ssl

Summary

Example object

{
  "cipher_filter": "",
  "protocols": [
    "TLSv1.1",
    "TLSv1.2"
  ],
  "cert_key_pairs": [
    {
      "certificate_path": "/etc/proxy/tls/sidecar/server.crt",
      "key_path": "/etc/proxy/tls/sidecar/server.key"
    }
  ],
  "require_client_certs": true,
  "trust_file": "/etc/proxy/tls/sidecar/ca.crt",
  "sni": null
}

Fields

cipher_filter

Envoy cipher suite. If specified, only the listed ciphers will be accepted. Only valid with TLSv1-TLSv1.2, but has no affect with TLSv1.3.

Examples include the values below, but full options should be found in the link above.

• [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]

• [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]

• ECDHE-ECDSA-AES128-SHA

• ECDHE-RSA-AES128-SHA

• AES128-GCM-SHA256

• AES128-SHA

• ECDHE-ECDSA-AES256-GCM-SHA384

• ECDHE-RSA-AES256-GCM-SHA384

• ECDHE-ECDSA-AES256-SHA

• ECDHE-RSA-AES256-SHA

• AES256-GCM-SHA384

• AES256-SHA

protocols

Array of SSL protocols to accept: "TLSv1, TLSv1.1, TLSv1.2, TLSv1.3"

cert_key_pairs

Array of (cert, key) pairs to use when receiving requests on this listener. Each cert or key must point to files on disk.

require_client_certs

If true, client cert verification will be performed. false will disable this check and not require client certificates to be presented when connecting to this listener.

trust_file

String representing the path on disk to the SSL trust file to use when receiving requests on this listener. If omitted, then no trust verification will be performed.

sni

String representing how this listener will identify itself during SSL SNI.