@@ -120,14 +120,15 @@ of an application. The `--tls-cipher-list` switch should by used only if
120
120
absolutely necessary.
121
121
122
122
123
- ## NPN and SNI
123
+ ## ALPN, NPN and SNI
124
124
125
125
<!-- type=misc -->
126
126
127
- NPN (Next Protocol Negotiation) and SNI (Server Name Indication) are TLS
127
+ ALPN (Application-Layer Protocol Negotiation Extension), NPN (Next
128
+ Protocol Negotiation) and SNI (Server Name Indication) are TLS
128
129
handshake extensions allowing you:
129
130
130
- * NPN - to use one TLS server for multiple protocols (HTTP, SPDY)
131
+ * ALPN/ NPN - to use one TLS server for multiple protocols (HTTP, SPDY, HTTP/2 )
131
132
* SNI - to use one TLS server for multiple hostnames with different SSL
132
133
certificates.
133
134
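Review bot: The added intro sentence expands ALPN as "Application-Layer Protocol Negotiation Extension", while NPN and SNI are expanded without the word "Extension" and the sentence already ends with "are TLS handshake extensions". Suggest dropping "Extension" from the ALPN expansion so the three terms read consistently. The new bullet also groups ALPN and NPN as if they were interchangeable; since a later hunk says ALPN takes precedence when both are received, a short pointer to that rule here would keep readers from assuming the two behave identically.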
@@ -305,7 +306,13 @@ server. If `socket.authorized` is false, then
305
306
` socket.authorizationError ` is set to describe how authorization
306
307
failed. Implied but worth mentioning: depending on the settings of the TLS
307
308
server, you unauthorized connections may be accepted.
308
- ` socket.npnProtocol ` is a string containing selected NPN protocol.
309
+
310
+ ` socket.npnProtocol ` is a string containing the selected NPN protocol
311
+ and ` socket.alpnProtocol ` is a string containing the selected ALPN
312
+ protocol, When both NPN and ALPN extensions are received, ALPN takes
313
+ precedence over NPN and the next protocol is selected by ALPN. When
314
+ ALPN has no selected protocol, this returns false.
315
+
309
316
` socket.servername ` is a string containing servername requested with
310
317
SNI.
311
318
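Review bot: The last added sentence, "When ALPN has no selected protocol, this returns false.", does not say which property "this" refers to, and it contradicts the earlier statement in the same paragraph that `socket.alpnProtocol` "is a string". Suggest stating the type directly, for example "`socket.alpnProtocol` is a string containing the selected ALPN protocol, or `false` if no protocol was selected", and saying what `socket.npnProtocol` holds when ALPN wins. There is also a comma splice in "protocol, When both NPN and ALPN extensions are received"; that should be a full stop.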
@@ -429,6 +436,8 @@ Construct a new TLSSocket object from existing TCP socket.
429
436
430
437
- ` NPNProtocols ` : Optional, see [ ` tls.createServer() ` ] [ ]
431
438
439
+ - ` ALPNProtocols ` : Optional, see [ tls.createServer] [ ]
440
+
432
441
- ` SNICallback ` : Optional, see [ ` tls.createServer() ` ] [ ]
433
442
434
443
- ` session ` : Optional, a ` Buffer ` instance, containing TLS session
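Review bot: The added `ALPNProtocols` entry links to `[tls.createServer][]`, whereas the neighbouring `NPNProtocols` and `SNICallback` entries use the label `tls.createServer()` in backticks. A reference-style link resolves by its label, so unless a separate definition exists for the shorter label this one will not resolve the way the others do. Suggest using the same form as the surrounding entries.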
@@ -460,8 +469,9 @@ The listener will be called no matter if the server's certificate was
460
469
authorized or not. It is up to the user to test ` tlsSocket.authorized `
461
470
to see if the server certificate was signed by one of the specified CAs.
462
471
If ` tlsSocket.authorized === false ` then the error can be found in
463
- ` tlsSocket.authorizationError ` . Also if NPN was used you can check
464
- ` tlsSocket.npnProtocol ` for negotiated protocol.
472
+ ` tlsSocket.authorizationError ` . Also if ALPN or NPN was used - you can
473
+ check ` tlsSocket.alpnProtocol ` or ` tlsSocket.npnProtocol ` for the
474
+ negotiated protocol.
465
475
466
476
### tlsSocket.address()
467
477
<!-- YAML
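Review bot: The reworded sentence "Also if ALPN or NPN was used - you can check `tlsSocket.alpnProtocol` or `tlsSocket.npnProtocol`" leaves the reader to guess which property is authoritative when a peer offers both extensions. The other hunks in this change state that ALPN takes precedence, so suggest saying here to check `tlsSocket.alpnProtocol` first and fall back to `tlsSocket.npnProtocol` only when it is not set. The stray " - " after "was used" should be removed as well.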
@@ -684,6 +694,12 @@ Creates a new client connection to the given `port` and `host` (old API) or
684
694
where first byte is next protocol name's length. (Passing array should
685
695
usually be much simpler: ` ['hello', 'world'] ` .)
686
696
697
+ - ` ALPNProtocols ` : An array of strings or ` Buffer ` s containing
698
+ supported ALPN protocols. ` Buffer ` s should have following format:
699
+ ` 0x05hello0x05world ` , where the first byte is the next protocol
700
+ name's length. (Passing array should usually be much simpler:
701
+ ` ['hello', 'world'] ` .)
702
+
687
703
- ` servername ` : Servername for SNI (Server Name Indication) TLS extension.
688
704
689
705
- ` checkServerIdentity(servername, cert) ` : Provide an override for checking
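Review bot: The added `ALPNProtocols` description repeats the NPN wording for the `Buffer` format, and "where the first byte is the next protocol name's length" reads as if only one length byte exists, although the example `0x05hello0x05world` shows every name carrying its own one-byte length prefix. Suggest wording it as "each protocol name is preceded by a one-byte length" and fixing "should have following format" to "should have the following format". Unlike the server-side entry, this client-side entry also does not say whether the order of the list expresses a preference; worth stating either way.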
@@ -925,6 +941,12 @@ automatically set as a listener for the [`'secureConnection'`][] event. The
925
941
- ` NPNProtocols` : An array or ` Buffer` of possible NPN protocols. (Protocols
926
942
should be ordered by their priority).
927
943
944
+ - ` ALPNProtocols` : An array or ` Buffer` of possible ALPN
945
+ protocols. (Protocols should be ordered by their priority). When
946
+ the server receives both NPN and ALPN extensions from the client,
947
+ ALPN takes precedence over NPN and the server does not send an NPN
948
+ extension to the client.
949
+
928
950
- ` SNICallback(servername, cb)` : A function that will be called if client
929
951
supports SNI TLS extension. Two argument will be passed to it: `servername`,
930
952
and `cb`. `SNICallback` should invoke `cb (null , ctx )`, where `ctx` is a
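Review bot: The added `ALPNProtocols` entry documents the case where the client sends both NPN and ALPN, but not what the server does when none of the client's ALPN protocols match its own list. The `socket.alpnProtocol` text in this change says the value is false when no protocol is selected; suggest stating here whether the handshake continues in that case, since callers who dispatch on the negotiated protocol need to handle it. The type is also given as "An array or `Buffer`", while the `tls.connect()` entry in this change says "An array of strings or `Buffer`s"; the two should use the same wording.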