Package io.envoyproxy.envoy.extensions.transport_sockets.tls.v3

Interface DownstreamTlsContextOrBuilder

All Superinterfaces:
com.google.protobuf.MessageLiteOrBuilder, com.google.protobuf.MessageOrBuilder
All Known Implementing Classes:
DownstreamTlsContext, DownstreamTlsContext.Builder
public interface DownstreamTlsContextOrBuilder extends com.google.protobuf.MessageOrBuilder

  • Method Details

    • hasCommonTlsContext

      boolean hasCommonTlsContext()
       Common TLS context settings.
      .envoy.extensions.transport_sockets.tls.v3.CommonTlsContext common_tls_context = 1;
      Returns:
      Whether the commonTlsContext field is set.

    • getCommonTlsContext

      CommonTlsContext getCommonTlsContext()
       Common TLS context settings.
      .envoy.extensions.transport_sockets.tls.v3.CommonTlsContext common_tls_context = 1;
      Returns:
      The commonTlsContext.

    • getCommonTlsContextOrBuilder

      CommonTlsContextOrBuilder getCommonTlsContextOrBuilder()
       Common TLS context settings.
      .envoy.extensions.transport_sockets.tls.v3.CommonTlsContext common_tls_context = 1;

    • hasRequireClientCertificate

      boolean hasRequireClientCertificate()
       If specified, Envoy will reject connections without a valid client
 certificate.
      .google.protobuf.BoolValue require_client_certificate = 2;
      Returns:
      Whether the requireClientCertificate field is set.

    • getRequireClientCertificate

      com.google.protobuf.BoolValue getRequireClientCertificate()
       If specified, Envoy will reject connections without a valid client
 certificate.
      .google.protobuf.BoolValue require_client_certificate = 2;
      Returns:
      The requireClientCertificate.

    • getRequireClientCertificateOrBuilder

      com.google.protobuf.BoolValueOrBuilder getRequireClientCertificateOrBuilder()
       If specified, Envoy will reject connections without a valid client
 certificate.
      .google.protobuf.BoolValue require_client_certificate = 2;

    • hasRequireSni

      boolean hasRequireSni()
       If specified, Envoy will reject connections without a valid and matching SNI.
 [#not-implemented-hide:]
      .google.protobuf.BoolValue require_sni = 3;
      Returns:
      Whether the requireSni field is set.

    • getRequireSni

      com.google.protobuf.BoolValue getRequireSni()
       If specified, Envoy will reject connections without a valid and matching SNI.
 [#not-implemented-hide:]
      .google.protobuf.BoolValue require_sni = 3;
      Returns:
      The requireSni.

    • getRequireSniOrBuilder

      com.google.protobuf.BoolValueOrBuilder getRequireSniOrBuilder()
       If specified, Envoy will reject connections without a valid and matching SNI.
 [#not-implemented-hide:]
      .google.protobuf.BoolValue require_sni = 3;

    • hasSessionTicketKeys

      boolean hasSessionTicketKeys()
       TLS session ticket key settings.
      .envoy.extensions.transport_sockets.tls.v3.TlsSessionTicketKeys session_ticket_keys = 4;
      Returns:
      Whether the sessionTicketKeys field is set.

    • getSessionTicketKeys

      TlsSessionTicketKeys getSessionTicketKeys()
       TLS session ticket key settings.
      .envoy.extensions.transport_sockets.tls.v3.TlsSessionTicketKeys session_ticket_keys = 4;
      Returns:
      The sessionTicketKeys.

    • getSessionTicketKeysOrBuilder

      TlsSessionTicketKeysOrBuilder getSessionTicketKeysOrBuilder()
       TLS session ticket key settings.
      .envoy.extensions.transport_sockets.tls.v3.TlsSessionTicketKeys session_ticket_keys = 4;

    • hasSessionTicketKeysSdsSecretConfig

      boolean hasSessionTicketKeysSdsSecretConfig()
       Config for fetching TLS session ticket keys via SDS API.
      .envoy.extensions.transport_sockets.tls.v3.SdsSecretConfig session_ticket_keys_sds_secret_config = 5;
      Returns:
      Whether the sessionTicketKeysSdsSecretConfig field is set.

    • getSessionTicketKeysSdsSecretConfig

      SdsSecretConfig getSessionTicketKeysSdsSecretConfig()
       Config for fetching TLS session ticket keys via SDS API.
      .envoy.extensions.transport_sockets.tls.v3.SdsSecretConfig session_ticket_keys_sds_secret_config = 5;
      Returns:
      The sessionTicketKeysSdsSecretConfig.

    • getSessionTicketKeysSdsSecretConfigOrBuilder

      SdsSecretConfigOrBuilder getSessionTicketKeysSdsSecretConfigOrBuilder()
       Config for fetching TLS session ticket keys via SDS API.
      .envoy.extensions.transport_sockets.tls.v3.SdsSecretConfig session_ticket_keys_sds_secret_config = 5;

    • hasDisableStatelessSessionResumption

      boolean hasDisableStatelessSessionResumption()
       Config for controlling stateless TLS session resumption: setting this to true will cause the TLS
 server to not issue TLS session tickets for the purposes of stateless TLS session resumption.
 If set to false, the TLS server will issue TLS session tickets and encrypt/decrypt them using
 the keys specified through either :ref:`session_ticket_keys <envoy_v3_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.session_ticket_keys>`
 or :ref:`session_ticket_keys_sds_secret_config <envoy_v3_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.session_ticket_keys_sds_secret_config>`.
 If this config is set to false and no keys are explicitly configured, the TLS server will issue
 TLS session tickets and encrypt/decrypt them using an internally-generated and managed key, with the
 implication that sessions cannot be resumed across hot restarts or on different hosts.
      bool disable_stateless_session_resumption = 7;
      Returns:
      Whether the disableStatelessSessionResumption field is set.

    • getDisableStatelessSessionResumption

      boolean getDisableStatelessSessionResumption()
       Config for controlling stateless TLS session resumption: setting this to true will cause the TLS
 server to not issue TLS session tickets for the purposes of stateless TLS session resumption.
 If set to false, the TLS server will issue TLS session tickets and encrypt/decrypt them using
 the keys specified through either :ref:`session_ticket_keys <envoy_v3_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.session_ticket_keys>`
 or :ref:`session_ticket_keys_sds_secret_config <envoy_v3_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.session_ticket_keys_sds_secret_config>`.
 If this config is set to false and no keys are explicitly configured, the TLS server will issue
 TLS session tickets and encrypt/decrypt them using an internally-generated and managed key, with the
 implication that sessions cannot be resumed across hot restarts or on different hosts.
      bool disable_stateless_session_resumption = 7;
      Returns:
      The disableStatelessSessionResumption.

    • getDisableStatefulSessionResumption

      boolean getDisableStatefulSessionResumption()
       If ``true``, the TLS server will not maintain a session cache of TLS sessions.

 .. note::
   This applies only to TLSv1.2 and earlier.
      bool disable_stateful_session_resumption = 10;
      Returns:
      The disableStatefulSessionResumption.

    • hasSessionTimeout

      boolean hasSessionTimeout()
       Maximum lifetime of TLS sessions. If specified, ``session_timeout`` will change the maximum lifetime
 of the TLS session.

 This serves as a hint for the `TLS session ticket lifetime (for TLSv1.2) <https://tools.ietf.org/html/rfc5077#section-5.6>`_.
 Only whole seconds are considered; fractional seconds are ignored.
      .google.protobuf.Duration session_timeout = 6 [(.validate.rules) = { ... }
      Returns:
      Whether the sessionTimeout field is set.

    • getSessionTimeout

      com.google.protobuf.Duration getSessionTimeout()
       Maximum lifetime of TLS sessions. If specified, ``session_timeout`` will change the maximum lifetime
 of the TLS session.

 This serves as a hint for the `TLS session ticket lifetime (for TLSv1.2) <https://tools.ietf.org/html/rfc5077#section-5.6>`_.
 Only whole seconds are considered; fractional seconds are ignored.
      .google.protobuf.Duration session_timeout = 6 [(.validate.rules) = { ... }
      Returns:
      The sessionTimeout.

    • getSessionTimeoutOrBuilder

      com.google.protobuf.DurationOrBuilder getSessionTimeoutOrBuilder()
       Maximum lifetime of TLS sessions. If specified, ``session_timeout`` will change the maximum lifetime
 of the TLS session.

 This serves as a hint for the `TLS session ticket lifetime (for TLSv1.2) <https://tools.ietf.org/html/rfc5077#section-5.6>`_.
 Only whole seconds are considered; fractional seconds are ignored.
      .google.protobuf.Duration session_timeout = 6 [(.validate.rules) = { ... }

    • getOcspStaplePolicyValue

      int getOcspStaplePolicyValue()
       Configuration for handling certificates without an OCSP response or with expired responses.

 Defaults to ``LENIENT_STAPLING``
      .envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext.OcspStaplePolicy ocsp_staple_policy = 8 [(.validate.rules) = { ... }
      Returns:
      The enum numeric value on the wire for ocspStaplePolicy.

    • getOcspStaplePolicy

      DownstreamTlsContext.OcspStaplePolicy getOcspStaplePolicy()
       Configuration for handling certificates without an OCSP response or with expired responses.

 Defaults to ``LENIENT_STAPLING``
      .envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext.OcspStaplePolicy ocsp_staple_policy = 8 [(.validate.rules) = { ... }
      Returns:
      The ocspStaplePolicy.

    • hasFullScanCertsOnSniMismatch

      boolean hasFullScanCertsOnSniMismatch()
       Multiple certificates are allowed in Downstream transport socket to serve different SNI.
 This option controls the behavior when no matching certificate is found for the received SNI value,
 or no SNI value was sent. If enabled, all certificates will be evaluated for a match for non-SNI criteria
 such as key type and OCSP settings. If disabled, the first provided certificate will be used.
 Defaults to ``false``. See more details in :ref:`Multiple TLS certificates <arch_overview_ssl_cert_select>`.
      .google.protobuf.BoolValue full_scan_certs_on_sni_mismatch = 9;
      Returns:
      Whether the fullScanCertsOnSniMismatch field is set.

    • getFullScanCertsOnSniMismatch

      com.google.protobuf.BoolValue getFullScanCertsOnSniMismatch()
       Multiple certificates are allowed in Downstream transport socket to serve different SNI.
 This option controls the behavior when no matching certificate is found for the received SNI value,
 or no SNI value was sent. If enabled, all certificates will be evaluated for a match for non-SNI criteria
 such as key type and OCSP settings. If disabled, the first provided certificate will be used.
 Defaults to ``false``. See more details in :ref:`Multiple TLS certificates <arch_overview_ssl_cert_select>`.
      .google.protobuf.BoolValue full_scan_certs_on_sni_mismatch = 9;
      Returns:
      The fullScanCertsOnSniMismatch.

    • getFullScanCertsOnSniMismatchOrBuilder

      com.google.protobuf.BoolValueOrBuilder getFullScanCertsOnSniMismatchOrBuilder()
       Multiple certificates are allowed in Downstream transport socket to serve different SNI.
 This option controls the behavior when no matching certificate is found for the received SNI value,
 or no SNI value was sent. If enabled, all certificates will be evaluated for a match for non-SNI criteria
 such as key type and OCSP settings. If disabled, the first provided certificate will be used.
 Defaults to ``false``. See more details in :ref:`Multiple TLS certificates <arch_overview_ssl_cert_select>`.
      .google.protobuf.BoolValue full_scan_certs_on_sni_mismatch = 9;

    • getPreferClientCiphers

      boolean getPreferClientCiphers()
       If ``true``, the downstream client's preferred cipher is used during the handshake. If ``false``, Envoy
 uses its preferred cipher.

 .. note::
   This has no effect when using TLSv1_3.
      bool prefer_client_ciphers = 11;
      Returns:
      The preferClientCiphers.

    • getSessionTicketKeysTypeCase

      DownstreamTlsContext.SessionTicketKeysTypeCase getSessionTicketKeysTypeCase()