Interface TlsBucketConfig


public interface TlsBucketConfig
  • Method Details

    • keyStore

      The key store configuration. Key stores are used to store private keys and their associated X.509 certificate chains. For example, for HTTPS, it stores the server's private key and the server's certificate. The certificate is used to prove the server's identity to the client.
    • trustStore

      Optional<TrustStoreConfig> trustStore()
      The trust store configuration. Trust stores are used to store certificates from trusted entities. For example, for HTTPS, it stores the certificate authorities that are trusted by the server. The server uses the trust store to verify the client's certificate when mTLS (client authentication) is enabled.
    • cipherSuites

      Optional<List<String>> cipherSuites()
      Sets the ordered list of enabled cipher suites. If none is given, a reasonable default is selected from the built-in ciphers.

      When suites are set, they take precedence over the default suites defined by the SSLEngineOptions in use.

    • protocols

      @WithDefault("TLSv1.3,TLSv1.2") Set<String> protocols()
      Sets the ordered list of enabled TLS protocols.

      If not set, it defaults to "TLSv1.3, TLSv1.2". The following protocols are supported: TLSv1, TLSv1.1, TLSv1.2, TLSv1.3. To only enable TLSv1.3, set the value to "TLSv1.3".

      Note that setting an empty list while TLS is enabled is invalid: at least one protocol must be enabled.

      Also, setting this replaces the default list of protocols.

    • handshakeTimeout

      @WithDefault("10S") Duration handshakeTimeout()
      The timeout for the TLS handshake phase.

      If not set, it defaults to 10 seconds.

    • alpn

      @WithDefault("true") boolean alpn()
      Enables the Application-Layer Protocol Negotiation (ALPN).

      Application-Layer Protocol Negotiation is a TLS extension that allows the client and server during the TLS handshake to negotiate which protocol they will use for communication. ALPN enables more efficient communication by allowing the client to indicate its preferred application protocol to the server before the TLS connection is established. This helps in scenarios such as HTTP/2 where multiple protocols may be available, allowing for faster protocol selection.

    • certificateRevocationList

      Optional<List<Path>> certificateRevocationList()
      Sets the list of revoked certificates (paths to files).

      A Certificate Revocation List (CRL) is a list of digital certificates that have been revoked by the issuing Certificate Authority (CA) before their scheduled expiration date. When a certificate is compromised, no longer needed, or deemed invalid for any reason, the CA adds it to the CRL to inform relying parties not to trust the certificate anymore.

      Two formats are allowed: DER and PKCS#7 (also known as P7B). When using the DER format, you must pass DER-encoded CRLs. When using the PKCS#7 format, you must pass a PKCS#7 SignedData object, with the only significant field being crls.

    • trustAll

      @WithDefault("false") boolean trustAll()
      If set to true, the server trusts all certificates.

      This is useful for testing, but should not be used in production.

    • hostnameVerificationAlgorithm

      Optional<String> hostnameVerificationAlgorithm()
      The hostname verification algorithm to use in case the server's identity should be checked. Should be HTTPS (default), LDAPS or NONE.

      If set to NONE, it does not verify the hostname.

      If not set, the configured extension decides the default algorithm to use. For example, for HTTP, it will be "HTTPS". For TCP, it can depend on the protocol. Nevertheless, it is recommended to set it to "HTTPS" or "LDAPS".
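      A small added check (not part of Quarkus or of this reference) that reads the protocols, trustAll and hostnameVerificationAlgorithm settings described above out of an application.properties fragment and flags the values this reference marks as test-only or invalid. It assumes the usual Quarkus mapping of these methods to `quarkus.tls[.<bucket-name>].<kebab-case-key>` properties; the properties fragment is constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample: the default bucket plus two named buckets ("legacy", "empty").
SAMPLE_PROPERTIES = """\
quarkus.tls.protocols=TLSv1.3,TLSv1.2
quarkus.tls.hostname-verification-algorithm=HTTPS
quarkus.tls.legacy.protocols=TLSv1,TLSv1.2
quarkus.tls.legacy.trust-all=true
quarkus.tls.legacy.hostname-verification-algorithm=NONE
quarkus.tls.empty.protocols=
"""

# Assumed property layout: quarkus.tls.<key> or quarkus.tls.<bucket>.<key>.
# Nested sub-configs (key-store.*, trust-store.*) are deliberately not matched here.
KEY_RE = re.compile(
    r"^quarkus\.tls\.(?:(?P<name>[^.=]+)\.)?(?P<key>[a-z-]+)\s*=\s*(?P<value>.*)$")
SUPPORTED = {"TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}   # per the reference
LEGACY = {"TLSv1", "TLSv1.1"}                             # supported but not in the default


def parse_buckets(text: str) -> Dict[str, Dict[str, str]]:
    """Group quarkus.tls.* keys by bucket name ('<default>' for the unnamed bucket)."""
    buckets: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.match(line)
        if not m:
            continue
        name = m.group("name") or "<default>"
        buckets.setdefault(name, {})[m.group("key")] = m.group("value").strip()
    return buckets


def audit(buckets: Dict[str, Dict[str, str]]) -> List[str]:
    """Return one finding per setting the reference documents as test-only or invalid."""
    findings: List[str] = []
    for name, cfg in buckets.items():
        if cfg.get("trust-all", "false").lower() == "true":
            findings.append(f"{name}: trust-all=true disables certificate verification")
        if cfg.get("hostname-verification-algorithm", "").upper() == "NONE":
            findings.append(f"{name}: hostname verification disabled")
        if "protocols" in cfg:
            protos = [p.strip() for p in cfg["protocols"].split(",") if p.strip()]
            if not protos:  # empty list with TLS enabled is invalid per the reference
                findings.append(f"{name}: empty protocols list is invalid")
            for p in protos:
                if p not in SUPPORTED:
                    findings.append(f"{name}: unsupported protocol {p}")
                elif p in LEGACY:
                    findings.append(f"{name}: legacy protocol {p} enabled")
    return findings
```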

    • reloadPeriod

      Optional<Duration> reloadPeriod()
      When configured, the server reloads the certificates (from the file system, for example) and fires a CertificateUpdatedEvent if the reload is successful.

      This property configures the period at which the certificates are reloaded. If not set, the certificates won't be reloaded automatically. However, the application can still trigger the reload manually using the TlsConfiguration.reload() method, and then fire the CertificateUpdatedEvent manually.

      The fired event is used to notify the application that the certificates have been updated, and thus proceed with the actual switch of certificates.