Interface TlsParametersOrBuilder

All Superinterfaces:
com.google.protobuf.MessageLiteOrBuilder, com.google.protobuf.MessageOrBuilder
All Known Implementing Classes:
TlsParameters, TlsParameters.Builder

public interface TlsParametersOrBuilder extends com.google.protobuf.MessageOrBuilder
  • Method Summary

    Modifier and Type
    Method
    Description
    getCipherSuites(int index)
    If specified, the TLS listener will only support the specified `cipher list <https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#Cipher-suite-configuration>`_ when negotiating TLS 1.0-1.2 (this setting has no effect when negotiating TLS 1.3).
    com.google.protobuf.ByteString
    If specified, the TLS listener will only support the specified `cipher list <https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#Cipher-suite-configuration>`_ when negotiating TLS 1.0-1.2 (this setting has no effect when negotiating TLS 1.3).
    int
    If specified, the TLS listener will only support the specified `cipher list <https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#Cipher-suite-configuration>`_ when negotiating TLS 1.0-1.2 (this setting has no effect when negotiating TLS 1.3).
    If specified, the TLS listener will only support the specified `cipher list <https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#Cipher-suite-configuration>`_ when negotiating TLS 1.0-1.2 (this setting has no effect when negotiating TLS 1.3).
    getEcdhCurves(int index)
    If specified, the TLS connection will only support the specified ECDH curves.
    com.google.protobuf.ByteString
    getEcdhCurvesBytes(int index)
    If specified, the TLS connection will only support the specified ECDH curves.
    int
    If specified, the TLS connection will only support the specified ECDH curves.
    If specified, the TLS connection will only support the specified ECDH curves.
    If specified, the TLS connection will only support the specified signature algorithms.
    com.google.protobuf.ByteString
    If specified, the TLS connection will only support the specified signature algorithms.
    int
    If specified, the TLS connection will only support the specified signature algorithms.
    If specified, the TLS connection will only support the specified signature algorithms.
    Maximum TLS protocol version.
    int
    Maximum TLS protocol version.
    Minimum TLS protocol version.
    int
    Minimum TLS protocol version.

    Methods inherited from interface com.google.protobuf.MessageLiteOrBuilder

    isInitialized

    Methods inherited from interface com.google.protobuf.MessageOrBuilder

    findInitializationErrors, getAllFields, getDefaultInstanceForType, getDescriptorForType, getField, getInitializationErrorString, getOneofFieldDescriptor, getRepeatedField, getRepeatedFieldCount, getUnknownFields, hasField, hasOneof
  • Method Details

    • getTlsMinimumProtocolVersionValue

      int getTlsMinimumProtocolVersionValue()
       Minimum TLS protocol version. By default, it's ``TLSv1_2`` for both clients and servers.
      
       TLS protocol versions below TLSv1_2 require setting compatible ciphers with the
       ``cipher_suites`` setting as the default ciphers no longer include compatible ciphers.
      
       .. attention::
      
       Using TLS protocol versions below TLSv1_2 has serious security considerations and risks.
       
      .envoy.extensions.transport_sockets.tls.v3.TlsParameters.TlsProtocol tls_minimum_protocol_version = 1 [(.validate.rules) = { ... }
      Returns:
      The enum numeric value on the wire for tlsMinimumProtocolVersion.
    • getTlsMinimumProtocolVersion

      TlsParameters.TlsProtocol getTlsMinimumProtocolVersion()
       Minimum TLS protocol version. By default, it's ``TLSv1_2`` for both clients and servers.
      
       TLS protocol versions below TLSv1_2 require setting compatible ciphers with the
       ``cipher_suites`` setting as the default ciphers no longer include compatible ciphers.
      
       .. attention::
      
       Using TLS protocol versions below TLSv1_2 has serious security considerations and risks.
       
      .envoy.extensions.transport_sockets.tls.v3.TlsParameters.TlsProtocol tls_minimum_protocol_version = 1 [(.validate.rules) = { ... }
      Returns:
      The tlsMinimumProtocolVersion.
    • getTlsMaximumProtocolVersionValue

      int getTlsMaximumProtocolVersionValue()
       Maximum TLS protocol version. By default, it's ``TLSv1_2`` for clients and ``TLSv1_3`` for
       servers.
       
      .envoy.extensions.transport_sockets.tls.v3.TlsParameters.TlsProtocol tls_maximum_protocol_version = 2 [(.validate.rules) = { ... }
      Returns:
      The enum numeric value on the wire for tlsMaximumProtocolVersion.
    • getTlsMaximumProtocolVersion

      TlsParameters.TlsProtocol getTlsMaximumProtocolVersion()
       Maximum TLS protocol version. By default, it's ``TLSv1_2`` for clients and ``TLSv1_3`` for
       servers.
       
      .envoy.extensions.transport_sockets.tls.v3.TlsParameters.TlsProtocol tls_maximum_protocol_version = 2 [(.validate.rules) = { ... }
      Returns:
      The tlsMaximumProtocolVersion.
    • getCipherSuitesList

      List<String> getCipherSuitesList()
       If specified, the TLS listener will only support the specified `cipher list
       <https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#Cipher-suite-configuration>`_
       when negotiating TLS 1.0-1.2 (this setting has no effect when negotiating TLS 1.3).
      
       If not specified, a default list will be used. Defaults are different for server (downstream) and
       client (upstream) TLS configurations.
       Defaults will change over time in response to security considerations; If you care, configure
       it instead of using the default.
      
       In non-FIPS builds, the default server cipher list is:
      
       .. code-block:: none
      
       [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]
       [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]
       ECDHE-ECDSA-AES256-GCM-SHA384
       ECDHE-RSA-AES256-GCM-SHA384
      
       In builds using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`, the default server cipher list is:
      
       .. code-block:: none
      
       ECDHE-ECDSA-AES128-GCM-SHA256
       ECDHE-RSA-AES128-GCM-SHA256
       ECDHE-ECDSA-AES256-GCM-SHA384
       ECDHE-RSA-AES256-GCM-SHA384
      
       In non-FIPS builds, the default client cipher list is:
      
       .. code-block:: none
      
       [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]
       [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]
       ECDHE-ECDSA-AES256-GCM-SHA384
       ECDHE-RSA-AES256-GCM-SHA384
      
       In builds using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`, the default client cipher list is:
      
       .. code-block:: none
      
       ECDHE-ECDSA-AES128-GCM-SHA256
       ECDHE-RSA-AES128-GCM-SHA256
       ECDHE-ECDSA-AES256-GCM-SHA384
       ECDHE-RSA-AES256-GCM-SHA384
       
      repeated string cipher_suites = 3;
      Returns:
      A list containing the cipherSuites.
    • getCipherSuitesCount

      int getCipherSuitesCount()
       If specified, the TLS listener will only support the specified `cipher list
       <https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#Cipher-suite-configuration>`_
       when negotiating TLS 1.0-1.2 (this setting has no effect when negotiating TLS 1.3).
      
       If not specified, a default list will be used. Defaults are different for server (downstream) and
       client (upstream) TLS configurations.
       Defaults will change over time in response to security considerations; If you care, configure
       it instead of using the default.
      
       In non-FIPS builds, the default server cipher list is:
      
       .. code-block:: none
      
       [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]
       [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]
       ECDHE-ECDSA-AES256-GCM-SHA384
       ECDHE-RSA-AES256-GCM-SHA384
      
       In builds using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`, the default server cipher list is:
      
       .. code-block:: none
      
       ECDHE-ECDSA-AES128-GCM-SHA256
       ECDHE-RSA-AES128-GCM-SHA256
       ECDHE-ECDSA-AES256-GCM-SHA384
       ECDHE-RSA-AES256-GCM-SHA384
      
       In non-FIPS builds, the default client cipher list is:
      
       .. code-block:: none
      
       [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]
       [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]
       ECDHE-ECDSA-AES256-GCM-SHA384
       ECDHE-RSA-AES256-GCM-SHA384
      
       In builds using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`, the default client cipher list is:
      
       .. code-block:: none
      
       ECDHE-ECDSA-AES128-GCM-SHA256
       ECDHE-RSA-AES128-GCM-SHA256
       ECDHE-ECDSA-AES256-GCM-SHA384
       ECDHE-RSA-AES256-GCM-SHA384
       
      repeated string cipher_suites = 3;
      Returns:
      The count of cipherSuites.
    • getCipherSuites

      String getCipherSuites(int index)
       If specified, the TLS listener will only support the specified `cipher list
       <https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#Cipher-suite-configuration>`_
       when negotiating TLS 1.0-1.2 (this setting has no effect when negotiating TLS 1.3).
      
       If not specified, a default list will be used. Defaults are different for server (downstream) and
       client (upstream) TLS configurations.
       Defaults will change over time in response to security considerations; If you care, configure
       it instead of using the default.
      
       In non-FIPS builds, the default server cipher list is:
      
       .. code-block:: none
      
       [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]
       [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]
       ECDHE-ECDSA-AES256-GCM-SHA384
       ECDHE-RSA-AES256-GCM-SHA384
      
       In builds using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`, the default server cipher list is:
      
       .. code-block:: none
      
       ECDHE-ECDSA-AES128-GCM-SHA256
       ECDHE-RSA-AES128-GCM-SHA256
       ECDHE-ECDSA-AES256-GCM-SHA384
       ECDHE-RSA-AES256-GCM-SHA384
      
       In non-FIPS builds, the default client cipher list is:
      
       .. code-block:: none
      
       [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]
       [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]
       ECDHE-ECDSA-AES256-GCM-SHA384
       ECDHE-RSA-AES256-GCM-SHA384
      
       In builds using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`, the default client cipher list is:
      
       .. code-block:: none
      
       ECDHE-ECDSA-AES128-GCM-SHA256
       ECDHE-RSA-AES128-GCM-SHA256
       ECDHE-ECDSA-AES256-GCM-SHA384
       ECDHE-RSA-AES256-GCM-SHA384
       
      repeated string cipher_suites = 3;
      Parameters:
      index - The index of the element to return.
      Returns:
      The cipherSuites at the given index.
    • getCipherSuitesBytes

      com.google.protobuf.ByteString getCipherSuitesBytes(int index)
       If specified, the TLS listener will only support the specified `cipher list
       <https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#Cipher-suite-configuration>`_
       when negotiating TLS 1.0-1.2 (this setting has no effect when negotiating TLS 1.3).
      
       If not specified, a default list will be used. Defaults are different for server (downstream) and
       client (upstream) TLS configurations.
       Defaults will change over time in response to security considerations; If you care, configure
       it instead of using the default.
      
       In non-FIPS builds, the default server cipher list is:
      
       .. code-block:: none
      
       [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]
       [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]
       ECDHE-ECDSA-AES256-GCM-SHA384
       ECDHE-RSA-AES256-GCM-SHA384
      
       In builds using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`, the default server cipher list is:
      
       .. code-block:: none
      
       ECDHE-ECDSA-AES128-GCM-SHA256
       ECDHE-RSA-AES128-GCM-SHA256
       ECDHE-ECDSA-AES256-GCM-SHA384
       ECDHE-RSA-AES256-GCM-SHA384
      
       In non-FIPS builds, the default client cipher list is:
      
       .. code-block:: none
      
       [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]
       [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]
       ECDHE-ECDSA-AES256-GCM-SHA384
       ECDHE-RSA-AES256-GCM-SHA384
      
       In builds using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`, the default client cipher list is:
      
       .. code-block:: none
      
       ECDHE-ECDSA-AES128-GCM-SHA256
       ECDHE-RSA-AES128-GCM-SHA256
       ECDHE-ECDSA-AES256-GCM-SHA384
       ECDHE-RSA-AES256-GCM-SHA384
       
      repeated string cipher_suites = 3;
      Parameters:
      index - The index of the value to return.
      Returns:
      The bytes of the cipherSuites at the given index.
    • getEcdhCurvesList

      List<String> getEcdhCurvesList()
       If specified, the TLS connection will only support the specified ECDH
       curves. If not specified, the default curves will be used.
      
       In non-FIPS builds, the default curves are:
      
       .. code-block:: none
      
       X25519
       P-256
      
       In builds using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`, the default curve is:
      
       .. code-block:: none
      
       P-256
       
      repeated string ecdh_curves = 4;
      Returns:
      A list containing the ecdhCurves.
    • getEcdhCurvesCount

      int getEcdhCurvesCount()
       If specified, the TLS connection will only support the specified ECDH
       curves. If not specified, the default curves will be used.
      
       In non-FIPS builds, the default curves are:
      
       .. code-block:: none
      
       X25519
       P-256
      
       In builds using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`, the default curve is:
      
       .. code-block:: none
      
       P-256
       
      repeated string ecdh_curves = 4;
      Returns:
      The count of ecdhCurves.
    • getEcdhCurves

      String getEcdhCurves(int index)
       If specified, the TLS connection will only support the specified ECDH
       curves. If not specified, the default curves will be used.
      
       In non-FIPS builds, the default curves are:
      
       .. code-block:: none
      
       X25519
       P-256
      
       In builds using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`, the default curve is:
      
       .. code-block:: none
      
       P-256
       
      repeated string ecdh_curves = 4;
      Parameters:
      index - The index of the element to return.
      Returns:
      The ecdhCurves at the given index.
    • getEcdhCurvesBytes

      com.google.protobuf.ByteString getEcdhCurvesBytes(int index)
       If specified, the TLS connection will only support the specified ECDH
       curves. If not specified, the default curves will be used.
      
       In non-FIPS builds, the default curves are:
      
       .. code-block:: none
      
       X25519
       P-256
      
       In builds using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`, the default curve is:
      
       .. code-block:: none
      
       P-256
       
      repeated string ecdh_curves = 4;
      Parameters:
      index - The index of the value to return.
      Returns:
      The bytes of the ecdhCurves at the given index.
    • getSignatureAlgorithmsList

      List<String> getSignatureAlgorithmsList()
       If specified, the TLS connection will only support the specified signature algorithms.
       The list is ordered by preference.
       If not specified, the default signature algorithms defined by BoringSSL will be used.
      
       Default signature algorithms selected by BoringSSL (may be out of date):
      
       .. code-block:: none
      
       ecdsa_secp256r1_sha256
       rsa_pss_rsae_sha256
       rsa_pkcs1_sha256
       ecdsa_secp384r1_sha384
       rsa_pss_rsae_sha384
       rsa_pkcs1_sha384
       rsa_pss_rsae_sha512
       rsa_pkcs1_sha512
       rsa_pkcs1_sha1
      
       Signature algorithms supported by BoringSSL (may be out of date):
      
       .. code-block:: none
      
       rsa_pkcs1_sha256
       rsa_pkcs1_sha384
       rsa_pkcs1_sha512
       ecdsa_secp256r1_sha256
       ecdsa_secp384r1_sha384
       ecdsa_secp521r1_sha512
       rsa_pss_rsae_sha256
       rsa_pss_rsae_sha384
       rsa_pss_rsae_sha512
       ed25519
       rsa_pkcs1_sha1
       ecdsa_sha1
       
      repeated string signature_algorithms = 5;
      Returns:
      A list containing the signatureAlgorithms.
    • getSignatureAlgorithmsCount

      int getSignatureAlgorithmsCount()
       If specified, the TLS connection will only support the specified signature algorithms.
       The list is ordered by preference.
       If not specified, the default signature algorithms defined by BoringSSL will be used.
      
       Default signature algorithms selected by BoringSSL (may be out of date):
      
       .. code-block:: none
      
       ecdsa_secp256r1_sha256
       rsa_pss_rsae_sha256
       rsa_pkcs1_sha256
       ecdsa_secp384r1_sha384
       rsa_pss_rsae_sha384
       rsa_pkcs1_sha384
       rsa_pss_rsae_sha512
       rsa_pkcs1_sha512
       rsa_pkcs1_sha1
      
       Signature algorithms supported by BoringSSL (may be out of date):
      
       .. code-block:: none
      
       rsa_pkcs1_sha256
       rsa_pkcs1_sha384
       rsa_pkcs1_sha512
       ecdsa_secp256r1_sha256
       ecdsa_secp384r1_sha384
       ecdsa_secp521r1_sha512
       rsa_pss_rsae_sha256
       rsa_pss_rsae_sha384
       rsa_pss_rsae_sha512
       ed25519
       rsa_pkcs1_sha1
       ecdsa_sha1
       
      repeated string signature_algorithms = 5;
      Returns:
      The count of signatureAlgorithms.
    • getSignatureAlgorithms

      String getSignatureAlgorithms(int index)
       If specified, the TLS connection will only support the specified signature algorithms.
       The list is ordered by preference.
       If not specified, the default signature algorithms defined by BoringSSL will be used.
      
       Default signature algorithms selected by BoringSSL (may be out of date):
      
       .. code-block:: none
      
       ecdsa_secp256r1_sha256
       rsa_pss_rsae_sha256
       rsa_pkcs1_sha256
       ecdsa_secp384r1_sha384
       rsa_pss_rsae_sha384
       rsa_pkcs1_sha384
       rsa_pss_rsae_sha512
       rsa_pkcs1_sha512
       rsa_pkcs1_sha1
      
       Signature algorithms supported by BoringSSL (may be out of date):
      
       .. code-block:: none
      
       rsa_pkcs1_sha256
       rsa_pkcs1_sha384
       rsa_pkcs1_sha512
       ecdsa_secp256r1_sha256
       ecdsa_secp384r1_sha384
       ecdsa_secp521r1_sha512
       rsa_pss_rsae_sha256
       rsa_pss_rsae_sha384
       rsa_pss_rsae_sha512
       ed25519
       rsa_pkcs1_sha1
       ecdsa_sha1
       
      repeated string signature_algorithms = 5;
      Parameters:
      index - The index of the element to return.
      Returns:
      The signatureAlgorithms at the given index.
    • getSignatureAlgorithmsBytes

      com.google.protobuf.ByteString getSignatureAlgorithmsBytes(int index)
       If specified, the TLS connection will only support the specified signature algorithms.
       The list is ordered by preference.
       If not specified, the default signature algorithms defined by BoringSSL will be used.
      
       Default signature algorithms selected by BoringSSL (may be out of date):
      
       .. code-block:: none
      
       ecdsa_secp256r1_sha256
       rsa_pss_rsae_sha256
       rsa_pkcs1_sha256
       ecdsa_secp384r1_sha384
       rsa_pss_rsae_sha384
       rsa_pkcs1_sha384
       rsa_pss_rsae_sha512
       rsa_pkcs1_sha512
       rsa_pkcs1_sha1
      
       Signature algorithms supported by BoringSSL (may be out of date):
      
       .. code-block:: none
      
       rsa_pkcs1_sha256
       rsa_pkcs1_sha384
       rsa_pkcs1_sha512
       ecdsa_secp256r1_sha256
       ecdsa_secp384r1_sha384
       ecdsa_secp521r1_sha512
       rsa_pss_rsae_sha256
       rsa_pss_rsae_sha384
       rsa_pss_rsae_sha512
       ed25519
       rsa_pkcs1_sha1
       ecdsa_sha1
       
      repeated string signature_algorithms = 5;
      Parameters:
      index - The index of the value to return.
      Returns:
      The bytes of the signatureAlgorithms at the given index.