import { Socket, Server as NetServer, SocketOptions } from './net';
/**
 * Fields of a peer certificate as returned by `TLSSocket.getPeerCertificate`
 * and passed to `checkServerIdentity`.
 *
 * Every field is a plain string, so callers must parse `valid_from` /
 * `valid_to` themselves before comparing them with a date.
 */
export interface PeerCertificate {
    // presumably distinguished-name attributes keyed by short name (CN, O, ...) — TODO confirm
    subject: {
        [key: string]: string;
    };
    issuer: {
        [key: string]: string;
    };
    valid_from: string;
    valid_to: string;
    // NOTE(review): digest algorithm and text format of the two fingerprints
    // are not visible here; confirm before using either for certificate pinning.
    fingerprint: string;
    fingerprint256: string;
    serialNumber: string;
}
/**
 * Options accepted by `connect`, the `TLSSocket` constructors, and the legacy
 * `CryptoStream` constructor. Extends the plain-socket `SocketOptions`.
 */
export interface ConnectionOptions extends SocketOptions {
    host?: string;
    port?: number;
    path?: string;
    // presumably the name sent for server name indication and checked against
    // the certificate — TODO confirm against the implementation
    servername?: string;
    // NOTE(review): the default is not visible in this declaration. Confirm that
    // omitting it leaves certificate validation enabled, and treat an explicit
    // `false` as a setting that needs a documented justification.
    rejectUnauthorized?: boolean;
    session?: ArrayBuffer;
    secureContext?: SecureContext;
    // presumably trusted CA certificate(s); whether they replace or extend
    // `rootCertificates` is not visible here — TODO confirm
    ca?: string | string[];
    cert?: string | string[];
    // presumably private-key material (`key`, `pfx`) and its `passphrase` —
    // confirm accepted encodings; keep these values out of logs
    key?: string | string[];
    pfx?: string | ArrayBuffer;
    passphrase?: string;
    // NOTE(review): semantics are not visible here. If this turns on TLS key
    // logging, the logged secrets allow decryption of captured sessions, so it
    // should stay off outside of debugging — confirm.
    keylog?: boolean;
    /**
     * Custom hostname verification function.
     * If provided, it will be called after the TLS handshake to verify the peer certificate.
     * Return `undefined` if valid, or an `Error` if invalid.
     * If not provided, the default `checkServerIdentity` is used.
     *
     * Because `undefined` means "valid", a callback that returns `undefined`
     * unconditionally removes the hostname check performed by this hook.
     */
    checkServerIdentity?: (hostname: string, cert: PeerCertificate) => Error | undefined;
}
/**
 * Credential and trust material used to build a `SecureContext`.
 * The fields mirror the same-named fields of `ConnectionOptions`.
 */
export interface SecureContextOptions {
    pfx?: string | ArrayBuffer;
    passphrase?: string;
    cert?: string | string[];
    key?: string | string[];
    ca?: string | string[];
}
// Protocol-version constants. How (and whether) they are enforced on a
// connection is not visible in this declaration file.
export declare const DEFAULT_MIN_VERSION = "TLSv1.2";
export declare const DEFAULT_MAX_VERSION = "TLSv1.3";
// presumably the built-in trusted root CA certificates — TODO confirm format and origin
export declare const rootCertificates: string[];
export declare const DEFAULT_ECDH_CURVE = "auto";
export declare const SLAB_BUFFER_SIZE: number;
/**
 * Handle for a set of TLS credentials and trust settings, identified by a
 * numeric `id`.
 */
export declare class SecureContext {
    private _id;
    constructor(options?: SecureContextOptions);
    setOCSPResponse(ocsp: ArrayBuffer): void;
    // NOTE(review): presumably session-ticket encryption keys; if so, the bytes
    // returned/accepted here are secret and must not be logged — confirm.
    getTicketKeys(): ArrayBuffer | undefined;
    setTicketKeys(keys: ArrayBuffer): void;
    get id(): number;
    // presumably adds one CA certificate to this context's trust store — TODO confirm
    addCACert(ca: string): void;
}
/** Creates a `SecureContext` from the given options. */
export declare function createSecureContext(options?: SecureContextOptions): SecureContext;
/**
 * A `Socket` subclass exposing TLS session state (protocol, cipher, peer
 * certificate, session data).
 */
export declare class TLSSocket extends Socket {
    private _servername?;
    get encrypted(): boolean;
    get servername(): string | undefined;
    // NOTE(review): presumably the result of peer-certificate validation, with
    // `authorizationError` carrying the reason on failure. Callers that set
    // `rejectUnauthorized: false` would need to check these themselves — confirm.
    get authorized(): boolean;
    get authorizationError(): string | undefined;
    get alpnProtocol(): string | undefined;
    getProtocol(): string | undefined;
    getCipher(): {
        name: string;
        version: string;
    } | undefined;
    // The return type includes `{}`, so callers cannot assume certificate fields
    // are present; narrow the result before reading them.
    getPeerCertificate(detailed?: boolean): PeerCertificate | {};
    isSessionReused(): boolean;
    getSession(): ArrayBuffer | undefined;
    getEphemeralKeyInfo(): string | undefined;
    getFinished(): Buffer | undefined;
    getPeerFinished(): Buffer | undefined;
    getSharedSigalgs(): string | undefined;
    // `options` is untyped (`any`); accepted keys are not visible here.
    renegotiate(options: any, callback: (err: Error | null) => void): boolean;
    disableRenegotiation(): void;
    /**
     * Enables trace output for this socket.
     */
    enableTrace(): void;
    /**
     * Exports keying material for use by external protocols.
     *
     * @param length The number of bytes to return.
     * @param label A label identifying the keying material.
     * @param context An optional context.
     * @returns Buffer containing keying material.
     * @throws Error if export fails (e.g., TLS not connected).
     */
    exportKeyingMaterial(length: number, label: string, context?: Buffer): Buffer;
    // Two construction forms: wrap an existing `Socket`, or build from options alone.
    constructor(socket: Socket, options?: ConnectionOptions);
    constructor(options: ConnectionOptions);
    // `options` is untyped (`any`) here, unlike the module-level `connect` overloads.
    connect(options: any, connectionListener?: () => void): this;
}
/**
 * Opens a TLS client connection and returns its `TLSSocket`.
 * Overloads: options only; port with optional host and options; port with options.
 */
export declare function connect(options: ConnectionOptions, connectionListener?: () => void): TLSSocket;
export declare function connect(port: number, host?: string, options?: ConnectionOptions, connectionListener?: () => void): TLSSocket;
export declare function connect(port: number, options?: ConnectionOptions, connectionListener?: () => void): TLSSocket;
/**
 * TLS server built on the plain `NetServer`.
 *
 * NOTE(review): the constructor `options` and every `listen` parameter are
 * typed `any`, so the compiler checks none of the server's security settings;
 * confirm what the implementation accepts.
 */
export declare class Server extends NetServer {
    private _secureContextId;
    constructor(options?: any, connectionListener?: (socket: Socket) => void);
    // presumably registers a key/certificate pair to serve for `hostname` — TODO confirm
    addContext(hostname: string, context: {
        key: string;
        cert: string;
    }): void;
    setSecureContext(options: {
        key: string;
        cert: string;
        ca?: string | string[];
    }): void;
    getTicketKeys(): ArrayBuffer | undefined;
    setTicketKeys(keys: ArrayBuffer): void;
    listen(port?: any, host?: any, backlog?: any, callback?: any): this;
}
/** Creates a TLS `Server`; `options` is untyped (`any`). */
export declare function createServer(options?: any, connectionListener?: (socket: Socket) => void): Server;
export declare function getCiphers(): string[];
/**
 * Default hostname check, used when `ConnectionOptions.checkServerIdentity`
 * is not supplied. Returns `undefined` when the certificate is accepted for
 * `hostname`, otherwise an `Error`.
 */
export declare function checkServerIdentity(hostname: string, cert: PeerCertificate): Error | undefined;
/**
 * Legacy CryptoStream for Node.js compatibility.
 * In this implementation, it's a simple wrapper around TLSSocket.
 */
export declare class CryptoStream extends TLSSocket {
    constructor(options?: ConnectionOptions);
}
/**
 * Legacy SecurePair for Node.js compatibility.
 */
export declare class SecurePair {
    cleartext: CryptoStream;
    encrypted: CryptoStream;
    // NOTE(review): the defaults of `requestCert` / `rejectUnauthorized` are not visible here — confirm.
    constructor(secureContext?: SecureContext, isServer?: boolean, requestCert?: boolean, rejectUnauthorized?: boolean);
}
/** Creates a legacy `SecurePair`; parameters match the `SecurePair` constructor. */
export declare function createSecurePair(secureContext?: SecureContext, isServer?: boolean, requestCert?: boolean, rejectUnauthorized?: boolean): SecurePair;
/**
 * Legacy certificate string parser.
 */
export declare function parseCertString(certString: string): {
    [key: string]: string;
};
/**
 * Mock implementation of convertTLSV1CertToPEM.
 *
 * NOTE(review): described as a mock, so its output should not be relied on
 * for real certificate conversion until the implementation is confirmed.
 */
export declare function convertTLSV1CertToPEM(cert: string | Buffer): string;
//# sourceMappingURL=tls.d.ts.map