web-check/api/tls-connection.js

import tls from 'tls';
import middleware from './_common/middleware.js';
import { parseTarget } from './_common/parse-target.js';

const HANDSHAKE_TIMEOUT = 4000;

const isIp = (h) => /^[\d.]+$/.test(h) || h.includes(':');

// Open one TLS handshake to the host and capture what was negotiated
const handshake = ({ hostname, port }) =>
  new Promise((resolve, reject) => {
    let ocspStapled = false;
    const socket = tls.connect({
      host: hostname,
      port: port ? Number(port) : 443,
      ...(isIp(hostname) ? {} : { servername: hostname }),
      ALPNProtocols: ['h2', 'http/1.1'],
      rejectUnauthorized: false,
      requestOCSP: true,
    });
    socket.on('OCSPResponse', (res) => {
      ocspStapled = res?.length > 0;
    });

    let settled = false;
    const finish = (fn) => (arg) => {
      if (settled) return;
      settled = true;
      fn(arg);
    };
    socket.setTimeout(HANDSHAKE_TIMEOUT);
    socket.once(
      'secureConnect',
      finish(() => {
        const cipher = socket.getCipher();
        const protocol = socket.getProtocol();
        const ephemeral =
          typeof socket.getEphemeralKeyInfo === 'function' ? socket.getEphemeralKeyInfo() : null;
        const result = {
          protocol,
          cipher: cipher && {
            name: cipher.name,
            standardName: cipher.standardName,
            version: cipher.version,
          },
          alpnProtocol: socket.alpnProtocol || null,
          sessionResumption: !!socket.getSession(),
          forwardSecrecy: protocol === 'TLSv1.3' || (!!cipher && /^(ECDHE|DHE)/.test(cipher.name)),
          authorized: socket.authorized,
          authError: socket.authorizationError ? String(socket.authorizationError) : null,
          ephemeralKey: ephemeral && {
            type: ephemeral.type || null,
            name: ephemeral.name || null,
            size: ephemeral.size || null,
          },
          ocspStapled,
        };
        socket.end();
        resolve(result);
      }),
    );
    socket.once(
      'timeout',
      finish(() => {
        socket.destroy();
        reject(new Error('TLS handshake timed-out'));
      }),
    );
    socket.once(
      'error',
      finish((err) => {
        socket.destroy();
        reject(err);
      }),
    );
  });

const tlsConnectionHandler = async (url) => {
  const { hostname, port } = parseTarget(url);
  return handshake({ hostname, port });
};

export const handler = middleware(tlsConnectionHandler);
export default handler;