tls: remove deprecated tls.createSecurePair and SecurePair

benchmark/tls/secure-pair.js

@@ -2,7 +2,7 @@
 const common = require('../common.js');
 const bench = common.createBenchmark(main, {
   dur: [5],
-  securing: ['SecurePair', 'TLSSocket', 'clear'],
+  securing: ['TLSSocket', 'clear'],
   size: [100, 1024, 1024 * 1024],
 }, {
   flags: ['--no-warnings'],
@@ -68,9 +68,6 @@ function main({ dur, size, securing }) {
   function onProxyConnection(conn) {
     const client = net.connect(REDIRECT_PORT, () => {
       switch (securing) {
-        case 'SecurePair':
-          securePair(conn, client);
-          break;
         case 'TLSSocket':
           secureTLSSocket(conn, client);
           break;
@@ -83,17 +80,6 @@ function main({ dur, size, securing }) {
     });
   }
 
-  function securePair(conn, client) {
-    const serverCtx = tls.createSecureContext(options);
-    const serverPair = tls.createSecurePair(serverCtx, true, true, false);
-    conn.pipe(serverPair.encrypted);
-    serverPair.encrypted.pipe(conn);
-    serverPair.on('error', (error) => {
-      throw new Error(`Pair error: ${error}`);
-    });
-    serverPair.cleartext.pipe(client);
-  }
-
   function secureTLSSocket(conn, client) {
     const serverSocket = new tls.TLSSocket(conn, options);
     serverSocket.on('error', (e) => {

doc/api/deprecations.md

@@ -947,6 +947,9 @@ The [`tls.CryptoStream`][] class was removed. Please use
 
 <!-- YAML
 changes:
+  - version: REPLACEME
+    pr-url: https://github.com/nodejs/node/pull/57361
+    description: End-of-Life.
   - version: v8.0.0
     pr-url: https://github.com/nodejs/node/pull/11349
     description: Runtime deprecation.
@@ -966,9 +969,9 @@ changes:
     description: Runtime deprecation.
 -->
 
-Type: Documentation-only
+Type: End-of-Life
 
-The [`tls.SecurePair`][] class is deprecated. Please use
+The `tls.SecurePair` class is deprecated. Please use
 [`tls.TLSSocket`][] instead.
 
 ### DEP0044: `util.isArray()`
@@ -1488,6 +1491,9 @@ officially supported API.
 
 <!-- YAML
 changes:
+  - version: REPLACEME
+    pr-url: https://github.com/nodejs/node/pull/57361
+    description: End-of-Life.
   - version: v8.0.0
     pr-url: https://github.com/nodejs/node/pull/11349
     description: Runtime deprecation.
@@ -1507,7 +1513,7 @@ changes:
     description: Runtime deprecation.
 -->
 
-Type: Runtime
+Type: End-of-Life
 
 The `tls.createSecurePair()` API was deprecated in documentation in Node.js
 0.11.3. Users should use `tls.Socket` instead.
@@ -3955,7 +3961,6 @@ deprecated, as their values are guaranteed to be identical to that of `process.f
 [`timeout.unref()`]: timers.md#timeoutunref
 [`tls.CryptoStream`]: tls.md#class-tlscryptostream
 [`tls.SecureContext`]: tls.md#tlscreatesecurecontextoptions
-[`tls.SecurePair`]: tls.md#class-tlssecurepair
 [`tls.TLSSocket`]: tls.md#class-tlstlssocket
 [`tls.checkServerIdentity()`]: tls.md#tlscheckserveridentityhostname-cert
 [`tls.createSecureContext()`]: tls.md#tlscreatesecurecontextoptions

doc/api/tls.md

@@ -570,32 +570,6 @@ The `cryptoStream.bytesWritten` property returns the total number of bytes
 written to the underlying socket _including_ the bytes required for the
 implementation of the TLS protocol.
 
-## Class: `tls.SecurePair`
-
-<!-- YAML
-added: v0.3.2
-deprecated: v0.11.3
--->
-
-> Stability: 0 - Deprecated: Use [`tls.TLSSocket`][] instead.
-
-Returned by [`tls.createSecurePair()`][].
-
-### Event: `'secure'`
-
-<!-- YAML
-added: v0.3.2
-deprecated: v0.11.3
--->
-
-The `'secure'` event is emitted by the `SecurePair` object once a secure
-connection has been established.
-
-As with checking for the server
-[`'secureConnection'`][]
-event, `pair.cleartext.authorized` should be inspected to confirm whether the
-certificate used is properly authorized.
-
 ## Class: `tls.Server`
 
 <!-- YAML
@@ -2125,70 +2099,6 @@ be used to create custom parameters. The key length must be greater than or
 equal to 1024 bits or else an error will be thrown. Although 1024 bits is
 permissible, use 2048 bits or larger for stronger security.
 
-## `tls.createSecurePair([context][, isServer][, requestCert][, rejectUnauthorized][, options])`
-
-<!-- YAML
-added: v0.3.2
-deprecated: v0.11.3
-changes:
-  - version: v5.0.0
-    pr-url: https://github.com/nodejs/node/pull/2564
-    description: ALPN options are supported now.
--->
-
-> Stability: 0 - Deprecated: Use [`tls.TLSSocket`][] instead.
-
-* `context` {Object} A secure context object as returned by
-  `tls.createSecureContext()`
-* `isServer` {boolean} `true` to specify that this TLS connection should be
-  opened as a server.
-* `requestCert` {boolean} `true` to specify whether a server should request a
-  certificate from a connecting client. Only applies when `isServer` is `true`.
-* `rejectUnauthorized` {boolean} If not `false` a server automatically reject
-  clients with invalid certificates. Only applies when `isServer` is `true`.
-* `options`
-  * `enableTrace`: See [`tls.createServer()`][]
-  * `secureContext`: A TLS context object from [`tls.createSecureContext()`][]
-  * `isServer`: If `true` the TLS socket will be instantiated in server-mode.
-    **Default:** `false`.
-  * `server` {net.Server} A [`net.Server`][] instance
-  * `requestCert`: See [`tls.createServer()`][]
-  * `rejectUnauthorized`: See [`tls.createServer()`][]
-  * `ALPNProtocols`: See [`tls.createServer()`][]
-  * `SNICallback`: See [`tls.createServer()`][]
-  * `session` {Buffer} A `Buffer` instance containing a TLS session.
-  * `requestOCSP` {boolean} If `true`, specifies that the OCSP status request
-    extension will be added to the client hello and an `'OCSPResponse'` event
-    will be emitted on the socket before establishing a secure communication.
-
-Creates a new secure pair object with two streams, one of which reads and writes
-the encrypted data and the other of which reads and writes the cleartext data.
-Generally, the encrypted stream is piped to/from an incoming encrypted data
-stream and the cleartext one is used as a replacement for the initial encrypted
-stream.
-
-`tls.createSecurePair()` returns a `tls.SecurePair` object with `cleartext` and
-`encrypted` stream properties.
-
-Using `cleartext` has the same API as [`tls.TLSSocket`][].
-
-The `tls.createSecurePair()` method is now deprecated in favor of
-`tls.TLSSocket()`. For example, the code:
-
-```js
-pair = tls.createSecurePair(/* ... */);
-pair.encrypted.pipe(socket);
-socket.pipe(pair.encrypted);
-```
-
-can be replaced by:
-
-```js
-secureSocket = tls.TLSSocket(socket, options);
-```
-
-where `secureSocket` has the same API as `pair.cleartext`.
-
 ## `tls.createServer([options][, secureConnectionListener])`
 
 <!-- YAML
@@ -2556,7 +2466,6 @@ added:
 [`tls.TLSSocket`]: #class-tlstlssocket
 [`tls.connect()`]: #tlsconnectoptions-callback
 [`tls.createSecureContext()`]: #tlscreatesecurecontextoptions
-[`tls.createSecurePair()`]: #tlscreatesecurepaircontext-isserver-requestcert-rejectunauthorized-options
 [`tls.createServer()`]: #tlscreateserveroptions-secureconnectionlistener
 [`tls.getCACertificates()`]: #tlsgetcacertificatestype
 [`tls.getCiphers()`]: #tlsgetciphers

lib/tls.js

@@ -57,7 +57,6 @@ const { Buffer } = require('buffer');
 const { canonicalizeIP } = internalBinding('cares_wrap');
 const _tls_common = require('_tls_common');
 const _tls_wrap = require('_tls_wrap');
-const { createSecurePair } = require('internal/tls/secure-pair');
 const { validateString } = require('internal/validators');
 
 // Allow {CLIENT_RENEG_LIMIT} client-initiated session renegotiations
@@ -393,8 +392,3 @@ exports.TLSSocket = _tls_wrap.TLSSocket;
 exports.Server = _tls_wrap.Server;
 exports.createServer = _tls_wrap.createServer;
 exports.connect = _tls_wrap.connect;
-
-exports.createSecurePair = internalUtil.deprecate(
-  createSecurePair,
-  'tls.createSecurePair() is deprecated. Please use ' +
-  'tls.TLSSocket instead.', 'DEP0064');

test/parallel/test-tls-basic-validations.js

@@ -80,15 +80,6 @@ assert.throws(() => tls.createServer({ ticketKeys: Buffer.alloc(0) }), {
   message: /The property 'options\.ticketKeys' must be exactly 48 bytes/
 });
 
-assert.throws(
-  () => tls.createSecurePair({}),
-  {
-    message: 'context must be a SecureContext',
-    code: 'ERR_TLS_INVALID_CONTEXT',
-    name: 'TypeError',
-  }
-);
-
 {
   const buffer = Buffer.from('abcd');
   const out = {};

test/parallel/test-tls-external-accessor.js

@@ -14,9 +14,3 @@ const tls = require('tls');
   assert.throws(() => cctx._external, TypeError);
   pctx._external; // eslint-disable-line no-unused-expressions
 }
-{
-  const pctx = tls.createSecurePair().credentials.context;
-  const cctx = { __proto__: pctx };
-  assert.throws(() => cctx._external, TypeError);
-  pctx._external; // eslint-disable-line no-unused-expressions
-}