');
// Prints:
//   b
//   a
```

@param listener The callback function
on(event: 'newSession',listener: (sessionId: NonSharedBuffer, sessionData: NonSharedBuffer, callback: () => void) => void): this;
- once(event: string,listener: (...args: any[]) => void): this;
Adds a one-time `listener` function for the event named `eventName`. The next time `eventName` is triggered, this listener is removed and then invoked.

```js
server.once('connection', (stream) => {
  console.log('Ah, we have our first user!');
});
```

Returns a reference to the `EventEmitter`, so that calls can be chained.
By default, event listeners are invoked in the order they are added. The `emitter.prependOnceListener()` method can be used as an alternative to add the event listener to the beginning of the listeners array.

```js
import { EventEmitter } from 'node:events';
const myEE = new EventEmitter();
myEE.once('foo', () => console.log('a'));
myEE.prependOnceListener('foo', () => console.log('b'));
myEE.emit('foo');
// Prints:
//   b
//   a
```

@param listener The callback function
once(event: 'newSession',listener: (sessionId: NonSharedBuffer, sessionData: NonSharedBuffer, callback: () => void) => void): this;
- event: string,listener: (...args: any[]) => void): this;
Adds the `listener` function to the beginning of the listeners array for the event named `eventName`. No checks are made to see if the `listener` has already been added. Multiple calls passing the same combination of `eventName` and `listener` will result in the `listener` being added, and called, multiple times.

```js
server.prependListener('connection', (stream) => {
  console.log('someone connected!');
});
```

Returns a reference to the `EventEmitter`, so that calls can be chained.
@param listener The callback function
event: 'tlsClientError',): this;
event: 'newSession',listener: (sessionId: NonSharedBuffer, sessionData: NonSharedBuffer, callback: () => void) => void): this;
event: 'keylog',): this;
- event: string,listener: (...args: any[]) => void): this;
Adds a one-time `listener` function for the event named `eventName` to the beginning of the listeners array. The next time `eventName` is triggered, this listener is removed, and then invoked.

```js
server.prependOnceListener('connection', (stream) => {
  console.log('Ah, we have our first user!');
});
```

Returns a reference to the `EventEmitter`, so that calls can be chained.
@param listener The callback function
event: 'tlsClientError',): this;
event: 'newSession',listener: (sessionId: NonSharedBuffer, sessionData: NonSharedBuffer, callback: () => void) => void): this;
event: 'keylog',): this;
- eventName: string | symbol): Function[];
Returns a copy of the array of listeners for the event named `eventName`, including any wrappers (such as those created by `.once()`).

```js
import { EventEmitter } from 'node:events';
const emitter = new EventEmitter();
emitter.once('log', () => console.log('log once'));

// Returns a new Array with a function `onceWrapper` which has a property
// `listener` which contains the original listener bound above
const listeners = emitter.rawListeners('log');
const logFnWrapper = listeners[0];

// Logs "log once" to the console and does not unbind the `once` event
logFnWrapper.listener();

// Logs "log once" to the console and removes the listener
logFnWrapper();

emitter.on('log', () => console.log('log persistently'));
// Will return a new Array with a single function bound by `.on()` above
const newListeners = emitter.rawListeners('log');

// Logs "log persistently" twice
newListeners[0]();
emitter.emit('log');
```

Opposite of `unref()`, calling `ref()` on a previously `unref`ed server will not let the program exit if it's the only server left (the default behavior). If the server is `ref`ed calling `ref()` again will have no effect.
- eventName?: string | symbol): this;
Removes all listeners, or those of the specified `eventName`.
It is bad practice to remove listeners added elsewhere in the code, particularly when the `EventEmitter` instance was created by some other component or module (e.g. sockets or file streams).
Returns a reference to the `EventEmitter`, so that calls can be chained.
- eventName: string | symbol,listener: (...args: any[]) => void): this;
Removes the specified `listener` from the listener array for the event named `eventName`.

```js
const callback = (stream) => {
  console.log('someone connected!');
};
server.on('connection', callback);
// ...
server.removeListener('connection', callback);
```

`removeListener()` will remove, at most, one instance of a listener from the listener array. If any single listener has been added multiple times to the listener array for the specified `eventName`, then `removeListener()` must be called multiple times to remove each instance.
Once an event is emitted, all listeners attached to it at the time of emitting are called in order. This implies that any `removeListener()` or `removeAllListeners()` calls after emitting and before the last listener finishes execution will not remove them from `emit()` in progress. Subsequent events behave as expected.

```js
import { EventEmitter } from 'node:events';
class MyEmitter extends EventEmitter {}
const myEmitter = new MyEmitter();

const callbackA = () => {
  console.log('A');
  myEmitter.removeListener('event', callbackB);
};

const callbackB = () => {
  console.log('B');
};

myEmitter.on('event', callbackA);

myEmitter.on('event', callbackB);

// callbackA removes listener callbackB but it will still be called.
// Internal listener array at time of emit [callbackA, callbackB]
myEmitter.emit('event');
// Prints:
//   A
//   B

// callbackB is now removed.
// Internal listener array [callbackA]
myEmitter.emit('event');
// Prints:
//   A
```

Because listeners are managed using an internal array, calling this will change the position indices of any listener registered after the listener being removed. This will not impact the order in which listeners are called, but it means that any copies of the listener array as returned by the `emitter.listeners()` method will need to be recreated.
When a single function has been added as a handler multiple times for a single event (as in the example below), `removeListener()` will remove the most recently added instance. In the example the `once('ping')` listener is removed:

```js
import { EventEmitter } from 'node:events';
const ee = new EventEmitter();

function pong() {
  console.log('pong');
}

ee.on('ping', pong);
ee.once('ping', pong);
ee.removeListener('ping', pong);

ee.emit('ping');
ee.emit('ping');
```

Returns a reference to the `EventEmitter`, so that calls can be chained.
- n: number): this;
By default `EventEmitter`s will print a warning if more than `10` listeners are added for a particular event. This is a useful default that helps finding memory leaks. The `emitter.setMaxListeners()` method allows the limit to be modified for this specific `EventEmitter` instance. The value can be set to `Infinity` (or `0`) to indicate an unlimited number of listeners.
Returns a reference to the `EventEmitter`, so that calls can be chained.
- ): void;
The `server.setSecureContext()` method replaces the secure context of an existing server. Existing connections to the server are not interrupted.
@param options An object containing any of the possible properties from the createSecureContext `options` arguments (e.g. `key`, `cert`, `ca`, etc).
- ): void;
Sets the session ticket keys.
Changes to the ticket keys are effective only for future server connections. Existing or currently pending server connections will use the previous keys.
See Session Resumption for more information.
@param keys A 48-byte buffer containing the session ticket keys.
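Rotating session ticket keys across a pool of servers with `server.setTicketKeys()` and checking the result with `server.getTicketKeys()`, as described above. This is an added example written against the Node.js `node:tls` behaviour documented here, not code from the original page or from the Node.js or Bun projects; the helper names (`fingerprint`, `applyTicketKeys`, `rotateTicketKeys`, `poolIsConsistent`, `scheduleRotation`) are hypothetical, and two servers in one process stand in for separate instances that would receive the keys over a secret channel.

```javascript
const tls = require('node:tls');
const crypto = require('node:crypto');

// Size given in the getTicketKeys()/setTicketKeys() descriptions above.
const TICKET_KEYS_LENGTH = 48;

// Short one-way label for a key set. It can be logged so operators can
// confirm that every instance runs the same keys without exposing them.
function fingerprint(keys) {
  return crypto.createHash('sha256').update(keys).digest('hex').slice(0, 16);
}

// Install one key set on every server in the pool (hypothetical helper).
// The length is validated first so a bad buffer never reaches part of the pool.
function applyTicketKeys(servers, keys) {
  if (!Buffer.isBuffer(keys) || keys.length !== TICKET_KEYS_LENGTH) {
    throw new RangeError(`ticket keys must be a ${TICKET_KEYS_LENGTH}-byte Buffer`);
  }
  for (const server of servers) {
    // Only future connections use the new keys; existing and pending
    // connections keep the previous ones.
    server.setTicketKeys(keys);
  }
  return fingerprint(keys);
}

// Generate fresh keys from the CSPRNG and roll them out to the whole pool.
function rotateTicketKeys(servers) {
  return applyTicketKeys(servers, crypto.randomBytes(TICKET_KEYS_LENGTH));
}

// True when every server in the pool reports identical ticket keys, which is
// what lets a ticket issued by one instance be resumed on another.
function poolIsConsistent(servers) {
  const prints = new Set(servers.map((s) => fingerprint(s.getTicketKeys())));
  return prints.size === 1;
}

// Periodic rotation limits how long one compromised key set can be used to
// decrypt tickets. unref() keeps the timer from holding the process open.
function scheduleRotation(servers, intervalMs, onRotate = () => {}) {
  const timer = setInterval(() => onRotate(rotateTicketKeys(servers)), intervalMs);
  timer.unref();
  return timer;
}

// Constructed demo: the servers are never bound to a port.
function demo() {
  const pool = [tls.createServer(), tls.createServer()];
  const consistentBefore = poolIsConsistent(pool); // each server starts with its own keys
  const keyId = rotateTicketKeys(pool);
  return { consistentBefore, consistentAfter: poolIsConsistent(pool), keyId };
}

console.log(demo());
```
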
Calling `unref()` on a server will allow the program to exit if this is the only active server in the event system. If the server is already `unref`ed calling `unref()` again will have no effect.
- ): Disposable;
Listens once to the `abort` event on the provided `signal`.
Listening to the `abort` event on abort signals is unsafe and may lead to resource leaks since another third party with the signal can call `e.stopImmediatePropagation()`. Unfortunately Node.js cannot change this since it would violate the web standard. Additionally, the original API makes it easy to forget to remove listeners.
This API allows safely using `AbortSignal`s in Node.js APIs by solving these two issues by listening to the event such that `stopImmediatePropagation` does not prevent the listener from running.
Returns a disposable so that it may be unsubscribed from more easily.

```js
import { addAbortListener } from 'node:events';

function example(signal) {
  let disposable;
  try {
    signal.addEventListener('abort', (e) => e.stopImmediatePropagation());
    disposable = addAbortListener(signal, (e) => {
      // Do something when signal is aborted.
    });
  } finally {
    disposable?.[Symbol.dispose]();
  }
}
```

@returns Disposable that removes the `abort` listener.
- name: string | symbol): Function[];
Returns a copy of the array of listeners for the event named `eventName`.
For `EventEmitter`s this behaves exactly the same as calling `.listeners` on the emitter.
For `EventTarget`s this is the only way to get the event listeners for the event target. This is useful for debugging and diagnostic purposes.

```js
import { getEventListeners, EventEmitter } from 'node:events';

{
  const ee = new EventEmitter();
  const listener = () => console.log('Events are fun');
  ee.on('foo', listener);
  console.log(getEventListeners(ee, 'foo')); // [ [Function: listener] ]
}
{
  const et = new EventTarget();
  const listener = () => console.log('Events are fun');
  et.addEventListener('foo', listener);
  console.log(getEventListeners(et, 'foo')); // [ [Function: listener] ]
}
```

- ): number;
Returns the currently set max amount of listeners.
For EventEmitters this behaves exactly the same as calling .getMaxListeners on the emitter.
For EventTargets this is the only way to get the max event listeners for the event target. If the number of event handlers on a single EventTarget exceeds the max set, the EventTarget will print a warning.
```js
import { getMaxListeners, setMaxListeners, EventEmitter } from 'node:events';

{
  const ee = new EventEmitter();
  console.log(getMaxListeners(ee)); // 10
  setMaxListeners(11, ee);
  console.log(getMaxListeners(ee)); // 11
}
{
  const et = new EventTarget();
  console.log(getMaxListeners(et)); // 10
  setMaxListeners(11, et);
  console.log(getMaxListeners(et)); // 11
}
```
- emitter: EventEmitter, eventName: string | symbol, options?: StaticEventEmitterIteratorOptions): AsyncIterator<any[]>;
```js
import { on, EventEmitter } from 'node:events';
import process from 'node:process';

const ee = new EventEmitter();

// Emit later on
process.nextTick(() => {
  ee.emit('foo', 'bar');
  ee.emit('foo', 42);
});

for await (const event of on(ee, 'foo')) {
  // The execution of this inner block is synchronous and it
  // processes one event at a time (even with await). Do not use
  // if concurrent execution is required.
  console.log(event); // prints ['bar'] [42]
}
// Unreachable here
```
Returns an AsyncIterator that iterates eventName events. It will throw if the EventEmitter emits 'error'. It removes all listeners when exiting the loop. The value returned by each iteration is an array composed of the emitted event arguments.
An AbortSignal can be used to cancel waiting on events:
```js
import { on, EventEmitter } from 'node:events';
import process from 'node:process';

const ac = new AbortController();

(async () => {
  const ee = new EventEmitter();

  // Emit later on
  process.nextTick(() => {
    ee.emit('foo', 'bar');
    ee.emit('foo', 42);
  });

  for await (const event of on(ee, 'foo', { signal: ac.signal })) {
    // The execution of this inner block is synchronous and it
    // processes one event at a time (even with await). Do not use
    // if concurrent execution is required.
    console.log(event); // prints ['bar'] [42]
  }
  // Unreachable here
})();

process.nextTick(() => ac.abort());
```
Use the close option to specify an array of event names that will end the iteration:
```js
import { on, EventEmitter } from 'node:events';
import process from 'node:process';

const ee = new EventEmitter();

// Emit later on
process.nextTick(() => {
  ee.emit('foo', 'bar');
  ee.emit('foo', 42);
  ee.emit('close');
});

for await (const event of on(ee, 'foo', { close: ['close'] })) {
  console.log(event); // prints ['bar'] [42]
}
// the loop will exit after 'close' is emitted
console.log('done'); // prints 'done'
```
@returns An AsyncIterator that iterates eventName events emitted by the emitter
eventName: string, options?: StaticEventEmitterIteratorOptions): AsyncIterator<any[]>;
- emitter: EventEmitter, eventName: string | symbol, options?: StaticEventEmitterOptions): Promise<any[]>;
Creates a Promise that is fulfilled when the EventEmitter emits the given event or that is rejected if the EventEmitter emits 'error' while waiting. The Promise will resolve with an array of all the arguments emitted to the given event.
This method is intentionally generic and works with the web platform EventTarget interface, which has no special 'error' event semantics and does not listen to the 'error' event.
```js
import { once, EventEmitter } from 'node:events';
import process from 'node:process';

const ee = new EventEmitter();

process.nextTick(() => {
  ee.emit('myevent', 42);
});

const [value] = await once(ee, 'myevent');
console.log(value);

const err = new Error('kaboom');
process.nextTick(() => {
  ee.emit('error', err);
});

try {
  await once(ee, 'myevent');
} catch (err) {
  console.error('error happened', err);
}
```
The special handling of the 'error' event is only used when events.once() is used to wait for another event. If events.once() is used to wait for the 'error' event itself, then it is treated as any other kind of event without special handling:
```js
import { EventEmitter, once } from 'node:events';

const ee = new EventEmitter();

once(ee, 'error')
  .then(([err]) => console.log('ok', err.message))
  .catch((err) => console.error('error', err.message));

ee.emit('error', new Error('boom'));

// Prints: ok boom
```
An AbortSignal can be used to cancel waiting for the event:
```js
import { EventEmitter, once } from 'node:events';

const ee = new EventEmitter();
const ac = new AbortController();

async function foo(emitter, event, signal) {
  try {
    await once(emitter, event, { signal });
    console.log('event emitted!');
  } catch (error) {
    if (error.name === 'AbortError') {
      console.error('Waiting for the event was canceled!');
    } else {
      console.error('There was an error', error.message);
    }
  }
}

foo(ee, 'foo', ac.signal);
ac.abort(); // Abort waiting for the event
ee.emit('foo'); // Prints: Waiting for the event was canceled!
```
eventName: string, options?: StaticEventEmitterOptions): Promise<any[]>;
- n?: number,): void;
```js
import { setMaxListeners, EventEmitter } from 'node:events';

const target = new EventTarget();
const emitter = new EventEmitter();

setMaxListeners(5, target, emitter);
```
@param n A non-negative number. The maximum number of listeners per EventTarget event.
@param eventTargets Zero or more {EventTarget} or {EventEmitter} instances. If none are specified, n is set as the default max for all newly created {EventTarget} and {EventEmitter} objects.
class TLSSocket
Performs transparent encryption of written data and all required TLS negotiation.
Instances of tls.TLSSocket implement the duplex Stream interface.
Methods that return TLS connection metadata (e.g. TLSSocket.getPeerCertificate) will only return data while the connection is open.
- allowHalfOpen: boolean
If false then the stream will automatically end the writable side when the readable side ends. Set initially by the allowHalfOpen constructor option, which defaults to true.
This can be changed manually to change the half-open behavior of an existing Duplex stream instance, but must be changed before the 'end' event is emitted.
- alpnProtocol: null | string | false
String containing the selected ALPN protocol. Before a handshake has completed, this value is always null. When a handshake is completed but no ALPN protocol was selected, tlsSocket.alpnProtocol equals false.
- readonly autoSelectFamilyAttemptedAddresses: string[]
This property is only present if the family autoselection algorithm is enabled in socket.connect(options) and it is an array of the addresses that have been attempted.
Each address is a string in the form of $IP:$PORT. If the connection was successful, then the last address is the one that the socket is currently connected to.
- readonly connecting: boolean
If true, socket.connect(options[, connectListener]) was called and has not yet finished. It will stay true until the socket becomes connected, then it is set to false and the 'connect' event is emitted. Note that the socket.connect(options[, connectListener]) callback is a listener for the 'connect' event.
- encrypted: true
Always returns true. This may be used to distinguish TLS sockets from regular net.Socket instances.
- readonly localAddress?: string
The string representation of the local IP address the remote client is connecting on. For example, in a server listening on '0.0.0.0', if a client connects on '192.168.1.1', the value of socket.localAddress would be '192.168.1.1'.
- readonly pending: boolean
This is true if the socket is not connected yet, either because .connect() has not yet been called or because it is still in the process of connecting (see socket.connecting).
- readable: boolean
Is true if it is safe to call read, which means the stream has not been destroyed or emitted 'error' or 'end'.
- readonly readableAborted: boolean
Returns whether the stream was destroyed or errored before emitting 'end'.
- readonly readableEncoding: null | BufferEncoding
Getter for the property encoding of a given Readable stream. The encoding property can be set using the setEncoding method.
- readonly readableFlowing: null | boolean
This property reflects the current state of a Readable stream as described in the Three states section.
- readonly readableHighWaterMark: number
Returns the value of highWaterMark passed when creating this Readable.
- readonly readableLength: number
This property contains the number of bytes (or objects) in the queue ready to be read. The value provides introspection data regarding the status of the highWaterMark.
- readonly readyState: SocketReadyState
This property represents the state of the connection as a string.
  - If the stream is connecting, socket.readyState is opening.
  - If the stream is readable and writable, it is open.
  - If the stream is readable and not writable, it is readOnly.
  - If the stream is not readable and writable, it is writeOnly.
- readonly remoteAddress: undefined | string
The string representation of the remote IP address. For example, '74.125.127.100' or '2001:4860:a005::68'. Value may be undefined if the socket is destroyed (for example, if the client disconnected).
- readonly remoteFamily: undefined | string
The string representation of the remote IP family. 'IPv4' or 'IPv6'. Value may be undefined if the socket is destroyed (for example, if the client disconnected).
- readonly remotePort: undefined | number
The numeric representation of the remote port. For example, 80 or 21. Value may be undefined if the socket is destroyed (for example, if the client disconnected).
- readonly timeout?: number
The socket timeout in milliseconds as set by socket.setTimeout(). It is undefined if a timeout has not been set.
- readonly writable: boolean
Is true if it is safe to call writable.write(), which means the stream has not been destroyed, errored, or ended.
- readonly writableAborted: boolean
Returns whether the stream was destroyed or errored before emitting 'finish'.
- readonly writableCorked: number
Number of times writable.uncork() needs to be called in order to fully uncork the stream.
- readonly writableEnded: boolean
Is true after writable.end() has been called. This property does not indicate whether the data has been flushed, for this use writable.writableFinished instead.
- readonly writableHighWaterMark: number
Return the value of highWaterMark passed when creating this Writable.
- readonly writableLength: number
This property contains the number of bytes (or objects) in the queue ready to be written. The value provides introspection data regarding the status of the highWaterMark.
- readonly writableNeedDrain: boolean
Is true if the stream's buffer has been full and stream will emit 'drain'.
- static captureRejections: boolean
Value: boolean
Change the default captureRejections option on all new EventEmitter objects.
- readonly static captureRejectionSymbol: typeof captureRejectionSymbol
Value: Symbol.for('nodejs.rejection')
See how to write a custom rejection handler.
- static defaultMaxListeners: number
By default, a maximum of 10 listeners can be registered for any single event. This limit can be changed for individual EventEmitter instances using the emitter.setMaxListeners(n) method. To change the default for all EventEmitter instances, the events.defaultMaxListeners property can be used. If this value is not a positive number, a RangeError is thrown.
Take caution when setting the events.defaultMaxListeners because the change affects all EventEmitter instances, including those created before the change is made. However, calling emitter.setMaxListeners(n) still has precedence over events.defaultMaxListeners.
This is not a hard limit. The EventEmitter instance will allow more listeners to be added but will output a trace warning to stderr indicating that a "possible EventEmitter memory leak" has been detected. For any single EventEmitter, the emitter.getMaxListeners() and emitter.setMaxListeners() methods can be used to temporarily avoid this warning:
```js
import { EventEmitter } from 'node:events';

const emitter = new EventEmitter();
emitter.setMaxListeners(emitter.getMaxListeners() + 1);
emitter.once('event', () => {
  // do stuff
  emitter.setMaxListeners(Math.max(emitter.getMaxListeners() - 1, 0));
});
```
The --trace-warnings command-line flag can be used to display the stack trace for such warnings.
The emitted warning can be inspected with process.on('warning') and will have the additional emitter, type, and count properties, referring to the event emitter instance, the event's name and the number of attached listeners, respectively. Its name property is set to 'MaxListenersExceededWarning'.
- readonly static errorMonitor: typeof errorMonitor
This symbol shall be used to install a listener for only monitoring 'error' events. Listeners installed using this symbol are called before the regular 'error' listeners are called.
Installing a listener using this symbol does not change the behavior once an 'error' event is emitted. Therefore, the process will still crash if no regular 'error' listener is installed.
Calls readable.destroy() with an AbortError and returns a promise that fulfills when the stream is finished.
- @returns AsyncIterator to fully consume the stream.
- event: string, listener: (...args: any[]) => void): this;
events.EventEmitter
- close
- connect
- connectionAttempt
- connectionAttemptFailed
- connectionAttemptTimeout
- data
- drain
- end
- error
- lookup
- ready
- timeout
event: 'OCSPResponse',listener: (response: NonSharedBuffer) => void): this;
event: 'secureConnect',listener: () => void): this;
event: 'session',listener: (session: NonSharedBuffer) => void): this;
event: 'keylog',listener: (line: NonSharedBuffer) => void): this;
Returns the bound address, the address family name and port of the socket as reported by the operating system: { port: 12346, family: 'IPv4', address: '127.0.0.1' }
This method returns a new stream with chunks of the underlying stream paired with a counter in the form [index, chunk]. The first index value is 0 and it increases by 1 for each chunk produced.
@returns a stream of indexed pairs.
- stream: ComposeFnParam | T | Iterable<T, any, any> | AsyncIterable<T, any, any>,): T;
- connectionListener?: () => void): this;
Initiate a connection on a given socket.
Possible signatures:
- socket.connect(options[, connectListener])
- socket.connect(path[, connectListener]) for IPC connections.
- socket.connect(port[, host][, connectListener]) for TCP connections.
- Returns: net.Socket The socket itself.
This function is asynchronous. When the connection is established, the 'connect' event will be emitted. If there is a problem connecting, instead of a 'connect' event, an 'error' event will be emitted with the error passed to the 'error' listener. The last parameter connectListener, if supplied, will be added as a listener for the 'connect' event once.
This function should only be used for reconnecting a socket after 'close' has been emitted or otherwise it may lead to undefined behavior.
port: number, host: string, connectionListener?: () => void): this;
port: number, connectionListener?: () => void): this;
path: string, connectionListener?: () => void): this;
The writable.cork() method forces all written data to be buffered in memory. The buffered data will be flushed when either the uncork or end methods are called.
The primary intent of writable.cork() is to accommodate a situation in which several small chunks are written to the stream in rapid succession. Instead of immediately forwarding them to the underlying destination, writable.cork() buffers all the chunks until writable.uncork() is called, which will pass them all to writable._writev(), if present. This prevents a head-of-line blocking situation where data is being buffered while waiting for the first small chunk to be processed. However, use of writable.cork() without implementing writable._writev() may have an adverse effect on throughput.
See also: writable.uncork(), writable._writev().
- ): this;
Destroy the stream. Optionally emit an 'error' event, and emit a 'close' event (unless emitClose is set to false). After this call, the readable stream will release any internal resources and subsequent calls to push() will be ignored.
Once destroy() has been called any further calls will be a no-op and no further errors except from _destroy() may be emitted as 'error'.
Implementors should not override this method, but instead implement readable._destroy().
@param error Error which will be passed as payload in 'error' event
Destroys the socket after all data is written. If the finish event was already emitted the socket is destroyed immediately. If the socket is still writable it implicitly calls socket.end().
Disables TLS renegotiation for this TLSSocket instance. Once called, attempts to renegotiate will trigger an 'error' event on the TLSSocket.
- drop(limit: number,
This method returns a new stream with the first limit chunks dropped from the start.
@param limit the number of chunks to drop from the readable.
@returns a stream with limit chunks dropped from the start.
- emit(event: string | symbol, ...args: any[]): boolean;
Synchronously calls each of the listeners registered for the event named eventName, in the order they were registered, passing the supplied arguments to each.
Returns true if the event had listeners, false otherwise.
```js
import { EventEmitter } from 'node:events';
const myEmitter = new EventEmitter();

// First listener
myEmitter.on('event', function firstListener() {
  console.log('Helloooo! first listener');
});
// Second listener
myEmitter.on('event', function secondListener(arg1, arg2) {
  console.log(`event with parameters ${arg1}, ${arg2} in second listener`);
});
// Third listener
myEmitter.on('event', function thirdListener(...args) {
  const parameters = args.join(', ');
  console.log(`event with parameters ${parameters} in third listener`);
});

console.log(myEmitter.listeners('event'));

myEmitter.emit('event', 1, 2, 3, 4, 5);

// Prints:
// [
//   [Function: firstListener],
//   [Function: secondListener],
//   [Function: thirdListener]
// ]
// Helloooo! first listener
// event with parameters 1, 2 in second listener
// event with parameters 1, 2, 3, 4, 5 in third listener
```
When enabled, TLS packet trace information is written to stderr. This can be used to debug TLS connection problems.
The format of the output is identical to the output of openssl s_client -trace or openssl s_server -trace. While it is produced by OpenSSL's SSL_trace() function, the format is undocumented, can change without notice, and should not be relied on.
- end(callback?: () => void): this;
Half-closes the socket, i.e., it sends a FIN packet. It is possible the server will still send some data.
See writable.end() for further details.
@param callback Optional callback for when the socket is finished.
@returns The socket itself.
end(callback?: () => void): this;
end(encoding?: BufferEncoding, callback?: () => void): this;
@param encoding Only used when data is string.
Returns an array listing the events for which the emitter has registered listeners. The values in the array are strings or Symbols.
```js
import { EventEmitter } from 'node:events';

const myEE = new EventEmitter();
myEE.on('foo', () => {});
myEE.on('bar', () => {});

const sym = Symbol('symbol');
myEE.on(sym, () => {});

console.log(myEE.eventNames());
// Prints: [ 'foo', 'bar', Symbol(symbol) ]
```
- ): Promise<boolean>;
This method is similar to Array.prototype.every and calls fn on each chunk in the stream to check if all awaited return values are truthy value for fn. Once an fn call on a chunk awaited return value is falsy, the stream is destroyed and the promise is fulfilled with false. If all of the fn calls on the chunks return a truthy value, the promise is fulfilled with true.
@param fn a function to call on each chunk of the stream. Async or not.
@returns a promise evaluating to true if fn returned a truthy value for every one of the chunks.
- length: number, label: string,): NonSharedBuffer;
Keying material is used for validations to prevent different kinds of attacks in network protocols, for example in the specifications of IEEE 802.1X.
Example
```js
const keyingMaterial = tlsSocket.exportKeyingMaterial(
  128,
  'client finished');

/*
 Example return value of keyingMaterial:
 <Buffer 76 26 af 99 c5 56 8e 42 09 91 ef 9f 93 cb ad 6c 7b 65 f8 53 f1 d8 d9
    12 5a 33 b8 b5 25 df 7b 37 9f e0 e2 4f b8 67 83 a3 2f cd 5d 41 42 4c 91
    74 ef 2c ... 78 more bytes>
*/
```
See the OpenSSL SSL_export_keying_material documentation for more information.
@param length number of bytes to retrieve from keying material
@param label an application specific label, typically this will be a value from the IANA Exporter Label Registry.
@param context Optionally provide a context.
@returns requested bytes of the keying material
This method allows filtering the stream. For each chunk in the stream the fn function will be called and if it returns a truthy value, the chunk will be passed to the result stream. If the fn function returns a promise, that promise will be awaited.
@param fn a function to filter chunks from the stream. Async or not.
@returns a stream filtered with the predicate fn.
- ): Promise<undefined | T>;
This method is similar to Array.prototype.find and calls fn on each chunk in the stream to find a chunk with a truthy value for fn. Once an fn call's awaited return value is truthy, the stream is destroyed and the promise is fulfilled with value for which fn returned a truthy value. If all of the fn calls on the chunks return a falsy value, the promise is fulfilled with undefined.
@param fn a function to call on each chunk of the stream. Async or not.
@returns a promise evaluating to the first chunk for which fn evaluated with a truthy value, or undefined if no element was found.
find(): Promise<any>;
This method returns a new stream by applying the given callback to each chunk of the stream and then flattening the result.
It is possible to return a stream or another iterable or async iterable from fn and the result streams will be merged (flattened) into the returned stream.
@param fn a function to map over every chunk in the stream. May be async. May be a stream or generator.
@returns a stream flat-mapped with the function fn.
- ): Promise<void>;
This method allows iterating a stream. For each chunk in the stream the fn function will be called. If the fn function returns a promise, that promise will be awaited.
This method is different from for await...of loops in that it can optionally process chunks concurrently. In addition, a forEach iteration can only be stopped by having passed a signal option and aborting the related AbortController while for await...of can be stopped with break or return. In either case the stream will be destroyed.
This method is different from listening to the 'data' event in that it uses the readable event in the underlying machinery and can limit the number of concurrent fn calls.
@param fn a function to call on each chunk of the stream. Async or not.
@returns a promise for when the stream has finished.
Returns an object representing the local certificate. The returned object has some properties corresponding to the fields of the certificate.
See TLSSocket.getPeerCertificate for an example of the certificate structure.
If there is no local certificate, an empty object will be returned. If the socket has been destroyed,
nullwill be returned.Returns an object containing information on the negotiated cipher suite.
For example, a TLSv1.2 protocol with AES256-SHA cipher:
{ "name": "AES256-SHA", "standardName": "TLS_RSA_WITH_AES_256_CBC_SHA", "version": "SSLv3" }See SSL_CIPHER_get_name for more information.
Returns an object representing the type, name, and size of parameter of an ephemeral key exchange in perfect forward secrecy on a client connection. It returns an empty object when the key exchange is not ephemeral. As this is only supported on a client socket, `null` is returned if called on a server socket. The supported types are `'DH'` and `'ECDH'`. The `name` property is available only when type is `'ECDH'`.
For example: `{ type: 'ECDH', name: 'prime256v1', size: 256 }`.
As the `Finished` messages are message digests of the complete handshake (with a total of 192 bits for TLS 1.0 and more for SSL 3.0), they can be used for external authentication procedures when the authentication provided by SSL/TLS is not desired or is not enough.
Corresponds to the `SSL_get_finished` routine in OpenSSL and may be used to implement the `tls-unique` channel binding from RFC 5929.
@returns The latest `Finished` message that has been sent to the socket as part of a SSL/TLS handshake, or `undefined` if no `Finished` message has been sent yet.
Returns the current max listener value for the `EventEmitter` which is either set by `emitter.setMaxListeners(n)` or defaults to EventEmitter.defaultMaxListeners.
- detailed: true
Returns an object representing the peer's certificate. If the peer does not provide a certificate, an empty object will be returned. If the socket has been destroyed, `null` will be returned.
If the full certificate chain was requested, each certificate will include an `issuerCertificate` property containing an object representing its issuer's certificate.
@param detailed Include the full certificate chain if `true`, otherwise include just the peer's certificate.
@returns A certificate object.
detailed?: false
Returns an object representing the peer's certificate. If the peer does not provide a certificate, an empty object will be returned. If the socket has been destroyed, `null` will be returned.
If the full certificate chain was requested, each certificate will include an `issuerCertificate` property containing an object representing its issuer's certificate.
@param detailed Include the full certificate chain if `true`, otherwise include just the peer's certificate.
@returns A certificate object.
detailed?: boolean
Returns an object representing the peer's certificate. If the peer does not provide a certificate, an empty object will be returned. If the socket has been destroyed, `null` will be returned.
If the full certificate chain was requested, each certificate will include an `issuerCertificate` property containing an object representing its issuer's certificate.
@param detailed Include the full certificate chain if `true`, otherwise include just the peer's certificate.
@returns A certificate object.
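The following is an added example, not code from the Node.js or Bun documentation: a post-handshake check that combines `getProtocol()`, `getCipher()`, `getEphemeralKeyInfo()` and `getPeerCertificate(true)`, and handles the `null`, `'unknown'` and empty-object returns this page describes. The policy values, the names `auditTlsSocket`, `certificateChain` and `constructedSocket`, and the stub socket's certificate data are assumptions made for illustration.

```javascript
// Added example. Policy values below are assumptions for illustration;
// the tls module itself does not enforce them.
const ACCEPTED_PROTOCOLS = new Set(['TLSv1.2', 'TLSv1.3']);

// Follow issuerCertificate links from getPeerCertificate(true).
// A self-signed root is its own issuer, so stop when a fingerprint repeats.
function certificateChain(peerCert, maxDepth = 10) {
  const chain = [];
  const seen = new Set();
  let cert = peerCert;
  while (cert && Object.keys(cert).length > 0 && chain.length < maxDepth) {
    if (seen.has(cert.fingerprint256)) break;
    seen.add(cert.fingerprint256);
    chain.push({
      subject: cert.subject ? cert.subject.CN : undefined,
      validTo: cert.valid_to,
      fingerprint256: cert.fingerprint256,
    });
    cert = cert.issuerCertificate;
  }
  return chain;
}

function auditTlsSocket(socket, now = Date.now()) {
  const findings = [];

  // 'unknown': handshake not finished; null: server or disconnected socket.
  const protocol = socket.getProtocol();
  if (protocol === null || protocol === 'unknown') {
    return { ok: false, protocol, chain: [], findings: ['no completed handshake to inspect'] };
  }
  if (!ACCEPTED_PROTOCOLS.has(protocol)) {
    findings.push(`protocol ${protocol} is below the policy minimum`);
  }

  const cipher = socket.getCipher();
  // {} means the key exchange was not ephemeral; null means server socket.
  const keyExchange = socket.getEphemeralKeyInfo();
  if (keyExchange === null) {
    findings.push('ephemeral key info is only reported on client sockets');
  } else if (!keyExchange.type) {
    findings.push(`cipher ${cipher.name} negotiated without forward secrecy`);
  }

  // {} means the peer sent no certificate; null means the socket was destroyed.
  const chain = certificateChain(socket.getPeerCertificate(true));
  if (chain.length === 0) findings.push('peer presented no certificate');
  for (const cert of chain) {
    if (Date.parse(cert.validTo) < now) findings.push(`certificate ${cert.subject} has expired`);
  }
  // authorized / authorizationError are TLSSocket properties set by chain verification.
  if (!socket.authorized) {
    findings.push(`chain not verified: ${socket.authorizationError}`);
  }

  return { ok: findings.length === 0, protocol, cipher: cipher.name, keyExchange, chain, findings };
}

// Constructed stand-in for a connected client TLSSocket (all values are made up).
function constructedSocket(overrides = {}) {
  const root = {
    subject: { CN: 'Constructed Root CA' },
    valid_to: 'Dec 31 23:59:59 2035 GMT',
    fingerprint256: 'AA:00',
  };
  root.issuerCertificate = root; // self-signed: the root is its own issuer
  const leaf = {
    subject: { CN: 'service.example' },
    valid_to: 'Jun 30 23:59:59 2030 GMT',
    fingerprint256: 'BB:11',
    issuerCertificate: root,
  };
  return {
    authorized: true,
    authorizationError: null,
    getProtocol: () => 'TLSv1.3',
    getCipher: () => ({ name: 'TLS_AES_256_GCM_SHA384', standardName: 'TLS_AES_256_GCM_SHA384', version: 'TLSv1.3' }),
    getEphemeralKeyInfo: () => ({ type: 'ECDH', name: 'X25519', size: 253 }),
    getPeerCertificate: () => leaf,
    ...overrides,
  };
}

// With a real connection, call auditTlsSocket(socket) from the 'secureConnect' handler.
console.log(auditTlsSocket(constructedSocket(), Date.UTC(2025, 0, 1)).findings);
```

The check reads what the handshake negotiated; it complements `rejectUnauthorized` rather than replacing it.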
As the `Finished` messages are message digests of the complete handshake (with a total of 192 bits for TLS 1.0 and more for SSL 3.0), they can be used for external authentication procedures when the authentication provided by SSL/TLS is not desired or is not enough.
Corresponds to the `SSL_get_peer_finished` routine in OpenSSL and may be used to implement the `tls-unique` channel binding from RFC 5929.
@returns The latest `Finished` message that is expected or has actually been received from the socket as part of a SSL/TLS handshake, or `undefined` if there is no `Finished` message so far.
Returns the peer certificate as an `X509Certificate` object.
If there is no peer certificate, or the socket has been destroyed, `undefined` will be returned.
Returns a string containing the negotiated SSL/TLS protocol version of the current connection. The value `'unknown'` will be returned for connected sockets that have not completed the handshaking process. The value `null` will be returned for server sockets or disconnected client sockets.
Protocol versions are:
`'SSLv3'`, `'TLSv1'`, `'TLSv1.1'`, `'TLSv1.2'`, `'TLSv1.3'`
See the OpenSSL `SSL_get_version` documentation for more information.
Returns the TLS session data or `undefined` if no session was negotiated. On the client, the data can be provided to the `session` option of connect to resume the connection. On the server, it may be useful for debugging.
See Session Resumption for more information.
Note: `getSession()` works only for TLSv1.2 and below. For TLSv1.3, applications must use the `'session'` event (it also works for TLSv1.2 and below).
For a client, returns the TLS session ticket if one is available, or `undefined`. For a server, always returns `undefined`.
It may be useful for debugging.
See Session Resumption for more information.
Returns the local certificate as an `X509Certificate` object.
If there is no local certificate, or the socket has been destroyed, `undefined` will be returned.
The `readable.isPaused()` method returns the current operating state of the `Readable`. This is used primarily by the mechanism that underlies the `readable.pipe()` method. In most typical cases, there will be no reason to use this method directly.

```js
import stream from 'node:stream';

const readable = new stream.Readable();

readable.isPaused(); // === false
readable.pause();
readable.isPaused(); // === true
readable.resume();
readable.isPaused(); // === false
```

See Session Resumption for more information.
@returns `true` if the session was reused, `false` otherwise.
- options?: { destroyOnReturn: boolean }): AsyncIterator<any>;
The iterator created by this method gives users the option to cancel the destruction of the stream if the `for await...of` loop is exited by `return`, `break`, or `throw`, or if the iterator should destroy the stream if the stream emitted an error during iteration.
- eventName: string | symbol,listener?: Function): number;
Returns the number of listeners listening for the event named `eventName`. If `listener` is provided, it will return how many times the listener is found in the list of the listeners of the event.
@param eventName The name of the event being listened for
@param listener The event handler function
- eventName: string | symbol): Function[];
Returns a copy of the array of listeners for the event named `eventName`.

```js
server.on('connection', (stream) => {
  console.log('someone connected!');
});
console.log(util.inspect(server.listeners('connection')));
// Prints: [ [Function] ]
```

- map(
This method allows mapping over the stream. The fn function will be called for every chunk in the stream. If the fn function returns a promise - that promise will be `await`ed before being passed to the result stream.
@param fn a function to map over every chunk in the stream. Async or not.
@returns a stream mapped with the function fn.
- eventName: string | symbol,listener: (...args: any[]) => void): this;
Alias for `emitter.removeListener()`.
- on(event: string,listener: (...args: any[]) => void): this;
Adds the `listener` function to the end of the listeners array for the event named `eventName`. No checks are made to see if the `listener` has already been added. Multiple calls passing the same combination of `eventName` and `listener` will result in the `listener` being added, and called, multiple times.

```js
server.on('connection', (stream) => {
  console.log('someone connected!');
});
```

Returns a reference to the `EventEmitter`, so that calls can be chained.
By default, event listeners are invoked in the order they are added. The `emitter.prependListener()` method can be used as an alternative to add the event listener to the beginning of the listeners array.

```js
import { EventEmitter } from 'node:events';
const myEE = new EventEmitter();
myEE.on('foo', () => console.log('a'));
myEE.prependListener('foo', () => console.log('b'));
myEE.emit('foo');
// Prints:
//   b
//   a
```

@param listener The callback function
- once(event: string,listener: (...args: any[]) => void): this;
Adds a one-time `listener` function for the event named `eventName`. The next time `eventName` is triggered, this listener is removed and then invoked.

```js
server.once('connection', (stream) => {
  console.log('Ah, we have our first user!');
});
```

Returns a reference to the `EventEmitter`, so that calls can be chained.
By default, event listeners are invoked in the order they are added. The `emitter.prependOnceListener()` method can be used as an alternative to add the event listener to the beginning of the listeners array.

```js
import { EventEmitter } from 'node:events';
const myEE = new EventEmitter();
myEE.once('foo', () => console.log('a'));
myEE.prependOnceListener('foo', () => console.log('b'));
myEE.emit('foo');
// Prints:
//   b
//   a
```

@param listener The callback function
Pauses the reading of data. That is, `'data'` events will not be emitted. Useful to throttle back an upload.
@returns The socket itself.
- event: string,listener: (...args: any[]) => void): this;
Adds the `listener` function to the beginning of the listeners array for the event named `eventName`. No checks are made to see if the `listener` has already been added. Multiple calls passing the same combination of `eventName` and `listener` will result in the `listener` being added, and called, multiple times.

```js
server.prependListener('connection', (stream) => {
  console.log('someone connected!');
});
```

Returns a reference to the `EventEmitter`, so that calls can be chained.
@param listener The callback function
- event: string,listener: (...args: any[]) => void): this;
Adds a one-time `listener` function for the event named `eventName` to the beginning of the listeners array. The next time `eventName` is triggered, this listener is removed, and then invoked.

```js
server.prependOnceListener('connection', (stream) => {
  console.log('Ah, we have our first user!');
});
```

Returns a reference to the `EventEmitter`, so that calls can be chained.
@param listener The callback function
- eventName: string | symbol): Function[];
Returns a copy of the array of listeners for the event named `eventName`, including any wrappers (such as those created by `.once()`).

```js
import { EventEmitter } from 'node:events';
const emitter = new EventEmitter();
emitter.once('log', () => console.log('log once'));

// Returns a new Array with a function `onceWrapper` which has a property
// `listener` which contains the original listener bound above
const listeners = emitter.rawListeners('log');
const logFnWrapper = listeners[0];

// Logs "log once" to the console and does not unbind the `once` event
logFnWrapper.listener();

// Logs "log once" to the console and removes the listener
logFnWrapper();

emitter.on('log', () => console.log('log persistently'));
// Will return a new Array with a single function bound by `.on()` above
const newListeners = emitter.rawListeners('log');

// Logs "log persistently" twice
newListeners[0]();
emitter.emit('log');
```

- read(size?: number): any;
The `readable.read()` method reads data out of the internal buffer and returns it. If no data is available to be read, `null` is returned. By default, the data is returned as a `Buffer` object unless an encoding has been specified using the `readable.setEncoding()` method or the stream is operating in object mode.
The optional `size` argument specifies a specific number of bytes to read. If `size` bytes are not available to be read, `null` will be returned unless the stream has ended, in which case all of the data remaining in the internal buffer will be returned.
If the `size` argument is not specified, all of the data contained in the internal buffer will be returned.
The `size` argument must be less than or equal to 1 GiB.
The `readable.read()` method should only be called on `Readable` streams operating in paused mode. In flowing mode, `readable.read()` is called automatically until the internal buffer is fully drained.

```js
const readable = getReadableStreamSomehow();

// 'readable' may be triggered multiple times as data is buffered in
readable.on('readable', () => {
  let chunk;
  console.log('Stream is readable (new data received in buffer)');
  // Use a loop to make sure we read all currently available data
  while (null !== (chunk = readable.read())) {
    console.log(`Read ${chunk.length} bytes of data...`);
  }
});

// 'end' will be triggered once when there is no more data available
readable.on('end', () => {
  console.log('Reached end of stream.');
});
```

Each call to `readable.read()` returns a chunk of data, or `null`. The chunks are not concatenated. A `while` loop is necessary to consume all data currently in the buffer. When reading a large file `.read()` may return `null`, having consumed all buffered content so far, but there is still more data to come not yet buffered. In this case a new `'readable'` event will be emitted when there is more data in the buffer. Finally the `'end'` event will be emitted when there is no more data to come.
Therefore to read a file's whole contents from a `readable`, it is necessary to collect chunks across multiple `'readable'` events:

```js
const chunks = [];

readable.on('readable', () => {
  let chunk;
  while (null !== (chunk = readable.read())) {
    chunks.push(chunk);
  }
});

readable.on('end', () => {
  const content = chunks.join('');
});
```

A `Readable` stream in object mode will always return a single item from a call to `readable.read(size)`, regardless of the value of the `size` argument.
If the `readable.read()` method returns a chunk of data, a `'data'` event will also be emitted.
Calling read after the `'end'` event has been emitted will return `null`. No runtime error will be raised.
@param size Optional argument to specify how much data to read.
- initial?: undefined,): Promise<T>;
This method calls fn on each chunk of the stream in order, passing it the result from the calculation on the previous element. It returns a promise for the final value of the reduction.
If no initial value is supplied the first chunk of the stream is used as the initial value. If the stream is empty, the promise is rejected with a `TypeError` with the `ERR_INVALID_ARGS` code property.
The reducer function iterates the stream element-by-element which means that there is no concurrency parameter or parallelism. To perform a reduce concurrently, you can extract the async function to `readable.map` method.
@param fn a reducer function to call over every chunk in the stream. Async or not.
@param initial the initial value to use in the reduction.
@returns a promise for the final value of the reduction.
initial: T,): Promise<T>;
This method calls fn on each chunk of the stream in order, passing it the result from the calculation on the previous element. It returns a promise for the final value of the reduction.
If no initial value is supplied the first chunk of the stream is used as the initial value. If the stream is empty, the promise is rejected with a `TypeError` with the `ERR_INVALID_ARGS` code property.
The reducer function iterates the stream element-by-element which means that there is no concurrency parameter or parallelism. To perform a reduce concurrently, you can extract the async function to `readable.map` method.
@param fn a reducer function to call over every chunk in the stream. Async or not.
@param initial the initial value to use in the reduction.
@returns a promise for the final value of the reduction.
Opposite of `unref()`, calling `ref()` on a previously `unref`ed socket will not let the program exit if it's the only socket left (the default behavior). If the socket is `ref`ed calling `ref` again will have no effect.
@returns The socket itself.
- eventName?: string | symbol): this;
Removes all listeners, or those of the specified `eventName`.
It is bad practice to remove listeners added elsewhere in the code, particularly when the `EventEmitter` instance was created by some other component or module (e.g. sockets or file streams).
Returns a reference to the `EventEmitter`, so that calls can be chained.
- event: 'close',listener: () => void): this;
Removes the specified `listener` from the listener array for the event named `eventName`.

```js
const callback = (stream) => {
  console.log('someone connected!');
};
server.on('connection', callback);
// ...
server.removeListener('connection', callback);
```

`removeListener()` will remove, at most, one instance of a listener from the listener array. If any single listener has been added multiple times to the listener array for the specified `eventName`, then `removeListener()` must be called multiple times to remove each instance.
Once an event is emitted, all listeners attached to it at the time of emitting are called in order. This implies that any `removeListener()` or `removeAllListeners()` calls after emitting and before the last listener finishes execution will not remove them from `emit()` in progress. Subsequent events behave as expected.

```js
import { EventEmitter } from 'node:events';
class MyEmitter extends EventEmitter {}
const myEmitter = new MyEmitter();

const callbackA = () => {
  console.log('A');
  myEmitter.removeListener('event', callbackB);
};

const callbackB = () => {
  console.log('B');
};

myEmitter.on('event', callbackA);

myEmitter.on('event', callbackB);

// callbackA removes listener callbackB but it will still be called.
// Internal listener array at time of emit [callbackA, callbackB]
myEmitter.emit('event');
// Prints:
//   A
//   B

// callbackB is now removed.
// Internal listener array [callbackA]
myEmitter.emit('event');
// Prints:
//   A
```

Because listeners are managed using an internal array, calling this will change the position indices of any listener registered after the listener being removed. This will not impact the order in which listeners are called, but it means that any copies of the listener array as returned by the `emitter.listeners()` method will need to be recreated.
When a single function has been added as a handler multiple times for a single event (as in the example below), `removeListener()` will remove the most recently added instance. In the example the `once('ping')` listener is removed:

```js
import { EventEmitter } from 'node:events';
const ee = new EventEmitter();

function pong() {
  console.log('pong');
}

ee.on('ping', pong);
ee.once('ping', pong);
ee.removeListener('ping', pong);

ee.emit('ping');
ee.emit('ping');
```

Returns a reference to the `EventEmitter`, so that calls can be chained.
- options: { rejectUnauthorized: boolean; requestCert: boolean },): undefined | boolean;
The `tlsSocket.renegotiate()` method initiates a TLS renegotiation process. Upon completion, the `callback` function will be passed a single argument that is either an `Error` (if the request failed) or `null`.
This method can be used to request a peer's certificate after the secure connection has been established.
When running as the server, the socket will be destroyed with an error after `handshakeTimeout` timeout.
For TLSv1.3, renegotiation cannot be initiated, it is not supported by the protocol.
@param callback If `renegotiate()` returned `true`, callback is attached once to the `'secure'` event. If `renegotiate()` returned `false`, `callback` will be called in the next tick with an error, unless the `tlsSocket` has been destroyed, in which case `callback` will not be called at all.
@returns `true` if renegotiation was initiated, `false` otherwise.
Close the TCP connection by sending an RST packet and destroy the stream. If this TCP socket is in connecting status, it will send an RST packet and destroy this TCP socket once it is connected. Otherwise, it will call `socket.destroy` with an `ERR_SOCKET_CLOSED` Error. If this is not a TCP socket (for example, a pipe), calling this method will immediately throw an `ERR_INVALID_HANDLE_TYPE` Error.
Resumes reading after a call to `socket.pause()`.
@returns The socket itself.
- encoding: BufferEncoding): this;
The `writable.setDefaultEncoding()` method sets the default `encoding` for a `Writable` stream.
@param encoding The new default encoding
- encoding?: BufferEncoding): this;
Set the encoding for the socket as a Readable Stream. See `readable.setEncoding()` for more information.
@returns The socket itself.
- enable?: boolean,initialDelay?: number): this;
Enable/disable keep-alive functionality, and optionally set the initial delay before the first keepalive probe is sent on an idle socket.
Set `initialDelay` (in milliseconds) to set the delay between the last data packet received and the first keepalive probe. Setting `0` for `initialDelay` will leave the value unchanged from the default (or previous) setting.
Enabling the keep-alive functionality will set the following socket options:
`SO_KEEPALIVE=1`, `TCP_KEEPIDLE=initialDelay`, `TCP_KEEPCNT=10`, `TCP_KEEPINTVL=1`
@returns The socket itself.
- ): void;
The `tlsSocket.setKeyCert()` method sets the private key and certificate to use for the socket. This is mainly useful if you wish to select a server certificate from a TLS server's `ALPNCallback`.
@param context An object containing at least `key` and `cert` properties from the () options, or a TLS context object created with () itself.
- n: number): this;
By default `EventEmitter`s will print a warning if more than `10` listeners are added for a particular event. This is a useful default that helps finding memory leaks. The `emitter.setMaxListeners()` method allows the limit to be modified for this specific `EventEmitter` instance. The value can be set to `Infinity` (or `0`) to indicate an unlimited number of listeners.
Returns a reference to the `EventEmitter`, so that calls can be chained.
- size?: number): boolean;
The `tlsSocket.setMaxSendFragment()` method sets the maximum TLS fragment size. Returns `true` if setting the limit succeeded; `false` otherwise.
Smaller fragment sizes decrease the buffering latency on the client: larger fragments are buffered by the TLS layer until the entire fragment is received and its integrity is verified; large fragments can span multiple roundtrips and their processing can be delayed due to packet loss or reordering. However, smaller fragments add extra TLS framing bytes and CPU overhead, which may decrease overall server throughput.
@param size The maximum TLS fragment size. The maximum value is `16384`.
- noDelay?: boolean): this;
Enable/disable the use of Nagle's algorithm.
When a TCP connection is created, it will have Nagle's algorithm enabled.
Nagle's algorithm delays data before it is sent via the network. It attempts to optimize throughput at the expense of latency.
Passing `true` for `noDelay` or not passing an argument will disable Nagle's algorithm for the socket. Passing `false` for `noDelay` will enable Nagle's algorithm.
@returns The socket itself.
- timeout: number,callback?: () => void): this;
Sets the socket to timeout after `timeout` milliseconds of inactivity on the socket. By default `net.Socket` does not have a timeout.
When an idle timeout is triggered the socket will receive a `'timeout'` event but the connection will not be severed. The user must manually call `socket.end()` or `socket.destroy()` to end the connection.

```js
socket.setTimeout(3000);
socket.on('timeout', () => {
  console.log('socket timeout');
  socket.end();
});
```

If `timeout` is 0, then the existing idle timeout is disabled.
The optional `callback` parameter will be added as a one-time listener for the `'timeout'` event.
@returns The socket itself.
- some(): Promise<boolean>;
This method is similar to `Array.prototype.some` and calls fn on each chunk in the stream until the awaited return value is `true` (or any truthy value). Once an fn call on a chunk `await`ed return value is truthy, the stream is destroyed and the promise is fulfilled with `true`. If none of the fn calls on the chunks return a truthy value, the promise is fulfilled with `false`.
@param fn a function to call on each chunk of the stream. Async or not.
@returns a promise evaluating to `true` if fn returned a truthy value for at least one of the chunks.
- @param limit the number of chunks to take from the readable.
@returns a stream with limit chunks taken.
- ): Promise<any[]>;
This method allows easily obtaining the contents of a stream.
As this method reads the entire stream into memory, it negates the benefits of streams. It's intended for interoperability and convenience, not as the primary way to consume streams.
@returnsa promise containing an array with the contents of the stream.
The `writable.uncork()` method flushes all data buffered since cork was called.
When using `writable.cork()` and `writable.uncork()` to manage the buffering of writes to a stream, defer calls to `writable.uncork()` using `process.nextTick()`. Doing so allows batching of all `writable.write()` calls that occur within a given Node.js event loop phase.

```js
stream.cork();
stream.write('some ');
stream.write('data ');
process.nextTick(() => stream.uncork());
```

If the `writable.cork()` method is called multiple times on a stream, the same number of calls to `writable.uncork()` must be called to flush the buffered data.

```js
stream.cork();
stream.write('some ');
stream.cork();
stream.write('data ');
process.nextTick(() => {
  stream.uncork();
  // The data will not be flushed until uncork() is called a second time.
  stream.uncork();
});
```

See also: `writable.cork()`.
- destination?: WritableStream): this;
The `readable.unpipe()` method detaches a `Writable` stream previously attached using the pipe method.
If the `destination` is not specified, then all pipes are detached.
If the `destination` is specified, but no pipe is set up for it, then the method does nothing.

```js
import fs from 'node:fs';
const readable = getReadableStreamSomehow();
const writable = fs.createWriteStream('file.txt');
// All the data from readable goes into 'file.txt',
// but only for the first second.
readable.pipe(writable);
setTimeout(() => {
  console.log('Stop writing to file.txt.');
  readable.unpipe(writable);
  console.log('Manually close the file stream.');
  writable.end();
}, 1000);
```

@param destination Optional specific stream to unpipe
Calling `unref()` on a socket will allow the program to exit if this is the only active socket in the event system. If the socket is already `unref`ed calling `unref()` again will have no effect.
@returns The socket itself.
- chunk: any,encoding?: BufferEncoding): void;
Passing `chunk` as `null` signals the end of the stream (EOF) and behaves the same as `readable.push(null)`, after which no more data can be written. The EOF signal is put at the end of the buffer and any buffered data will still be flushed.
The `readable.unshift()` method pushes a chunk of data back into the internal buffer. This is useful in certain situations where a stream is being consumed by code that needs to "un-consume" some amount of data that it has optimistically pulled out of the source, so that the data can be passed on to some other party.
The `stream.unshift(chunk)` method cannot be called after the `'end'` event has been emitted or a runtime error will be thrown.
Developers using `stream.unshift()` often should consider switching to use of a `Transform` stream instead. See the API for stream implementers section for more information.

```js
// Pull off a header delimited by \n\n.
// Use unshift() if we get too much.
// Call the callback with (error, header, stream).
import { StringDecoder } from 'node:string_decoder';
function parseHeader(stream, callback) {
  stream.on('error', callback);
  stream.on('readable', onReadable);
  const decoder = new StringDecoder('utf8');
  let header = '';
  function onReadable() {
    let chunk;
    while (null !== (chunk = stream.read())) {
      const str = decoder.write(chunk);
      if (str.includes('\n\n')) {
        // Found the header boundary.
        const split = str.split(/\n\n/);
        header += split.shift();
        const remaining = split.join('\n\n');
        const buf = Buffer.from(remaining, 'utf8');
        stream.removeListener('error', callback);
        // Remove the 'readable' listener before unshifting.
        stream.removeListener('readable', onReadable);
        if (buf.length)
          stream.unshift(buf);
        // Now the body of the message can be read from the stream.
        callback(null, header, stream);
        return;
      }
      // Still reading the header.
      header += str;
    }
  }
}
```

Unlike push, `stream.unshift(chunk)` will not end the reading process by resetting the internal reading state of the stream. This can cause unexpected results if `readable.unshift()` is called during a read (i.e. from within a _read implementation on a custom stream). Following the call to `readable.unshift()` with an immediate push will reset the reading state appropriately, however it is best to simply avoid calling `readable.unshift()` while in the process of performing a read.
@param chunk Chunk of data to unshift onto the read queue. For streams not operating in object mode, `chunk` must be a {string}, {Buffer}, {TypedArray}, {DataView} or `null`. For object mode streams, `chunk` may be any JavaScript value.
@param encoding Encoding of string chunks. Must be a valid `Buffer` encoding, such as `'utf8'` or `'ascii'`.
- wrap(stream: ReadableStream): this;
Prior to Node.js 0.10, streams did not implement the entire `node:stream` module API as it is currently defined. (See Compatibility for more information.)
When using an older Node.js library that emits `'data'` events and has a pause method that is advisory only, the `readable.wrap()` method can be used to create a `Readable` stream that uses the old stream as its data source.
It will rarely be necessary to use `readable.wrap()` but the method has been provided as a convenience for interacting with older Node.js applications and libraries.

```js
import { OldReader } from './old-api-module.js';
import { Readable } from 'node:stream';
const oreader = new OldReader();
const myReader = new Readable().wrap(oreader);

myReader.on('readable', () => {
  myReader.read(); // etc.
});
```

@param stream An "old style" readable stream
- ): boolean;
Sends data on the socket. The second parameter specifies the encoding in the case of a string. It defaults to UTF8 encoding.
Returns `true` if the entire data was flushed successfully to the kernel buffer. Returns `false` if all or part of the data was queued in user memory. `'drain'` will be emitted when the buffer is again free.
The optional `callback` parameter will be executed when the data is finally written out, which may not be immediately.
See `Writable` stream `write()` method for more information.
encoding?: BufferEncoding,): boolean;
Sends data on the socket. The second parameter specifies the encoding in the case of a string. It defaults to UTF8 encoding.
Returns `true` if the entire data was flushed successfully to the kernel buffer. Returns `false` if all or part of the data was queued in user memory. `'drain'` will be emitted when the buffer is again free.
The optional `callback` parameter will be executed when the data is finally written out, which may not be immediately.
See `Writable` stream `write()` method for more information.
@param encoding Only used when data is `string`.
- ): Disposable;
Listens once to the `abort` event on the provided `signal`.
Listening to the `abort` event on abort signals is unsafe and may lead to resource leaks since another third party with the signal can call `e.stopImmediatePropagation()`. Unfortunately Node.js cannot change this since it would violate the web standard. Additionally, the original API makes it easy to forget to remove listeners.
This API allows safely using `AbortSignal`s in Node.js APIs by solving these two issues by listening to the event such that `stopImmediatePropagation` does not prevent the listener from running.
Returns a disposable so that it may be unsubscribed from more easily.

```js
import { addAbortListener } from 'node:events';

function example(signal) {
  let disposable;
  try {
    signal.addEventListener('abort', (e) => e.stopImmediatePropagation());
    disposable = addAbortListener(signal, (e) => {
      // Do something when signal is aborted.
    });
  } finally {
    disposable?.[Symbol.dispose]();
  }
}
```

@returns Disposable that removes the `abort` listener.
- src: string | Object | Stream | ArrayBuffer | Blob | Promise<any> | Iterable<any, any, any> | AsyncIterable<any, any, any> | AsyncGeneratorFunction
A utility method for creating duplex streams.
  - `Stream` converts writable stream into writable `Duplex` and readable stream to `Duplex`.
  - `Blob` converts into readable `Duplex`.
  - `string` converts into readable `Duplex`.
  - `ArrayBuffer` converts into readable `Duplex`.
  - `AsyncIterable` converts into a readable `Duplex`. Cannot yield `null`.
  - `AsyncGeneratorFunction` converts into a readable/writable transform `Duplex`. Must take a source `AsyncIterable` as first parameter. Cannot yield `null`.
  - `AsyncFunction` converts into a writable `Duplex`. Must return either `null` or `undefined`
  - `Object ({ writable, readable })` converts `readable` and `writable` into `Stream` and then combines them into `Duplex` where the `Duplex` will write to the `writable` and read from the `readable`.
  - `Promise` converts into readable `Duplex`. Value `null` is ignored.
- options?: Pick<DuplexOptions<Duplex>, 'signal' | 'allowHalfOpen' | 'decodeStrings' | 'encoding' | 'highWaterMark' | 'objectMode'>
A utility method for creating a `Duplex` from a web `ReadableStream` and `WritableStream`.
- name: string | symbol): Function[];
Returns a copy of the array of listeners for the event named `eventName`.
For `EventEmitter`s this behaves exactly the same as calling `.listeners` on the emitter.
For `EventTarget`s this is the only way to get the event listeners for the event target. This is useful for debugging and diagnostic purposes.

```js
import { getEventListeners, EventEmitter } from 'node:events';

{
  const ee = new EventEmitter();
  const listener = () => console.log('Events are fun');
  ee.on('foo', listener);
  console.log(getEventListeners(ee, 'foo')); // [ [Function: listener] ]
}
{
  const et = new EventTarget();
  const listener = () => console.log('Events are fun');
  et.addEventListener('foo', listener);
  console.log(getEventListeners(et, 'foo')); // [ [Function: listener] ]
}
```

- ): number;
Returns the currently set max amount of listeners.
For `EventEmitter`s this behaves exactly the same as calling `.getMaxListeners` on the emitter.
For `EventTarget`s this is the only way to get the max event listeners for the event target. If the number of event handlers on a single EventTarget exceeds the max set, the EventTarget will print a warning.

```js
import { getMaxListeners, setMaxListeners, EventEmitter } from 'node:events';

{
  const ee = new EventEmitter();
  console.log(getMaxListeners(ee)); // 10
  setMaxListeners(11, ee);
  console.log(getMaxListeners(ee)); // 11
}
{
  const et = new EventTarget();
  console.log(getMaxListeners(et)); // 10
  setMaxListeners(11, et);
  console.log(getMaxListeners(et)); // 11
}
```

- emitter: EventEmitter,eventName: string | symbol,options?: StaticEventEmitterIteratorOptions): AsyncIterator<any[]>;
import { on, EventEmitter } from 'node:events'; import process from 'node:process'; const ee = new EventEmitter(); // Emit later on process.nextTick(() => { ee.emit('foo', 'bar'); ee.emit('foo', 42); }); for await (const event of on(ee, 'foo')) { // The execution of this inner block is synchronous and it // processes one event at a time (even with await). Do not use // if concurrent execution is required. console.log(event); // prints ['bar'] [42] } // Unreachable hereReturns an
AsyncIteratorthat iterateseventNameevents. It will throw if theEventEmitteremits'error'. It removes all listeners when exiting the loop. Thevaluereturned by each iteration is an array composed of the emitted event arguments.An
AbortSignalcan be used to cancel waiting on events:import { on, EventEmitter } from 'node:events'; import process from 'node:process'; const ac = new AbortController(); (async () => { const ee = new EventEmitter(); // Emit later on process.nextTick(() => { ee.emit('foo', 'bar'); ee.emit('foo', 42); }); for await (const event of on(ee, 'foo', { signal: ac.signal })) { // The execution of this inner block is synchronous and it // processes one event at a time (even with await). Do not use // if concurrent execution is required. console.log(event); // prints ['bar'] [42] } // Unreachable here })(); process.nextTick(() => ac.abort());Use the
closeoption to specify an array of event names that will end the iteration:import { on, EventEmitter } from 'node:events'; import process from 'node:process'; const ee = new EventEmitter(); // Emit later on process.nextTick(() => { ee.emit('foo', 'bar'); ee.emit('foo', 42); ee.emit('close'); }); for await (const event of on(ee, 'foo', { close: ['close'] })) { console.log(event); // prints ['bar'] [42] } // the loop will exit after 'close' is emitted console.log('done'); // prints 'done'@returnsAn
AsyncIteratorthat iterateseventNameevents emitted by theemittereventName: string,options?: StaticEventEmitterIteratorOptions): AsyncIterator<any[]>;import { on, EventEmitter } from 'node:events'; import process from 'node:process'; const ee = new EventEmitter(); // Emit later on process.nextTick(() => { ee.emit('foo', 'bar'); ee.emit('foo', 42); }); for await (const event of on(ee, 'foo')) { // The execution of this inner block is synchronous and it // processes one event at a time (even with await). Do not use // if concurrent execution is required. console.log(event); // prints ['bar'] [42] } // Unreachable hereReturns an
AsyncIteratorthat iterateseventNameevents. It will throw if theEventEmitteremits'error'. It removes all listeners when exiting the loop. Thevaluereturned by each iteration is an array composed of the emitted event arguments.An
AbortSignalcan be used to cancel waiting on events:import { on, EventEmitter } from 'node:events'; import process from 'node:process'; const ac = new AbortController(); (async () => { const ee = new EventEmitter(); // Emit later on process.nextTick(() => { ee.emit('foo', 'bar'); ee.emit('foo', 42); }); for await (const event of on(ee, 'foo', { signal: ac.signal })) { // The execution of this inner block is synchronous and it // processes one event at a time (even with await). Do not use // if concurrent execution is required. console.log(event); // prints ['bar'] [42] } // Unreachable here })(); process.nextTick(() => ac.abort());Use the
closeoption to specify an array of event names that will end the iteration:import { on, EventEmitter } from 'node:events'; import process from 'node:process'; const ee = new EventEmitter(); // Emit later on process.nextTick(() => { ee.emit('foo', 'bar'); ee.emit('foo', 42); ee.emit('close'); }); for await (const event of on(ee, 'foo', { close: ['close'] })) { console.log(event); // prints ['bar'] [42] } // the loop will exit after 'close' is emitted console.log('done'); // prints 'done'@returnsAn
AsyncIteratorthat iterateseventNameevents emitted by theemitter - emitter: EventEmitter,eventName: string | symbol,options?: StaticEventEmitterOptions): Promise<any[]>;
Creates a
Promisethat is fulfilled when theEventEmitteremits the given event or that is rejected if theEventEmitteremits'error'while waiting. ThePromisewill resolve with an array of all the arguments emitted to the given event.This method is intentionally generic and works with the web platform EventTarget interface, which has no special
'error'event semantics and does not listen to the'error'event.import { once, EventEmitter } from 'node:events'; import process from 'node:process'; const ee = new EventEmitter(); process.nextTick(() => { ee.emit('myevent', 42); }); const [value] = await once(ee, 'myevent'); console.log(value); const err = new Error('kaboom'); process.nextTick(() => { ee.emit('error', err); }); try { await once(ee, 'myevent'); } catch (err) { console.error('error happened', err); }The special handling of the
'error'event is only used whenevents.once()is used to wait for another event. Ifevents.once()is used to wait for the 'error'event itself, then it is treated as any other kind of event without special handling:import { EventEmitter, once } from 'node:events'; const ee = new EventEmitter(); once(ee, 'error') .then(([err]) => console.log('ok', err.message)) .catch((err) => console.error('error', err.message)); ee.emit('error', new Error('boom')); // Prints: ok boomAn
AbortSignalcan be used to cancel waiting for the event:import { EventEmitter, once } from 'node:events'; const ee = new EventEmitter(); const ac = new AbortController(); async function foo(emitter, event, signal) { try { await once(emitter, event, { signal }); console.log('event emitted!'); } catch (error) { if (error.name === 'AbortError') { console.error('Waiting for the event was canceled!'); } else { console.error('There was an error', error.message); } } } foo(ee, 'foo', ac.signal); ac.abort(); // Abort waiting for the event ee.emit('foo'); // Prints: Waiting for the event was canceled!eventName: string,options?: StaticEventEmitterOptions): Promise<any[]>;Creates a
Promisethat is fulfilled when theEventEmitteremits the given event or that is rejected if theEventEmitteremits'error'while waiting. ThePromisewill resolve with an array of all the arguments emitted to the given event.This method is intentionally generic and works with the web platform EventTarget interface, which has no special
'error'event semantics and does not listen to the'error'event.import { once, EventEmitter } from 'node:events'; import process from 'node:process'; const ee = new EventEmitter(); process.nextTick(() => { ee.emit('myevent', 42); }); const [value] = await once(ee, 'myevent'); console.log(value); const err = new Error('kaboom'); process.nextTick(() => { ee.emit('error', err); }); try { await once(ee, 'myevent'); } catch (err) { console.error('error happened', err); }The special handling of the
'error'event is only used whenevents.once()is used to wait for another event. Ifevents.once()is used to wait for the 'error'event itself, then it is treated as any other kind of event without special handling:import { EventEmitter, once } from 'node:events'; const ee = new EventEmitter(); once(ee, 'error') .then(([err]) => console.log('ok', err.message)) .catch((err) => console.error('error', err.message)); ee.emit('error', new Error('boom')); // Prints: ok boomAn
AbortSignalcan be used to cancel waiting for the event:import { EventEmitter, once } from 'node:events'; const ee = new EventEmitter(); const ac = new AbortController(); async function foo(emitter, event, signal) { try { await once(emitter, event, { signal }); console.log('event emitted!'); } catch (error) { if (error.name === 'AbortError') { console.error('Waiting for the event was canceled!'); } else { console.error('There was an error', error.message); } } } foo(ee, 'foo', ac.signal); ac.abort(); // Abort waiting for the event ee.emit('foo'); // Prints: Waiting for the event was canceled! - n?: number,): void;
import { setMaxListeners, EventEmitter } from 'node:events'; const target = new EventTarget(); const emitter = new EventEmitter(); setMaxListeners(5, target, emitter);@param nA non-negative number. The maximum number of listeners per
EventTargetevent.@param eventTargetsZero or more {EventTarget} or {EventEmitter} instances. If none are specified,
nis set as the default max for all newly created {EventTarget} and {EventEmitter} objects. A utility method for creating a web
ReadableStreamandWritableStreamfrom aDuplex.
The default value of the `ciphers` option of `tls.createSecureContext()`. It can be assigned any of the supported OpenSSL ciphers. Defaults to the content of `crypto.constants.defaultCoreCipherList`, unless changed using CLI options using `--tls-default-ciphers`.

The default curve name to use for ECDH key agreement in a tls server. The default value is `'auto'`. See `tls.createSecureContext()` for further information.

The default value of the `maxVersion` option of `tls.createSecureContext()`. It can be assigned any of the supported TLS protocol versions, `'TLSv1.3'`, `'TLSv1.2'`, `'TLSv1.1'`, or `'TLSv1'`. Default: `'TLSv1.3'`, unless changed using CLI options. Using `--tls-max-v1.2` sets the default to `'TLSv1.2'`. Using `--tls-max-v1.3` sets the default to `'TLSv1.3'`. If multiple of the options are provided, the highest maximum is used.

The default value of the `minVersion` option of `tls.createSecureContext()`. It can be assigned any of the supported TLS protocol versions, `'TLSv1.3'`, `'TLSv1.2'`, `'TLSv1.1'`, or `'TLSv1'`. Default: `'TLSv1.2'`, unless changed using CLI options. Using `--tls-min-v1.0` sets the default to `'TLSv1'`. Using `--tls-min-v1.1` sets the default to `'TLSv1.1'`. Using `--tls-min-v1.3` sets the default to `'TLSv1.3'`. If multiple of the options are provided, the lowest minimum is used.

An immutable array of strings representing the root certificates (in PEM format) from the bundled Mozilla CA store as supplied by the current Node.js version.
The bundled CA store, as supplied by Node.js, is a snapshot of Mozilla CA store that is fixed at release time. It is identical on all supported platforms.
- hostname: string,
Verifies the certificate `cert` is issued to `hostname`.

Returns Error object, populating it with `reason`, `host`, and `cert` on failure. On success, returns undefined.

This function is intended to be used in combination with the `checkServerIdentity` option that can be passed to connect and as such operates on a certificate object. For other purposes, consider using `x509.checkHost()` instead.

This function can be overwritten by providing an alternative function as the `options.checkServerIdentity` option that is passed to `tls.connect()`. The overwriting function can call `tls.checkServerIdentity()` of course, to augment the checks done with additional verification.

This function is only called if the certificate passed all other checks, such as being issued by trusted CA (`options.ca`).

Earlier versions of Node.js incorrectly accepted certificates for a given `hostname` if a matching `uniformResourceIdentifier` subject alternative name was present (see CVE-2021-44531). Applications that wish to accept `uniformResourceIdentifier` subject alternative names can use a custom `options.checkServerIdentity` function that implements the desired behavior.

@param hostname The host name or IP address to verify the certificate against.
@param cert A certificate object representing the peer's certificate.
- secureConnectListener?: () => void
- port: number, host?: string, secureConnectListener?: () => void
- port: number, secureConnectListener?: () => void
- secureConnectListener?: () => void
The `callback` function, if specified, will be added as a listener for the `'secureConnect'` event.

`tls.connect()` returns a TLSSocket object.

Unlike the `https` API, `tls.connect()` does not enable the SNI (Server Name Indication) extension by default, which may cause some servers to return an incorrect certificate or reject the connection altogether. To enable SNI, set the `servername` option in addition to `host`.

The following illustrates a client for the echo server example from createServer:

```javascript
// Assumes an echo server that is listening on port 8000.
import tls from 'node:tls';
import fs from 'node:fs';

const options = {
  // Necessary only if the server requires client certificate authentication.
  key: fs.readFileSync('client-key.pem'),
  cert: fs.readFileSync('client-cert.pem'),

  // Necessary only if the server uses a self-signed certificate.
  ca: [ fs.readFileSync('server-cert.pem') ],

  // Necessary only if the server's cert isn't for "localhost".
  // Note: returning null here skips hostname verification entirely.
  checkServerIdentity: () => { return null; },
};

const socket = tls.connect(8000, options, () => {
  console.log('client connected',
              socket.authorized ? 'authorized' : 'unauthorized');
  process.stdin.pipe(socket);
  process.stdin.resume();
});
socket.setEncoding('utf8');
socket.on('data', (data) => {
  console.log(data);
});
socket.on('end', () => {
  console.log('server ends connection');
});
```

`tls.createServer()` sets the default value of the `honorCipherOrder` option to `true`, other APIs that create secure contexts leave it unset.

`tls.createServer()` uses a 128 bit truncated SHA1 hash value generated from `process.argv` as the default value of the `sessionIdContext` option, other APIs that create secure contexts have no default value.

The `tls.createSecureContext()` method creates a `SecureContext` object. It is usable as an argument to several `tls` APIs, such as `server.addContext()`, but has no public methods. The Server constructor and the createServer method do not support the `secureContext` option.

A key is required for ciphers that use certificates. Either `key` or `pfx` can be used to provide it.

If the `ca` option is not given, then Node.js will default to using Mozilla's publicly trusted list of CAs.

Custom DHE parameters are discouraged in favor of the new `dhparam: 'auto'` option. When set to `'auto'`, well-known DHE parameters of sufficient strength will be selected automatically. Otherwise, if necessary, `openssl dhparam` can be used to create custom parameters. The key length must be greater than or equal to 1024 bits or else an error will be thrown. Although 1024 bits is permissible, use 2048 bits or larger for stronger security.

Creates a new Server. The `secureConnectionListener`, if provided, is automatically set as a listener for the `'secureConnection'` event.

The `ticketKeys` option is automatically shared between `node:cluster` module workers.

The following illustrates a simple echo server:

```javascript
import tls from 'node:tls';
import fs from 'node:fs';

const options = {
  key: fs.readFileSync('server-key.pem'),
  cert: fs.readFileSync('server-cert.pem'),

  // This is necessary only if using client certificate authentication.
  requestCert: true,

  // This is necessary only if the client uses a self-signed certificate.
  ca: [ fs.readFileSync('client-cert.pem') ],
};

const server = tls.createServer(options, (socket) => {
  console.log('server connected',
              socket.authorized ? 'authorized' : 'unauthorized');
  socket.write('welcome!\n');
  socket.setEncoding('utf8');
  socket.pipe(socket);
});
server.listen(8000, () => {
  console.log('server bound');
});
```

The server can be tested by connecting to it using the example client from connect.
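The `checkServerIdentity` and SNI notes under `tls.checkServerIdentity()` and `tls.connect()` above, as an added example that is not from the Node.js or Bun documentation: a replacement check that calls the default hostname verification first and then adds public key pinning, instead of returning `null`. The function names, the `allowedPins` parameter, the `ERR_PIN_MISMATCH` code and the sample certificate object are assumptions made for illustration.

```javascript
// Added example; not code from the Node.js or Bun documentation.
const tls = require('node:tls');
const crypto = require('node:crypto');

// Base64 SHA-256 digest of the peer's public key, taken from the `pubkey`
// Buffer of the certificate object that checkServerIdentity receives.
function pubkeyPin(cert) {
  return crypto.createHash('sha256').update(cert.pubkey).digest('base64');
}

// Returns a checkServerIdentity replacement that augments the default check
// instead of bypassing it. `allowedPins` is a hypothetical parameter: an
// iterable of base64 SHA-256 public key digests the caller trusts.
function makePinnedIdentityCheck(allowedPins) {
  const pins = new Set(allowedPins);
  return function checkServerIdentity(hostname, cert) {
    // 1. Default hostname verification: an Error on mismatch, undefined on
    //    success. URI subject alternative names do not count as a match.
    const hostErr = tls.checkServerIdentity(hostname, cert);
    if (hostErr) return hostErr;

    // 2. Additional verification: the key must be one the caller pinned.
    if (!Buffer.isBuffer(cert.pubkey) || !pins.has(pubkeyPin(cert))) {
      const pinErr = new Error(`Public key of ${hostname} is not pinned`);
      pinErr.code = 'ERR_PIN_MISMATCH'; // hypothetical code, not a Node.js one
      return pinErr;
    }
    return undefined;
  };
}

// Options for tls.connect(). `servername` is set explicitly because the
// page notes that tls.connect() does not enable SNI by default.
function pinnedConnectOptions(host, port, allowedPins) {
  return {
    host,
    port,
    servername: host,
    minVersion: 'TLSv1.2',
    checkServerIdentity: makePinnedIdentityCheck(allowedPins),
  };
}

// Constructed certificate object (not a real certificate), shaped like the
// object passed to checkServerIdentity: a DNS name plus a URI name.
const sampleCert = {
  subject: { CN: 'api.example.test' },
  subjectaltname: 'DNS:api.example.test, URI:https://other.example.test/',
  pubkey: Buffer.from('constructed public key bytes'),
};
```

Pass the result of `pinnedConnectOptions()` to `tls.connect()`; as described above, the function is only called once the certificate has passed all other checks.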
- type?: 'default' | 'system' | 'bundled' | 'extra'): string[];
Returns an array containing the CA certificates from various sources, depending on `type`:
  - `"default"`: return the CA certificates that will be used by the Node.js TLS clients by default.
    - When `--use-bundled-ca` is enabled (default), or `--use-openssl-ca` is not enabled, this would include CA certificates from the bundled Mozilla CA store.
    - When `--use-system-ca` is enabled, this would also include certificates from the system's trusted store.
    - When `NODE_EXTRA_CA_CERTS` is used, this would also include certificates loaded from the specified file.
  - `"system"`: return the CA certificates that are loaded from the system's trusted store, according to rules set by `--use-system-ca`. This can be used to get the certificates from the system when `--use-system-ca` is not enabled.
  - `"bundled"`: return the CA certificates from the bundled Mozilla CA store. This would be the same as `tls.rootCertificates`.
  - `"extra"`: return the CA certificates loaded from `NODE_EXTRA_CA_CERTS`. It's an empty array if `NODE_EXTRA_CA_CERTS` is not set.

@param type The type of CA certificates that will be returned. Valid values are `"default"`, `"system"`, `"bundled"` and `"extra"`. Default: `"default"`.
@returns An array of PEM-encoded certificates. The array may contain duplicates if the same certificate is repeatedly stored in multiple sources.
Returns an array with the names of the supported TLS ciphers. The names are lower-case for historical reasons, but must be uppercased to be used in the `ciphers` option of `tls.createSecureContext()`.

Not all supported ciphers are enabled by default. See Modifying the default TLS cipher suite.

Cipher names that start with `'tls_'` are for TLSv1.3, all the others are for TLSv1.2 and below.

```javascript
console.log(tls.getCiphers()); // ['aes128-gcm-sha256', 'aes128-sha', ...]
```
- certs: readonly string | ArrayBufferView<ArrayBufferLike>[]): void;
Sets the default CA certificates used by Node.js TLS clients. If the provided certificates are parsed successfully, they will become the default CA certificate list returned by getCACertificates and used by subsequent TLS connections that don't specify their own CA certificates. The certificates will be deduplicated before being set as the default.
This function only affects the current Node.js thread. Previous sessions cached by the HTTPS agent won't be affected by this change, so this method should be called before any unwanted cachable TLS connections are made.
To use system CA certificates as the default:
```javascript
import tls from 'node:tls';
tls.setDefaultCACertificates(tls.getCACertificates('system'));
```

This function completely replaces the default CA certificate list. To add additional certificates to the existing defaults, get the current certificates and append to them:

```javascript
import tls from 'node:tls';
const currentCerts = tls.getCACertificates('default');
const additionalCerts = ['-----BEGIN CERTIFICATE-----\n...'];
tls.setDefaultCACertificates([...currentCerts, ...additionalCerts]);
```

@param certs An array of CA certificates in PEM format.
Type definitions
interface BunConnectionOptions
- allowPartialTrustChain?: boolean
Treat intermediate (non-self-signed) certificates in the trust CA certificate list as trusted.
- ALPNCallback?: (arg: { protocols: string[]; servername: string }) => undefined | string
If set, this will be called when a client opens a connection using the ALPN extension. One argument will be passed to the callback: an object containing `servername` and `protocols` fields, respectively containing the server name from the SNI extension (if any) and an array of ALPN protocol name strings. The callback must return either one of the strings listed in `protocols`, which will be returned to the client as the selected ALPN protocol, or `undefined`, to reject the connection with a fatal alert. If a string is returned that does not match one of the client's ALPN protocols, an error will be thrown. This option cannot be used with the `ALPNProtocols` option, and setting both options will throw an error.
- ALPNProtocols?: ArrayBufferView<ArrayBufferLike> | readonly string[]
An array of strings or a Buffer naming possible ALPN protocols. (Protocols should be ordered by their priority.)
- ca?: string | Buffer<ArrayBufferLike> | TypedArray<ArrayBufferLike> | BunFile | string | Buffer<ArrayBufferLike> | BunFile[]
Optionally override the trusted CA certificates. Default is to trust the well-known CAs curated by Mozilla. Mozilla's CAs are completely replaced when CAs are explicitly specified using this option.
- cert?: string | Buffer<ArrayBufferLike> | TypedArray<ArrayBufferLike> | BunFile | unknown[]
Cert chains in PEM format. One cert chain should be provided per private key. Each cert chain should consist of the PEM formatted certificate for a provided private key, followed by the PEM formatted intermediate certificates (if any), in order, and not including the root CA (the root CA must be pre-known to the peer, see ca). When providing multiple cert chains, they do not have to be in the same order as their private keys in key. If the intermediate certificates are not provided, the peer will not be able to validate the certificate, and the handshake will fail.
- ciphers?: string
Cipher suite specification, replacing the default. For more information, see modifying the default cipher suite. Permitted ciphers can be obtained via tls.getCiphers(). Cipher names must be uppercased in order for OpenSSL to accept them.
- ecdhCurve?: string
A string describing a named curve or a colon separated list of curve NIDs or names, for example P-521:P-384:P-256, to use for ECDH key agreement. Set to auto to select the curve automatically. Use crypto.getCurves() to obtain a list of available curve names. On recent releases, openssl ecparam -list_curves will also display the name and description of each available elliptic curve. Default: tls.DEFAULT_ECDH_CURVE.
- enableTrace?: boolean
When enabled, TLS packet trace information is written to `stderr`. This can be used to debug TLS connection problems.
- honorCipherOrder?: boolean
Attempt to use the server's cipher suite preferences instead of the client's. When true, causes SSL_OP_CIPHER_SERVER_PREFERENCE to be set in secureOptions.
- key?: string | Buffer<ArrayBufferLike> | TypedArray<ArrayBufferLike> | BunFile | unknown[]
Private keys in PEM format. PEM allows the option of private keys being encrypted. Encrypted keys will be decrypted with options.passphrase. Multiple keys using different algorithms can be provided either as an array of unencrypted key strings or buffers, or an array of objects in the form {pem: <string|buffer>[, passphrase: <string>]}. The object form can only occur in an array. object.passphrase is optional. Encrypted keys will be decrypted with object.passphrase if provided, or options.passphrase if it is not.
- maxVersion?: SecureVersion
Optionally set the maximum TLS version to allow. One of `'TLSv1.3'`, `'TLSv1.2'`, `'TLSv1.1'`, or `'TLSv1'`. Cannot be specified along with the `secureProtocol` option, use one or the other. Default: `'TLSv1.3'`, unless changed using CLI options. Using `--tls-max-v1.2` sets the default to `'TLSv1.2'`. Using `--tls-max-v1.3` sets the default to `'TLSv1.3'`. If multiple of the options are provided, the highest maximum is used.
- minVersion?: SecureVersion
Optionally set the minimum TLS version to allow. One of `'TLSv1.3'`, `'TLSv1.2'`, `'TLSv1.1'`, or `'TLSv1'`. Cannot be specified along with the `secureProtocol` option, use one or the other. It is not recommended to use less than TLSv1.2, but it may be required for interoperability. Default: `'TLSv1.2'`, unless changed using CLI options. Using `--tls-v1.0` sets the default to `'TLSv1'`. Using `--tls-v1.1` sets the default to `'TLSv1.1'`. Using `--tls-min-v1.3` sets the default to `'TLSv1.3'`. If multiple of the options are provided, the lowest minimum is used.
- pfx?: string | Buffer<ArrayBufferLike> | string | Buffer<ArrayBufferLike> | PxfObject[]
PFX or PKCS12 encoded private key and certificate chain. pfx is an alternative to providing key and cert individually. PFX is usually encrypted, if it is, passphrase will be used to decrypt it. Multiple PFX can be provided either as an array of unencrypted PFX buffers, or an array of objects in the form {buf: <string|buffer>[, passphrase: <string>]}. The object form can only occur in an array. object.passphrase is optional. Encrypted PFX will be decrypted with object.passphrase if provided, or options.passphrase if it is not.
- pskCallback?: (hint: null | string) => null | PSKCallbackNegotation
When negotiating TLS-PSK (pre-shared keys), this function is called with optional identity `hint` provided by the server or `null` in case of TLS 1.3 where `hint` was removed. It will be necessary to provide a custom `tls.checkServerIdentity()` for the connection as the default one will try to check hostname/IP of the server against the certificate but that's not applicable for PSK because there won't be a certificate present. More information can be found in the RFC 4279.
- requestCert?: boolean
If true the server will request a certificate from clients that connect and attempt to verify that certificate. Defaults to false.
- secureOptions?: number
Optionally affect the OpenSSL protocol behavior, which is not usually necessary. This should be used carefully if at all! Value is a numeric bitmask of the SSL_OP_* options from OpenSSL Options.
- secureProtocol?: string
Legacy mechanism to select the TLS protocol version to use, it does not support independent control of the minimum and maximum version, and does not support limiting the protocol to TLSv1.3. Use minVersion and maxVersion instead. The possible values are listed as SSL_METHODS, use the function names as strings. For example, use 'TLSv1_1_method' to force TLS version 1.1, or 'TLS_method' to allow any TLS protocol version up to TLSv1.3. It is not recommended to use TLS versions less than 1.2, but it may be required for interoperability. Default: none, see minVersion.
- sessionIdContext?: string
Opaque identifier used by servers to ensure session state is not shared between applications. Unused by clients.
- sessionTimeout?: number
The number of seconds after which a TLS session created by the server will no longer be resumable. See Session Resumption for more information. Default: 300.
- sigalgs?: string
Colon-separated list of supported signature algorithms. The list can contain digest algorithms (SHA256, MD5 etc.), public key algorithms (RSA-PSS, ECDSA etc.), combination of both (e.g. 'RSA+SHA384') or TLS v1.3 scheme names (e.g. rsa_pss_pss_sha512).
- SNICallback?: (servername: string, cb: (err: null | Error, ctx?: SecureContext) => void) => void
A function that will be called if the client supports the SNI TLS extension. Two arguments will be passed when called: servername and cb. SNICallback should invoke cb(null, ctx), where ctx is a SecureContext instance. (tls.createSecureContext(...) can be used to get a proper SecureContext.) If SNICallback wasn't provided, the default callback with the high-level API will be used (see below).
- ticketKeys?: Buffer<ArrayBufferLike>
48 bytes of cryptographically strong pseudo-random data. See Session Resumption for more information.
interface CipherNameAndProtocol
interface CommonConnectionOptions
- ALPNProtocols?: ArrayBufferView<ArrayBufferLike> | readonly string[]
An array of strings or a Buffer naming possible ALPN protocols. (Protocols should be ordered by their priority.)
- enableTrace?: boolean
When enabled, TLS packet trace information is written to `stderr`. This can be used to debug TLS connection problems.
- requestCert?: boolean
If true the server will request a certificate from clients that connect and attempt to verify that certificate. Defaults to false.
- SNICallback?: (servername: string, cb: (err: null | Error, ctx?: SecureContext) => void) => void
A function that will be called if the client supports the SNI TLS extension. Two arguments will be passed when called: servername and cb. SNICallback should invoke cb(null, ctx), where ctx is a SecureContext instance. (tls.createSecureContext(...) can be used to get a proper SecureContext.) If SNICallback wasn't provided, the default callback with the high-level API will be used (see below).
interface ConnectionOptions
- allowPartialTrustChain?: boolean
Treat intermediate (non-self-signed) certificates in the trust CA certificate list as trusted.
- ALPNCallback?: (arg: { protocols: string[]; servername: string }) => undefined | string
If set, this will be called when a client opens a connection using the ALPN extension. One argument will be passed to the callback: an object containing servername and protocols fields, respectively containing the server name from the SNI extension (if any) and an array of ALPN protocol name strings. The callback must return either one of the strings listed in protocols, which will be returned to the client as the selected ALPN protocol, or undefined, to reject the connection with a fatal alert. If a string is returned that does not match one of the client's ALPN protocols, an error will be thrown. This option cannot be used with the ALPNProtocols option, and setting both options will throw an error.
- ALPNProtocols?: ArrayBufferView<ArrayBufferLike> | readonly string[]
An array of strings or a Buffer naming possible ALPN protocols. (Protocols should be ordered by their priority.)
- cert?: string | Buffer<ArrayBufferLike> | string | Buffer<ArrayBufferLike>[]
Cert chains in PEM format. One cert chain should be provided per private key. Each cert chain should consist of the PEM formatted certificate for a provided private key, followed by the PEM formatted intermediate certificates (if any), in order, and not including the root CA (the root CA must be pre-known to the peer, see ca). When providing multiple cert chains, they do not have to be in the same order as their private keys in key. If the intermediate certificates are not provided, the peer will not be able to validate the certificate, and the handshake will fail.
- ciphers?: string
Cipher suite specification, replacing the default. For more information, see modifying the default cipher suite. Permitted ciphers can be obtained via tls.getCiphers(). Cipher names must be uppercased in order for OpenSSL to accept them.
- ecdhCurve?: string
A string describing a named curve or a colon separated list of curve NIDs or names, for example P-521:P-384:P-256, to use for ECDH key agreement. Set to auto to select the curve automatically. Use crypto.getCurves() to obtain a list of available curve names. On recent releases, openssl ecparam -list_curves will also display the name and description of each available elliptic curve. Default: tls.DEFAULT_ECDH_CURVE.
- enableTrace?: boolean
When enabled, TLS packet trace information is written to stderr. This can be used to debug TLS connection problems.
- honorCipherOrder?: boolean
Attempt to use the server's cipher suite preferences instead of the client's. When true, causes SSL_OP_CIPHER_SERVER_PREFERENCE to be set in secureOptions
- key?: string | Buffer<ArrayBufferLike> | string | Buffer<ArrayBufferLike> | KeyObject[]
Private keys in PEM format. PEM allows the option of private keys being encrypted. Encrypted keys will be decrypted with options.passphrase. Multiple keys using different algorithms can be provided either as an array of unencrypted key strings or buffers, or an array of objects in the form {pem: <string|buffer>[, passphrase: <string>]}. The object form can only occur in an array. object.passphrase is optional. Encrypted keys will be decrypted with object.passphrase if provided, or options.passphrase if it is not.
- maxVersion?: SecureVersion
Optionally set the maximum TLS version to allow. One of 'TLSv1.3', 'TLSv1.2', 'TLSv1.1', or 'TLSv1'. Cannot be specified along with the secureProtocol option, use one or the other. Default: 'TLSv1.3', unless changed using CLI options. Using --tls-max-v1.2 sets the default to 'TLSv1.2'. Using --tls-max-v1.3 sets the default to 'TLSv1.3'. If multiple of the options are provided, the highest maximum is used.
- minVersion?: SecureVersion
Optionally set the minimum TLS version to allow. One of 'TLSv1.3', 'TLSv1.2', 'TLSv1.1', or 'TLSv1'. Cannot be specified along with the secureProtocol option, use one or the other. It is not recommended to use less than TLSv1.2, but it may be required for interoperability. Default: 'TLSv1.2', unless changed using CLI options. Using --tls-v1.0 sets the default to 'TLSv1'. Using --tls-v1.1 sets the default to 'TLSv1.1'. Using --tls-min-v1.3 sets the default to 'TLSv1.3'. If multiple of the options are provided, the lowest minimum is used.
- pfx?: string | Buffer<ArrayBufferLike> | string | Buffer<ArrayBufferLike> | PxfObject[]
PFX or PKCS12 encoded private key and certificate chain. pfx is an alternative to providing key and cert individually. PFX is usually encrypted, if it is, passphrase will be used to decrypt it. Multiple PFX can be provided either as an array of unencrypted PFX buffers, or an array of objects in the form {buf: <string|buffer>[, passphrase: <string>]}. The object form can only occur in an array. object.passphrase is optional. Encrypted PFX will be decrypted with object.passphrase if provided, or options.passphrase if it is not.
- pskCallback?: (hint: null | string) => null | PSKCallbackNegotation
When negotiating TLS-PSK (pre-shared keys), this function is called with optional identity hint provided by the server or null in case of TLS 1.3 where hint was removed. It will be necessary to provide a custom tls.checkServerIdentity() for the connection as the default one will try to check hostname/IP of the server against the certificate but that's not applicable for PSK because there won't be a certificate present. More information can be found in the RFC 4279.
- requestCert?: boolean
If true the server will request a certificate from clients that connect and attempt to verify that certificate. Defaults to false.
- secureOptions?: number
Optionally affect the OpenSSL protocol behavior, which is not usually necessary. This should be used carefully if at all! Value is a numeric bitmask of the SSL_OP_* options from OpenSSL Options
- secureProtocol?: string
Legacy mechanism to select the TLS protocol version to use, it does not support independent control of the minimum and maximum version, and does not support limiting the protocol to TLSv1.3. Use minVersion and maxVersion instead. The possible values are listed as SSL_METHODS, use the function names as strings. For example, use 'TLSv1_1_method' to force TLS version 1.1, or 'TLS_method' to allow any TLS protocol version up to TLSv1.3. It is not recommended to use TLS versions less than 1.2, but it may be required for interoperability. Default: none, see minVersion.
- sessionIdContext?: string
Opaque identifier used by servers to ensure session state is not shared between applications. Unused by clients.
- sessionTimeout?: number
The number of seconds after which a TLS session created by the server will no longer be resumable. See Session Resumption for more information. Default: 300.
- sigalgs?: string
Colon-separated list of supported signature algorithms. The list can contain digest algorithms (SHA256, MD5 etc.), public key algorithms (RSA-PSS, ECDSA etc.), a combination of both (e.g. 'RSA+SHA384') or TLS v1.3 scheme names (e.g. rsa_pss_pss_sha512).
- SNICallback?: (servername: string, cb: (err: null | Error, ctx?: SecureContext) => void) => void
SNICallback(servername, cb) <Function> A function that will be called if the client supports SNI TLS extension. Two arguments will be passed when called: servername and cb. SNICallback should invoke cb(null, ctx), where ctx is a SecureContext instance. (tls.createSecureContext(...) can be used to get a proper SecureContext.) If SNICallback wasn't provided the default callback with high-level API will be used (see below).
- ticketKeys?: Buffer<ArrayBufferLike>
48 bytes of cryptographically strong pseudo-random data. See Session Resumption for more information.
interface DetailedPeerCertificate
- asn1Curve?: string
The ASN.1 name of the OID of the elliptic curve. Well-known curves are identified by an OID. While it is unusual, it is possible that the curve is identified by its mathematical properties, in which case it will not have an OID.
- fingerprint: string
The SHA-1 digest of the DER encoded certificate. It is returned as a : separated hexadecimal string.
- fingerprint256: string
The SHA-256 digest of the DER encoded certificate. It is returned as a : separated hexadecimal string.
- fingerprint512: string
The SHA-512 digest of the DER encoded certificate. It is returned as a : separated hexadecimal string.
- issuerCertificate: DetailedPeerCertificate
The issuer certificate object. For self-signed certificates, this may be a circular reference.
- nistCurve?: string
The NIST name for the elliptic curve, if it has one (not all well-known curves have been assigned names by NIST).
- subjectaltname?: string
A string containing concatenated names for the subject, an alternative to the subject names.
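A pin check over the certificate objects described above, as an added example (not Node.js or Bun code): it walks issuerCertificate from the leaf, stops at the circular reference a self-signed root produces, and compares each fingerprint256 against a pin list. The helper names and every fingerprint value are constructed for illustration.

```javascript
// Added example: works on the object shape of a DetailedPeerCertificate
// (fingerprint256 + issuerCertificate). No network access is needed.

// Normalise a pin to the fingerprint256 format: colon-separated hex, upper case.
function normalizeFingerprint256(fp) {
  const hex = String(fp).replace(/[:\s]/g, '').toUpperCase();
  if (!/^[0-9A-F]{64}$/.test(hex)) {
    throw new TypeError('not a SHA-256 fingerprint: ' + fp);
  }
  return hex.match(/../g).join(':');
}

// Walk leaf -> issuer -> ... and collect fingerprint256 of each certificate.
// Stops when the issuer is missing, when a fingerprint repeats (the circular
// reference of a self-signed certificate), or when maxDepth is reached.
function chainFingerprints(cert, maxDepth = 10) {
  const chain = [];
  let cur = cert;
  while (cur && typeof cur.fingerprint256 === 'string' && chain.length < maxDepth) {
    const fp = normalizeFingerprint256(cur.fingerprint256);
    if (chain.includes(fp)) break;
    chain.push(fp);
    cur = cur.issuerCertificate;
  }
  return chain;
}

// Returns whether any certificate in the chain is pinned, and at which depth
// (0 = leaf). An empty certificate object (no peer certificate) never matches.
function checkPins(cert, pins) {
  const pinned = new Set(pins.map(normalizeFingerprint256));
  const chain = chainFingerprints(cert);
  const depth = chain.findIndex((fp) => pinned.has(fp));
  return { ok: depth !== -1, depth, chainLength: chain.length };
}

// Constructed sample chain; the fingerprints are placeholders, not real digests.
const sampleFp = (byte) => Array(32).fill(byte).join(':');
const sampleRoot = { subject: { CN: 'Example Root' }, fingerprint256: sampleFp('CC') };
sampleRoot.issuerCertificate = sampleRoot; // self-signed: circular reference
const sampleIntermediate = {
  subject: { CN: 'Example Intermediate' },
  fingerprint256: sampleFp('BB'),
  issuerCertificate: sampleRoot,
};
const sampleLeaf = {
  subject: { CN: 'service.example' },
  fingerprint256: sampleFp('AA'),
  issuerCertificate: sampleIntermediate,
};

console.log(checkPins(sampleLeaf, ['bb'.repeat(32)]));
```
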
interface EphemeralKeyInfo
interface KeyObject
interface PeerCertificate
- asn1Curve?: string
The ASN.1 name of the OID of the elliptic curve. Well-known curves are identified by an OID. While it is unusual, it is possible that the curve is identified by its mathematical properties, in which case it will not have an OID.
- fingerprint: string
The SHA-1 digest of the DER encoded certificate. It is returned as a : separated hexadecimal string.
- fingerprint256: string
The SHA-256 digest of the DER encoded certificate. It is returned as a : separated hexadecimal string.
- fingerprint512: string
The SHA-512 digest of the DER encoded certificate. It is returned as a : separated hexadecimal string.
- nistCurve?: string
The NIST name for the elliptic curve, if it has one (not all well-known curves have been assigned names by NIST).
- subjectaltname?: string
A string containing concatenated names for the subject, an alternative to the subject names.
interface PSKCallbackNegotation
interface PxfObject
interface SecureContext
interface SecureContextOptions
- allowPartialTrustChain?: boolean
Treat intermediate (non-self-signed) certificates in the trust CA certificate list as trusted.
- ALPNCallback?: (arg: { protocols: string[]; servername: string }) => undefined | string
If set, this will be called when a client opens a connection using the ALPN extension. One argument will be passed to the callback: an object containing servername and protocols fields, respectively containing the server name from the SNI extension (if any) and an array of ALPN protocol name strings. The callback must return either one of the strings listed in protocols, which will be returned to the client as the selected ALPN protocol, or undefined, to reject the connection with a fatal alert. If a string is returned that does not match one of the client's ALPN protocols, an error will be thrown. This option cannot be used with the ALPNProtocols option, and setting both options will throw an error.
- cert?: string | Buffer<ArrayBufferLike> | string | Buffer<ArrayBufferLike>[]
Cert chains in PEM format. One cert chain should be provided per private key. Each cert chain should consist of the PEM formatted certificate for a provided private key, followed by the PEM formatted intermediate certificates (if any), in order, and not including the root CA (the root CA must be pre-known to the peer, see ca). When providing multiple cert chains, they do not have to be in the same order as their private keys in key. If the intermediate certificates are not provided, the peer will not be able to validate the certificate, and the handshake will fail.
- ciphers?: string
Cipher suite specification, replacing the default. For more information, see modifying the default cipher suite. Permitted ciphers can be obtained via tls.getCiphers(). Cipher names must be uppercased in order for OpenSSL to accept them.
- ecdhCurve?: string
A string describing a named curve or a colon separated list of curve NIDs or names, for example P-521:P-384:P-256, to use for ECDH key agreement. Set to auto to select the curve automatically. Use crypto.getCurves() to obtain a list of available curve names. On recent releases, openssl ecparam -list_curves will also display the name and description of each available elliptic curve. Default: tls.DEFAULT_ECDH_CURVE.
- honorCipherOrder?: boolean
Attempt to use the server's cipher suite preferences instead of the client's. When true, causes SSL_OP_CIPHER_SERVER_PREFERENCE to be set in secureOptions
- key?: string | Buffer<ArrayBufferLike> | string | Buffer<ArrayBufferLike> | KeyObject[]
Private keys in PEM format. PEM allows the option of private keys being encrypted. Encrypted keys will be decrypted with options.passphrase. Multiple keys using different algorithms can be provided either as an array of unencrypted key strings or buffers, or an array of objects in the form {pem: <string|buffer>[, passphrase: <string>]}. The object form can only occur in an array. object.passphrase is optional. Encrypted keys will be decrypted with object.passphrase if provided, or options.passphrase if it is not.
- maxVersion?: SecureVersion
Optionally set the maximum TLS version to allow. One of 'TLSv1.3', 'TLSv1.2', 'TLSv1.1', or 'TLSv1'. Cannot be specified along with the secureProtocol option, use one or the other. Default: 'TLSv1.3', unless changed using CLI options. Using --tls-max-v1.2 sets the default to 'TLSv1.2'. Using --tls-max-v1.3 sets the default to 'TLSv1.3'. If multiple of the options are provided, the highest maximum is used.
- minVersion?: SecureVersion
Optionally set the minimum TLS version to allow. One of 'TLSv1.3', 'TLSv1.2', 'TLSv1.1', or 'TLSv1'. Cannot be specified along with the secureProtocol option, use one or the other. It is not recommended to use less than TLSv1.2, but it may be required for interoperability. Default: 'TLSv1.2', unless changed using CLI options. Using --tls-v1.0 sets the default to 'TLSv1'. Using --tls-v1.1 sets the default to 'TLSv1.1'. Using --tls-min-v1.3 sets the default to 'TLSv1.3'. If multiple of the options are provided, the lowest minimum is used.
- pfx?: string | Buffer<ArrayBufferLike> | string | Buffer<ArrayBufferLike> | PxfObject[]
PFX or PKCS12 encoded private key and certificate chain. pfx is an alternative to providing key and cert individually. PFX is usually encrypted, if it is, passphrase will be used to decrypt it. Multiple PFX can be provided either as an array of unencrypted PFX buffers, or an array of objects in the form {buf: <string|buffer>[, passphrase: <string>]}. The object form can only occur in an array. object.passphrase is optional. Encrypted PFX will be decrypted with object.passphrase if provided, or options.passphrase if it is not.
- secureOptions?: number
Optionally affect the OpenSSL protocol behavior, which is not usually necessary. This should be used carefully if at all! Value is a numeric bitmask of the SSL_OP_* options from OpenSSL Options
- secureProtocol?: string
Legacy mechanism to select the TLS protocol version to use, it does not support independent control of the minimum and maximum version, and does not support limiting the protocol to TLSv1.3. Use minVersion and maxVersion instead. The possible values are listed as SSL_METHODS, use the function names as strings. For example, use 'TLSv1_1_method' to force TLS version 1.1, or 'TLS_method' to allow any TLS protocol version up to TLSv1.3. It is not recommended to use TLS versions less than 1.2, but it may be required for interoperability. Default: none, see minVersion.
- sessionIdContext?: string
Opaque identifier used by servers to ensure session state is not shared between applications. Unused by clients.
- sessionTimeout?: number
The number of seconds after which a TLS session created by the server will no longer be resumable. See Session Resumption for more information. Default: 300.
- sigalgs?: string
Colon-separated list of supported signature algorithms. The list can contain digest algorithms (SHA256, MD5 etc.), public key algorithms (RSA-PSS, ECDSA etc.), a combination of both (e.g. 'RSA+SHA384') or TLS v1.3 scheme names (e.g. rsa_pss_pss_sha512).
- ticketKeys?: Buffer<ArrayBufferLike>
48 bytes of cryptographically strong pseudo-random data. See Session Resumption for more information.
interface TlsOptions
- allowPartialTrustChain?: boolean
Treat intermediate (non-self-signed) certificates in the trust CA certificate list as trusted.
- ALPNCallback?: (arg: { protocols: string[]; servername: string }) => undefined | string
If set, this will be called when a client opens a connection using the ALPN extension. One argument will be passed to the callback: an object containing servername and protocols fields, respectively containing the server name from the SNI extension (if any) and an array of ALPN protocol name strings. The callback must return either one of the strings listed in protocols, which will be returned to the client as the selected ALPN protocol, or undefined, to reject the connection with a fatal alert. If a string is returned that does not match one of the client's ALPN protocols, an error will be thrown. This option cannot be used with the ALPNProtocols option, and setting both options will throw an error.
- ALPNProtocols?: ArrayBufferView<ArrayBufferLike> | readonly string[]
An array of strings or a Buffer naming possible ALPN protocols. (Protocols should be ordered by their priority.)
- blockList?: BlockList
blockList can be used for disabling inbound access to specific IP addresses, IP ranges, or IP subnets. This does not work if the server is behind a reverse proxy, NAT, etc. because the address checked against the block list is the address of the proxy, or the one specified by the NAT.
- cert?: string | Buffer<ArrayBufferLike> | string | Buffer<ArrayBufferLike>[]
Cert chains in PEM format. One cert chain should be provided per private key. Each cert chain should consist of the PEM formatted certificate for a provided private key, followed by the PEM formatted intermediate certificates (if any), in order, and not including the root CA (the root CA must be pre-known to the peer, see ca). When providing multiple cert chains, they do not have to be in the same order as their private keys in key. If the intermediate certificates are not provided, the peer will not be able to validate the certificate, and the handshake will fail.
- ciphers?: string
Cipher suite specification, replacing the default. For more information, see modifying the default cipher suite. Permitted ciphers can be obtained via tls.getCiphers(). Cipher names must be uppercased in order for OpenSSL to accept them.
- ecdhCurve?: string
A string describing a named curve or a colon separated list of curve NIDs or names, for example P-521:P-384:P-256, to use for ECDH key agreement. Set to auto to select the curve automatically. Use crypto.getCurves() to obtain a list of available curve names. On recent releases, openssl ecparam -list_curves will also display the name and description of each available elliptic curve. Default: tls.DEFAULT_ECDH_CURVE.
- enableTrace?: boolean
When enabled, TLS packet trace information is written to stderr. This can be used to debug TLS connection problems.
- handshakeTimeout?: number
Abort the connection if the SSL/TLS handshake does not finish in the specified number of milliseconds. A 'tlsClientError' is emitted on the tls.Server object whenever a handshake times out. Default: 120000 (120 seconds).
- highWaterMark?: number
Optionally overrides all net.Sockets' readableHighWaterMark and writableHighWaterMark.
- honorCipherOrder?: boolean
Attempt to use the server's cipher suite preferences instead of the client's. When true, causes SSL_OP_CIPHER_SERVER_PREFERENCE to be set in secureOptions
- keepAlive?: boolean
If set to true, it enables keep-alive functionality on the socket immediately after a new incoming connection is received, similar to what is done in socket.setKeepAlive([enable][, initialDelay]).
- keepAliveInitialDelay?: number
If set to a positive number, it sets the initial delay before the first keepalive probe is sent on an idle socket.
- key?: string | Buffer<ArrayBufferLike> | string | Buffer<ArrayBufferLike> | KeyObject[]
Private keys in PEM format. PEM allows the option of private keys being encrypted. Encrypted keys will be decrypted with options.passphrase. Multiple keys using different algorithms can be provided either as an array of unencrypted key strings or buffers, or an array of objects in the form {pem: <string|buffer>[, passphrase: <string>]}. The object form can only occur in an array. object.passphrase is optional. Encrypted keys will be decrypted with object.passphrase if provided, or options.passphrase if it is not.
- maxVersion?: SecureVersion
Optionally set the maximum TLS version to allow. One of 'TLSv1.3', 'TLSv1.2', 'TLSv1.1', or 'TLSv1'. Cannot be specified along with the secureProtocol option, use one or the other. Default: 'TLSv1.3', unless changed using CLI options. Using --tls-max-v1.2 sets the default to 'TLSv1.2'. Using --tls-max-v1.3 sets the default to 'TLSv1.3'. If multiple of the options are provided, the highest maximum is used.
- minVersion?: SecureVersion
Optionally set the minimum TLS version to allow. One of 'TLSv1.3', 'TLSv1.2', 'TLSv1.1', or 'TLSv1'. Cannot be specified along with the secureProtocol option, use one or the other. It is not recommended to use less than TLSv1.2, but it may be required for interoperability. Default: 'TLSv1.2', unless changed using CLI options. Using --tls-v1.0 sets the default to 'TLSv1'. Using --tls-v1.1 sets the default to 'TLSv1.1'. Using --tls-min-v1.3 sets the default to 'TLSv1.3'. If multiple of the options are provided, the lowest minimum is used.
- noDelay?: boolean
If set to true, it disables the use of Nagle's algorithm immediately after a new incoming connection is received.
- pfx?: string | Buffer<ArrayBufferLike> | string | Buffer<ArrayBufferLike> | PxfObject[]
PFX or PKCS12 encoded private key and certificate chain. pfx is an alternative to providing key and cert individually. PFX is usually encrypted, if it is, passphrase will be used to decrypt it. Multiple PFX can be provided either as an array of unencrypted PFX buffers, or an array of objects in the form {buf: <string|buffer>[, passphrase: <string>]}. The object form can only occur in an array. object.passphrase is optional. Encrypted PFX will be decrypted with object.passphrase if provided, or options.passphrase if it is not.
- pskIdentityHint?: string
Hint to send to a client to help with selecting the identity during TLS-PSK negotiation. Will be ignored in TLS 1.3. Upon failing to set pskIdentityHint, tlsClientError will be emitted with ERR_TLS_PSK_SET_IDENTIY_HINT_FAILED code.
- requestCert?: boolean
If true the server will request a certificate from clients that connect and attempt to verify that certificate. Defaults to false.
- secureOptions?: number
Optionally affect the OpenSSL protocol behavior, which is not usually necessary. This should be used carefully if at all! Value is a numeric bitmask of the SSL_OP_* options from OpenSSL Options
- secureProtocol?: string
Legacy mechanism to select the TLS protocol version to use, it does not support independent control of the minimum and maximum version, and does not support limiting the protocol to TLSv1.3. Use minVersion and maxVersion instead. The possible values are listed as SSL_METHODS, use the function names as strings. For example, use 'TLSv1_1_method' to force TLS version 1.1, or 'TLS_method' to allow any TLS protocol version up to TLSv1.3. It is not recommended to use TLS versions less than 1.2, but it may be required for interoperability. Default: none, see minVersion.
- sessionIdContext?: string
Opaque identifier used by servers to ensure session state is not shared between applications. Unused by clients.
- sessionTimeout?: number
The number of seconds after which a TLS session created by the server will no longer be resumable. See Session Resumption for more information. Default: 300.
- sigalgs?: string
Colon-separated list of supported signature algorithms. The list can contain digest algorithms (SHA256, MD5 etc.), public key algorithms (RSA-PSS, ECDSA etc.), a combination of both (e.g. 'RSA+SHA384') or TLS v1.3 scheme names (e.g. rsa_pss_pss_sha512).
- SNICallback?: (servername: string, cb: (err: null | Error, ctx?: SecureContext) => void) => void
SNICallback(servername, cb) <Function> A function that will be called if the client supports SNI TLS extension. Two arguments will be passed when called: servername and cb. SNICallback should invoke cb(null, ctx), where ctx is a SecureContext instance. (tls.createSecureContext(...) can be used to get a proper SecureContext.) If SNICallback wasn't provided the default callback with high-level API will be used (see below).
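An added example, not part of the Node.js or Bun documentation: a small audit of a TlsOptions object against the constraints stated above (versions below TLSv1.2, secureProtocol combined with minVersion/maxVersion, ALPNCallback combined with ALPNProtocols, ticketKeys that are not 48 bytes, weak digests in sigalgs), plus an ALPNCallback that returns undefined when no offered protocol is acceptable. auditTlsOptions, makeAlpnCallback and both sample option objects are hypothetical names and constructed values.

```javascript
// Added example. Option names come from the TlsOptions list above; everything
// else (function names, sample objects, the 10 s timeout) is constructed.
const VERSION_RANK = new Map([['TLSv1', 0], ['TLSv1.1', 1], ['TLSv1.2', 2], ['TLSv1.3', 3]]);

// ALPNCallback factory: pick the first server-preferred protocol the client
// offered; returning undefined rejects the connection with a fatal alert.
function makeAlpnCallback(serverPreference) {
  return ({ protocols }) => serverPreference.find((p) => protocols.includes(p));
}

function auditTlsOptions(opts) {
  const findings = [];
  const add = (level, option, message) => findings.push({ level, option, message });

  for (const key of ['minVersion', 'maxVersion']) {
    const v = opts[key];
    if (v === undefined) continue;
    if (!VERSION_RANK.has(v)) add('error', key, `not a SecureVersion: ${v}`);
    else if (VERSION_RANK.get(v) < VERSION_RANK.get('TLSv1.2')) add('warn', key, `${v} is below TLSv1.2`);
  }
  if (VERSION_RANK.get(opts.minVersion) > VERSION_RANK.get(opts.maxVersion)) {
    add('error', 'minVersion', 'minVersion is higher than maxVersion');
  }
  if (opts.secureProtocol !== undefined) {
    if (opts.minVersion !== undefined || opts.maxVersion !== undefined) {
      add('error', 'secureProtocol', 'cannot be specified along with minVersion/maxVersion');
    } else {
      add('warn', 'secureProtocol', 'legacy selector; use minVersion and maxVersion instead');
    }
    // 'TLSv1_method' / 'TLSv1_1_method' force a single old protocol version.
    if (/^TLSv1(_1)?_(client_|server_)?method$/.test(opts.secureProtocol)) {
      add('warn', 'secureProtocol', `${opts.secureProtocol} forces a version below TLSv1.2`);
    }
  }
  if (opts.ALPNCallback !== undefined && opts.ALPNProtocols !== undefined) {
    add('error', 'ALPNCallback', 'cannot be used with ALPNProtocols; setting both throws');
  }
  if (opts.ticketKeys !== undefined &&
      !(Buffer.isBuffer(opts.ticketKeys) && opts.ticketKeys.length === 48)) {
    add('error', 'ticketKeys', 'must be a Buffer of exactly 48 bytes');
  }
  if (typeof opts.sigalgs === 'string') {
    for (const entry of opts.sigalgs.split(':')) {
      if (/(^|[+_])(md5|sha1)$/i.test(entry)) add('warn', 'sigalgs', `${entry} uses a weak digest`);
    }
  }
  if (opts.allowPartialTrustChain === true) {
    add('warn', 'allowPartialTrustChain', 'intermediate certificates in the CA list are treated as trusted');
  }
  if (opts.enableTrace === true) {
    add('warn', 'enableTrace', 'TLS packet trace is written to stderr; debugging only');
  }
  return findings;
}

// Constructed weak configuration.
const weakOptions = {
  minVersion: 'TLSv1',
  secureProtocol: 'TLSv1_1_method',
  ALPNProtocols: ['h2', 'http/1.1'],
  ALPNCallback: makeAlpnCallback(['h2']),
  sigalgs: 'RSA+SHA384:RSA+SHA1',
  ticketKeys: Buffer.alloc(16),
  enableTrace: true,
};

// Constructed corrected configuration (key/cert omitted; the audit does not read them).
const hardenedOptions = {
  minVersion: 'TLSv1.2',
  maxVersion: 'TLSv1.3',
  ALPNCallback: makeAlpnCallback(['h2', 'http/1.1']),
  sigalgs: 'ecdsa_secp256r1_sha256:rsa_pss_rsae_sha256:RSA+SHA384',
  honorCipherOrder: true,
  handshakeTimeout: 10000,
};

for (const f of auditTlsOptions(weakOptions)) console.log(`${f.level}\t${f.option}\t${f.message}`);
console.log('hardened findings:', auditTlsOptions(hardenedOptions).length);
```
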
interface TLSSocketOptions
- allowPartialTrustChain?: boolean
Treat intermediate (non-self-signed) certificates in the trust CA certificate list as trusted.
- ALPNCallback?: (arg: { protocols: string[]; servername: string }) => undefined | string
If set, this will be called when a client opens a connection using the ALPN extension. One argument will be passed to the callback: an object containing servername and protocols fields, respectively containing the server name from the SNI extension (if any) and an array of ALPN protocol name strings. The callback must return either one of the strings listed in protocols, which will be returned to the client as the selected ALPN protocol, or undefined, to reject the connection with a fatal alert. If a string is returned that does not match one of the client's ALPN protocols, an error will be thrown. This option cannot be used with the ALPNProtocols option, and setting both options will throw an error.
- ALPNProtocols?: ArrayBufferView<ArrayBufferLike> | readonly string[]
An array of strings or a Buffer naming possible ALPN protocols. (Protocols should be ordered by their priority.)
- cert?: string | Buffer<ArrayBufferLike> | string | Buffer<ArrayBufferLike>[]
Cert chains in PEM format. One cert chain should be provided per private key. Each cert chain should consist of the PEM formatted certificate for a provided private key, followed by the PEM formatted intermediate certificates (if any), in order, and not including the root CA (the root CA must be pre-known to the peer, see ca). When providing multiple cert chains, they do not have to be in the same order as their private keys in key. If the intermediate certificates are not provided, the peer will not be able to validate the certificate, and the handshake will fail.
- ciphers?: string
Cipher suite specification, replacing the default. For more information, see modifying the default cipher suite. Permitted ciphers can be obtained via tls.getCiphers(). Cipher names must be uppercased in order for OpenSSL to accept them.
- ecdhCurve?: string
A string describing a named curve or a colon separated list of curve NIDs or names, for example P-521:P-384:P-256, to use for ECDH key agreement. Set to auto to select the curve automatically. Use crypto.getCurves() to obtain a list of available curve names. On recent releases, openssl ecparam -list_curves will also display the name and description of each available elliptic curve. Default: tls.DEFAULT_ECDH_CURVE.
- enableTrace?: boolean
When enabled, TLS packet trace information is written to stderr. This can be used to debug TLS connection problems.
- honorCipherOrder?: boolean
Attempt to use the server's cipher suite preferences instead of the client's. When true, causes SSL_OP_CIPHER_SERVER_PREFERENCE to be set in secureOptions
- key?: string | Buffer<ArrayBufferLike> | string | Buffer<ArrayBufferLike> | KeyObject[]
Private keys in PEM format. PEM allows the option of private keys being encrypted. Encrypted keys will be decrypted with options.passphrase. Multiple keys using different algorithms can be provided either as an array of unencrypted key strings or buffers, or an array of objects in the form {pem: <string|buffer>[, passphrase: <string>]}. The object form can only occur in an array. object.passphrase is optional. Encrypted keys will be decrypted with object.passphrase if provided, or options.passphrase if it is not.
- maxVersion?: SecureVersion
Optionally set the maximum TLS version to allow. One of 'TLSv1.3', 'TLSv1.2', 'TLSv1.1', or 'TLSv1'. Cannot be specified along with the secureProtocol option, use one or the other. Default: 'TLSv1.3', unless changed using CLI options. Using --tls-max-v1.2 sets the default to 'TLSv1.2'. Using --tls-max-v1.3 sets the default to 'TLSv1.3'. If multiple of the options are provided, the highest maximum is used.
- minVersion?: SecureVersion
Optionally set the minimum TLS version to allow. One of 'TLSv1.3', 'TLSv1.2', 'TLSv1.1', or 'TLSv1'. Cannot be specified along with the secureProtocol option, use one or the other. It is not recommended to use less than TLSv1.2, but it may be required for interoperability. Default: 'TLSv1.2', unless changed using CLI options. Using --tls-v1.0 sets the default to 'TLSv1'. Using --tls-v1.1 sets the default to 'TLSv1.1'. Using --tls-min-v1.3 sets the default to 'TLSv1.3'. If multiple of the options are provided, the lowest minimum is used.
- pfx?: string | Buffer<ArrayBufferLike> | string | Buffer<ArrayBufferLike> | PxfObject[]
PFX or PKCS12 encoded private key and certificate chain. pfx is an alternative to providing key and cert individually. PFX is usually encrypted, if it is, passphrase will be used to decrypt it. Multiple PFX can be provided either as an array of unencrypted PFX buffers, or an array of objects in the form {buf: <string|buffer>[, passphrase: <string>]}. The object form can only occur in an array. object.passphrase is optional. Encrypted PFX will be decrypted with object.passphrase if provided, or options.passphrase if it is not.
- requestCert?: boolean
If true the server will request a certificate from clients that connect and attempt to verify that certificate. Defaults to false.
- requestOCSP?: boolean
If true, specifies that the OCSP status request extension will be added to the client hello and an 'OCSPResponse' event will be emitted on the socket before establishing a secure communication
- secureOptions?: number
Optionally affect the OpenSSL protocol behavior, which is not usually necessary. This should be used carefully if at all! Value is a numeric bitmask of the SSL_OP_* options from OpenSSL Options
- secureProtocol?: string
Legacy mechanism to select the TLS protocol version to use, it does not support independent control of the minimum and maximum version, and does not support limiting the protocol to TLSv1.3. Use minVersion and maxVersion instead. The possible values are listed as SSL_METHODS, use the function names as strings. For example, use 'TLSv1_1_method' to force TLS version 1.1, or 'TLS_method' to allow any TLS protocol version up to TLSv1.3. It is not recommended to use TLS versions less than 1.2, but it may be required for interoperability. Default: none, see minVersion.
- sessionIdContext?: string
Opaque identifier used by servers to ensure session state is not shared between applications. Unused by clients.
- sessionTimeout?: number
The number of seconds after which a TLS session created by the server will no longer be resumable. See Session Resumption for more information. Default: 300.
- sigalgs?: string
Colon-separated list of supported signature algorithms. The list can contain digest algorithms (SHA256, MD5 etc.), public key algorithms (RSA-PSS, ECDSA etc.), a combination of both (e.g. 'RSA+SHA384') or TLS v1.3 scheme names (e.g. rsa_pss_pss_sha512).
- SNICallback?: (servername: string, cb: (err: null | Error, ctx?: SecureContext) => void) => void
SNICallback(servername, cb) <Function> A function that will be called if the client supports SNI TLS extension. Two arguments will be passed when called: servername and cb. SNICallback should invoke cb(null, ctx), where ctx is a SecureContext instance. (tls.createSecureContext(...) can be used to get a proper SecureContext.) If SNICallback wasn't provided the default callback with high-level API will be used (see below).
- ticketKeys?: Buffer<ArrayBufferLike>
48 bytes of cryptographically strong pseudo-random data. See Session Resumption for more information.
- type SecureVersion = 'TLSv1.3' | 'TLSv1.2' | 'TLSv1.1' | 'TLSv1'