Get tls socket peer certificate

[delvedor]

Hello! I'm using the Pool api, and I need to perform CA fingerprint validation.
With the "normal" Node.js HTTP client, what I do is:

const onSocket = socket => {
  if (!socket.isSessionReused()) {
    socket.once('secureConnect', () => {
      if ('my:fingerprint' !== getIssuerCertificate(socket).fingerprint256) {
        // handle error
      }
    })
  }
}

request.on('response', onResponse)
request.on('timeout', onTimeout)
request.on('error', onError)
request.on('abort', onAbort)
request.on('socket', onSocket)

function getIssuerCertificate (socket) {
  let certificate = socket.getPeerCertificate(true)
  while (certificate && Object.keys(certificate).length > 0) {
    if (certificate.issuerCertificate !== undefined) {
      // For self-signed certificates, `issuerCertificate` may be a circular reference.
      if (certificate.fingerprint256 === certificate.issuerCertificate.fingerprint256) {
        break
      }
      certificate = certificate.issuerCertificate
    } else {
      break
    }
  }
  return certificate
}

How can I do something similar with undici? From the documentation it does not seems that there is an easy way to access the socket that will be used for executing the HTTP request.

[delvedor]

It looks like that use a custom connect function might do the trick, but I'm wondering if there is a less overkill way to achieve this, maybe with the on('connect') event?

[delvedor]

Answer in #906!