ssl

Summary

Example object

{
  "cipher_filter": "",
  "protocols": [
    "TLSv1_0",
    "TLSv1_1",
    "TLSv1_2",
    "TLSv1_3"
  ],
  "cert_key_pairs": [
    {
      "certificate_path": "/etc/proxy/tls/sidecar/server.crt",
      "key_path": "/etc/proxy/tls/sidecar/server.key"
    }
  ],
  "trust_file": "/etc/proxy/tls/sidecar/ca.crt",
  "crl": {
    "filename": "/etc/proxy/tls/sidecar/ca.crl",
    "inline_string": ""
  },
  "sni": null
}

Fields

cipher_filter

Envoy cipher suite list. If specified, only the listed ciphers will be accepted. Only valid with TLSv1.0 through TLSv1.2; it has no effect on TLSv1.3.

Examples include the values below; the full set of options is in the Envoy cipher suite documentation referenced above.

  • [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]

  • [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • AES128-GCM-SHA256

  • AES128-SHA

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA

  • ECDHE-RSA-AES256-SHA

  • AES256-GCM-SHA384

  • AES256-SHA

protocols

Array of SSL protocols to accept: "TLSv1_0", "TLSv1_1", "TLSv1_2", "TLSv1_3"

cert_key_pairs

Array of (cert, key) pairs to use when sending requests to the instances of the cluster. Each certificate_path and key_path must point to a file on disk.

trust_file

String representing the path on disk to the SSL trust file to use when sending requests to the instances of the cluster. If omitted, then no trust verification will be performed.

The trust file may also include one or more PEM-encoded certificate revocation lists (CRL) that will be enforced by the sidecar. See additional caveats below on the use of CRLs.

crl

An object for adding one or more PEM-encoded certificate revocation lists (CRL) to the cluster. CRLs may be added by pointing to a CRL file on disk with the filename field, or by specifying the CRLs directly in the inline_string field.

Only one of filename or inline_string may be used; if both are added, the filename takes precedence.

Note: If a CRL is provided for any certificate authority in a trust chain, a CRL must be provided for all certificate authorities in that chain in order for verification to be enforced for revoked and unrevoked certificates.

sni

String representing the intended target of the request. Used when the server is behind a load balancer that identifies hosts through SNI.
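The field rules above (cipher_filter versus TLSv1_3, the filename/inline_string precedence for crl, the effect of omitting trust_file) can be checked before an ssl object is deployed. The linter below is an added example, not part of this documentation or the sidecar; it parses the page's example object plus a constructed weak variant, and the TLS 1.0/1.1 warning and severity labels are its own additions.

```python
import json

ALLOWED_PROTOCOLS = ("TLSv1_0", "TLSv1_1", "TLSv1_2", "TLSv1_3")

# The example object from this page, parsed from its JSON form.
PAGE_EXAMPLE = json.loads("""{
  "cipher_filter": "", "protocols": ["TLSv1_0", "TLSv1_1", "TLSv1_2", "TLSv1_3"],
  "cert_key_pairs": [{"certificate_path": "/etc/proxy/tls/sidecar/server.crt",
                      "key_path": "/etc/proxy/tls/sidecar/server.key"}],
  "trust_file": "/etc/proxy/tls/sidecar/ca.crt",
  "crl": {"filename": "/etc/proxy/tls/sidecar/ca.crl", "inline_string": ""}, "sni": null
}""")

# Constructed variant (not a real deployment) that breaks several rules at once.
WEAK_EXAMPLE = {
    "cipher_filter": "ECDHE-ECDSA-AES128-GCM-SHA256", "protocols": ["TLSv1_3"],
    "cert_key_pairs": [{"certificate_path": "/etc/proxy/tls/sidecar/server.crt"}],
    "crl": {"filename": "/etc/proxy/tls/sidecar/ca.crl", "inline_string": "<constructed PEM>"},
    "sni": None,
}

def lint_ssl(cfg: dict) -> list:
    """Return findings for one ssl object; ERROR = invalid, WARN = accepted but weak or ineffective."""
    findings = []
    protocols = cfg.get("protocols") or []
    for p in protocols:
        if p not in ALLOWED_PROTOCOLS:
            findings.append(f"ERROR protocols: unknown value {p!r}")
    # TLS 1.0/1.1 are accepted values but deprecated; flagging them is added here.
    for legacy in ("TLSv1_0", "TLSv1_1"):
        if legacy in protocols:
            findings.append(f"WARN protocols: {legacy} enabled; prefer TLSv1_2 and TLSv1_3")
    # cipher_filter only applies to TLSv1.0-1.2 handshakes, never to TLSv1.3.
    if cfg.get("cipher_filter") and protocols and set(protocols) <= {"TLSv1_3"}:
        findings.append("WARN cipher_filter: only TLSv1_3 is enabled, so the filter has no effect")
    # Every pair needs both on-disk paths.
    for i, pair in enumerate(cfg.get("cert_key_pairs") or []):
        for field in ("certificate_path", "key_path"):
            if not pair.get(field):
                findings.append(f"ERROR cert_key_pairs[{i}]: missing {field}")
    # No trust_file means the peer chain is never verified.
    if not cfg.get("trust_file"):
        findings.append("WARN trust_file: omitted, so no trust verification is performed")
    # filename and inline_string are exclusive; filename takes precedence.
    crl = cfg.get("crl") or {}
    if crl.get("filename") and crl.get("inline_string"):
        findings.append("WARN crl: both filename and inline_string set; inline_string is ignored")
    return findings
```

The CRL completeness rule (a CRL for every CA in the chain) is not checked here, since it requires parsing the trust file and CRLs rather than the configuration alone.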
