ssl

Summary

Example object

{
  "cipher_filter": "",
  "protocols": [
    "TLSv1.1",
    "TLSv1.2"
  ],
  "cert_key_pairs": [
    {
      "certificate_path": "/etc/proxy/tls/sidecar/server.crt",
      "key_path": "/etc/proxy/tls/sidecar/server.key"
    }
  ],
  "require_client_certs": true,
  "trust_file": "/etc/proxy/tls/sidecar/ca.crt",
  "sni": null
}

Fields

cipher_filter

Envoy cipher suite filter. If specified, only the listed ciphers will be accepted. Only valid with TLSv1 through TLSv1.2; it has no effect with TLSv1.3.

Examples include the values below; the full set of options is listed in the link above.

  • [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]

  • [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA

  • AES128-GCM-SHA256

  • AES128-SHA

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA

  • ECDHE-RSA-AES256-SHA

  • AES256-GCM-SHA384

  • AES256-SHA

protocols

Array of SSL protocols to accept. Accepted values: "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3".

cert_key_pairs

Array of (cert, key) pairs to use when receiving requests on this listener. Each cert or key must point to files on disk.

require_client_certs

If true, client cert verification will be performed. If false, this check is disabled and clients are not required to present certificates when connecting to this listener.

trust_file

String representing the path on disk to the SSL trust file to use when receiving requests on this listener. If omitted, then no trust verification will be performed.

sni

String representing how this listener will identify itself during SSL SNI.
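The field rules above (accepted protocol values, cipher_filter being ignored under TLSv1.3, trust_file being required for client cert verification to mean anything) can be checked before a listener config is deployed. The lint below is an added example, not part of this page or the proxy's own code; the function name lint_ssl, the LEGACY_PROTOCOLS set and the sample object (the page's example with TLSv1.1 still enabled) are assumptions constructed here.

```python
import json

# Values the page lists as accepted for "protocols".
VALID_PROTOCOLS = ("TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
# Versions treated as legacy by this check (assumption, not a rule from the page).
LEGACY_PROTOCOLS = {"TLSv1", "TLSv1.1"}

# Constructed sample: the page's example object, which still accepts TLSv1.1.
SAMPLE_SSL = json.loads("""
{
  "cipher_filter": "",
  "protocols": ["TLSv1.1", "TLSv1.2"],
  "cert_key_pairs": [
    {"certificate_path": "/etc/proxy/tls/sidecar/server.crt",
     "key_path": "/etc/proxy/tls/sidecar/server.key"}
  ],
  "require_client_certs": true,
  "trust_file": "/etc/proxy/tls/sidecar/ca.crt",
  "sni": null
}
""")


def lint_ssl(ssl: dict) -> list[str]:
    """Return a list of findings for one `ssl` listener object (empty list = clean)."""
    findings = []
    protocols = ssl.get("protocols") or []
    unknown = [p for p in protocols if p not in VALID_PROTOCOLS]
    if unknown:
        findings.append(f"unknown protocol value(s): {unknown}")
    legacy = [p for p in protocols if p in LEGACY_PROTOCOLS]
    if legacy:
        findings.append(f"legacy protocol(s) enabled: {legacy}")
    # cipher_filter only applies to TLSv1-TLSv1.2; with only TLSv1.3 it is silently ignored.
    if ssl.get("cipher_filter") and protocols and set(protocols) <= {"TLSv1.3"}:
        findings.append("cipher_filter has no effect: only TLSv1.3 is enabled")
    if not ssl.get("cert_key_pairs"):
        findings.append("no cert_key_pairs configured")
    # Without a trust_file no trust verification happens, so requiring client certs
    # would not actually verify them against a CA.
    if ssl.get("require_client_certs") and not ssl.get("trust_file"):
        findings.append("require_client_certs is true but trust_file is omitted")
    return findings


if __name__ == "__main__":
    for finding in lint_ssl(SAMPLE_SSL):
        print(finding)
```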
