ResolvedTlsProfile
Defined in: src/profiles/resolveConnectionProfileSecrets.ts:23
TLS profile with certificate-bearing secret sources resolved.
Extends
Section titled “Extends”Omit<TlsProfile,"ca"|"cert"|"key"|"passphrase"|"pfx">
Properties
Section titled “Properties”| Property | Type | Description | Inherited from | Defined in |
|---|---|---|---|---|
ca? | | SecretValue | SecretValue[] | Resolved certificate authority bundle. | - | src/profiles/resolveConnectionProfileSecrets.ts:28 |
cert? | SecretValue | Resolved client certificate PEM. | - | src/profiles/resolveConnectionProfileSecrets.ts:30 |
checkServerIdentity? | (host: string, cert: PeerCertificate) => Error | undefined | Optional custom server identity checker for private PKI or certificate pinning. | TlsProfile.checkServerIdentity | src/types/public.ts:196 |
key? | SecretValue | Resolved client private key PEM. | - | src/profiles/resolveConnectionProfileSecrets.ts:32 |
maxVersion? | SecureVersion | Maximum TLS protocol version accepted by the client. | TlsProfile.maxVersion | src/types/public.ts:182 |
minVersion? | SecureVersion | Minimum TLS protocol version accepted by the client. | TlsProfile.minVersion | src/types/public.ts:180 |
passphrase? | SecretValue | Resolved encrypted private-key or PFX/P12 passphrase. | - | src/profiles/resolveConnectionProfileSecrets.ts:34 |
pfx? | SecretValue | Resolved PFX/P12 client certificate bundle. | - | src/profiles/resolveConnectionProfileSecrets.ts:36 |
pinnedFingerprint256? | string | readonly string[] | Optional. Expected server certificate SHA-256 fingerprint(s) for certificate pinning, in hex form with or without colons. When present, the TLS handshake additionally requires the leaf certificate’s SHA-256 fingerprint to match one of these values. Not required for normal CA-trusted endpoints - public CAs and ca bundles already gate trust via rejectUnauthorized. Pinning is recommended for production when you control the server and want defence-in-depth against rogue certificates issued by trusted CAs. Example "AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99" | TlsProfile.pinnedFingerprint256 | src/types/public.ts:194 |
rejectUnauthorized? | boolean | Whether TLS certificate validation is required. Defaults to true. | TlsProfile.rejectUnauthorized | src/types/public.ts:178 |
servername? | string | Server name used for SNI and certificate identity checks. Defaults to the profile host. | TlsProfile.servername | src/types/public.ts:176 |