Event: 'OCSPRequest'

The 'OCSPRequest' event is emitted when the client sends a certificate status request. The listener callback is passed three arguments when called:

  • certificate <Buffer> The server certificate

  • issuer <Buffer> The issuer's certificate

  • callback <Function> A callback function that must be invoked to provide the results of the OCSP request.

The server's current certificate can be parsed to obtain the OCSP URL and certificate ID; after obtaining an OCSP response, callback(null, resp) is then invoked, where resp is a Buffer instance containing the OCSP response. Both certificate and issuer are Buffer DER-representations of the primary and issuer's certificates. These can be used to obtain the OCSP certificate ID and OCSP endpoint URL.

Alternatively, callback(null, null) may be called, indicating that there was no OCSP response.

Calling callback(err) will result in a socket.destroy(err) call.

The typical flow of an OCSP request is as follows:

  1. Client connects to the server and sends an 'OCSPRequest' (via the status info extension in ClientHello).

  2. Server receives the request and emits the 'OCSPRequest' event, calling the listener if registered.

  3. Server extracts the OCSP URL from either the certificate or issuer and performs an OCSP request to the CA.

  4. Server receives 'OCSPResponse' from the CA and sends it back to the client via the callback argument.

  5. Client validates the response and either destroys the socket or performs a handshake.

The issuer can be null if the certificate is either self-signed or the issuer is not in the root certificates list. (An issuer may be provided via the ca option when establishing the TLS connection.)

Listening for this event will have an effect only on connections established after the addition of the event listener.

An npm module like asn1.js may be used to parse the certificates.