Interface TlsParametersOrBuilder
- All Superinterfaces:
com.google.protobuf.MessageLiteOrBuilder
,com.google.protobuf.MessageOrBuilder
- All Known Implementing Classes:
TlsParameters
,TlsParameters.Builder
public interface TlsParametersOrBuilder
extends com.google.protobuf.MessageOrBuilder
-
Method Summary
Modifier and TypeMethodDescriptiongetCipherSuites
(int index) If specified, the TLS listener will only support the specified `cipher list <https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#Cipher-suite-configuration>`_ when negotiating TLS 1.0-1.2 (this setting has no effect when negotiating TLS 1.3).com.google.protobuf.ByteString
getCipherSuitesBytes
(int index) If specified, the TLS listener will only support the specified `cipher list <https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#Cipher-suite-configuration>`_ when negotiating TLS 1.0-1.2 (this setting has no effect when negotiating TLS 1.3).int
If specified, the TLS listener will only support the specified `cipher list <https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#Cipher-suite-configuration>`_ when negotiating TLS 1.0-1.2 (this setting has no effect when negotiating TLS 1.3).If specified, the TLS listener will only support the specified `cipher list <https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#Cipher-suite-configuration>`_ when negotiating TLS 1.0-1.2 (this setting has no effect when negotiating TLS 1.3).getEcdhCurves
(int index) If specified, the TLS connection will only support the specified ECDH curves.com.google.protobuf.ByteString
getEcdhCurvesBytes
(int index) If specified, the TLS connection will only support the specified ECDH curves.int
If specified, the TLS connection will only support the specified ECDH curves.If specified, the TLS connection will only support the specified ECDH curves.getSignatureAlgorithms
(int index) If specified, the TLS connection will only support the specified signature algorithms.com.google.protobuf.ByteString
getSignatureAlgorithmsBytes
(int index) If specified, the TLS connection will only support the specified signature algorithms.int
If specified, the TLS connection will only support the specified signature algorithms.If specified, the TLS connection will only support the specified signature algorithms.Maximum TLS protocol version.int
Maximum TLS protocol version.Minimum TLS protocol version.int
Minimum TLS protocol version.Methods inherited from interface com.google.protobuf.MessageLiteOrBuilder
isInitialized
Methods inherited from interface com.google.protobuf.MessageOrBuilder
findInitializationErrors, getAllFields, getDefaultInstanceForType, getDescriptorForType, getField, getInitializationErrorString, getOneofFieldDescriptor, getRepeatedField, getRepeatedFieldCount, getUnknownFields, hasField, hasOneof
-
Method Details
-
getTlsMinimumProtocolVersionValue
int getTlsMinimumProtocolVersionValue()Minimum TLS protocol version. By default, it's ``TLSv1_2`` for both clients and servers. TLS protocol versions below TLSv1_2 require setting compatible ciphers with the ``cipher_suites`` setting as the default ciphers no longer include compatible ciphers. .. attention:: Using TLS protocol versions below TLSv1_2 has serious security considerations and risks.
.envoy.extensions.transport_sockets.tls.v3.TlsParameters.TlsProtocol tls_minimum_protocol_version = 1 [(.validate.rules) = { ... }
- Returns:
- The enum numeric value on the wire for tlsMinimumProtocolVersion.
-
getTlsMinimumProtocolVersion
TlsParameters.TlsProtocol getTlsMinimumProtocolVersion()Minimum TLS protocol version. By default, it's ``TLSv1_2`` for both clients and servers. TLS protocol versions below TLSv1_2 require setting compatible ciphers with the ``cipher_suites`` setting as the default ciphers no longer include compatible ciphers. .. attention:: Using TLS protocol versions below TLSv1_2 has serious security considerations and risks.
.envoy.extensions.transport_sockets.tls.v3.TlsParameters.TlsProtocol tls_minimum_protocol_version = 1 [(.validate.rules) = { ... }
- Returns:
- The tlsMinimumProtocolVersion.
-
getTlsMaximumProtocolVersionValue
int getTlsMaximumProtocolVersionValue()Maximum TLS protocol version. By default, it's ``TLSv1_2`` for clients and ``TLSv1_3`` for servers.
.envoy.extensions.transport_sockets.tls.v3.TlsParameters.TlsProtocol tls_maximum_protocol_version = 2 [(.validate.rules) = { ... }
- Returns:
- The enum numeric value on the wire for tlsMaximumProtocolVersion.
-
getTlsMaximumProtocolVersion
TlsParameters.TlsProtocol getTlsMaximumProtocolVersion()Maximum TLS protocol version. By default, it's ``TLSv1_2`` for clients and ``TLSv1_3`` for servers.
.envoy.extensions.transport_sockets.tls.v3.TlsParameters.TlsProtocol tls_maximum_protocol_version = 2 [(.validate.rules) = { ... }
- Returns:
- The tlsMaximumProtocolVersion.
-
getCipherSuitesList
If specified, the TLS listener will only support the specified `cipher list <https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#Cipher-suite-configuration>`_ when negotiating TLS 1.0-1.2 (this setting has no effect when negotiating TLS 1.3). If not specified, a default list will be used. Defaults are different for server (downstream) and client (upstream) TLS configurations. Defaults will change over time in response to security considerations; If you care, configure it instead of using the default. In non-FIPS builds, the default server cipher list is: .. code-block:: none [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305] [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305] ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 In builds using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`, the default server cipher list is: .. code-block:: none ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 In non-FIPS builds, the default client cipher list is: .. code-block:: none [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305] [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305] ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 In builds using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`, the default client cipher list is: .. code-block:: none ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384
repeated string cipher_suites = 3;
- Returns:
- A list containing the cipherSuites.
-
getCipherSuitesCount
int getCipherSuitesCount()If specified, the TLS listener will only support the specified `cipher list <https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#Cipher-suite-configuration>`_ when negotiating TLS 1.0-1.2 (this setting has no effect when negotiating TLS 1.3). If not specified, a default list will be used. Defaults are different for server (downstream) and client (upstream) TLS configurations. Defaults will change over time in response to security considerations; If you care, configure it instead of using the default. In non-FIPS builds, the default server cipher list is: .. code-block:: none [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305] [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305] ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 In builds using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`, the default server cipher list is: .. code-block:: none ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 In non-FIPS builds, the default client cipher list is: .. code-block:: none [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305] [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305] ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 In builds using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`, the default client cipher list is: .. code-block:: none ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384
repeated string cipher_suites = 3;
- Returns:
- The count of cipherSuites.
-
getCipherSuites
If specified, the TLS listener will only support the specified `cipher list <https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#Cipher-suite-configuration>`_ when negotiating TLS 1.0-1.2 (this setting has no effect when negotiating TLS 1.3). If not specified, a default list will be used. Defaults are different for server (downstream) and client (upstream) TLS configurations. Defaults will change over time in response to security considerations; If you care, configure it instead of using the default. In non-FIPS builds, the default server cipher list is: .. code-block:: none [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305] [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305] ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 In builds using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`, the default server cipher list is: .. code-block:: none ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 In non-FIPS builds, the default client cipher list is: .. code-block:: none [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305] [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305] ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 In builds using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`, the default client cipher list is: .. code-block:: none ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384
repeated string cipher_suites = 3;
- Parameters:
index
- The index of the element to return.- Returns:
- The cipherSuites at the given index.
-
getCipherSuitesBytes
com.google.protobuf.ByteString getCipherSuitesBytes(int index) If specified, the TLS listener will only support the specified `cipher list <https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#Cipher-suite-configuration>`_ when negotiating TLS 1.0-1.2 (this setting has no effect when negotiating TLS 1.3). If not specified, a default list will be used. Defaults are different for server (downstream) and client (upstream) TLS configurations. Defaults will change over time in response to security considerations; If you care, configure it instead of using the default. In non-FIPS builds, the default server cipher list is: .. code-block:: none [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305] [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305] ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 In builds using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`, the default server cipher list is: .. code-block:: none ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 In non-FIPS builds, the default client cipher list is: .. code-block:: none [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305] [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305] ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 In builds using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`, the default client cipher list is: .. code-block:: none ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384
repeated string cipher_suites = 3;
- Parameters:
index
- The index of the value to return.- Returns:
- The bytes of the cipherSuites at the given index.
-
getEcdhCurvesList
If specified, the TLS connection will only support the specified ECDH curves. If not specified, the default curves will be used. In non-FIPS builds, the default curves are: .. code-block:: none X25519 P-256 In builds using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`, the default curve is: .. code-block:: none P-256
repeated string ecdh_curves = 4;
- Returns:
- A list containing the ecdhCurves.
-
getEcdhCurvesCount
int getEcdhCurvesCount()If specified, the TLS connection will only support the specified ECDH curves. If not specified, the default curves will be used. In non-FIPS builds, the default curves are: .. code-block:: none X25519 P-256 In builds using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`, the default curve is: .. code-block:: none P-256
repeated string ecdh_curves = 4;
- Returns:
- The count of ecdhCurves.
-
getEcdhCurves
If specified, the TLS connection will only support the specified ECDH curves. If not specified, the default curves will be used. In non-FIPS builds, the default curves are: .. code-block:: none X25519 P-256 In builds using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`, the default curve is: .. code-block:: none P-256
repeated string ecdh_curves = 4;
- Parameters:
index
- The index of the element to return.- Returns:
- The ecdhCurves at the given index.
-
getEcdhCurvesBytes
com.google.protobuf.ByteString getEcdhCurvesBytes(int index) If specified, the TLS connection will only support the specified ECDH curves. If not specified, the default curves will be used. In non-FIPS builds, the default curves are: .. code-block:: none X25519 P-256 In builds using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`, the default curve is: .. code-block:: none P-256
repeated string ecdh_curves = 4;
- Parameters:
index
- The index of the value to return.- Returns:
- The bytes of the ecdhCurves at the given index.
-
getSignatureAlgorithmsList
If specified, the TLS connection will only support the specified signature algorithms. The list is ordered by preference. If not specified, the default signature algorithms defined by BoringSSL will be used. Default signature algorithms selected by BoringSSL (may be out of date): .. code-block:: none ecdsa_secp256r1_sha256 rsa_pss_rsae_sha256 rsa_pkcs1_sha256 ecdsa_secp384r1_sha384 rsa_pss_rsae_sha384 rsa_pkcs1_sha384 rsa_pss_rsae_sha512 rsa_pkcs1_sha512 rsa_pkcs1_sha1 Signature algorithms supported by BoringSSL (may be out of date): .. code-block:: none rsa_pkcs1_sha256 rsa_pkcs1_sha384 rsa_pkcs1_sha512 ecdsa_secp256r1_sha256 ecdsa_secp384r1_sha384 ecdsa_secp521r1_sha512 rsa_pss_rsae_sha256 rsa_pss_rsae_sha384 rsa_pss_rsae_sha512 ed25519 rsa_pkcs1_sha1 ecdsa_sha1
repeated string signature_algorithms = 5;
- Returns:
- A list containing the signatureAlgorithms.
-
getSignatureAlgorithmsCount
int getSignatureAlgorithmsCount()If specified, the TLS connection will only support the specified signature algorithms. The list is ordered by preference. If not specified, the default signature algorithms defined by BoringSSL will be used. Default signature algorithms selected by BoringSSL (may be out of date): .. code-block:: none ecdsa_secp256r1_sha256 rsa_pss_rsae_sha256 rsa_pkcs1_sha256 ecdsa_secp384r1_sha384 rsa_pss_rsae_sha384 rsa_pkcs1_sha384 rsa_pss_rsae_sha512 rsa_pkcs1_sha512 rsa_pkcs1_sha1 Signature algorithms supported by BoringSSL (may be out of date): .. code-block:: none rsa_pkcs1_sha256 rsa_pkcs1_sha384 rsa_pkcs1_sha512 ecdsa_secp256r1_sha256 ecdsa_secp384r1_sha384 ecdsa_secp521r1_sha512 rsa_pss_rsae_sha256 rsa_pss_rsae_sha384 rsa_pss_rsae_sha512 ed25519 rsa_pkcs1_sha1 ecdsa_sha1
repeated string signature_algorithms = 5;
- Returns:
- The count of signatureAlgorithms.
-
getSignatureAlgorithms
If specified, the TLS connection will only support the specified signature algorithms. The list is ordered by preference. If not specified, the default signature algorithms defined by BoringSSL will be used. Default signature algorithms selected by BoringSSL (may be out of date): .. code-block:: none ecdsa_secp256r1_sha256 rsa_pss_rsae_sha256 rsa_pkcs1_sha256 ecdsa_secp384r1_sha384 rsa_pss_rsae_sha384 rsa_pkcs1_sha384 rsa_pss_rsae_sha512 rsa_pkcs1_sha512 rsa_pkcs1_sha1 Signature algorithms supported by BoringSSL (may be out of date): .. code-block:: none rsa_pkcs1_sha256 rsa_pkcs1_sha384 rsa_pkcs1_sha512 ecdsa_secp256r1_sha256 ecdsa_secp384r1_sha384 ecdsa_secp521r1_sha512 rsa_pss_rsae_sha256 rsa_pss_rsae_sha384 rsa_pss_rsae_sha512 ed25519 rsa_pkcs1_sha1 ecdsa_sha1
repeated string signature_algorithms = 5;
- Parameters:
index
- The index of the element to return.- Returns:
- The signatureAlgorithms at the given index.
-
getSignatureAlgorithmsBytes
com.google.protobuf.ByteString getSignatureAlgorithmsBytes(int index) If specified, the TLS connection will only support the specified signature algorithms. The list is ordered by preference. If not specified, the default signature algorithms defined by BoringSSL will be used. Default signature algorithms selected by BoringSSL (may be out of date): .. code-block:: none ecdsa_secp256r1_sha256 rsa_pss_rsae_sha256 rsa_pkcs1_sha256 ecdsa_secp384r1_sha384 rsa_pss_rsae_sha384 rsa_pkcs1_sha384 rsa_pss_rsae_sha512 rsa_pkcs1_sha512 rsa_pkcs1_sha1 Signature algorithms supported by BoringSSL (may be out of date): .. code-block:: none rsa_pkcs1_sha256 rsa_pkcs1_sha384 rsa_pkcs1_sha512 ecdsa_secp256r1_sha256 ecdsa_secp384r1_sha384 ecdsa_secp521r1_sha512 rsa_pss_rsae_sha256 rsa_pss_rsae_sha384 rsa_pss_rsae_sha512 ed25519 rsa_pkcs1_sha1 ecdsa_sha1
repeated string signature_algorithms = 5;
- Parameters:
index
- The index of the value to return.- Returns:
- The bytes of the signatureAlgorithms at the given index.
-