Accepts encrypted connections using TLS or SSL.
Node.js module
tls
The `'node:tls'` module provides an API for implementing TLS and SSL secure network communication. It wraps OpenSSL to create secure TCP connections via `tls.createServer` and `tls.connect`.
Features include certificate parsing, client authorization, secure context management, and TLS session resumption.
Works in Bun
Core TLS/SSL functionality works. The deprecated `tls.createSecurePair` method is missing.
class Server
- maxConnections: number
Set this property to reject connections when the server's connection count gets high.
It is not recommended to use this option once a socket has been sent to a child with `child_process.fork()`.
- static captureRejections: boolean
Value: boolean
Change the default `captureRejections` option on all new `EventEmitter` objects.
- readonly static captureRejectionSymbol: typeof captureRejectionSymbol
Value: `Symbol.for('nodejs.rejection')`
See how to write a custom rejection handler.
- static defaultMaxListeners: number
By default, a maximum of `10` listeners can be registered for any single event. This limit can be changed for individual `EventEmitter` instances using the `emitter.setMaxListeners(n)` method. To change the default for all `EventEmitter` instances, the `events.defaultMaxListeners` property can be used. If this value is not a positive number, a `RangeError` is thrown.
Take caution when setting the `events.defaultMaxListeners` because the change affects all `EventEmitter` instances, including those created before the change is made. However, calling `emitter.setMaxListeners(n)` still has precedence over `events.defaultMaxListeners`.
This is not a hard limit. The `EventEmitter` instance will allow more listeners to be added but will output a trace warning to stderr indicating that a "possible EventEmitter memory leak" has been detected. For any single `EventEmitter`, the `emitter.getMaxListeners()` and `emitter.setMaxListeners()` methods can be used to temporarily avoid this warning:
```js
import { EventEmitter } from 'node:events';
const emitter = new EventEmitter();
emitter.setMaxListeners(emitter.getMaxListeners() + 1);
emitter.once('event', () => {
  // do stuff
  emitter.setMaxListeners(Math.max(emitter.getMaxListeners() - 1, 0));
});
```
The `--trace-warnings` command-line flag can be used to display the stack trace for such warnings.
The emitted warning can be inspected with `process.on('warning')` and will have the additional `emitter`, `type`, and `count` properties, referring to the event emitter instance, the event's name and the number of attached listeners, respectively. Its `name` property is set to `'MaxListenersExceededWarning'`.
- readonly static errorMonitor: typeof errorMonitor
This symbol shall be used to install a listener for only monitoring `'error'` events. Listeners installed using this symbol are called before the regular `'error'` listeners are called.
Installing a listener using this symbol does not change the behavior once an `'error'` event is emitted. Therefore, the process will still crash if no regular `'error'` listener is installed.
Calls () and returns a promise that fulfills when the server has closed.
- hostname: string,): void;
The `server.addContext()` method adds a secure context that will be used if the client request's SNI name matches the supplied `hostname` (or wildcard).
When there are multiple matching contexts, the most recently added one is used.
@param hostname A SNI host name or wildcard (e.g. `'*'`)
@param context An object containing any of the possible properties from the createSecureContext `options` arguments (e.g. `key`, `cert`, `ca`, etc), or a TLS context object created with createSecureContext itself.
- event: string,listener: (...args: any[]) => void): this;
events.EventEmitter
- tlsClientError
- newSession
- OCSPRequest
- resumeSession
- secureConnection
- keylog
event: 'tlsClientError',): this;
event: 'newSession',): this;
event: 'secureConnection',): this;
event: 'keylog',): this;
Returns the bound `address`, the address `family` name, and `port` of the server as reported by the operating system if listening on an IP socket (useful to find which port was assigned when getting an OS-assigned address): `{ port: 12346, family: 'IPv4', address: '127.0.0.1' }`.
For a server listening on a pipe or Unix domain socket, the name is returned as a string.
```js
import net from 'node:net';

const server = net.createServer((socket) => {
  socket.end('goodbye\n');
}).on('error', (err) => {
  // Handle errors here.
  throw err;
});

// Grab an arbitrary unused port.
server.listen(() => {
  console.log('opened server on', server.address());
});
```
`server.address()` returns `null` before the `'listening'` event has been emitted or after calling `server.close()`.
- ): this;
Stops the server from accepting new connections and keeps existing connections. This function is asynchronous, the server is finally closed when all connections are ended and the server emits a `'close'` event. The optional `callback` will be called once the `'close'` event occurs. Unlike that event, it will be called with an `Error` as its only argument if the server was not open when it was closed.
@param callback Called when the server is closed.
- emit(event: string | symbol,...args: any[]): boolean;
Synchronously calls each of the listeners registered for the event named `eventName`, in the order they were registered, passing the supplied arguments to each.
Returns `true` if the event had listeners, `false` otherwise.
```js
import { EventEmitter } from 'node:events';
const myEmitter = new EventEmitter();

// First listener
myEmitter.on('event', function firstListener() {
  console.log('Helloooo! first listener');
});
// Second listener
myEmitter.on('event', function secondListener(arg1, arg2) {
  console.log(`event with parameters ${arg1}, ${arg2} in second listener`);
});
// Third listener
myEmitter.on('event', function thirdListener(...args) {
  const parameters = args.join(', ');
  console.log(`event with parameters ${parameters} in third listener`);
});

console.log(myEmitter.listeners('event'));

myEmitter.emit('event', 1, 2, 3, 4, 5);

// Prints:
// [
//   [Function: firstListener],
//   [Function: secondListener],
//   [Function: thirdListener]
// ]
// Helloooo! first listener
// event with parameters 1, 2 in second listener
// event with parameters 1, 2, 3, 4, 5 in third listener
```
Returns an array listing the events for which the emitter has registered listeners. The values in the array are strings or `Symbol`s.
```js
import { EventEmitter } from 'node:events';

const myEE = new EventEmitter();
myEE.on('foo', () => {});
myEE.on('bar', () => {});

const sym = Symbol('symbol');
myEE.on(sym, () => {});

console.log(myEE.eventNames());
// Prints: [ 'foo', 'bar', Symbol(symbol) ]
```
- ): void;
Asynchronously get the number of concurrent connections on the server. Works when sockets were sent to forks.
Callback should take two arguments `err` and `count`.
Returns the current max listener value for the `EventEmitter` which is either set by `emitter.setMaxListeners(n)` or defaults to EventEmitter.defaultMaxListeners.
Returns the session ticket keys.
See Session Resumption for more information.
@returns A 48-byte buffer containing the session ticket keys.
- port?: number,hostname?: string,backlog?: number,listeningListener?: () => void): this;
Start a server listening for connections. A `net.Server` can be a TCP or an `IPC` server depending on what it listens to.
Possible signatures:
- `server.listen(handle[, backlog][, callback])`
- `server.listen(options[, callback])`
- `server.listen(path[, backlog][, callback])` for `IPC` servers
- `server.listen([port[, host[, backlog]]][, callback])` for TCP servers
This function is asynchronous. When the server starts listening, the `'listening'` event will be emitted. The last parameter `callback` will be added as a listener for the `'listening'` event.
All `listen()` methods can take a `backlog` parameter to specify the maximum length of the queue of pending connections. The actual length will be determined by the OS through sysctl settings such as `tcp_max_syn_backlog` and `somaxconn` on Linux. The default value of this parameter is 511 (not 512).
All Socket are set to `SO_REUSEADDR` (see `socket(7)` for details).
The `server.listen()` method can be called again if and only if there was an error during the first `server.listen()` call or `server.close()` has been called. Otherwise, an `ERR_SERVER_ALREADY_LISTEN` error will be thrown.
One of the most common errors raised when listening is `EADDRINUSE`. This happens when another server is already listening on the requested `port`/`path`/`handle`. One way to handle this would be to retry after a certain amount of time:
```js
server.on('error', (e) => {
  if (e.code === 'EADDRINUSE') {
    console.error('Address in use, retrying...');
    setTimeout(() => {
      server.close();
      server.listen(PORT, HOST);
    }, 1000);
  }
});
```
port?: number,hostname?: string,listeningListener?: () => void): this;
port?: number,backlog?: number,listeningListener?: () => void): this;
port?: number,listeningListener?: () => void): this;
path: string,backlog?: number,listeningListener?: () => void): this;
path: string,listeningListener?: () => void): this;
listeningListener?: () => void): this;
handle: any,backlog?: number,listeningListener?: () => void): this;
handle: any,listeningListener?: () => void): this;
- eventName: string | symbol,listener?: Function): number;
Returns the number of listeners listening for the event named `eventName`. If `listener` is provided, it will return how many times the listener is found in the list of the listeners of the event.
@param eventName The name of the event being listened for
@param listener The event handler function
- eventName: string | symbol): Function[];
Returns a copy of the array of listeners for the event named `eventName`.
```js
server.on('connection', (stream) => {
  console.log('someone connected!');
});
console.log(util.inspect(server.listeners('connection')));
// Prints: [ [Function] ]
```
- eventName: string | symbol,listener: (...args: any[]) => void): this;
Alias for `emitter.removeListener()`.
- on(event: string,listener: (...args: any[]) => void): this;
Adds the `listener` function to the end of the listeners array for the event named `eventName`. No checks are made to see if the `listener` has already been added. Multiple calls passing the same combination of `eventName` and `listener` will result in the `listener` being added, and called, multiple times.
```js
server.on('connection', (stream) => {
  console.log('someone connected!');
});
```
Returns a reference to the `EventEmitter`, so that calls can be chained.
By default, event listeners are invoked in the order they are added. The `emitter.prependListener()` method can be used as an alternative to add the event listener to the beginning of the listeners array.
```js
import { EventEmitter } from 'node:events';
const myEE = new EventEmitter();
myEE.on('foo', () => console.log('a'));
myEE.prependListener('foo', () => console.log('b'));
myEE.emit('foo');
// Prints:
//   b
//   a
```
@param listener The callback function
- once(event: string,listener: (...args: any[]) => void): this;
Adds a one-time `listener` function for the event named `eventName`. The next time `eventName` is triggered, this listener is removed and then invoked.
```js
server.once('connection', (stream) => {
  console.log('Ah, we have our first user!');
});
```
Returns a reference to the `EventEmitter`, so that calls can be chained.
By default, event listeners are invoked in the order they are added. The `emitter.prependOnceListener()` method can be used as an alternative to add the event listener to the beginning of the listeners array.
```js
import { EventEmitter } from 'node:events';
const myEE = new EventEmitter();
myEE.once('foo', () => console.log('a'));
myEE.prependOnceListener('foo', () => console.log('b'));
myEE.emit('foo');
// Prints:
//   b
//   a
```
@param listener The callback function
- event: string,listener: (...args: any[]) => void): this;
Adds the `listener` function to the beginning of the listeners array for the event named `eventName`. No checks are made to see if the `listener` has already been added. Multiple calls passing the same combination of `eventName` and `listener` will result in the `listener` being added, and called, multiple times.
```js
server.prependListener('connection', (stream) => {
  console.log('someone connected!');
});
```
Returns a reference to the `EventEmitter`, so that calls can be chained.
@param listener The callback function
event: 'tlsClientError',): this;
event: 'newSession',): this;
- event: string,listener: (...args: any[]) => void): this;
Adds a one-time `listener` function for the event named `eventName` to the beginning of the listeners array. The next time `eventName` is triggered, this listener is removed, and then invoked.
```js
server.prependOnceListener('connection', (stream) => {
  console.log('Ah, we have our first user!');
});
```
Returns a reference to the `EventEmitter`, so that calls can be chained.
@param listener The callback function
event: 'tlsClientError',): this;
event: 'newSession',): this;
- eventName: string | symbol): Function[];
Returns a copy of the array of listeners for the event named `eventName`, including any wrappers (such as those created by `.once()`).
```js
import { EventEmitter } from 'node:events';
const emitter = new EventEmitter();
emitter.once('log', () => console.log('log once'));

// Returns a new Array with a function `onceWrapper` which has a property
// `listener` which contains the original listener bound above
const listeners = emitter.rawListeners('log');
const logFnWrapper = listeners[0];

// Logs "log once" to the console and does not unbind the `once` event
logFnWrapper.listener();

// Logs "log once" to the console and removes the listener
logFnWrapper();

emitter.on('log', () => console.log('log persistently'));
// Will return a new Array with a single function bound by `.on()` above
const newListeners = emitter.rawListeners('log');

// Logs "log persistently" twice
newListeners[0]();
emitter.emit('log');
```
Opposite of `unref()`, calling `ref()` on a previously `unref`ed server will not let the program exit if it's the only server left (the default behavior). If the server is `ref`ed calling `ref()` again will have no effect.
- eventName?: string | symbol): this;
Removes all listeners, or those of the specified `eventName`.
It is bad practice to remove listeners added elsewhere in the code, particularly when the `EventEmitter` instance was created by some other component or module (e.g. sockets or file streams).
Returns a reference to the `EventEmitter`, so that calls can be chained.
- eventName: string | symbol,listener: (...args: any[]) => void): this;
Removes the specified `listener` from the listener array for the event named `eventName`.
```js
const callback = (stream) => {
  console.log('someone connected!');
};
server.on('connection', callback);
// ...
server.removeListener('connection', callback);
```
`removeListener()` will remove, at most, one instance of a listener from the listener array. If any single listener has been added multiple times to the listener array for the specified `eventName`, then `removeListener()` must be called multiple times to remove each instance.
Once an event is emitted, all listeners attached to it at the time of emitting are called in order. This implies that any `removeListener()` or `removeAllListeners()` calls after emitting and before the last listener finishes execution will not remove them from `emit()` in progress. Subsequent events behave as expected.
```js
import { EventEmitter } from 'node:events';
class MyEmitter extends EventEmitter {}
const myEmitter = new MyEmitter();

const callbackA = () => {
  console.log('A');
  myEmitter.removeListener('event', callbackB);
};

const callbackB = () => {
  console.log('B');
};

myEmitter.on('event', callbackA);

myEmitter.on('event', callbackB);

// callbackA removes listener callbackB but it will still be called.
// Internal listener array at time of emit [callbackA, callbackB]
myEmitter.emit('event');
// Prints:
//   A
//   B

// callbackB is now removed.
// Internal listener array [callbackA]
myEmitter.emit('event');
// Prints:
//   A
```
Because listeners are managed using an internal array, calling this will change the position indices of any listener registered after the listener being removed. This will not impact the order in which listeners are called, but it means that any copies of the listener array as returned by the `emitter.listeners()` method will need to be recreated.
When a single function has been added as a handler multiple times for a single event (as in the example below), `removeListener()` will remove the most recently added instance. In the example the `once('ping')` listener is removed:
```js
import { EventEmitter } from 'node:events';
const ee = new EventEmitter();

function pong() {
  console.log('pong');
}

ee.on('ping', pong);
ee.once('ping', pong);
ee.removeListener('ping', pong);

ee.emit('ping');
ee.emit('ping');
```
Returns a reference to the `EventEmitter`, so that calls can be chained.
- n: number): this;
By default `EventEmitter`s will print a warning if more than `10` listeners are added for a particular event. This is a useful default that helps finding memory leaks. The `emitter.setMaxListeners()` method allows the limit to be modified for this specific `EventEmitter` instance. The value can be set to `Infinity` (or `0`) to indicate an unlimited number of listeners.
Returns a reference to the `EventEmitter`, so that calls can be chained.
- ): void;
The `server.setSecureContext()` method replaces the secure context of an existing server. Existing connections to the server are not interrupted.
@param options An object containing any of the possible properties from the createSecureContext `options` arguments (e.g. `key`, `cert`, `ca`, etc).
- ): void;
Sets the session ticket keys.
Changes to the ticket keys are effective only for future server connections. Existing or currently pending server connections will use the previous keys.
See Session Resumption for more information.
@param keys A 48-byte buffer containing the session ticket keys.
Calling `unref()` on a server will allow the program to exit if this is the only active server in the event system. If the server is already `unref`ed calling `unref()` again will have no effect.
- ): Disposable;
Listens once to the `abort` event on the provided `signal`.
Listening to the `abort` event on abort signals is unsafe and may lead to resource leaks since another third party with the signal can call `e.stopImmediatePropagation()`. Unfortunately Node.js cannot change this since it would violate the web standard. Additionally, the original API makes it easy to forget to remove listeners.
This API allows safely using `AbortSignal`s in Node.js APIs by solving these two issues by listening to the event such that `stopImmediatePropagation` does not prevent the listener from running.
Returns a disposable so that it may be unsubscribed from more easily.
```js
import { addAbortListener } from 'node:events';

function example(signal) {
  let disposable;
  try {
    signal.addEventListener('abort', (e) => e.stopImmediatePropagation());
    disposable = addAbortListener(signal, (e) => {
      // Do something when signal is aborted.
    });
  } finally {
    disposable?.[Symbol.dispose]();
  }
}
```
@returns Disposable that removes the `abort` listener.
- name: string | symbol): Function[];
Returns a copy of the array of listeners for the event named `eventName`.
For `EventEmitter`s this behaves exactly the same as calling `.listeners` on the emitter.
For `EventTarget`s this is the only way to get the event listeners for the event target. This is useful for debugging and diagnostic purposes.
```js
import { getEventListeners, EventEmitter } from 'node:events';

{
  const ee = new EventEmitter();
  const listener = () => console.log('Events are fun');
  ee.on('foo', listener);
  console.log(getEventListeners(ee, 'foo')); // [ [Function: listener] ]
}
{
  const et = new EventTarget();
  const listener = () => console.log('Events are fun');
  et.addEventListener('foo', listener);
  console.log(getEventListeners(et, 'foo')); // [ [Function: listener] ]
}
```
- ): number;
Returns the currently set max amount of listeners.
For EventEmitters this behaves exactly the same as calling .getMaxListeners on the emitter.
For EventTargets this is the only way to get the max event listeners for the event target. If the number of event handlers on a single EventTarget exceeds the max set, the EventTarget will print a warning.
    import { getMaxListeners, setMaxListeners, EventEmitter } from 'node:events';

    {
      const ee = new EventEmitter();
      console.log(getMaxListeners(ee)); // 10
      setMaxListeners(11, ee);
      console.log(getMaxListeners(ee)); // 11
    }
    {
      const et = new EventTarget();
      console.log(getMaxListeners(et)); // 10
      setMaxListeners(11, et);
      console.log(getMaxListeners(et)); // 11
    }
- emitter: EventEmitter,eventName: string | symbol,options?: StaticEventEmitterIteratorOptions): AsyncIterator<any[]>;
    import { on, EventEmitter } from 'node:events';
    import process from 'node:process';

    const ee = new EventEmitter();

    // Emit later on
    process.nextTick(() => {
      ee.emit('foo', 'bar');
      ee.emit('foo', 42);
    });

    for await (const event of on(ee, 'foo')) {
      // The execution of this inner block is synchronous and it
      // processes one event at a time (even with await). Do not use
      // if concurrent execution is required.
      console.log(event); // prints ['bar'] [42]
    }
    // Unreachable here
Returns an AsyncIterator that iterates eventName events. It will throw if the EventEmitter emits 'error'. It removes all listeners when exiting the loop. The value returned by each iteration is an array composed of the emitted event arguments.
An AbortSignal can be used to cancel waiting on events:
    import { on, EventEmitter } from 'node:events';
    import process from 'node:process';

    const ac = new AbortController();

    (async () => {
      const ee = new EventEmitter();

      // Emit later on
      process.nextTick(() => {
        ee.emit('foo', 'bar');
        ee.emit('foo', 42);
      });

      for await (const event of on(ee, 'foo', { signal: ac.signal })) {
        // The execution of this inner block is synchronous and it
        // processes one event at a time (even with await). Do not use
        // if concurrent execution is required.
        console.log(event); // prints ['bar'] [42]
      }
      // Unreachable here
    })();

    process.nextTick(() => ac.abort());
Use the close option to specify an array of event names that will end the iteration:
    import { on, EventEmitter } from 'node:events';
    import process from 'node:process';

    const ee = new EventEmitter();

    // Emit later on
    process.nextTick(() => {
      ee.emit('foo', 'bar');
      ee.emit('foo', 42);
      ee.emit('close');
    });

    for await (const event of on(ee, 'foo', { close: ['close'] })) {
      console.log(event); // prints ['bar'] [42]
    }
    // the loop will exit after 'close' is emitted
    console.log('done'); // prints 'done'
@returns An AsyncIterator that iterates eventName events emitted by the emitter
eventName: string,options?: StaticEventEmitterIteratorOptions): AsyncIterator<any[]>;
- emitter: EventEmitter,eventName: string | symbol,options?: StaticEventEmitterOptions): Promise<any[]>;
Creates a Promise that is fulfilled when the EventEmitter emits the given event or that is rejected if the EventEmitter emits 'error' while waiting. The Promise will resolve with an array of all the arguments emitted to the given event.
This method is intentionally generic and works with the web platform EventTarget interface, which has no special 'error' event semantics and does not listen to the 'error' event.
    import { once, EventEmitter } from 'node:events';
    import process from 'node:process';

    const ee = new EventEmitter();

    process.nextTick(() => {
      ee.emit('myevent', 42);
    });

    const [value] = await once(ee, 'myevent');
    console.log(value);

    const err = new Error('kaboom');
    process.nextTick(() => {
      ee.emit('error', err);
    });

    try {
      await once(ee, 'myevent');
    } catch (err) {
      console.error('error happened', err);
    }
The special handling of the 'error' event is only used when events.once() is used to wait for another event. If events.once() is used to wait for the 'error' event itself, then it is treated as any other kind of event without special handling:
    import { EventEmitter, once } from 'node:events';

    const ee = new EventEmitter();

    once(ee, 'error')
      .then(([err]) => console.log('ok', err.message))
      .catch((err) => console.error('error', err.message));

    ee.emit('error', new Error('boom'));

    // Prints: ok boom
An AbortSignal can be used to cancel waiting for the event:
    import { EventEmitter, once } from 'node:events';

    const ee = new EventEmitter();
    const ac = new AbortController();

    async function foo(emitter, event, signal) {
      try {
        await once(emitter, event, { signal });
        console.log('event emitted!');
      } catch (error) {
        if (error.name === 'AbortError') {
          console.error('Waiting for the event was canceled!');
        } else {
          console.error('There was an error', error.message);
        }
      }
    }

    foo(ee, 'foo', ac.signal);
    ac.abort(); // Abort waiting for the event
    ee.emit('foo'); // Prints: Waiting for the event was canceled!
eventName: string,options?: StaticEventEmitterOptions): Promise<any[]>;
- n?: number,): void;
    import { setMaxListeners, EventEmitter } from 'node:events';

    const target = new EventTarget();
    const emitter = new EventEmitter();

    setMaxListeners(5, target, emitter);
@param n A non-negative number. The maximum number of listeners per EventTarget event.
@param eventTargets Zero or more {EventTarget} or {EventEmitter} instances. If none are specified, n is set as the default max for all newly created {EventTarget} and {EventEmitter} objects.
class TLSSocket
Performs transparent encryption of written data and all required TLS negotiation.
Instances of tls.TLSSocket implement the duplex Stream interface.
Methods that return TLS connection metadata (e.g. TLSSocket.getPeerCertificate) will only return data while the connection is open.
- allowHalfOpen: boolean
If false then the stream will automatically end the writable side when the readable side ends. Set initially by the allowHalfOpen constructor option, which defaults to true.
This can be changed manually to change the half-open behavior of an existing Duplex stream instance, but must be changed before the 'end' event is emitted.
- alpnProtocol: null | string | false
String containing the selected ALPN protocol. Before a handshake has completed, this value is always null. When a handshake is completed but no ALPN protocol was selected, tlsSocket.alpnProtocol equals false.
- readonly autoSelectFamilyAttemptedAddresses: string[]
This property is only present if the family autoselection algorithm is enabled in socket.connect(options) and it is an array of the addresses that have been attempted.
Each address is a string in the form of $IP:$PORT. If the connection was successful, then the last address is the one that the socket is currently connected to.
- readonly connecting: boolean
If true, socket.connect(options[, connectListener]) was called and has not yet finished. It will stay true until the socket becomes connected, then it is set to false and the 'connect' event is emitted. Note that the socket.connect(options[, connectListener]) callback is a listener for the 'connect' event.
- encrypted: true
Always returns true. This may be used to distinguish TLS sockets from regular net.Socket instances.
- readonly localAddress?: string
The string representation of the local IP address the remote client is connecting on. For example, in a server listening on '0.0.0.0', if a client connects on '192.168.1.1', the value of socket.localAddress would be '192.168.1.1'.
- readonly pending: boolean
This is true if the socket is not connected yet, either because .connect() has not yet been called or because it is still in the process of connecting (see socket.connecting).
- readable: boolean
Is true if it is safe to call read, which means the stream has not been destroyed or emitted 'error' or 'end'.
- readonly readableAborted: boolean
Returns whether the stream was destroyed or errored before emitting 'end'.
- readonly readableEncoding: null | BufferEncoding
Getter for the property encoding of a given Readable stream. The encoding property can be set using the setEncoding method.
- readonly readableFlowing: null | boolean
This property reflects the current state of a Readable stream as described in the Three states section.
- readonly readableHighWaterMark: number
Returns the value of highWaterMark passed when creating this Readable.
- readonly readableLength: number
This property contains the number of bytes (or objects) in the queue ready to be read. The value provides introspection data regarding the status of the highWaterMark.
- readonly readyState: SocketReadyState
This property represents the state of the connection as a string.
  - If the stream is connecting socket.readyState is opening.
  - If the stream is readable and writable, it is open.
  - If the stream is readable and not writable, it is readOnly.
  - If the stream is not readable and writable, it is writeOnly.
- readonly remoteAddress?: string
The string representation of the remote IP address. For example, '74.125.127.100' or '2001:4860:a005::68'. Value may be undefined if the socket is destroyed (for example, if the client disconnected).
- readonly remoteFamily?: string
The string representation of the remote IP family. 'IPv4' or 'IPv6'. Value may be undefined if the socket is destroyed (for example, if the client disconnected).
- readonly remotePort?: number
The numeric representation of the remote port. For example, 80 or 21. Value may be undefined if the socket is destroyed (for example, if the client disconnected).
- readonly timeout?: number
The socket timeout in milliseconds as set by socket.setTimeout(). It is undefined if a timeout has not been set.
- readonly writable: boolean
Is true if it is safe to call writable.write(), which means the stream has not been destroyed, errored, or ended.
- readonly writableCorked: number
Number of times writable.uncork() needs to be called in order to fully uncork the stream.
- readonly writableEnded: boolean
Is true after writable.end() has been called. This property does not indicate whether the data has been flushed, for this use writable.writableFinished instead.
- readonly writableHighWaterMark: number
Return the value of highWaterMark passed when creating this Writable.
- readonly writableLength: number
This property contains the number of bytes (or objects) in the queue ready to be written. The value provides introspection data regarding the status of the highWaterMark.
- readonly writableNeedDrain: boolean
Is true if the stream's buffer has been full and stream will emit 'drain'.
- static captureRejections: boolean
Value: boolean
Change the default captureRejections option on all new EventEmitter objects.
- readonly static captureRejectionSymbol: typeof captureRejectionSymbol
Value: Symbol.for('nodejs.rejection')
See how to write a custom rejection handler.
- static defaultMaxListeners: number
By default, a maximum of 10 listeners can be registered for any single event. This limit can be changed for individual EventEmitter instances using the emitter.setMaxListeners(n) method. To change the default for all EventEmitter instances, the events.defaultMaxListeners property can be used. If this value is not a positive number, a RangeError is thrown.
Take caution when setting the events.defaultMaxListeners because the change affects all EventEmitter instances, including those created before the change is made. However, calling emitter.setMaxListeners(n) still has precedence over events.defaultMaxListeners.
This is not a hard limit. The EventEmitter instance will allow more listeners to be added but will output a trace warning to stderr indicating that a "possible EventEmitter memory leak" has been detected. For any single EventEmitter, the emitter.getMaxListeners() and emitter.setMaxListeners() methods can be used to temporarily avoid this warning:
    import { EventEmitter } from 'node:events';
    const emitter = new EventEmitter();
    emitter.setMaxListeners(emitter.getMaxListeners() + 1);
    emitter.once('event', () => {
      // do stuff
      emitter.setMaxListeners(Math.max(emitter.getMaxListeners() - 1, 0));
    });
The --trace-warnings command-line flag can be used to display the stack trace for such warnings.
The emitted warning can be inspected with process.on('warning') and will have the additional emitter, type, and count properties, referring to the event emitter instance, the event's name and the number of attached listeners, respectively. Its name property is set to 'MaxListenersExceededWarning'.
- readonly static errorMonitor: typeof errorMonitor
This symbol shall be used to install a listener for only monitoring 'error' events. Listeners installed using this symbol are called before the regular 'error' listeners are called.
Installing a listener using this symbol does not change the behavior once an 'error' event is emitted. Therefore, the process will still crash if no regular 'error' listener is installed.
Calls readable.destroy() with an AbortError and returns a promise that fulfills when the stream is finished.
- event: string,listener: (...args: any[]) => void): this;
events.EventEmitter
- close
- connect
- connectionAttempt
- connectionAttemptFailed
- connectionAttemptTimeout
- data
- drain
- end
- error
- lookup
- ready
- timeout
event: 'OCSPResponse',): this;
event: 'secureConnect',listener: () => void): this;
event: 'session',): this;
event: 'keylog',): this;
Returns the bound address, the address family name and port of the socket as reported by the operating system: { port: 12346, family: 'IPv4', address: '127.0.0.1' }
This method returns a new stream with chunks of the underlying stream paired with a counter in the form [index, chunk]. The first index value is 0 and it increases by 1 for each chunk produced.
@returns a stream of indexed pairs.
- stream: ComposeFnParam | T | Iterable<T, any, any> | AsyncIterable<T, any, any>,): T;
- connectionListener?: () => void): this;
Initiate a connection on a given socket.
Possible signatures:
- socket.connect(options[, connectListener])
- socket.connect(path[, connectListener]) for IPC connections.
- socket.connect(port[, host][, connectListener]) for TCP connections.
- Returns: net.Socket The socket itself.
This function is asynchronous. When the connection is established, the 'connect' event will be emitted. If there is a problem connecting, instead of a 'connect' event, an 'error' event will be emitted with the error passed to the 'error' listener. The last parameter connectListener, if supplied, will be added as a listener for the 'connect' event once.
This function should only be used for reconnecting a socket after 'close' has been emitted or otherwise it may lead to undefined behavior.
port: number,host: string,connectionListener?: () => void): this;
port: number,connectionListener?: () => void): this;
path: string,connectionListener?: () => void): this;
The
writable.cork() method forces all written data to be buffered in memory. The buffered data will be flushed when either the uncork or end methods are called.
The primary intent of writable.cork() is to accommodate a situation in which several small chunks are written to the stream in rapid succession. Instead of immediately forwarding them to the underlying destination, writable.cork() buffers all the chunks until writable.uncork() is called, which will pass them all to writable._writev(), if present. This prevents a head-of-line blocking situation where data is being buffered while waiting for the first small chunk to be processed. However, use of writable.cork() without implementing writable._writev() may have an adverse effect on throughput.
See also: writable.uncork(), writable._writev().
- ): this;
Destroy the stream. Optionally emit an 'error' event, and emit a 'close' event (unless emitClose is set to false). After this call, the readable stream will release any internal resources and subsequent calls to push() will be ignored.
Once destroy() has been called any further calls will be a no-op and no further errors except from _destroy() may be emitted as 'error'.
Implementors should not override this method, but instead implement readable._destroy().
@param error Error which will be passed as payload in 'error' event
Destroys the socket after all data is written. If the finish event was already emitted the socket is destroyed immediately. If the socket is still writable it implicitly calls socket.end().
Disables TLS renegotiation for this TLSSocket instance. Once called, attempts to renegotiate will trigger an 'error' event on the TLSSocket.
- drop(limit: number,
This method returns a new stream with the first limit chunks dropped from the start.
@param limit the number of chunks to drop from the readable.
@returns a stream with limit chunks dropped from the start.
- emit(event: string | symbol,...args: any[]): boolean;
Synchronously calls each of the listeners registered for the event named eventName, in the order they were registered, passing the supplied arguments to each.
Returns true if the event had listeners, false otherwise.
    import { EventEmitter } from 'node:events';
    const myEmitter = new EventEmitter();

    // First listener
    myEmitter.on('event', function firstListener() {
      console.log('Helloooo! first listener');
    });
    // Second listener
    myEmitter.on('event', function secondListener(arg1, arg2) {
      console.log(`event with parameters ${arg1}, ${arg2} in second listener`);
    });
    // Third listener
    myEmitter.on('event', function thirdListener(...args) {
      const parameters = args.join(', ');
      console.log(`event with parameters ${parameters} in third listener`);
    });

    console.log(myEmitter.listeners('event'));

    myEmitter.emit('event', 1, 2, 3, 4, 5);

    // Prints:
    // [
    //   [Function: firstListener],
    //   [Function: secondListener],
    //   [Function: thirdListener]
    // ]
    // Helloooo! first listener
    // event with parameters 1, 2 in second listener
    // event with parameters 1, 2, 3, 4, 5 in third listener
When enabled, TLS packet trace information is written to stderr. This can be used to debug TLS connection problems.
The format of the output is identical to the output of openssl s_client -trace or openssl s_server -trace. While it is produced by OpenSSL's SSL_trace() function, the format is undocumented, can change without notice, and should not be relied on.
- end(callback?: () => void): this;
Half-closes the socket. i.e., it sends a FIN packet. It is possible the server will still send some data.
See writable.end() for further details.
@param callback Optional callback for when the socket is finished.
@returns The socket itself.
end(callback?: () => void): this;
end(encoding?: BufferEncoding,callback?: () => void): this;
@param encoding Only used when data is string.
Returns an array listing the events for which the emitter has registered listeners. The values in the array are strings or Symbols.
    import { EventEmitter } from 'node:events';

    const myEE = new EventEmitter();
    myEE.on('foo', () => {});
    myEE.on('bar', () => {});

    const sym = Symbol('symbol');
    myEE.on(sym, () => {});

    console.log(myEE.eventNames());
    // Prints: [ 'foo', 'bar', Symbol(symbol) ]
- ): Promise<boolean>;
This method is similar to Array.prototype.every and calls fn on each chunk in the stream to check if all awaited return values are truthy value for fn. Once an fn call on a chunk awaited return value is falsy, the stream is destroyed and the promise is fulfilled with false. If all of the fn calls on the chunks return a truthy value, the promise is fulfilled with true.
@param fn a function to call on each chunk of the stream. Async or not.
@returns a promise evaluating to true if fn returned a truthy value for every one of the chunks.
- length: number,label: string,
Keying material is used for validations to prevent different kinds of attacks in network protocols, for example in the specifications of IEEE 802.1X.
Example
    const keyingMaterial = tlsSocket.exportKeyingMaterial(
      128,
      'client finished');

    /*
     Example return value of keyingMaterial:
     <Buffer 76 26 af 99 c5 56 8e 42 09 91 ef 9f 93 cb ad 6c 7b 65 f8 53 f1 d8 d9
        12 5a 33 b8 b5 25 df 7b 37 9f e0 e2 4f b8 67 83 a3 2f cd 5d 41 42 4c 91
        74 ef 2c ... 78 more bytes>
    */
See the OpenSSL SSL_export_keying_material documentation for more information.
@param length number of bytes to retrieve from keying material
@param label an application specific label, typically this will be a value from the IANA Exporter Label Registry.
@param context Optionally provide a context.
@returns requested bytes of the keying material
This method allows filtering the stream. For each chunk in the stream the fn function will be called and if it returns a truthy value, the chunk will be passed to the result stream. If the fn function returns a promise - that promise will be awaited.
@param fn a function to filter chunks from the stream. Async or not.
@returns a stream filtered with the predicate fn.
- ): Promise<undefined | T>;
This method is similar to Array.prototype.find and calls fn on each chunk in the stream to find a chunk with a truthy value for fn. Once an fn call's awaited return value is truthy, the stream is destroyed and the promise is fulfilled with value for which fn returned a truthy value. If all of the fn calls on the chunks return a falsy value, the promise is fulfilled with undefined.
@param fn a function to call on each chunk of the stream. Async or not.
@returns a promise evaluating to the first chunk for which fn evaluated with a truthy value, or undefined if no element was found.
find(): Promise<any>;
This method returns a new stream by applying the given callback to each chunk of the stream and then flattening the result.
It is possible to return a stream or another iterable or async iterable from fn and the result streams will be merged (flattened) into the returned stream.
@param fn a function to map over every chunk in the stream. May be async. May be a stream or generator.
@returns a stream flat-mapped with the function fn.
- ): Promise<void>;
This method allows iterating a stream. For each chunk in the stream the fn function will be called. If the fn function returns a promise - that promise will be awaited.
This method is different from for await...of loops in that it can optionally process chunks concurrently. In addition, a forEach iteration can only be stopped by having passed a signal option and aborting the related AbortController while for await...of can be stopped with break or return. In either case the stream will be destroyed.
This method is different from listening to the 'data' event in that it uses the readable event in the underlying machinery and can limit the number of concurrent fn calls.
@param fn a function to call on each chunk of the stream. Async or not.
@returns a promise for when the stream has finished.
Returns an object representing the local certificate. The returned object has some properties corresponding to the fields of the certificate.
See TLSSocket.getPeerCertificate for an example of the certificate structure.
If there is no local certificate, an empty object will be returned. If the socket has been destroyed, null will be returned.
Returns an object containing information on the negotiated cipher suite.
For example, a TLSv1.2 protocol with AES256-SHA cipher:
    { "name": "AES256-SHA", "standardName": "TLS_RSA_WITH_AES_256_CBC_SHA", "version": "SSLv3" }
See SSL_CIPHER_get_name for more information.
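The objects returned by getCipher() (above) and getEphemeralKeyInfo() (described next) can drive a post-handshake policy check. The following is an added example, not code from the Node.js or Bun documentation: auditTlsSocket, its finding ids and the 2048-bit DH floor are assumptions, getProtocol() is the TLSSocket method that reports the negotiated version, and the sockets are constructed stand-ins so the block runs offline.

```javascript
// Added example: audit the negotiated parameters of a tls.TLSSocket.
// auditTlsSocket() and the finding ids are hypothetical names; the thresholds
// are an assumed local policy, not something node:tls enforces.

// Patterns over the IETF suite name (cipher.standardName) that mark weak primitives.
const WEAK_SUITE_PARTS = [
  [/_CBC_/, 'cbc-mode'],                    // non-AEAD block mode
  [/_(RC4|3DES|DES|NULL)_/, 'weak-cipher'], // broken or absent encryption
  [/_(SHA|MD5)$/, 'weak-mac'],              // HMAC-SHA1/MD5; SHA256 and SHA384 do not match
];
const MIN_DH_BITS = 2048; // assumed policy floor for finite-field DH groups

// On a client socket getEphemeralKeyInfo() is authoritative: {} means the key
// exchange was not ephemeral. On a server socket it returns null, so fall back
// to the suite name: TLS 1.3 names carry no key exchange (no "_WITH_") and a
// full TLS 1.3 handshake is (EC)DHE; TLS 1.2 suites need a DHE/ECDHE prefix.
function hasForwardSecrecy(standardName, ephemeral) {
  if (ephemeral !== null && ephemeral !== undefined) {
    return typeof ephemeral.type === 'string';
  }
  return !standardName.includes('_WITH_') || /^TLS_(EC)?DHE_/.test(standardName);
}

function auditTlsSocket(socket) {
  const protocol = socket.getProtocol(); // null or 'unknown' before the handshake completes
  if (!protocol || protocol === 'unknown') {
    return [{ id: 'no-session', detail: 'handshake not completed' }];
  }
  const findings = [];
  const cipher = socket.getCipher();
  const ephemeral = socket.getEphemeralKeyInfo();
  const suite = cipher.standardName || cipher.name;

  // cipher.version is the oldest protocol that defines the suite ("SSLv3" for
  // AES256-SHA even on a TLSv1.2 connection), so check getProtocol() instead.
  if (protocol !== 'TLSv1.2' && protocol !== 'TLSv1.3') {
    findings.push({ id: 'legacy-protocol', detail: protocol });
  }
  if (!hasForwardSecrecy(suite, ephemeral)) {
    findings.push({ id: 'no-forward-secrecy', detail: suite });
  }
  if (ephemeral && ephemeral.type === 'DH' && ephemeral.size < MIN_DH_BITS) {
    findings.push({ id: 'weak-dh-group', detail: `${ephemeral.size} bits` });
  }
  for (const [pattern, id] of WEAK_SUITE_PARTS) {
    if (pattern.test(suite)) findings.push({ id, detail: suite });
  }
  return findings;
}

// Constructed stand-ins for tls.TLSSocket (sample values, not captured traffic).
function fakeSocket(protocol, cipher, ephemeral) {
  return {
    getProtocol: () => protocol,
    getCipher: () => cipher,
    getEphemeralKeyInfo: () => ephemeral,
  };
}

const legacyClient = fakeSocket('TLSv1.2',
  { name: 'AES256-SHA', standardName: 'TLS_RSA_WITH_AES_256_CBC_SHA', version: 'SSLv3' },
  {});
const modernClient = fakeSocket('TLSv1.3',
  { name: 'TLS_AES_256_GCM_SHA384', standardName: 'TLS_AES_256_GCM_SHA384', version: 'TLSv1.3' },
  { type: 'ECDH', name: 'X25519', size: 253 });
const serverSide = fakeSocket('TLSv1.2',
  { name: 'ECDHE-RSA-AES128-GCM-SHA256',
    standardName: 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', version: 'TLSv1.2' },
  null);
const weakDhClient = fakeSocket('TLSv1.2',
  { name: 'DHE-RSA-AES128-GCM-SHA256',
    standardName: 'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256', version: 'TLSv1.2' },
  { type: 'DH', size: 1024 });

function findingIds(socket) {
  return auditTlsSocket(socket).map((f) => f.id);
}

console.log(findingIds(legacyClient)); // the page's AES256-SHA sample
console.log(findingIds(weakDhClient));
```

On a real client connection, call auditTlsSocket(socket) from the 'secureConnect' listener, once the handshake has produced the values these methods report.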
Returns an object representing the type, name, and size of parameter of an ephemeral key exchange in perfect forward secrecy on a client connection. It returns an empty object when the key exchange is not ephemeral. As this is only supported on a client socket; null is returned if called on a server socket. The supported types are 'DH' and 'ECDH'. The name property is available only when type is 'ECDH'.
For example: { type: 'ECDH', name: 'prime256v1', size: 256 }.
As the Finished messages are message digests of the complete handshake (with a total of 192 bits for TLS 1.0 and more for SSL 3.0), they can be used for external authentication procedures when the authentication provided by SSL/TLS is not desired or is not enough.
Corresponds to the SSL_get_finished routine in OpenSSL and may be used to implement the tls-unique channel binding from RFC 5929.
@returns The latest Finished message that has been sent to the socket as part of a SSL/TLS handshake, or undefined if no Finished message has been sent yet.
Returns the current max listener value for the EventEmitter which is either set by emitter.setMaxListeners(n) or defaults to EventEmitter.defaultMaxListeners.
- detailed: true
Returns an object representing the peer's certificate. If the peer does not provide a certificate, an empty object will be returned. If the socket has been destroyed,
null
will be returned.If the full certificate chain was requested, each certificate will include an
issuerCertificate
property containing an object representing its issuer's certificate.@param detailedInclude the full certificate chain if
true
, otherwise include just the peer's certificate.@returnsA certificate object.
detailed?: falseReturns an object representing the peer's certificate. If the peer does not provide a certificate, an empty object will be returned. If the socket has been destroyed,
null
will be returned.If the full certificate chain was requested, each certificate will include an
issuerCertificate
property containing an object representing its issuer's certificate.@param detailedInclude the full certificate chain if
true
, otherwise include just the peer's certificate.@returnsA certificate object.
detailed?: booleanReturns an object representing the peer's certificate. If the peer does not provide a certificate, an empty object will be returned. If the socket has been destroyed,
null
will be returned.If the full certificate chain was requested, each certificate will include an
issuerCertificate
property containing an object representing its issuer's certificate.@param detailedInclude the full certificate chain if
true
, otherwise include just the peer's certificate.@returnsA certificate object.
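An added example (not from the Node.js or Bun documentation) that walks the issuerCertificate links of the object described above and handles the two documented edge cases, the empty object and null. It assumes the certificate fields subject.CN, issuer.CN and fingerprint256, and that a self-signed certificate's issuerCertificate may point back at itself; the depth cap, the stubPeer() helper and the sample certificates are constructed for illustration.

```javascript
// Added example: summarize the chain returned by getPeerCertificate(true).
const MAX_CHAIN_DEPTH = 10; // assumed safety cap

function summarizePeerChain(sock) {
  const leaf = sock.getPeerCertificate(true);
  if (leaf === null) return { status: 'socket-destroyed', chain: [] };
  if (Object.keys(leaf).length === 0) {
    return { status: 'no-peer-certificate', chain: [] };
  }

  const chain = [];
  const seen = new Set();
  let cert = leaf;
  // Stop on a missing or empty issuer, on a certificate already visited
  // (a self-signed root can reference itself), or at the depth cap.
  while (cert && Object.keys(cert).length > 0 &&
         !seen.has(cert) && chain.length < MAX_CHAIN_DEPTH) {
    seen.add(cert);
    chain.push({
      subject: cert.subject ? cert.subject.CN : undefined,
      issuer: cert.issuer ? cert.issuer.CN : undefined,
      fingerprint256: cert.fingerprint256,
      selfIssued: cert.issuerCertificate === cert,
    });
    cert = cert.issuerCertificate;
  }
  // endsAtRoot is false when the peer sent only part of the chain.
  return { status: 'ok', chain, endsAtRoot: chain[chain.length - 1].selfIssued };
}

// Index of the first chain entry whose SHA-256 fingerprint is in `pins`,
// or -1. Index 0 is the peer's own certificate.
function findPinned(summary, pins) {
  const wanted = new Set(pins.map((p) => p.toUpperCase()));
  return summary.chain.findIndex(
    (c) => typeof c.fingerprint256 === 'string' &&
           wanted.has(c.fingerprint256.toUpperCase()),
  );
}

// Constructed certificates (placeholder names and fingerprints).
const ROOT = {
  subject: { CN: 'Example Root CA' },
  issuer: { CN: 'Example Root CA' },
  fingerprint256: 'AA:AA:AA',
};
ROOT.issuerCertificate = ROOT; // circular reference on the self-signed root
const INTERMEDIATE = {
  subject: { CN: 'Example Issuing CA' },
  issuer: { CN: 'Example Root CA' },
  fingerprint256: 'BB:BB:BB',
  issuerCertificate: ROOT,
};
const LEAF = {
  subject: { CN: 'service.example' },
  issuer: { CN: 'Example Issuing CA' },
  fingerprint256: 'CC:CC:CC',
  issuerCertificate: INTERMEDIATE,
};

// Constructed stand-in for a TLSSocket so the example runs offline.
function stubPeer(cert) {
  return { getPeerCertificate: () => cert };
}

const summary = summarizePeerChain(stubPeer(LEAF));
console.log(summary.chain.map((c) => `${c.subject} <- ${c.issuer}`));
console.log('pinned at index', findPinned(summary, ['bb:bb:bb']));
```

The object only describes what the peer presented; it does not show that the chain validated.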
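An added example (not from the Node.js or Bun documentation) for the tls-unique channel binding that the Finished-message passages on this page mention. RFC 5929 binds to the first Finished message of the handshake, which the client sends in a full handshake and the server sends in a resumed one, so each side has to choose between getFinished() and getPeerFinished(); the role argument, the stubTls() helper and the sample byte strings are assumptions made for illustration.

```javascript
// Added example: select the Finished message that forms tls-unique.
function tlsUniqueBinding(sock, role) {
  if (role !== 'client' && role !== 'server') {
    throw new TypeError("role must be 'client' or 'server'");
  }
  // tls-unique is not defined for TLS 1.3, so refuse instead of returning
  // a value the peer cannot be expected to reproduce.
  if (sock.getProtocol() === 'TLSv1.3') {
    return { ok: false, reason: 'tls-unique is not defined for TLSv1.3' };
  }
  // Full handshake: the client's Finished is sent first.
  // Resumed (abbreviated) handshake: the server's Finished is sent first.
  const firstSender = sock.isSessionReused() ? 'server' : 'client';
  const useOwn = firstSender === role;
  const finished = useOwn ? sock.getFinished() : sock.getPeerFinished();
  if (!finished) {
    return { ok: false, reason: 'no Finished message available yet' };
  }
  return {
    ok: true,
    source: useOwn ? 'getFinished' : 'getPeerFinished',
    binding: Buffer.from(finished), // copy, so callers cannot alter the original
  };
}

// Constructed 96-bit Finished values; real ones come from the handshake.
const CLIENT_FINISHED = Buffer.from('00112233445566778899aabb', 'hex');
const SERVER_FINISHED = Buffer.from('ffeeddccbbaa998877665544', 'hex');

// Constructed stand-in for one end of a connection.
function stubTls({ protocol, resumed, sent, received }) {
  return {
    getProtocol: () => protocol,
    isSessionReused: () => resumed,
    getFinished: () => sent,
    getPeerFinished: () => received,
  };
}

function demoPair(resumed) {
  const client = stubTls({
    protocol: 'TLSv1.2', resumed,
    sent: CLIENT_FINISHED, received: SERVER_FINISHED,
  });
  const server = stubTls({
    protocol: 'TLSv1.2', resumed,
    sent: SERVER_FINISHED, received: CLIENT_FINISHED,
  });
  return {
    client: tlsUniqueBinding(client, 'client'),
    server: tlsUniqueBinding(server, 'server'),
  };
}

for (const resumed of [false, true]) {
  const { client, server } = demoPair(resumed);
  console.log(
    resumed ? 'resumed:' : 'full:',
    client.source, server.source,
    client.binding.equals(server.binding) ? 'bindings match' : 'MISMATCH',
  );
}
```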
As the Finished messages are message digests of the complete handshake (with a total of 192 bits for TLS 1.0 and more for SSL 3.0), they can be used for external authentication procedures when the authentication provided by SSL/TLS is not desired or is not enough.
Corresponds to the SSL_get_peer_finished routine in OpenSSL and may be used to implement the tls-unique channel binding from RFC 5929.
@returns The latest Finished message that is expected or has actually been received from the socket as part of a SSL/TLS handshake, or undefined if there is no Finished message so far.
Returns the peer certificate as an X509Certificate object.
If there is no peer certificate, or the socket has been destroyed, undefined will be returned.
Returns a string containing the negotiated SSL/TLS protocol version of the current connection. The value 'unknown' will be returned for connected sockets that have not completed the handshaking process. The value null will be returned for server sockets or disconnected client sockets.
Protocol versions are:
'SSLv3'
'TLSv1'
'TLSv1.1'
'TLSv1.2'
'TLSv1.3'
See the OpenSSL SSL_get_version documentation for more information.
Returns the TLS session data or undefined if no session was negotiated. On the client, the data can be provided to the session option of connect to resume the connection. On the server, it may be useful for debugging.
See Session Resumption for more information.
Note: getSession() works only for TLSv1.2 and below. For TLSv1.3, applications must use the 'session' event (it also works for TLSv1.2 and below).
For a client, returns the TLS session ticket if one is available, or undefined. For a server, always returns undefined.
It may be useful for debugging.
See Session Resumption for more information.
Returns the local certificate as an X509Certificate object.
If there is no local certificate, or the socket has been destroyed, undefined will be returned.
The readable.isPaused() method returns the current operating state of the Readable. This is used primarily by the mechanism that underlies the readable.pipe() method. In most typical cases, there will be no reason to use this method directly.
    const readable = new stream.Readable();
    readable.isPaused(); // === false
    readable.pause();
    readable.isPaused(); // === true
    readable.resume();
    readable.isPaused(); // === false
See Session Resumption for more information.
@returns true if the session was reused, false otherwise.
- options?: { destroyOnReturn: boolean }): AsyncIterator<any>;
The iterator created by this method gives users the option to cancel the destruction of the stream if the for await...of loop is exited by return, break, or throw, or if the iterator should destroy the stream if the stream emitted an error during iteration.
- eventName: string | symbol, listener?: Function): number;
Returns the number of listeners listening for the event named eventName. If listener is provided, it will return how many times the listener is found in the list of the listeners of the event.
@param eventName The name of the event being listened for
@param listener The event handler function
- eventName: string | symbol): Function[];
Returns a copy of the array of listeners for the event named eventName.
    server.on('connection', (stream) => {
      console.log('someone connected!');
    });
    console.log(util.inspect(server.listeners('connection')));
    // Prints: [ [Function] ]
- map(
This method allows mapping over the stream. The fn function will be called for every chunk in the stream. If the fn function returns a promise, that promise will be awaited before being passed to the result stream.
@param fn a function to map over every chunk in the stream. Async or not.
@returns a stream mapped with the function fn.
- eventName: string | symbol, listener: (...args: any[]) => void): this;
Alias for emitter.removeListener().
- on(event: string, listener: (...args: any[]) => void): this;
Adds the listener function to the end of the listeners array for the event named eventName. No checks are made to see if the listener has already been added. Multiple calls passing the same combination of eventName and listener will result in the listener being added, and called, multiple times.
    server.on('connection', (stream) => {
      console.log('someone connected!');
    });
Returns a reference to the EventEmitter, so that calls can be chained.
By default, event listeners are invoked in the order they are added. The emitter.prependListener() method can be used as an alternative to add the event listener to the beginning of the listeners array.
    import { EventEmitter } from 'node:events';
    const myEE = new EventEmitter();
    myEE.on('foo', () => console.log('a'));
    myEE.prependListener('foo', () => console.log('b'));
    myEE.emit('foo');
    // Prints:
    //   b
    //   a
@param listener The callback function
- once(event: string, listener: (...args: any[]) => void): this;
Adds a one-time listener function for the event named eventName. The next time eventName is triggered, this listener is removed and then invoked.
    server.once('connection', (stream) => {
      console.log('Ah, we have our first user!');
    });
Returns a reference to the EventEmitter, so that calls can be chained.
By default, event listeners are invoked in the order they are added. The emitter.prependOnceListener() method can be used as an alternative to add the event listener to the beginning of the listeners array.
    import { EventEmitter } from 'node:events';
    const myEE = new EventEmitter();
    myEE.once('foo', () => console.log('a'));
    myEE.prependOnceListener('foo', () => console.log('b'));
    myEE.emit('foo');
    // Prints:
    //   b
    //   a
@param listener The callback function
Pauses the reading of data. That is, 'data' events will not be emitted. Useful to throttle back an upload.
@returns The socket itself.
- event: string, listener: (...args: any[]) => void): this;
Adds the listener function to the beginning of the listeners array for the event named eventName. No checks are made to see if the listener has already been added. Multiple calls passing the same combination of eventName and listener will result in the listener being added, and called, multiple times.
    server.prependListener('connection', (stream) => {
      console.log('someone connected!');
    });
Returns a reference to the EventEmitter, so that calls can be chained.
@param listener The callback function
- event: string, listener: (...args: any[]) => void): this;
Adds a one-time listener function for the event named eventName to the beginning of the listeners array. The next time eventName is triggered, this listener is removed, and then invoked.
    server.prependOnceListener('connection', (stream) => {
      console.log('Ah, we have our first user!');
    });
Returns a reference to the EventEmitter, so that calls can be chained.
@param listener The callback function
- eventName: string | symbol): Function[];
Returns a copy of the array of listeners for the event named eventName, including any wrappers (such as those created by .once()).
    import { EventEmitter } from 'node:events';
    const emitter = new EventEmitter();
    emitter.once('log', () => console.log('log once'));
    // Returns a new Array with a function `onceWrapper` which has a property
    // `listener` which contains the original listener bound above
    const listeners = emitter.rawListeners('log');
    const logFnWrapper = listeners[0];
    // Logs "log once" to the console and does not unbind the `once` event
    logFnWrapper.listener();
    // Logs "log once" to the console and removes the listener
    logFnWrapper();
    emitter.on('log', () => console.log('log persistently'));
    // Will return a new Array with a single function bound by `.on()` above
    const newListeners = emitter.rawListeners('log');
    // Logs "log persistently" twice
    newListeners[0]();
    emitter.emit('log');
- read(size?: number): any;
The readable.read() method reads data out of the internal buffer and returns it. If no data is available to be read, null is returned. By default, the data is returned as a Buffer object unless an encoding has been specified using the readable.setEncoding() method or the stream is operating in object mode.
The optional size argument specifies a specific number of bytes to read. If size bytes are not available to be read, null will be returned unless the stream has ended, in which case all of the data remaining in the internal buffer will be returned.
If the size argument is not specified, all of the data contained in the internal buffer will be returned.
The size argument must be less than or equal to 1 GiB.
The readable.read() method should only be called on Readable streams operating in paused mode. In flowing mode, readable.read() is called automatically until the internal buffer is fully drained.
    const readable = getReadableStreamSomehow();
    // 'readable' may be triggered multiple times as data is buffered in
    readable.on('readable', () => {
      let chunk;
      console.log('Stream is readable (new data received in buffer)');
      // Use a loop to make sure we read all currently available data
      while (null !== (chunk = readable.read())) {
        console.log(`Read ${chunk.length} bytes of data...`);
      }
    });
    // 'end' will be triggered once when there is no more data available
    readable.on('end', () => {
      console.log('Reached end of stream.');
    });
Each call to readable.read() returns a chunk of data, or null. The chunks are not concatenated. A while loop is necessary to consume all data currently in the buffer. When reading a large file .read() may return null, having consumed all buffered content so far, but there is still more data to come not yet buffered. In this case a new 'readable' event will be emitted when there is more data in the buffer. Finally the 'end' event will be emitted when there is no more data to come.
Therefore to read a file's whole contents from a readable, it is necessary to collect chunks across multiple 'readable' events:
    const chunks = [];
    readable.on('readable', () => {
      let chunk;
      while (null !== (chunk = readable.read())) {
        chunks.push(chunk);
      }
    });
    readable.on('end', () => {
      const content = chunks.join('');
    });
A Readable stream in object mode will always return a single item from a call to readable.read(size), regardless of the value of the size argument.
If the readable.read() method returns a chunk of data, a 'data' event will also be emitted.
Calling read after the 'end' event has been emitted will return null. No runtime error will be raised.
@param size Optional argument to specify how much data to read.
- initial?: undefined,): Promise<T>;
initial: T,): Promise<T>;
This method calls fn on each chunk of the stream in order, passing it the result from the calculation on the previous element. It returns a promise for the final value of the reduction.
If no initial value is supplied the first chunk of the stream is used as the initial value. If the stream is empty, the promise is rejected with a TypeError with the ERR_INVALID_ARGS code property.
The reducer function iterates the stream element-by-element which means that there is no concurrency parameter or parallelism. To perform a reduce concurrently, you can extract the async function to readable.map method.
@param fn a reducer function to call over every chunk in the stream. Async or not.
@param initial the initial value to use in the reduction.
@returns a promise for the final value of the reduction.
Opposite of unref(), calling ref() on a previously unrefed socket will not let the program exit if it's the only socket left (the default behavior). If the socket is refed calling ref again will have no effect.
@returns The socket itself.
- eventName?: string | symbol): this;
Removes all listeners, or those of the specified eventName.
It is bad practice to remove listeners added elsewhere in the code, particularly when the EventEmitter instance was created by some other component or module (e.g. sockets or file streams).
Returns a reference to the EventEmitter, so that calls can be chained.
- event: 'close', listener: () => void): this;
Removes the specified listener from the listener array for the event named eventName.
    const callback = (stream) => {
      console.log('someone connected!');
    };
    server.on('connection', callback);
    // ...
    server.removeListener('connection', callback);
removeListener() will remove, at most, one instance of a listener from the listener array. If any single listener has been added multiple times to the listener array for the specified eventName, then removeListener() must be called multiple times to remove each instance.
Once an event is emitted, all listeners attached to it at the time of emitting are called in order. This implies that any removeListener() or removeAllListeners() calls after emitting and before the last listener finishes execution will not remove them from emit() in progress. Subsequent events behave as expected.
    import { EventEmitter } from 'node:events';
    class MyEmitter extends EventEmitter {}
    const myEmitter = new MyEmitter();
    const callbackA = () => {
      console.log('A');
      myEmitter.removeListener('event', callbackB);
    };
    const callbackB = () => {
      console.log('B');
    };
    myEmitter.on('event', callbackA);
    myEmitter.on('event', callbackB);
    // callbackA removes listener callbackB but it will still be called.
    // Internal listener array at time of emit [callbackA, callbackB]
    myEmitter.emit('event');
    // Prints:
    //   A
    //   B
    // callbackB is now removed.
    // Internal listener array [callbackA]
    myEmitter.emit('event');
    // Prints:
    //   A
Because listeners are managed using an internal array, calling this will change the position indices of any listener registered after the listener being removed. This will not impact the order in which listeners are called, but it means that any copies of the listener array as returned by the emitter.listeners() method will need to be recreated.
When a single function has been added as a handler multiple times for a single event (as in the example below), removeListener() will remove the most recently added instance. In the example the once('ping') listener is removed:
    import { EventEmitter } from 'node:events';
    const ee = new EventEmitter();
    function pong() {
      console.log('pong');
    }
    ee.on('ping', pong);
    ee.once('ping', pong);
    ee.removeListener('ping', pong);
    ee.emit('ping');
    ee.emit('ping');
Returns a reference to the EventEmitter, so that calls can be chained.
- options: { rejectUnauthorized: boolean; requestCert: boolean },): undefined | boolean;
The tlsSocket.renegotiate() method initiates a TLS renegotiation process. Upon completion, the callback function will be passed a single argument that is either an Error (if the request failed) or null.
This method can be used to request a peer's certificate after the secure connection has been established.
When running as the server, the socket will be destroyed with an error after handshakeTimeout timeout.
For TLSv1.3, renegotiation cannot be initiated; it is not supported by the protocol.
@param callback If renegotiate() returned true, callback is attached once to the 'secure' event. If renegotiate() returned false, callback will be called in the next tick with an error, unless the tlsSocket has been destroyed, in which case callback will not be called at all.
@returns true if renegotiation was initiated, false otherwise.
Close the TCP connection by sending an RST packet and destroy the stream. If this TCP socket is in connecting status, it will send an RST packet and destroy this TCP socket once it is connected. Otherwise, it will call socket.destroy with an ERR_SOCKET_CLOSED Error. If this is not a TCP socket (for example, a pipe), calling this method will immediately throw an ERR_INVALID_HANDLE_TYPE Error.
Resumes reading after a call to socket.pause().
@returns The socket itself.
- encoding: BufferEncoding): this;
The writable.setDefaultEncoding() method sets the default encoding for a Writable stream.
@param encoding The new default encoding
- encoding?: BufferEncoding): this;
Set the encoding for the socket as a Readable Stream. See readable.setEncoding() for more information.
@returns The socket itself.
- enable?: boolean, initialDelay?: number): this;
Enable/disable keep-alive functionality, and optionally set the initial delay before the first keepalive probe is sent on an idle socket.
Set initialDelay (in milliseconds) to set the delay between the last data packet received and the first keepalive probe. Setting 0 for initialDelay will leave the value unchanged from the default (or previous) setting.
Enabling the keep-alive functionality will set the following socket options:
SO_KEEPALIVE=1
TCP_KEEPIDLE=initialDelay
TCP_KEEPCNT=10
TCP_KEEPINTVL=1
@returns The socket itself.
- ): void;
The tlsSocket.setKeyCert() method sets the private key and certificate to use for the socket. This is mainly useful if you wish to select a server certificate from a TLS server's ALPNCallback.
@param context An object containing at least key and cert properties from the () options, or a TLS context object created with () itself.
- n: number): this;
By default EventEmitters will print a warning if more than 10 listeners are added for a particular event. This is a useful default that helps finding memory leaks. The emitter.setMaxListeners() method allows the limit to be modified for this specific EventEmitter instance. The value can be set to Infinity (or 0) to indicate an unlimited number of listeners.
Returns a reference to the EventEmitter, so that calls can be chained.
- size?: number): boolean;
The tlsSocket.setMaxSendFragment() method sets the maximum TLS fragment size. Returns true if setting the limit succeeded; false otherwise.
Smaller fragment sizes decrease the buffering latency on the client: larger fragments are buffered by the TLS layer until the entire fragment is received and its integrity is verified; large fragments can span multiple roundtrips and their processing can be delayed due to packet loss or reordering. However, smaller fragments add extra TLS framing bytes and CPU overhead, which may decrease overall server throughput.
@param size The maximum TLS fragment size. The maximum value is 16384.
- noDelay?: boolean): this;
Enable/disable the use of Nagle's algorithm.
When a TCP connection is created, it will have Nagle's algorithm enabled.
Nagle's algorithm delays data before it is sent via the network. It attempts to optimize throughput at the expense of latency.
Passing true for noDelay or not passing an argument will disable Nagle's algorithm for the socket. Passing false for noDelay will enable Nagle's algorithm.
@returns The socket itself.
- timeout: number, callback?: () => void): this;
Sets the socket to timeout after timeout milliseconds of inactivity on the socket. By default net.Socket does not have a timeout.
When an idle timeout is triggered the socket will receive a 'timeout' event but the connection will not be severed. The user must manually call socket.end() or socket.destroy() to end the connection.
    socket.setTimeout(3000);
    socket.on('timeout', () => {
      console.log('socket timeout');
      socket.end();
    });
If timeout is 0, then the existing idle timeout is disabled.
The optional callback parameter will be added as a one-time listener for the 'timeout' event.
@returns The socket itself.
- some(): Promise<boolean>;
This method is similar to Array.prototype.some and calls fn on each chunk in the stream until the awaited return value is true (or any truthy value). Once the awaited return value of an fn call on a chunk is truthy, the stream is destroyed and the promise is fulfilled with true. If none of the fn calls on the chunks return a truthy value, the promise is fulfilled with false.
@param fn a function to call on each chunk of the stream. Async or not.
@returns a promise evaluating to true if fn returned a truthy value for at least one of the chunks.
- @param limit the number of chunks to take from the readable.
@returns a stream with limit chunks taken.
- ): Promise<any[]>;
This method allows easily obtaining the contents of a stream.
As this method reads the entire stream into memory, it negates the benefits of streams. It's intended for interoperability and convenience, not as the primary way to consume streams.
@returns a promise containing an array with the contents of the stream.
The writable.uncork() method flushes all data buffered since cork was called.
When using writable.cork() and writable.uncork() to manage the buffering of writes to a stream, defer calls to writable.uncork() using process.nextTick(). Doing so allows batching of all writable.write() calls that occur within a given Node.js event loop phase.
    stream.cork();
    stream.write('some ');
    stream.write('data ');
    process.nextTick(() => stream.uncork());
If the writable.cork() method is called multiple times on a stream, the same number of calls to writable.uncork() must be called to flush the buffered data.
    stream.cork();
    stream.write('some ');
    stream.cork();
    stream.write('data ');
    process.nextTick(() => {
      stream.uncork();
      // The data will not be flushed until uncork() is called a second time.
      stream.uncork();
    });
See also: writable.cork().
- destination?: WritableStream): this;
The readable.unpipe() method detaches a Writable stream previously attached using the pipe method.
If the destination is not specified, then all pipes are detached.
If the destination is specified, but no pipe is set up for it, then the method does nothing.
    import fs from 'node:fs';
    const readable = getReadableStreamSomehow();
    const writable = fs.createWriteStream('file.txt');
    // All the data from readable goes into 'file.txt',
    // but only for the first second.
    readable.pipe(writable);
    setTimeout(() => {
      console.log('Stop writing to file.txt.');
      readable.unpipe(writable);
      console.log('Manually close the file stream.');
      writable.end();
    }, 1000);
@param destination Optional specific stream to unpipe
Calling unref() on a socket will allow the program to exit if this is the only active socket in the event system. If the socket is already unrefed calling unref() again will have no effect.
@returns The socket itself.
- chunk: any, encoding?: BufferEncoding): void;
Passing chunk as null signals the end of the stream (EOF) and behaves the same as readable.push(null), after which no more data can be written. The EOF signal is put at the end of the buffer and any buffered data will still be flushed.
The readable.unshift() method pushes a chunk of data back into the internal buffer. This is useful in certain situations where a stream is being consumed by code that needs to "un-consume" some amount of data that it has optimistically pulled out of the source, so that the data can be passed on to some other party.
The stream.unshift(chunk) method cannot be called after the 'end' event has been emitted or a runtime error will be thrown.
Developers using stream.unshift() often should consider switching to use of a Transform stream instead. See the API for stream implementers section for more information.
    // Pull off a header delimited by \n\n.
    // Use unshift() if we get too much.
    // Call the callback with (error, header, stream).
    import { StringDecoder } from 'node:string_decoder';
    function parseHeader(stream, callback) {
      stream.on('error', callback);
      stream.on('readable', onReadable);
      const decoder = new StringDecoder('utf8');
      let header = '';
      function onReadable() {
        let chunk;
        while (null !== (chunk = stream.read())) {
          const str = decoder.write(chunk);
          if (str.includes('\n\n')) {
            // Found the header boundary.
            const split = str.split(/\n\n/);
            header += split.shift();
            const remaining = split.join('\n\n');
            const buf = Buffer.from(remaining, 'utf8');
            stream.removeListener('error', callback);
            // Remove the 'readable' listener before unshifting.
            stream.removeListener('readable', onReadable);
            if (buf.length)
              stream.unshift(buf);
            // Now the body of the message can be read from the stream.
            callback(null, header, stream);
            return;
          }
          // Still reading the header.
          header += str;
        }
      }
    }
Unlike push, stream.unshift(chunk) will not end the reading process by resetting the internal reading state of the stream. This can cause unexpected results if readable.unshift() is called during a read (i.e. from within a _read implementation on a custom stream). Following the call to readable.unshift() with an immediate push will reset the reading state appropriately, however it is best to simply avoid calling readable.unshift() while in the process of performing a read.
@param chunk Chunk of data to unshift onto the read queue. For streams not operating in object mode, chunk must be a {string}, {Buffer}, {TypedArray}, {DataView} or null. For object mode streams, chunk may be any JavaScript value.
@param encoding Encoding of string chunks. Must be a valid Buffer encoding, such as 'utf8' or 'ascii'.
- wrap(stream: ReadableStream): this;
Prior to Node.js 0.10, streams did not implement the entire node:stream module API as it is currently defined. (See Compatibility for more information.)
When using an older Node.js library that emits 'data' events and has a pause method that is advisory only, the readable.wrap() method can be used to create a Readable stream that uses the old stream as its data source.
It will rarely be necessary to use readable.wrap() but the method has been provided as a convenience for interacting with older Node.js applications and libraries.
    import { OldReader } from './old-api-module.js';
    import { Readable } from 'node:stream';
    const oreader = new OldReader();
    const myReader = new Readable().wrap(oreader);
    myReader.on('readable', () => {
      myReader.read(); // etc.
    });
@param stream An "old style" readable stream
- ): boolean;
encoding?: BufferEncoding,): boolean;
Sends data on the socket. The second parameter specifies the encoding in the case of a string. It defaults to UTF8 encoding.
Returns true if the entire data was flushed successfully to the kernel buffer. Returns false if all or part of the data was queued in user memory. 'drain' will be emitted when the buffer is again free.
The optional callback parameter will be executed when the data is finally written out, which may not be immediately.
See Writable stream write() method for more information.
@param encoding Only used when data is string.
- ): Disposable;
Listens once to the abort event on the provided signal.
Listening to the abort event on abort signals is unsafe and may lead to resource leaks since another third party with the signal can call e.stopImmediatePropagation(). Unfortunately Node.js cannot change this since it would violate the web standard. Additionally, the original API makes it easy to forget to remove listeners.
This API allows safely using AbortSignals in Node.js APIs by solving these two issues by listening to the event such that stopImmediatePropagation does not prevent the listener from running.
Returns a disposable so that it may be unsubscribed from more easily.
    import { addAbortListener } from 'node:events';
    function example(signal) {
      let disposable;
      try {
        signal.addEventListener('abort', (e) => e.stopImmediatePropagation());
        disposable = addAbortListener(signal, (e) => {
          // Do something when signal is aborted.
        });
      } finally {
        disposable?.[Symbol.dispose]();
      }
    }
@returns Disposable that removes the abort listener.
- src: string | Object | Stream | ArrayBuffer | Blob | Iterable<any, any, any> | AsyncIterable<any, any, any> | AsyncGeneratorFunction | Promise<any>
A utility method for creating duplex streams.
Stream converts writable stream into writable Duplex and readable stream to Duplex.
Blob converts into readable Duplex.
string converts into readable Duplex.
ArrayBuffer converts into readable Duplex.
AsyncIterable converts into a readable Duplex. Cannot yield null.
AsyncGeneratorFunction converts into a readable/writable transform Duplex. Must take a source AsyncIterable as first parameter. Cannot yield null.
AsyncFunction converts into a writable Duplex. Must return either null or undefined.
Object ({ writable, readable }) converts readable and writable into Stream and then combines them into Duplex where the Duplex will write to the writable and read from the readable.
Promise converts into readable Duplex. Value null is ignored.
- options?: Pick<DuplexOptions<Duplex>, 'signal' | 'allowHalfOpen' | 'decodeStrings' | 'encoding' | 'highWaterMark' | 'objectMode'>
A utility method for creating a Duplex from a web ReadableStream and WritableStream.
- name: string | symbol): Function[];
Returns a copy of the array of listeners for the event named eventName.
For EventEmitters this behaves exactly the same as calling .listeners on the emitter.
For EventTargets this is the only way to get the event listeners for the event target. This is useful for debugging and diagnostic purposes.
    import { getEventListeners, EventEmitter } from 'node:events';
    {
      const ee = new EventEmitter();
      const listener = () => console.log('Events are fun');
      ee.on('foo', listener);
      console.log(getEventListeners(ee, 'foo')); // [ [Function: listener] ]
    }
    {
      const et = new EventTarget();
      const listener = () => console.log('Events are fun');
      et.addEventListener('foo', listener);
      console.log(getEventListeners(et, 'foo')); // [ [Function: listener] ]
    }
- ): number;
Returns the currently set max amount of listeners.
For EventEmitters this behaves exactly the same as calling .getMaxListeners on the emitter.
For EventTargets this is the only way to get the max event listeners for the event target. If the number of event handlers on a single EventTarget exceeds the max set, the EventTarget will print a warning.
    import { getMaxListeners, setMaxListeners, EventEmitter } from 'node:events';
    {
      const ee = new EventEmitter();
      console.log(getMaxListeners(ee)); // 10
      setMaxListeners(11, ee);
      console.log(getMaxListeners(ee)); // 11
    }
    {
      const et = new EventTarget();
      console.log(getMaxListeners(et)); // 10
      setMaxListeners(11, et);
      console.log(getMaxListeners(et)); // 11
    }
- emitter: EventEmitter,eventName: string | symbol,options?: StaticEventEmitterIteratorOptions): AsyncIterator<any[]>;
```js
import { on, EventEmitter } from 'node:events';
import process from 'node:process';

const ee = new EventEmitter();

// Emit later on
process.nextTick(() => {
  ee.emit('foo', 'bar');
  ee.emit('foo', 42);
});

for await (const event of on(ee, 'foo')) {
  // The execution of this inner block is synchronous and it
  // processes one event at a time (even with await). Do not use
  // if concurrent execution is required.
  console.log(event); // prints ['bar'] [42]
}
// Unreachable here
```
Returns an AsyncIterator that iterates eventName events. It will throw if the EventEmitter emits 'error'. It removes all listeners when exiting the loop. The value returned by each iteration is an array composed of the emitted event arguments.
An AbortSignal can be used to cancel waiting on events:
```js
import { on, EventEmitter } from 'node:events';
import process from 'node:process';

const ac = new AbortController();

(async () => {
  const ee = new EventEmitter();

  // Emit later on
  process.nextTick(() => {
    ee.emit('foo', 'bar');
    ee.emit('foo', 42);
  });

  for await (const event of on(ee, 'foo', { signal: ac.signal })) {
    // The execution of this inner block is synchronous and it
    // processes one event at a time (even with await). Do not use
    // if concurrent execution is required.
    console.log(event); // prints ['bar'] [42]
  }
  // Unreachable here
})();

process.nextTick(() => ac.abort());
```
Use the close option to specify an array of event names that will end the iteration:
```js
import { on, EventEmitter } from 'node:events';
import process from 'node:process';

const ee = new EventEmitter();

// Emit later on
process.nextTick(() => {
  ee.emit('foo', 'bar');
  ee.emit('foo', 42);
  ee.emit('close');
});

for await (const event of on(ee, 'foo', { close: ['close'] })) {
  console.log(event); // prints ['bar'] [42]
}
// the loop will exit after 'close' is emitted
console.log('done'); // prints 'done'
```
@returns An AsyncIterator that iterates eventName events emitted by the emitter
eventName: string,options?: StaticEventEmitterIteratorOptions): AsyncIterator<any[]>;
- emitter: EventEmitter,eventName: string | symbol,options?: StaticEventEmitterOptions): Promise<any[]>;
Creates a Promise that is fulfilled when the EventEmitter emits the given event or that is rejected if the EventEmitter emits 'error' while waiting. The Promise will resolve with an array of all the arguments emitted to the given event.
This method is intentionally generic and works with the web platform EventTarget interface, which has no special 'error' event semantics and does not listen to the 'error' event.
```js
import { once, EventEmitter } from 'node:events';
import process from 'node:process';

const ee = new EventEmitter();

process.nextTick(() => {
  ee.emit('myevent', 42);
});

const [value] = await once(ee, 'myevent');
console.log(value);

const err = new Error('kaboom');
process.nextTick(() => {
  ee.emit('error', err);
});

try {
  await once(ee, 'myevent');
} catch (err) {
  console.error('error happened', err);
}
```
The special handling of the 'error' event is only used when events.once() is used to wait for another event. If events.once() is used to wait for the 'error' event itself, then it is treated as any other kind of event without special handling:
```js
import { EventEmitter, once } from 'node:events';

const ee = new EventEmitter();

once(ee, 'error')
  .then(([err]) => console.log('ok', err.message))
  .catch((err) => console.error('error', err.message));

ee.emit('error', new Error('boom'));

// Prints: ok boom
```
An AbortSignal can be used to cancel waiting for the event:
```js
import { EventEmitter, once } from 'node:events';

const ee = new EventEmitter();
const ac = new AbortController();

async function foo(emitter, event, signal) {
  try {
    await once(emitter, event, { signal });
    console.log('event emitted!');
  } catch (error) {
    if (error.name === 'AbortError') {
      console.error('Waiting for the event was canceled!');
    } else {
      console.error('There was an error', error.message);
    }
  }
}

foo(ee, 'foo', ac.signal);
ac.abort(); // Abort waiting for the event
ee.emit('foo'); // Prints: Waiting for the event was canceled!
```
eventName: string,options?: StaticEventEmitterOptions): Promise<any[]>;
- n?: number,): void;
```js
import { setMaxListeners, EventEmitter } from 'node:events';

const target = new EventTarget();
const emitter = new EventEmitter();

setMaxListeners(5, target, emitter);
```
@param n A non-negative number. The maximum number of listeners per EventTarget event.
@param eventTargets Zero or more {EventTarget} or {EventEmitter} instances. If none are specified, n is set as the default max for all newly created {EventTarget} and {EventEmitter} objects.
A utility method for creating a web ReadableStream and WritableStream from a Duplex.
The default value of the ciphers option of {@link createSecureContext()}. It can be assigned any of the supported OpenSSL ciphers. Defaults to the content of crypto.constants.defaultCoreCipherList, unless changed using CLI options using --tls-default-ciphers.
The default curve name to use for ECDH key agreement in a tls server. The default value is 'auto'. See {@link createSecureContext()} for further information.
The default value of the maxVersion option of {@link createSecureContext()}. It can be assigned any of the supported TLS protocol versions, 'TLSv1.3', 'TLSv1.2', 'TLSv1.1', or 'TLSv1'. Default: 'TLSv1.3', unless changed using CLI options. Using --tls-max-v1.2 sets the default to 'TLSv1.2'. Using --tls-max-v1.3 sets the default to 'TLSv1.3'. If multiple of the options are provided, the highest maximum is used.
The default value of the minVersion option of {@link createSecureContext()}. It can be assigned any of the supported TLS protocol versions, 'TLSv1.3', 'TLSv1.2', 'TLSv1.1', or 'TLSv1'. Default: 'TLSv1.2', unless changed using CLI options. Using --tls-min-v1.0 sets the default to 'TLSv1'. Using --tls-min-v1.1 sets the default to 'TLSv1.1'. Using --tls-min-v1.3 sets the default to 'TLSv1.3'. If multiple of the options are provided, the lowest minimum is used.
An immutable array of strings representing the root certificates (in PEM format) from the bundled Mozilla CA store as supplied by the current Node.js version.
The bundled CA store, as supplied by Node.js, is a snapshot of Mozilla CA store that is fixed at release time. It is identical on all supported platforms.
- hostname: string,
Verifies the certificate cert is issued to hostname.
Returns Error object, populating it with reason, host, and cert on failure. On success, returns undefined.
This function is intended to be used in combination with the checkServerIdentity option that can be passed to connect and as such operates on a certificate object. For other purposes, consider using x509.checkHost() instead.
This function can be overwritten by providing an alternative function as the options.checkServerIdentity option that is passed to tls.connect(). The overwriting function can call tls.checkServerIdentity() of course, to augment the checks done with additional verification.
This function is only called if the certificate passed all other checks, such as being issued by trusted CA (options.ca).
Earlier versions of Node.js incorrectly accepted certificates for a given hostname if a matching uniformResourceIdentifier subject alternative name was present (see CVE-2021-44531). Applications that wish to accept uniformResourceIdentifier subject alternative names can use a custom options.checkServerIdentity function that implements the desired behavior.
@param hostname The host name or IP address to verify the certificate against.
@param cert A certificate object representing the peer's certificate.
- secureConnectListener?: () => void
The callback function, if specified, will be added as a listener for the 'secureConnect' event.
tls.connect() returns a TLSSocket object.
Unlike the https API, tls.connect() does not enable the SNI (Server Name Indication) extension by default, which may cause some servers to return an incorrect certificate or reject the connection altogether. To enable SNI, set the servername option in addition to host.
The following illustrates a client for the echo server example from createServer:
```js
// Assumes an echo server that is listening on port 8000.
import tls from 'node:tls';
import fs from 'node:fs';

const options = {
  // Necessary only if the server requires client certificate authentication.
  key: fs.readFileSync('client-key.pem'),
  cert: fs.readFileSync('client-cert.pem'),

  // Necessary only if the server uses a self-signed certificate.
  ca: [ fs.readFileSync('server-cert.pem') ],

  // Necessary only if the server's cert isn't for "localhost".
  checkServerIdentity: () => { return null; },
};

const socket = tls.connect(8000, options, () => {
  console.log('client connected',
              socket.authorized ? 'authorized' : 'unauthorized');
  process.stdin.pipe(socket);
  process.stdin.resume();
});
socket.setEncoding('utf8');
socket.on('data', (data) => {
  console.log(data);
});
socket.on('end', () => {
  console.log('server ends connection');
});
```
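The client above replaces checkServerIdentity with a function that always returns null, so no host name check runs at all. As an added example (not from the Node.js or Bun documentation), the function below keeps the built-in tls.checkServerIdentity() check and adds a public-key pin on top of it, as the checkServerIdentity description suggests. pinnedIdentityCheck, connectPinned, describeCheck, the ERR_PIN_MISMATCH code and the sample certificate object are assumptions constructed for illustration.

```javascript
// Added example; not code from the Node.js or Bun documentation.
const tls = require('node:tls');
const crypto = require('node:crypto');

// Base64 SHA-256 digest of a certificate object's public key (cert.pubkey).
function publicKeyPin(cert) {
  return crypto.createHash('sha256').update(cert.pubkey).digest('base64');
}

// Hypothetical helper: builds a function for the checkServerIdentity option.
// Like the built-in, it returns undefined on success and an Error on failure.
function pinnedIdentityCheck(allowedPins) {
  const pins = new Set(allowedPins);
  return function checkServerIdentity(hostname, cert) {
    // 1. Built-in check first: the certificate must be issued to hostname.
    const nameError = tls.checkServerIdentity(hostname, cert);
    if (nameError) return nameError;

    // 2. Additional verification: the peer's public key must be pinned.
    if (!Buffer.isBuffer(cert.pubkey) || !pins.has(publicKeyPin(cert))) {
      const err = new Error(`Public key presented for ${hostname} is not pinned`);
      err.code = 'ERR_PIN_MISMATCH'; // constructed code, not a Node.js error code
      err.host = hostname;
      return err;
    }
    return undefined;
  };
}

// Hypothetical wrapper around tls.connect(). servername is set explicitly,
// following the SNI note in the text.
function connectPinned(host, port, allowedPins, onSecureConnect) {
  return tls.connect({
    host,
    port,
    servername: host,
    checkServerIdentity: pinnedIdentityCheck(allowedPins),
  }, onSecureConnect);
}

// Constructed certificate object (not a real certificate). The URI entry is
// there to show that a uniformResourceIdentifier SAN does not satisfy the
// built-in host name check on current Node.js versions.
const SAMPLE_CERT = {
  subject: { CN: 'api.example.test' },
  subjectaltname: 'DNS:api.example.test, URI:https://other.example.test/',
  pubkey: Buffer.from('constructed public key bytes'),
};
const SAMPLE_PIN = publicKeyPin(SAMPLE_CERT);

// Runs the check against the sample certificate and reports 'ok' or the
// error code of the failure.
function describeCheck(hostname, allowedPins) {
  const result = pinnedIdentityCheck(allowedPins)(hostname, SAMPLE_CERT);
  return result === undefined ? 'ok' : result.code;
}

console.log(describeCheck('api.example.test', [SAMPLE_PIN]));
console.log(describeCheck('other.example.test', [SAMPLE_PIN]));
console.log(describeCheck('api.example.test', ['pin-of-another-key']));
```

Because the built-in check runs first, a pin match can never make up for a host name mismatch.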
port: number,host?: string,secureConnectListener?: () => void
port: number,secureConnectListener?: () => void
secureConnectListener?: () => void
{@link createServer} sets the default value of the honorCipherOrder option to true, other APIs that create secure contexts leave it unset.
{@link createServer} uses a 128 bit truncated SHA1 hash value generated from process.argv as the default value of the sessionIdContext option, other APIs that create secure contexts have no default value.
The tls.createSecureContext() method creates a SecureContext object. It is usable as an argument to several tls APIs, such as server.addContext(), but has no public methods. The Server constructor and the createServer method do not support the secureContext option.
A key is required for ciphers that use certificates. Either key or pfx can be used to provide it.
If the ca option is not given, then Node.js will default to using Mozilla's publicly trusted list of CAs.
Custom DHE parameters are discouraged in favor of the new dhparam: 'auto' option. When set to 'auto', well-known DHE parameters of sufficient strength will be selected automatically. Otherwise, if necessary, openssl dhparam can be used to create custom parameters. The key length must be greater than or equal to 1024 bits or else an error will be thrown. Although 1024 bits is permissible, use 2048 bits or larger for stronger security.
Creates a new Server. The secureConnectionListener, if provided, is automatically set as a listener for the 'secureConnection' event.
The ticketKeys option is automatically shared between node:cluster module workers.
The following illustrates a simple echo server:
```js
import tls from 'node:tls';
import fs from 'node:fs';

const options = {
  key: fs.readFileSync('server-key.pem'),
  cert: fs.readFileSync('server-cert.pem'),

  // This is necessary only if using client certificate authentication.
  requestCert: true,

  // This is necessary only if the client uses a self-signed certificate.
  ca: [ fs.readFileSync('client-cert.pem') ],
};

const server = tls.createServer(options, (socket) => {
  console.log('server connected',
              socket.authorized ? 'authorized' : 'unauthorized');
  socket.write('welcome!\n');
  socket.setEncoding('utf8');
  socket.pipe(socket);
});
server.listen(8000, () => {
  console.log('server bound');
});
```
The server can be tested by connecting to it using the example client from connect.
- type?: 'default' | 'system' | 'bundled' | 'extra'): string[];
Returns an array containing the CA certificates from various sources, depending on type:
  - "default": return the CA certificates that will be used by the Node.js TLS clients by default.
    - When --use-bundled-ca is enabled (default), or --use-openssl-ca is not enabled, this would include CA certificates from the bundled Mozilla CA store.
    - When --use-system-ca is enabled, this would also include certificates from the system's trusted store.
    - When NODE_EXTRA_CA_CERTS is used, this would also include certificates loaded from the specified file.
  - "system": return the CA certificates that are loaded from the system's trusted store, according to rules set by --use-system-ca. This can be used to get the certificates from the system when --use-system-ca is not enabled.
  - "bundled": return the CA certificates from the bundled Mozilla CA store. This would be the same as tls.rootCertificates.
  - "extra": return the CA certificates loaded from NODE_EXTRA_CA_CERTS. It's an empty array if NODE_EXTRA_CA_CERTS is not set.
@param type The type of CA certificates that will be returned. Valid values are "default", "system", "bundled" and "extra". Default: "default".
@returns An array of PEM-encoded certificates. The array may contain duplicates if the same certificate is repeatedly stored in multiple sources.
Returns an array with the names of the supported TLS ciphers. The names are lower-case for historical reasons, but must be uppercased to be used in the ciphers option of {@link createSecureContext}.
Not all supported ciphers are enabled by default. See Modifying the default TLS cipher suite.
Cipher names that start with 'tls_' are for TLSv1.3, all the others are for TLSv1.2 and below.
```js
console.log(tls.getCiphers()); // ['aes128-gcm-sha256', 'aes128-sha', ...]
```
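An added example (not from the Node.js or Bun documentation) that applies the two naming rules above: it checks an allow-list against tls.getCiphers(), upper-cases the names for the ciphers option, and separates TLSv1.3 suites by their 'tls_' prefix. The helper names and the sample allow-list are assumptions, and the rule that a TLSv1.3 minimum needs at least one 'tls_' suite is this example's own policy check.

```javascript
// Added example; not code from the Node.js or Bun documentation.
const tls = require('node:tls');

// Split cipher names (as reported by tls.getCiphers()) by protocol family:
// names starting with 'tls_' are TLSv1.3 suites, the rest are TLSv1.2 and below.
function classifyCiphers(names) {
  const tls13 = [];
  const tls12AndBelow = [];
  for (const name of names) {
    if (name.toLowerCase().startsWith('tls_')) tls13.push(name);
    else tls12AndBelow.push(name);
  }
  return { tls13, tls12AndBelow };
}

// Hypothetical helper: validate an allow-list and build the value for the
// ciphers option of createSecureContext().
function buildCipherOption(allowList, minVersion = 'TLSv1.2') {
  // tls.getCiphers() reports lower-case names, so compare in lower case.
  const supported = new Set(tls.getCiphers());
  const unknown = allowList.filter((name) => !supported.has(name.toLowerCase()));
  if (unknown.length > 0) {
    throw new RangeError(`Unsupported cipher name(s): ${unknown.join(', ')}`);
  }

  // Policy check of this example: a TLSv1.3-only context needs a TLSv1.3 suite.
  const { tls13 } = classifyCiphers(allowList);
  if (minVersion === 'TLSv1.3' && tls13.length === 0) {
    throw new RangeError("minVersion 'TLSv1.3' requires at least one 'tls_' suite");
  }

  // OpenSSL expects the upper-case form, joined with ':'.
  return allowList.map((name) => name.toUpperCase()).join(':');
}

// Hypothetical helper: secure context restricted to the allow-list.
function createRestrictedContext(allowList, minVersion = 'TLSv1.2') {
  return tls.createSecureContext({
    ciphers: buildCipherOption(allowList, minVersion),
    minVersion,
  });
}

// Constructed allow-list: one TLSv1.3 suite and one TLSv1.2 suite.
const SAMPLE_ALLOW_LIST = [
  'tls_aes_128_gcm_sha256',
  'ecdhe-rsa-aes128-gcm-sha256',
];

console.log(buildCipherOption(SAMPLE_ALLOW_LIST));
console.log(classifyCiphers(SAMPLE_ALLOW_LIST));
```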
Type definitions
interface BunConnectionOptions
- allowPartialTrustChain?: boolean
Treat intermediate (non-self-signed) certificates in the trust CA certificate list as trusted.
- ALPNCallback?: (arg: { protocols: string[]; servername: string }) => undefined | string
If set, this will be called when a client opens a connection using the ALPN extension. One argument will be passed to the callback: an object containing servername and protocols fields, respectively containing the server name from the SNI extension (if any) and an array of ALPN protocol name strings. The callback must return either one of the strings listed in protocols, which will be returned to the client as the selected ALPN protocol, or undefined, to reject the connection with a fatal alert. If a string is returned that does not match one of the client's ALPN protocols, an error will be thrown. This option cannot be used with the ALPNProtocols option, and setting both options will throw an error.
- ALPNProtocols?: Uint8Array<ArrayBufferLike> | string[] | Uint8Array<ArrayBufferLike>[]
An array of strings or a Buffer naming possible ALPN protocols. (Protocols should be ordered by their priority.)
- ca?: string | Buffer<ArrayBufferLike> | TypedArray<ArrayBufferLike> | BunFile | string | Buffer<ArrayBufferLike> | BunFile[]
Optionally override the trusted CA certificates. Default is to trust the well-known CAs curated by Mozilla. Mozilla's CAs are completely replaced when CAs are explicitly specified using this option.
- cert?: string | Buffer<ArrayBufferLike> | TypedArray<ArrayBufferLike> | BunFile | unknown[]
Cert chains in PEM format. One cert chain should be provided per private key. Each cert chain should consist of the PEM formatted certificate for a provided private key, followed by the PEM formatted intermediate certificates (if any), in order, and not including the root CA (the root CA must be pre-known to the peer, see ca). When providing multiple cert chains, they do not have to be in the same order as their private keys in key. If the intermediate certificates are not provided, the peer will not be able to validate the certificate, and the handshake will fail.
- ciphers?: string
Cipher suite specification, replacing the default. For more information, see modifying the default cipher suite. Permitted ciphers can be obtained via tls.getCiphers(). Cipher names must be uppercased in order for OpenSSL to accept them.
- ecdhCurve?: string
A string describing a named curve or a colon separated list of curve NIDs or names, for example P-521:P-384:P-256, to use for ECDH key agreement. Set to auto to select the curve automatically. Use crypto.getCurves() to obtain a list of available curve names. On recent releases, openssl ecparam -list_curves will also display the name and description of each available elliptic curve. Default: tls.DEFAULT_ECDH_CURVE.
- enableTrace?: boolean
When enabled, TLS packet trace information is written to stderr. This can be used to debug TLS connection problems.
- honorCipherOrder?: boolean
Attempt to use the server's cipher suite preferences instead of the client's. When true, causes SSL_OP_CIPHER_SERVER_PREFERENCE to be set in secureOptions
- key?: string | Buffer<ArrayBufferLike> | TypedArray<ArrayBufferLike> | BunFile | unknown[]
Private keys in PEM format. PEM allows the option of private keys being encrypted. Encrypted keys will be decrypted with options.passphrase. Multiple keys using different algorithms can be provided either as an array of unencrypted key strings or buffers, or an array of objects in the form {pem: <string|buffer>[, passphrase: <string>]}. The object form can only occur in an array. object.passphrase is optional. Encrypted keys will be decrypted with object.passphrase if provided, or options.passphrase if it is not.
- maxVersion?: SecureVersion
Optionally set the maximum TLS version to allow. One of 'TLSv1.3', 'TLSv1.2', 'TLSv1.1', or 'TLSv1'. Cannot be specified along with the secureProtocol option, use one or the other. Default: 'TLSv1.3', unless changed using CLI options. Using --tls-max-v1.2 sets the default to 'TLSv1.2'. Using --tls-max-v1.3 sets the default to 'TLSv1.3'. If multiple of the options are provided, the highest maximum is used.
- minVersion?: SecureVersion
Optionally set the minimum TLS version to allow. One of 'TLSv1.3', 'TLSv1.2', 'TLSv1.1', or 'TLSv1'. Cannot be specified along with the secureProtocol option, use one or the other. It is not recommended to use less than TLSv1.2, but it may be required for interoperability. Default: 'TLSv1.2', unless changed using CLI options. Using --tls-min-v1.0 sets the default to 'TLSv1'. Using --tls-min-v1.1 sets the default to 'TLSv1.1'. Using --tls-min-v1.3 sets the default to 'TLSv1.3'. If multiple of the options are provided, the lowest minimum is used.
- pfx?: string | Buffer<ArrayBufferLike> | string | Buffer<ArrayBufferLike> | PxfObject[]
PFX or PKCS12 encoded private key and certificate chain. pfx is an alternative to providing key and cert individually. PFX is usually encrypted, if it is, passphrase will be used to decrypt it. Multiple PFX can be provided either as an array of unencrypted PFX buffers, or an array of objects in the form {buf: <string|buffer>[, passphrase: <string>]}. The object form can only occur in an array. object.passphrase is optional. Encrypted PFX will be decrypted with object.passphrase if provided, or options.passphrase if it is not.
- requestCert?: boolean
If true the server will request a certificate from clients that connect and attempt to verify that certificate. Defaults to false.
- secureOptions?: number
Optionally affect the OpenSSL protocol behavior, which is not usually necessary. This should be used carefully if at all! Value is a numeric bitmask of the SSL_OP_* options from OpenSSL Options
- secureProtocol?: string
Legacy mechanism to select the TLS protocol version to use, it does not support independent control of the minimum and maximum version, and does not support limiting the protocol to TLSv1.3. Use minVersion and maxVersion instead. The possible values are listed as SSL_METHODS, use the function names as strings. For example, use 'TLSv1_1_method' to force TLS version 1.1, or 'TLS_method' to allow any TLS protocol version up to TLSv1.3. It is not recommended to use TLS versions less than 1.2, but it may be required for interoperability. Default: none, see minVersion.
- sessionIdContext?: string
Opaque identifier used by servers to ensure session state is not shared between applications. Unused by clients.
- sessionTimeout?: number
The number of seconds after which a TLS session created by the server will no longer be resumable. See Session Resumption for more information. Default: 300.
- sigalgs?: string
Colon-separated list of supported signature algorithms. The list can contain digest algorithms (SHA256, MD5 etc.), public key algorithms (RSA-PSS, ECDSA etc.), a combination of both (e.g. 'RSA+SHA384') or TLS v1.3 scheme names (e.g. rsa_pss_pss_sha512).
- SNICallback?: (servername: string, cb: (err: null | Error, ctx?: SecureContext) => void) => void
SNICallback(servername, cb) <Function> A function that will be called if the client supports SNI TLS extension. Two arguments will be passed when called: servername and cb. SNICallback should invoke cb(null, ctx), where ctx is a SecureContext instance. (tls.createSecureContext(...) can be used to get a proper SecureContext.) If SNICallback wasn't provided the default callback with high-level API will be used (see below).
- ticketKeys?: Buffer<ArrayBufferLike>
48 bytes of cryptographically strong pseudo-random data. See Session Resumption for more information.
interface CipherNameAndProtocol
interface CommonConnectionOptions
- ALPNProtocols?: Uint8Array<ArrayBufferLike> | string[] | Uint8Array<ArrayBufferLike>[]
An array of strings or a Buffer naming possible ALPN protocols. (Protocols should be ordered by their priority.)
- enableTrace?: boolean
When enabled, TLS packet trace information is written to stderr. This can be used to debug TLS connection problems.
- requestCert?: boolean
If true the server will request a certificate from clients that connect and attempt to verify that certificate. Defaults to false.
- SNICallback?: (servername: string, cb: (err: null | Error, ctx?: SecureContext) => void) => void
SNICallback(servername, cb) <Function> A function that will be called if the client supports SNI TLS extension. Two arguments will be passed when called: servername and cb. SNICallback should invoke cb(null, ctx), where ctx is a SecureContext instance. (tls.createSecureContext(...) can be used to get a proper SecureContext.) If SNICallback wasn't provided the default callback with high-level API will be used (see below).
interface ConnectionOptions
- allowPartialTrustChain?: boolean
Treat intermediate (non-self-signed) certificates in the trust CA certificate list as trusted.
- ALPNCallback?: (arg: { protocols: string[]; servername: string }) => undefined | string
If set, this will be called when a client opens a connection using the ALPN extension. One argument will be passed to the callback: an object containing servername and protocols fields, respectively containing the server name from the SNI extension (if any) and an array of ALPN protocol name strings. The callback must return either one of the strings listed in protocols, which will be returned to the client as the selected ALPN protocol, or undefined, to reject the connection with a fatal alert. If a string is returned that does not match one of the client's ALPN protocols, an error will be thrown. This option cannot be used with the ALPNProtocols option, and setting both options will throw an error.
- ALPNProtocols?: Uint8Array<ArrayBufferLike> | string[] | Uint8Array<ArrayBufferLike>[]
An array of strings or a Buffer naming possible ALPN protocols. (Protocols should be ordered by their priority.)
- cert?: string | Buffer<ArrayBufferLike> | string | Buffer<ArrayBufferLike>[]
Cert chains in PEM format. One cert chain should be provided per private key. Each cert chain should consist of the PEM formatted certificate for a provided private key, followed by the PEM formatted intermediate certificates (if any), in order, and not including the root CA (the root CA must be pre-known to the peer, see ca). When providing multiple cert chains, they do not have to be in the same order as their private keys in key. If the intermediate certificates are not provided, the peer will not be able to validate the certificate, and the handshake will fail.
- ciphers?: string
Cipher suite specification, replacing the default. For more information, see modifying the default cipher suite. Permitted ciphers can be obtained via tls.getCiphers(). Cipher names must be uppercased in order for OpenSSL to accept them.
- ecdhCurve?: string
A string describing a named curve or a colon separated list of curve NIDs or names, for example P-521:P-384:P-256, to use for ECDH key agreement. Set to auto to select the curve automatically. Use crypto.getCurves() to obtain a list of available curve names. On recent releases, openssl ecparam -list_curves will also display the name and description of each available elliptic curve. Default: tls.DEFAULT_ECDH_CURVE.
- enableTrace?: boolean
When enabled, TLS packet trace information is written to stderr. This can be used to debug TLS connection problems.
- honorCipherOrder?: boolean
Attempt to use the server's cipher suite preferences instead of the client's. When true, causes SSL_OP_CIPHER_SERVER_PREFERENCE to be set in secureOptions
- key?: string | Buffer<ArrayBufferLike> | string | Buffer<ArrayBufferLike> | KeyObject[]
Private keys in PEM format. PEM allows the option of private keys being encrypted. Encrypted keys will be decrypted with options.passphrase. Multiple keys using different algorithms can be provided either as an array of unencrypted key strings or buffers, or an array of objects in the form {pem: <string|buffer>[, passphrase: <string>]}. The object form can only occur in an array. object.passphrase is optional. Encrypted keys will be decrypted with object.passphrase if provided, or options.passphrase if it is not.
- maxVersion?: SecureVersion
Optionally set the maximum TLS version to allow. One of 'TLSv1.3', 'TLSv1.2', 'TLSv1.1', or 'TLSv1'. Cannot be specified along with the secureProtocol option, use one or the other. Default: 'TLSv1.3', unless changed using CLI options. Using --tls-max-v1.2 sets the default to 'TLSv1.2'. Using --tls-max-v1.3 sets the default to 'TLSv1.3'. If multiple of the options are provided, the highest maximum is used.
- minVersion?: SecureVersion
Optionally set the minimum TLS version to allow. One of 'TLSv1.3', 'TLSv1.2', 'TLSv1.1', or 'TLSv1'. Cannot be specified along with the secureProtocol option, use one or the other. It is not recommended to use less than TLSv1.2, but it may be required for interoperability. Default: 'TLSv1.2', unless changed using CLI options. Using --tls-v1.0 sets the default to 'TLSv1'. Using --tls-v1.1 sets the default to 'TLSv1.1'. Using --tls-min-v1.3 sets the default to 'TLSv1.3'. If multiple of the options are provided, the lowest minimum is used.
- pfx?: string | Buffer<ArrayBufferLike> | string | Buffer<ArrayBufferLike> | PxfObject[]
PFX or PKCS12 encoded private key and certificate chain. pfx is an alternative to providing key and cert individually. PFX is usually encrypted, if it is, passphrase will be used to decrypt it. Multiple PFX can be provided either as an array of unencrypted PFX buffers, or an array of objects in the form {buf: <string|buffer>[, passphrase: <string>]}. The object form can only occur in an array. object.passphrase is optional. Encrypted PFX will be decrypted with object.passphrase if provided, or options.passphrase if it is not.
- requestCert?: boolean
If true the server will request a certificate from clients that connect and attempt to verify that certificate. Defaults to false.
- secureOptions?: number
Optionally affect the OpenSSL protocol behavior, which is not usually necessary. This should be used carefully if at all! Value is a numeric bitmask of the SSL_OP_* options from OpenSSL Options
- secureProtocol?: string
Legacy mechanism to select the TLS protocol version to use, it does not support independent control of the minimum and maximum version, and does not support limiting the protocol to TLSv1.3. Use minVersion and maxVersion instead. The possible values are listed as SSL_METHODS, use the function names as strings. For example, use 'TLSv1_1_method' to force TLS version 1.1, or 'TLS_method' to allow any TLS protocol version up to TLSv1.3. It is not recommended to use TLS versions less than 1.2, but it may be required for interoperability. Default: none, see minVersion.
- sessionIdContext?: string
Opaque identifier used by servers to ensure session state is not shared between applications. Unused by clients.
- sessionTimeout?: number
The number of seconds after which a TLS session created by the server will no longer be resumable. See Session Resumption for more information. Default: 300.
- sigalgs?: string
Colon-separated list of supported signature algorithms. The list can contain digest algorithms (SHA256, MD5 etc.), public key algorithms (RSA-PSS, ECDSA etc.), combination of both (e.g 'RSA+SHA384') or TLS v1.3 scheme names (e.g. rsa_pss_pss_sha512).
- SNICallback?: (servername: string, cb: (err: null | Error, ctx?: SecureContext) => void) => void
SNICallback(servername, cb) <Function> A function that will be called if the client supports SNI TLS extension. Two arguments will be passed when called: servername and cb. SNICallback should invoke cb(null, ctx), where ctx is a SecureContext instance. (tls.createSecureContext(...) can be used to get a proper SecureContext.) If SNICallback wasn't provided the default callback with high-level API will be used (see below).
- ticketKeys?: Buffer<ArrayBufferLike>
48-bytes of cryptographically strong pseudo-random data. See Session Resumption for more information.
- hint: null | string
When negotiating TLS-PSK (pre-shared keys), this function is called with optional identity hint provided by the server or null in case of TLS 1.3 where hint was removed. It will be necessary to provide a custom tls.checkServerIdentity() for the connection as the default one will try to check hostname/IP of the server against the certificate but that's not applicable for PSK because there won't be a certificate present. More information can be found in the RFC 4279.
@param hint message sent from the server to help client decide which identity to use during negotiation. Always null if TLS 1.3 is used.
@returns Return null to stop the negotiation process. psk must be compatible with the selected cipher's digest. identity must use UTF-8 encoding.
interface DetailedPeerCertificate
- asn1Curve?: string
The ASN.1 name of the OID of the elliptic curve. Well-known curves are identified by an OID. While it is unusual, it is possible that the curve is identified by its mathematical properties, in which case it will not have an OID.
- fingerprint: string
The SHA-1 digest of the DER encoded certificate. It is returned as a : separated hexadecimal string.
- fingerprint256: string
The SHA-256 digest of the DER encoded certificate. It is returned as a : separated hexadecimal string.
- fingerprint512: string
The SHA-512 digest of the DER encoded certificate. It is returned as a : separated hexadecimal string.
- issuerCertificate: DetailedPeerCertificate
The issuer certificate object. For self-signed certificates, this may be a circular reference.
- nistCurve?: string
The NIST name for the elliptic curve, if it has one (not all well-known curves have been assigned names by NIST).
- subjectaltname?: string
A string containing concatenated names for the subject, an alternative to the subject names.
interface EphemeralKeyInfo
interface KeyObject
interface PeerCertificate
- asn1Curve?: string
The ASN.1 name of the OID of the elliptic curve. Well-known curves are identified by an OID. While it is unusual, it is possible that the curve is identified by its mathematical properties, in which case it will not have an OID.
- fingerprint: string
The SHA-1 digest of the DER encoded certificate. It is returned as a : separated hexadecimal string.
- fingerprint256: string
The SHA-256 digest of the DER encoded certificate. It is returned as a : separated hexadecimal string.
- fingerprint512: string
The SHA-512 digest of the DER encoded certificate. It is returned as a : separated hexadecimal string.
- nistCurve?: string
The NIST name for the elliptic curve, if it has one (not all well-known curves have been assigned names by NIST).
- subjectaltname?: string
A string containing concatenated names for the subject, an alternative to the subject names.
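The fingerprint fields and the possibly circular issuerCertificate link described above are what a certificate-pinning check works with. The following is an added example, not code from the Node.js or Bun documentation: it recomputes the SHA-256 fingerprint from the certificate's raw DER bytes (the raw property of the peer certificate object), walks the issuer chain without looping on a self-signed root, and reports where a pin matched. The function names and the sample chain are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Parse the ':'-separated hex form used by fingerprint256 into digest bytes.
function parseFingerprint256(fp) {
  const hex = String(fp).split(':').join('');
  if (!/^[0-9a-fA-F]{64}$/.test(hex)) {
    throw new TypeError('not a SHA-256 fingerprint: ' + fp);
  }
  return Buffer.from(hex, 'hex');
}

// Recompute the fingerprint from DER bytes, in the same ':'-separated form.
function fingerprint256Of(der) {
  const hex = crypto.createHash('sha256').update(der).digest('hex');
  return hex.toUpperCase().match(/../g).join(':');
}

// Walk leaf -> issuer -> ... and stop when the chain ends or loops back
// (a self-signed certificate may reference itself through issuerCertificate).
function walkChain(leaf) {
  const chain = [];
  const seen = new Set();
  let cert = leaf;
  while (cert && Buffer.isBuffer(cert.raw)) {
    const fp = fingerprint256Of(cert.raw);
    if (seen.has(fp)) break;
    seen.add(fp);
    chain.push({ subject: cert.subject, fingerprint256: fp });
    cert = cert.issuerCertificate;
  }
  return chain;
}

// Return the chain depth (0 = leaf) of the first certificate whose recomputed
// digest is in the pin set, or -1 when nothing in the chain is pinned.
function findPinnedDepth(leaf, pins) {
  const wanted = pins.map(parseFingerprint256);
  return walkChain(leaf).findIndex((entry) => {
    const actual = parseFingerprint256(entry.fingerprint256);
    return wanted.some((pin) => pin.equals(actual));
  });
}

// Constructed stand-ins for DetailedPeerCertificate objects. The raw bytes
// are placeholders, not real DER; only the object shape matters here.
function makeSampleChain() {
  const root = {
    subject: { CN: 'Example Root (constructed)' },
    raw: Buffer.from('constructed-root-der'),
  };
  root.issuerCertificate = root; // self-signed: circular reference
  const leaf = {
    subject: { CN: 'service.example.test' },
    raw: Buffer.from('constructed-leaf-der'),
    issuerCertificate: root,
  };
  return { leaf, root };
}
```

On a live connection the leaf would come from socket.getPeerCertificate(true) after the handshake, and a result of -1 would be the signal to destroy the socket.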
interface PSKCallbackNegotation
interface PxfObject
interface SecureContext
interface SecureContextOptions
- allowPartialTrustChain?: boolean
Treat intermediate (non-self-signed) certificates in the trust CA certificate list as trusted.
- ALPNCallback?: (arg: { protocols: string[]; servername: string }) => undefined | string
If set, this will be called when a client opens a connection using the ALPN extension. One argument will be passed to the callback: an object containing servername and protocols fields, respectively containing the server name from the SNI extension (if any) and an array of ALPN protocol name strings. The callback must return either one of the strings listed in protocols, which will be returned to the client as the selected ALPN protocol, or undefined, to reject the connection with a fatal alert. If a string is returned that does not match one of the client's ALPN protocols, an error will be thrown. This option cannot be used with the ALPNProtocols option, and setting both options will throw an error.
- cert?: string | Buffer<ArrayBufferLike> | string | Buffer<ArrayBufferLike>[]
Cert chains in PEM format. One cert chain should be provided per private key. Each cert chain should consist of the PEM formatted certificate for a provided private key, followed by the PEM formatted intermediate certificates (if any), in order, and not including the root CA (the root CA must be pre-known to the peer, see ca). When providing multiple cert chains, they do not have to be in the same order as their private keys in key. If the intermediate certificates are not provided, the peer will not be able to validate the certificate, and the handshake will fail.
- ciphers?: string
Cipher suite specification, replacing the default. For more information, see modifying the default cipher suite. Permitted ciphers can be obtained via tls.getCiphers(). Cipher names must be uppercased in order for OpenSSL to accept them.
- ecdhCurve?: string
A string describing a named curve or a colon separated list of curve NIDs or names, for example P-521:P-384:P-256, to use for ECDH key agreement. Set to auto to select the curve automatically. Use crypto.getCurves() to obtain a list of available curve names. On recent releases, openssl ecparam -list_curves will also display the name and description of each available elliptic curve. Default: tls.DEFAULT_ECDH_CURVE.
- honorCipherOrder?: boolean
Attempt to use the server's cipher suite preferences instead of the client's. When true, causes SSL_OP_CIPHER_SERVER_PREFERENCE to be set in secureOptions
- key?: string | Buffer<ArrayBufferLike> | string | Buffer<ArrayBufferLike> | KeyObject[]
Private keys in PEM format. PEM allows the option of private keys being encrypted. Encrypted keys will be decrypted with options.passphrase. Multiple keys using different algorithms can be provided either as an array of unencrypted key strings or buffers, or an array of objects in the form {pem: <string|buffer>[, passphrase: <string>]}. The object form can only occur in an array. object.passphrase is optional. Encrypted keys will be decrypted with object.passphrase if provided, or options.passphrase if it is not.
- maxVersion?: SecureVersion
Optionally set the maximum TLS version to allow. One of 'TLSv1.3', 'TLSv1.2', 'TLSv1.1', or 'TLSv1'. Cannot be specified along with the secureProtocol option, use one or the other. Default: 'TLSv1.3', unless changed using CLI options. Using --tls-max-v1.2 sets the default to 'TLSv1.2'. Using --tls-max-v1.3 sets the default to 'TLSv1.3'. If multiple of the options are provided, the highest maximum is used.
- minVersion?: SecureVersion
Optionally set the minimum TLS version to allow. One of 'TLSv1.3', 'TLSv1.2', 'TLSv1.1', or 'TLSv1'. Cannot be specified along with the secureProtocol option, use one or the other. It is not recommended to use less than TLSv1.2, but it may be required for interoperability. Default: 'TLSv1.2', unless changed using CLI options. Using --tls-v1.0 sets the default to 'TLSv1'. Using --tls-v1.1 sets the default to 'TLSv1.1'. Using --tls-min-v1.3 sets the default to 'TLSv1.3'. If multiple of the options are provided, the lowest minimum is used.
- pfx?: string | Buffer<ArrayBufferLike> | string | Buffer<ArrayBufferLike> | PxfObject[]
PFX or PKCS12 encoded private key and certificate chain. pfx is an alternative to providing key and cert individually. PFX is usually encrypted, if it is, passphrase will be used to decrypt it. Multiple PFX can be provided either as an array of unencrypted PFX buffers, or an array of objects in the form {buf: <string|buffer>[, passphrase: <string>]}. The object form can only occur in an array. object.passphrase is optional. Encrypted PFX will be decrypted with object.passphrase if provided, or options.passphrase if it is not.
- secureOptions?: number
Optionally affect the OpenSSL protocol behavior, which is not usually necessary. This should be used carefully if at all! Value is a numeric bitmask of the SSL_OP_* options from OpenSSL Options
- secureProtocol?: string
Legacy mechanism to select the TLS protocol version to use, it does not support independent control of the minimum and maximum version, and does not support limiting the protocol to TLSv1.3. Use minVersion and maxVersion instead. The possible values are listed as SSL_METHODS, use the function names as strings. For example, use 'TLSv1_1_method' to force TLS version 1.1, or 'TLS_method' to allow any TLS protocol version up to TLSv1.3. It is not recommended to use TLS versions less than 1.2, but it may be required for interoperability. Default: none, see minVersion.
- sessionIdContext?: string
Opaque identifier used by servers to ensure session state is not shared between applications. Unused by clients.
- sessionTimeout?: number
The number of seconds after which a TLS session created by the server will no longer be resumable. See Session Resumption for more information. Default: 300.
- sigalgs?: string
Colon-separated list of supported signature algorithms. The list can contain digest algorithms (SHA256, MD5 etc.), public key algorithms (RSA-PSS, ECDSA etc.), combination of both (e.g 'RSA+SHA384') or TLS v1.3 scheme names (e.g. rsa_pss_pss_sha512).
- ticketKeys?: Buffer<ArrayBufferLike>
48-bytes of cryptographically strong pseudo-random data. See Session Resumption for more information.
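Several of the SecureContextOptions constraints above can be checked before an options object ever reaches tls.createSecureContext(). The following is an added example, not part of the Node.js or Bun documentation: auditTlsOptions is a hypothetical helper that applies the rules stated in this section (version bounds, the secureProtocol conflict, the 48-byte ticketKeys size, the ALPNCallback/ALPNProtocols conflict). The MD5/SHA1 check on sigalgs is an extra policy assumed here, and the defaults assume no --tls-* CLI flag is in effect.

```javascript
// Protocol versions in ascending order, as listed for SecureVersion.
const VERSION_ORDER = ['TLSv1', 'TLSv1.1', 'TLSv1.2', 'TLSv1.3'];
const rank = (version) => VERSION_ORDER.indexOf(version);

// Return a list of { option, message } findings for a TLS options object.
function auditTlsOptions(opts) {
  const findings = [];
  const add = (option, message) => findings.push({ option, message });

  for (const name of ['minVersion', 'maxVersion']) {
    const value = opts[name];
    if (value === undefined) continue;
    if (rank(value) === -1) add(name, `unknown SecureVersion: ${value}`);
    if (opts.secureProtocol !== undefined) {
      add(name, 'cannot be specified along with secureProtocol');
    }
  }

  if (opts.secureProtocol !== undefined) {
    // Method names such as 'TLSv1_method' or 'TLSv1_1_method' pin an old version.
    const pinsOld = /^TLSv1(_1)?(_client|_server)?_method$/.test(opts.secureProtocol);
    add('secureProtocol', pinsOld
      ? 'legacy selector forcing a version below TLSv1.2'
      : 'legacy selector; use minVersion and maxVersion instead');
  }

  // Documented defaults, assuming no CLI flag changed them.
  const min = opts.minVersion ?? 'TLSv1.2';
  const max = opts.maxVersion ?? 'TLSv1.3';
  if (rank(min) !== -1 && rank(min) < rank('TLSv1.2')) {
    add('minVersion', `${min} is below the recommended floor of TLSv1.2`);
  }
  if (rank(min) !== -1 && rank(max) !== -1 && rank(min) > rank(max)) {
    add('maxVersion', `${max} is lower than minVersion ${min}`);
  }

  if (opts.ticketKeys !== undefined &&
      !(Buffer.isBuffer(opts.ticketKeys) && opts.ticketKeys.length === 48)) {
    add('ticketKeys', 'must be a Buffer of exactly 48 bytes');
  }

  if (typeof opts.sigalgs === 'string') {
    // Entries look like 'RSA+SHA384', a bare digest, or a TLS 1.3 scheme name.
    const weak = opts.sigalgs.split(':').filter((entry) =>
      entry.split('+').some((part) => /^(MD5|SHA1)$/i.test(part)));
    if (weak.length > 0) add('sigalgs', `weak digest in: ${weak.join(', ')}`);
  }

  if (opts.ALPNCallback !== undefined && opts.ALPNProtocols !== undefined) {
    add('ALPNCallback', 'cannot be used together with ALPNProtocols');
  }
  return findings;
}

// Constructed sample configuration that trips most of the checks.
const SAMPLE_WEAK_OPTIONS = {
  secureProtocol: 'TLSv1_1_method',
  minVersion: 'TLSv1',
  ticketKeys: Buffer.alloc(32),
  sigalgs: 'RSA+SHA384:RSA+SHA1:MD5',
  ALPNProtocols: ['h2'],
  ALPNCallback: () => undefined,
};
```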
interface TlsOptions
- allowPartialTrustChain?: boolean
Treat intermediate (non-self-signed) certificates in the trust CA certificate list as trusted.
- ALPNCallback?: (arg: { protocols: string[]; servername: string }) => undefined | string
If set, this will be called when a client opens a connection using the ALPN extension. One argument will be passed to the callback: an object containing servername and protocols fields, respectively containing the server name from the SNI extension (if any) and an array of ALPN protocol name strings. The callback must return either one of the strings listed in protocols, which will be returned to the client as the selected ALPN protocol, or undefined, to reject the connection with a fatal alert. If a string is returned that does not match one of the client's ALPN protocols, an error will be thrown. This option cannot be used with the ALPNProtocols option, and setting both options will throw an error.
- ALPNProtocols?: Uint8Array<ArrayBufferLike> | string[] | Uint8Array<ArrayBufferLike>[]
An array of strings or a Buffer naming possible ALPN protocols. (Protocols should be ordered by their priority.)
- blockList?: BlockList
blockList can be used for disabling inbound access to specific IP addresses, IP ranges, or IP subnets. This does not work if the server is behind a reverse proxy, NAT, etc. because the address checked against the block list is the address of the proxy, or the one specified by the NAT.
- cert?: string | Buffer<ArrayBufferLike> | string | Buffer<ArrayBufferLike>[]
Cert chains in PEM format. One cert chain should be provided per private key. Each cert chain should consist of the PEM formatted certificate for a provided private key, followed by the PEM formatted intermediate certificates (if any), in order, and not including the root CA (the root CA must be pre-known to the peer, see ca). When providing multiple cert chains, they do not have to be in the same order as their private keys in key. If the intermediate certificates are not provided, the peer will not be able to validate the certificate, and the handshake will fail.
- ciphers?: string
Cipher suite specification, replacing the default. For more information, see modifying the default cipher suite. Permitted ciphers can be obtained via tls.getCiphers(). Cipher names must be uppercased in order for OpenSSL to accept them.
- ecdhCurve?: string
A string describing a named curve or a colon separated list of curve NIDs or names, for example P-521:P-384:P-256, to use for ECDH key agreement. Set to auto to select the curve automatically. Use crypto.getCurves() to obtain a list of available curve names. On recent releases, openssl ecparam -list_curves will also display the name and description of each available elliptic curve. Default: tls.DEFAULT_ECDH_CURVE.
- enableTrace?: boolean
When enabled, TLS packet trace information is written to stderr. This can be used to debug TLS connection problems.
- handshakeTimeout?: number
Abort the connection if the SSL/TLS handshake does not finish in the specified number of milliseconds. A 'tlsClientError' is emitted on the tls.Server object whenever a handshake times out. Default: 120000 (120 seconds).
- highWaterMark?: number
Optionally overrides all net.Sockets' readableHighWaterMark and writableHighWaterMark.
- honorCipherOrder?: boolean
Attempt to use the server's cipher suite preferences instead of the client's. When true, causes SSL_OP_CIPHER_SERVER_PREFERENCE to be set in secureOptions
- keepAlive?: boolean
If set to true, it enables keep-alive functionality on the socket immediately after a new incoming connection is received, similar to what is done in socket.setKeepAlive([enable][, initialDelay]).
- keepAliveInitialDelay?: number
If set to a positive number, it sets the initial delay before the first keepalive probe is sent on an idle socket.
- key?: string | Buffer<ArrayBufferLike> | string | Buffer<ArrayBufferLike> | KeyObject[]
Private keys in PEM format. PEM allows the option of private keys being encrypted. Encrypted keys will be decrypted with options.passphrase. Multiple keys using different algorithms can be provided either as an array of unencrypted key strings or buffers, or an array of objects in the form {pem: <string|buffer>[, passphrase: <string>]}. The object form can only occur in an array. object.passphrase is optional. Encrypted keys will be decrypted with object.passphrase if provided, or options.passphrase if it is not.
- maxVersion?: SecureVersion
Optionally set the maximum TLS version to allow. One of 'TLSv1.3', 'TLSv1.2', 'TLSv1.1', or 'TLSv1'. Cannot be specified along with the secureProtocol option, use one or the other. Default: 'TLSv1.3', unless changed using CLI options. Using --tls-max-v1.2 sets the default to 'TLSv1.2'. Using --tls-max-v1.3 sets the default to 'TLSv1.3'. If multiple of the options are provided, the highest maximum is used.
- minVersion?: SecureVersion
Optionally set the minimum TLS version to allow. One of 'TLSv1.3', 'TLSv1.2', 'TLSv1.1', or 'TLSv1'. Cannot be specified along with the secureProtocol option, use one or the other. It is not recommended to use less than TLSv1.2, but it may be required for interoperability. Default: 'TLSv1.2', unless changed using CLI options. Using --tls-v1.0 sets the default to 'TLSv1'. Using --tls-v1.1 sets the default to 'TLSv1.1'. Using --tls-min-v1.3 sets the default to 'TLSv1.3'. If multiple of the options are provided, the lowest minimum is used.
- noDelay?: boolean
If set to true, it disables the use of Nagle's algorithm immediately after a new incoming connection is received.
- pfx?: string | Buffer<ArrayBufferLike> | string | Buffer<ArrayBufferLike> | PxfObject[]
PFX or PKCS12 encoded private key and certificate chain. pfx is an alternative to providing key and cert individually. PFX is usually encrypted, if it is, passphrase will be used to decrypt it. Multiple PFX can be provided either as an array of unencrypted PFX buffers, or an array of objects in the form {buf: <string|buffer>[, passphrase: <string>]}. The object form can only occur in an array. object.passphrase is optional. Encrypted PFX will be decrypted with object.passphrase if provided, or options.passphrase if it is not.
- pskIdentityHint?: string
Hint to send to a client to help with selecting the identity during TLS-PSK negotiation. Will be ignored in TLS 1.3. Upon failing to set pskIdentityHint, tlsClientError will be emitted with ERR_TLS_PSK_SET_IDENTIY_HINT_FAILED code.
- requestCert?: boolean
If true the server will request a certificate from clients that connect and attempt to verify that certificate. Defaults to false.
- secureOptions?: number
Optionally affect the OpenSSL protocol behavior, which is not usually necessary. This should be used carefully if at all! Value is a numeric bitmask of the SSL_OP_* options from OpenSSL Options
- secureProtocol?: string
Legacy mechanism to select the TLS protocol version to use, it does not support independent control of the minimum and maximum version, and does not support limiting the protocol to TLSv1.3. Use minVersion and maxVersion instead. The possible values are listed as SSL_METHODS, use the function names as strings. For example, use 'TLSv1_1_method' to force TLS version 1.1, or 'TLS_method' to allow any TLS protocol version up to TLSv1.3. It is not recommended to use TLS versions less than 1.2, but it may be required for interoperability. Default: none, see minVersion.
- sessionIdContext?: string
Opaque identifier used by servers to ensure session state is not shared between applications. Unused by clients.
- sessionTimeout?: number
The number of seconds after which a TLS session created by the server will no longer be resumable. See Session Resumption for more information. Default: 300.
- sigalgs?: string
Colon-separated list of supported signature algorithms. The list can contain digest algorithms (SHA256, MD5 etc.), public key algorithms (RSA-PSS, ECDSA etc.), combination of both (e.g 'RSA+SHA384') or TLS v1.3 scheme names (e.g. rsa_pss_pss_sha512).
- SNICallback?: (servername: string, cb: (err: null | Error, ctx?: SecureContext) => void) => void
SNICallback(servername, cb) <Function> A function that will be called if the client supports SNI TLS extension. Two arguments will be passed when called: servername and cb. SNICallback should invoke cb(null, ctx), where ctx is a SecureContext instance. (tls.createSecureContext(...) can be used to get a proper SecureContext.) If SNICallback wasn't provided the default callback with high-level API will be used (see below).
- identity: string): null | TypedArray<ArrayBufferLike> | DataView<ArrayBufferLike>;
@param identity identity parameter sent from the client.
@returns pre-shared key that must either be a buffer or null to stop the negotiation process. Returned PSK must be compatible with the selected cipher's digest.
When negotiating TLS-PSK (pre-shared keys), this function is called with the identity provided by the client. If the return value is null the negotiation process will stop and an "unknown_psk_identity" alert message will be sent to the other party. If the server wishes to hide the fact that the PSK identity was not known, the callback must provide some random data as psk to make the connection fail with "decrypt_error" before negotiation is finished. PSK ciphers are disabled by default, and using TLS-PSK thus requires explicitly specifying a cipher suite with the ciphers option. More information can be found in the RFC 4279.
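The two PSK callbacks described on this page (the client one that receives hint, and the server one above that receives identity) can be written as small factories. This is an added example, not code from the Node.js or Bun documentation: the factory names, the fixed 32-byte key length and the sample identities are assumptions, and the leading socket argument of the server callback follows the Node.js documentation rather than the truncated signature shown here.

```javascript
const crypto = require('node:crypto');

// Assumption for this example: every provisioned key has the same length,
// so a decoy key cannot be told apart from a real one by size.
const KEY_LENGTH = 32;

// Server side. `keys` is a Map of identity -> Buffer. The identity string is
// chosen by the client, so it is looked up in a Map rather than a plain
// object (no inherited keys such as '__proto__').
function makeServerPskCallback(keys, { hideUnknown = true } = {}) {
  for (const [identity, key] of keys) {
    if (!Buffer.isBuffer(key) || key.length !== KEY_LENGTH) {
      throw new RangeError(`key for ${identity} must be a ${KEY_LENGTH}-byte Buffer`);
    }
  }
  return function pskCallback(socket, identity) {
    const key = keys.get(identity);
    if (key !== undefined) return key;
    // Returning null sends "unknown_psk_identity" to the peer. Returning
    // random bytes instead makes the handshake fail with "decrypt_error",
    // which does not reveal whether the identity exists.
    return hideUnknown ? crypto.randomBytes(KEY_LENGTH) : null;
  };
}

// Client side. `credentialsByHint` is a Map of server hint -> { identity, psk }.
// The hint is always null under TLS 1.3, so a default is used in that case.
function makeClientPskCallback(credentialsByHint, defaultCredentials) {
  return function pskCallback(hint) {
    const chosen = hint === null
      ? defaultCredentials
      : credentialsByHint.get(hint);
    if (!chosen) return null; // stop the negotiation
    return { psk: chosen.psk, identity: chosen.identity };
  };
}

// Constructed sample data: one device identity with a freshly generated key.
function makeSampleCredentials() {
  const psk = crypto.randomBytes(KEY_LENGTH);
  const serverKeys = new Map([['sensor-01', psk]]);
  const clientCredentials = new Map([['site-a', { identity: 'sensor-01', psk }]]);
  return { serverKeys, clientCredentials };
}
```

Pass the results as pskCallback to tls.createServer() and tls.connect(); as the text above notes, the ciphers option must also name a PSK cipher suite on both sides.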
interface TLSSocketOptions
- allowPartialTrustChain?: boolean
Treat intermediate (non-self-signed) certificates in the trust CA certificate list as trusted.
- ALPNCallback?: (arg: { protocols: string[]; servername: string }) => undefined | string
If set, this will be called when a client opens a connection using the ALPN extension. One argument will be passed to the callback: an object containing servername and protocols fields, respectively containing the server name from the SNI extension (if any) and an array of ALPN protocol name strings. The callback must return either one of the strings listed in protocols, which will be returned to the client as the selected ALPN protocol, or undefined, to reject the connection with a fatal alert. If a string is returned that does not match one of the client's ALPN protocols, an error will be thrown. This option cannot be used with the ALPNProtocols option, and setting both options will throw an error.
- ALPNProtocols?: Uint8Array<ArrayBufferLike> | string[] | Uint8Array<ArrayBufferLike>[]
An array of strings or a Buffer naming possible ALPN protocols. (Protocols should be ordered by their priority.)
- cert?: string | Buffer<ArrayBufferLike> | string | Buffer<ArrayBufferLike>[]
Cert chains in PEM format. One cert chain should be provided per private key. Each cert chain should consist of the PEM formatted certificate for a provided private key, followed by the PEM formatted intermediate certificates (if any), in order, and not including the root CA (the root CA must be pre-known to the peer, see ca). When providing multiple cert chains, they do not have to be in the same order as their private keys in key. If the intermediate certificates are not provided, the peer will not be able to validate the certificate, and the handshake will fail.
- ciphers?: string
Cipher suite specification, replacing the default. For more information, see modifying the default cipher suite. Permitted ciphers can be obtained via tls.getCiphers(). Cipher names must be uppercased in order for OpenSSL to accept them.
- ecdhCurve?: string
A string describing a named curve or a colon separated list of curve NIDs or names, for example P-521:P-384:P-256, to use for ECDH key agreement. Set to auto to select the curve automatically. Use crypto.getCurves() to obtain a list of available curve names. On recent releases, openssl ecparam -list_curves will also display the name and description of each available elliptic curve. Default: tls.DEFAULT_ECDH_CURVE.
- enableTrace?: boolean
When enabled, TLS packet trace information is written to stderr. This can be used to debug TLS connection problems.
- honorCipherOrder?: boolean
Attempt to use the server's cipher suite preferences instead of the client's. When true, causes SSL_OP_CIPHER_SERVER_PREFERENCE to be set in secureOptions
- key?: string | Buffer<ArrayBufferLike> | string | Buffer<ArrayBufferLike> | KeyObject[]
Private keys in PEM format. PEM allows the option of private keys being encrypted. Encrypted keys will be decrypted with options.passphrase. Multiple keys using different algorithms can be provided either as an array of unencrypted key strings or buffers, or an array of objects in the form {pem: <string|buffer>[, passphrase: <string>]}. The object form can only occur in an array. object.passphrase is optional. Encrypted keys will be decrypted with object.passphrase if provided, or options.passphrase if it is not.
- maxVersion?: SecureVersion
Optionally set the maximum TLS version to allow. One of 'TLSv1.3', 'TLSv1.2', 'TLSv1.1', or 'TLSv1'. Cannot be specified along with the secureProtocol option, use one or the other. Default: 'TLSv1.3', unless changed using CLI options. Using --tls-max-v1.2 sets the default to 'TLSv1.2'. Using --tls-max-v1.3 sets the default to 'TLSv1.3'. If multiple of the options are provided, the highest maximum is used.
- minVersion?: SecureVersion
Optionally set the minimum TLS version to allow. One of 'TLSv1.3', 'TLSv1.2', 'TLSv1.1', or 'TLSv1'. Cannot be specified along with the secureProtocol option, use one or the other. It is not recommended to use less than TLSv1.2, but it may be required for interoperability. Default: 'TLSv1.2', unless changed using CLI options. Using --tls-v1.0 sets the default to 'TLSv1'. Using --tls-v1.1 sets the default to 'TLSv1.1'. Using --tls-min-v1.3 sets the default to 'TLSv1.3'. If multiple of the options are provided, the lowest minimum is used.
- pfx?: string | Buffer<ArrayBufferLike> | string | Buffer<ArrayBufferLike> | PxfObject[]
PFX or PKCS12 encoded private key and certificate chain. pfx is an alternative to providing key and cert individually. PFX is usually encrypted, if it is, passphrase will be used to decrypt it. Multiple PFX can be provided either as an array of unencrypted PFX buffers, or an array of objects in the form {buf: <string|buffer>[, passphrase: <string>]}. The object form can only occur in an array. object.passphrase is optional. Encrypted PFX will be decrypted with object.passphrase if provided, or options.passphrase if it is not.
- requestCert?: boolean
If true the server will request a certificate from clients that connect and attempt to verify that certificate. Defaults to false.
- requestOCSP?: boolean
If true, specifies that the OCSP status request extension will be added to the client hello and an 'OCSPResponse' event will be emitted on the socket before establishing a secure communication
- secureOptions?: number
Optionally affect the OpenSSL protocol behavior, which is not usually necessary. This should be used carefully if at all! Value is a numeric bitmask of the SSL_OP_* options from OpenSSL Options
- secureProtocol?: string
Legacy mechanism to select the TLS protocol version to use, it does not support independent control of the minimum and maximum version, and does not support limiting the protocol to TLSv1.3. Use minVersion and maxVersion instead. The possible values are listed as SSL_METHODS, use the function names as strings. For example, use 'TLSv1_1_method' to force TLS version 1.1, or 'TLS_method' to allow any TLS protocol version up to TLSv1.3. It is not recommended to use TLS versions less than 1.2, but it may be required for interoperability. Default: none, see minVersion.
- sessionIdContext?: string
Opaque identifier used by servers to ensure session state is not shared between applications. Unused by clients.
- sessionTimeout?: number
The number of seconds after which a TLS session created by the server will no longer be resumable. See Session Resumption for more information. Default: 300.
- sigalgs?: string
Colon-separated list of supported signature algorithms. The list can contain digest algorithms (SHA256, MD5 etc.), public key algorithms (RSA-PSS, ECDSA etc.), combination of both (e.g 'RSA+SHA384') or TLS v1.3 scheme names (e.g. rsa_pss_pss_sha512).
- SNICallback?: (servername: string, cb: (err: null | Error, ctx?: SecureContext) => void) => void
SNICallback(servername, cb) <Function> A function that will be called if the client supports SNI TLS extension. Two arguments will be passed when called: servername and cb. SNICallback should invoke cb(null, ctx), where ctx is a SecureContext instance. (tls.createSecureContext(...) can be used to get a proper SecureContext.) If SNICallback wasn't provided the default callback with high-level API will be used (see below).
- ticketKeys?: Buffer<ArrayBufferLike>
48-bytes of cryptographically strong pseudo-random data. See Session Resumption for more information.
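The ALPNCallback contract described in the interfaces above (return one of the client's offered strings, or undefined to reject with a fatal alert) lends itself to a per-server-name policy. This is an added example, not code from the Node.js or Bun documentation: makeAlpnCallback, the policy map and the host names are constructed for illustration.

```javascript
// `policy` maps a lower-cased SNI name to the protocols allowed for it, in
// server preference order. `defaultProtocols` applies when the client sent
// no SNI or an unlisted name; leave it null to reject those connections.
// `onReject` receives a record of each refusal, for logging or metrics.
function makeAlpnCallback(policy, { defaultProtocols = null, onReject = () => {} } = {}) {
  return function ALPNCallback({ servername, protocols }) {
    const name = typeof servername === 'string' ? servername.toLowerCase() : '';
    const allowed = policy.get(name) ?? defaultProtocols;
    const offered = new Set(protocols);
    // Only a string the client actually offered may be returned; anything
    // else would make the TLS layer throw, so the choice is always the first
    // allowed protocol that also appears in the client's list.
    const selected = allowed ? allowed.find((p) => offered.has(p)) : undefined;
    if (selected === undefined) {
      onReject({ servername: name, offered: [...protocols] });
    }
    return selected; // undefined rejects the connection with a fatal alert
  };
}

// Constructed sample policy: one HTTP/2-only name and one HTTP/1.1-only name.
const SAMPLE_ALPN_POLICY = new Map([
  ['api.example.test', ['h2']],
  ['legacy.example.test', ['http/1.1']],
]);
```

The returned function is used as the ALPNCallback option on its own; ALPNProtocols must not be set alongside it.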
- type SecureVersion = 'TLSv1.3' | 'TLSv1.2' | 'TLSv1.1' | 'TLSv1'