# ssl

## Summary

### Example object

```javascript
{
  "cipher_filter": "",
  "protocols": [
    "TLSv1_0",
    "TLSv1_1",
    "TLSv1_2",
    "TLSv1_3"
  ],
  "cert_key_pairs": [
    {
      "certificate_path": "/etc/proxy/tls/sidecar/server.crt",
      "key_path": "/etc/proxy/tls/sidecar/server.key"
    }
  ],
  "trust_file": "/etc/proxy/tls/sidecar/ca.crt",
  "crl": {
    "filename": "/etc/proxy/tls/sidecar/ca.crl",
    "inline_string": ""
  },
  "sni": null
}
```

### Fields

#### `cipher_filter`

[Envoy cipher suite](https://www.envoyproxy.io/docs/envoy/v1.15.0/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters). If specified, only the listed ciphers will be accepted. Only valid with TLSv1.0-TLSv1.2; it has no effect with TLSv1.3.

Examples include the values below, but full options should be found in the link above.

* `[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]`
* `[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]`
* ECDHE-ECDSA-AES128-SHA
* ECDHE-RSA-AES128-SHA
* AES128-GCM-SHA256
* AES128-SHA
* ECDHE-ECDSA-AES256-GCM-SHA384
* ECDHE-RSA-AES256-GCM-SHA384
* ECDHE-ECDSA-AES256-SHA
* ECDHE-RSA-AES256-SHA
* AES256-GCM-SHA384
* AES256-SHA

#### `protocols`

Array of SSL protocols to accept: `TLSv1_0`, `TLSv1_1`, `TLSv1_2`, `TLSv1_3`

#### `cert_key_pairs`

Array of (cert, key) pairs to use when sending requests to the instances of the [cluster](#cluster). Each cert or key must point to files on disk.

#### `trust_file`

String representing the path on disk to the SSL trust file to use when sending requests to the instances of the [cluster](#cluster). If omitted, then no trust verification will be performed.

The trust file may also include one or more PEM-encoded certificate revocation lists (CRL) that will be enforced by the sidecar. See additional caveats below on the use of CRLs.

#### `crl`

An object for adding one or more PEM-encoded certificate revocation lists (CRL) to the cluster. CRLs may be added by pointing to a path on disk to a CRL file from the `filename` field or by specifying CRLs directly through the `inline_string` field.

Only one of `filename` or `inline_string` may be used; if both are added, the `filename` takes precedence.

**Note**: If a CRL is provided for any certificate authority in a trust chain, a CRL must be provided for all certificate authorities in that chain in order for verification to be enforced for revoked and unrevoked certificates.

#### `sni`

String representing the intended target of the request. Used when the server is behind a load balancer that identifies hosts through SNI.
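The following is an added example, not part of the project: a small linter that checks an `ssl` object against the rules in this reference (the protocol list, `cipher_filter` being inert under TLSv1.3 alone, an omitted `trust_file`, `filename` precedence over `inline_string`, and the CRL note above). The CRL coverage check counts PEM blocks in the trust file and CRL source, which is a heuristic; the file contents and paths in `demo()` are constructed placeholders.

```python
"""Lint a sidecar `ssl` object against this reference's rules (added example, not project code)."""
import os

ALLOWED = {"TLSv1_0", "TLSv1_1", "TLSv1_2", "TLSv1_3"}
LEGACY = {"TLSv1_0", "TLSv1_1"}
CERT_MARK, CRL_MARK = "-----BEGIN CERTIFICATE-----", "-----BEGIN X509 CRL-----"


def read_file(path):  # default reader: file text, or None when not a file on disk
    return open(path).read() if path and os.path.isfile(path) else None


def lint_ssl(ssl, read=read_file):
    """Return a list of findings for one `ssl` object; an empty list means it passes."""
    out, protos = [], set(ssl.get("protocols") or [])
    if protos & LEGACY:
        out.append("legacy protocols enabled: %s" % sorted(protos & LEGACY))
    # cipher_filter governs TLSv1.0-1.2 only; with TLSv1_3 alone it is inert
    if ssl.get("cipher_filter") and protos <= {"TLSv1_3"}:
        out.append("cipher_filter set but only TLSv1_3 enabled: it has no effect")
    for i, pair in enumerate(ssl.get("cert_key_pairs") or []):
        for k in ("certificate_path", "key_path"):
            if read(pair.get(k)) is None:
                out.append("cert_key_pairs[%d].%s is not a file on disk" % (i, k))
    trust = read(ssl.get("trust_file"))
    if trust is None:
        out.append("trust_file missing: no trust verification will be performed")
    crl = ssl.get("crl") or {}
    if crl.get("filename") and crl.get("inline_string"):
        out.append("crl: both filename and inline_string set; filename takes precedence")
    crl_pem = read(crl["filename"]) if crl.get("filename") else crl.get("inline_string")
    if crl.get("filename") and crl_pem is None:
        out.append("crl.filename is not a file on disk")
    # Heuristic for the CRL note: every CA in the trust file needs its own CRL.
    # Counting PEM blocks cannot match issuers; a full check parses each CRL's issuer.
    if trust:
        n_ca, n_crl = trust.count(CERT_MARK), (trust + (crl_pem or "")).count(CRL_MARK)
        if 0 < n_crl < n_ca:
            out.append("CRL coverage: %d CRL(s) for %d CA cert(s); revocation is only "
                       "enforced when every CA in the chain has one" % (n_crl, n_ca))
    return out


def demo():  # the page's example object over constructed in-memory files: two CAs, one CRL
    cert, crl = CERT_MARK + "\nX\n-----END CERTIFICATE-----\n", CRL_MARK + "\nX\n-----END X509 CRL-----\n"
    p = "/etc/proxy/tls/sidecar/"
    files = {p + "server.crt": cert, p + "server.key": "KEY", p + "ca.crt": cert * 2, p + "ca.crl": crl}
    ssl = {"cipher_filter": "", "protocols": sorted(ALLOWED), "trust_file": p + "ca.crt",
           "cert_key_pairs": [{"certificate_path": p + "server.crt", "key_path": p + "server.key"}],
           "crl": {"filename": p + "ca.crl", "inline_string": ""}, "sni": None}
    return lint_ssl(ssl, read=files.get)
```

Run `lint_ssl` with the default reader against a real config to check paths on disk; `demo()` reports the legacy protocols and the missing second CRL.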
