Forward-compatible HTTPS options

I recently discovered that `create-servers` (used by `slay`) was not preserving my `requestCert` option. By changing it to pass through all https options by default, it will now enable client certs and other SSL features which are currently blocked (most likely unintentionally). Also changed the code so it does not mutate the original options.

Author: jpage-godaddy

index.js

@@ -122,54 +122,54 @@ module.exports = function createServers(options, listening) {
       return onListen('https');
     }
 
-    var port = +options.https.port || 443,
-        ssl  = options.https,
+    var ssl  = options.https,
+        port = +ssl.port || 443,
+        ciphers = ssl.ciphers || CIPHERS,
+        ca = ssl.ca,
+        key = fs.readFileSync(path.resolve(ssl.root, ssl.key)),
+        cert = fs.readFileSync(path.resolve(ssl.root, ssl.cert)),
+        honorCipherOrder = !!ssl.honorCipherOrder,
         server,
-        args,
-        ip;
-
-    ssl.ciphers = ssl.ciphers || CIPHERS;
+        args;
 
     //
     // Remark: If an array is passed in lets join it like we do the defaults
     //
-    if (Array.isArray(ssl.ciphers)) {
-      ssl.ciphers = ssl.ciphers.join(':');
+    if (Array.isArray(ciphers)) {
+      ciphers = ciphers.join(':');
     }
 
-    if (ssl.ca && !Array.isArray(ssl.ca)) {
-      ssl.ca = [ssl.ca];
+    if (ca && !Array.isArray(ca)) {
+      ca = [ca];
     }
 
-    log('https | listening on %d', port);
-    server = https.createServer({
+    var finalHttpsOptions = Object.assign({}, ssl, {
       //
       // Load default SSL key, cert and ca(s).
       //
-      key:  fs.readFileSync(path.resolve(ssl.root, ssl.key)),
-      cert: fs.readFileSync(path.resolve(ssl.root, ssl.cert)),
-      ca:   ssl.ca && ssl.ca.map(
-        function (file) {
-          return fs.readFileSync(path.resolve(ssl.root, file));
-        }
+      key: key,
+      cert: cert,
+      ca: ca && ca.map(
+          function (file) {
+            return fs.readFileSync(path.resolve(ssl.root, file));
+          }
       ),
       //
       // Properly expose ciphers for an A+ SSL rating:
       // https://certsimple.com/blog/a-plus-node-js-ssl
       //
-      ciphers: ssl.ciphers,
-      honorCipherOrder: !!ssl.honorCipherOrder,
-      //
-      // Optionally support SNI-based SSL.
-      //
-      SNICallback: ssl.SNICallback,
+      ciphers: ciphers,
+      honorCipherOrder: honorCipherOrder,
       //
       // Protect against the POODLE attack by disabling SSLv3
       // @see http://googleonlinesecurity.blogspot.nl/2014/10/this-poodle-bites-exploiting-ssl-30.html
       //
       secureProtocol: 'SSLv23_method',
       secureOptions: require('constants').SSL_OP_NO_SSLv3
-    }, ssl.handler || handler);
+    });
+
+    log('https | listening on %d', port);
+    server = https.createServer(finalHttpsOptions, ssl.handler || handler);
 
     args = [server, port];
     if (options.https.host) {

package.json

@@ -26,6 +26,7 @@
     "errs": "~0.3.0"
   },
   "devDependencies": {
+    "sinon": "^1.17.4",
     "tape": "~2.14.0"
   }
 }

test/create-servers-test.js

@@ -7,7 +7,9 @@
 
 var path = require('path'),
     http = require('http'),
+    https = require('https'),
     test = require('tape'),
+    sinon = require('sinon'),
     createServers = require('../');
 
 //
@@ -173,3 +175,24 @@ test('http && https with different handlers', function (t) {
     });
   });
 });
+
+test('supports requestCert https option', function (t) {
+  t.plan(2);
+  var spy = sinon.spy(https, 'createServer');
+  createServers({
+    log: console.log,
+    https: {
+      port:        3456,
+      root:        path.join(__dirname, 'fixtures'),
+      cert:        'agent2-cert.pem',
+      key:         'agent2-key.pem',
+      requestCert: true
+    },
+    handler: fend
+  }, function (err, servers) {
+    t.error(err);
+    t.equals(spy.lastCall.args[0].requestCert, true, 'should preserve the requestCert option');
+    servers.https.close();
+    spy.restore();
+  });
+});