Interface UpstreamTlsContextOrBuilder

All Superinterfaces:
com.google.protobuf.MessageLiteOrBuilder, com.google.protobuf.MessageOrBuilder
All Known Implementing Classes:
UpstreamTlsContext, UpstreamTlsContext.Builder

public interface UpstreamTlsContextOrBuilder extends com.google.protobuf.MessageOrBuilder
  • Method Summary

    | Modifier and Type | Method | Description |
    |---|---|---|
    | boolean | getAllowRenegotiation() | If true, server-initiated TLS renegotiation will be allowed. .. attention:: TLS renegotiation is considered insecure and shouldn't be used unless absolutely necessary. |
    | boolean | getAutoHostSni() | If true, replaces the SNI for the connection with the hostname of the upstream host, if the hostname is known due to either a DNS cluster type or the :ref:`hostname <envoy_v3_api_field_config.endpoint.v3.Endpoint.hostname>` is set on the host. |
    | boolean | getAutoSniSanValidation() | If true, replaces any Subject Alternative Name (SAN) validations with a validation for a DNS SAN matching the SNI value sent. |
    | CommonTlsContext | getCommonTlsContext() | Common TLS context settings. .. attention:: Server certificate verification is not enabled by default. |
    | CommonTlsContextOrBuilder | getCommonTlsContextOrBuilder() | Common TLS context settings. .. attention:: Server certificate verification is not enabled by default. |
    | com.google.protobuf.BoolValue | getEnforceRsaKeyUsage() | Controls enforcement of the ``keyUsage`` extension in peer certificates. |
    | com.google.protobuf.BoolValueOrBuilder | getEnforceRsaKeyUsageOrBuilder() | Controls enforcement of the ``keyUsage`` extension in peer certificates. |
    | com.google.protobuf.UInt32Value | getMaxSessionKeys() | Maximum number of session keys (Pre-Shared Keys for TLSv1.3+, Session IDs and Session Tickets for TLSv1.2 and older) to be stored for session resumption. |
    | com.google.protobuf.UInt32ValueOrBuilder | getMaxSessionKeysOrBuilder() | Maximum number of session keys (Pre-Shared Keys for TLSv1.3+, Session IDs and Session Tickets for TLSv1.2 and older) to be stored for session resumption. |
    | String | getSni() | SNI string to use when creating TLS backend connections. |
    | com.google.protobuf.ByteString | getSniBytes() | SNI string to use when creating TLS backend connections. |
    | boolean | hasCommonTlsContext() | Common TLS context settings. .. attention:: Server certificate verification is not enabled by default. |
    | boolean | hasEnforceRsaKeyUsage() | Controls enforcement of the ``keyUsage`` extension in peer certificates. |
    | boolean | hasMaxSessionKeys() | Maximum number of session keys (Pre-Shared Keys for TLSv1.3+, Session IDs and Session Tickets for TLSv1.2 and older) to be stored for session resumption. |

    Methods inherited from interface com.google.protobuf.MessageLiteOrBuilder

    isInitialized

    Methods inherited from interface com.google.protobuf.MessageOrBuilder

    findInitializationErrors, getAllFields, getDefaultInstanceForType, getDescriptorForType, getField, getInitializationErrorString, getOneofFieldDescriptor, getRepeatedField, getRepeatedFieldCount, getUnknownFields, hasField, hasOneof
  • Method Details

    • hasCommonTlsContext

      boolean hasCommonTlsContext()
       Common TLS context settings.
      
       .. attention::
      
         Server certificate verification is not enabled by default. To enable verification, configure
         :ref:`trusted_ca<envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
       
      .envoy.extensions.transport_sockets.tls.v3.CommonTlsContext common_tls_context = 1;
      Returns:
      Whether the commonTlsContext field is set.
    • getCommonTlsContext

      CommonTlsContext getCommonTlsContext()
       Common TLS context settings.
      
       .. attention::
      
         Server certificate verification is not enabled by default. To enable verification, configure
         :ref:`trusted_ca<envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
       
      .envoy.extensions.transport_sockets.tls.v3.CommonTlsContext common_tls_context = 1;
      Returns:
      The commonTlsContext.
    • getCommonTlsContextOrBuilder

      CommonTlsContextOrBuilder getCommonTlsContextOrBuilder()
       Common TLS context settings.
      
       .. attention::
      
         Server certificate verification is not enabled by default. To enable verification, configure
         :ref:`trusted_ca<envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
       
      .envoy.extensions.transport_sockets.tls.v3.CommonTlsContext common_tls_context = 1;
    • getSni

      String getSni()
       SNI string to use when creating TLS backend connections.
       
      string sni = 2 [(.validate.rules) = { ... }
      Returns:
      The sni.
    • getSniBytes

      com.google.protobuf.ByteString getSniBytes()
       SNI string to use when creating TLS backend connections.
       
      string sni = 2 [(.validate.rules) = { ... }
      Returns:
      The bytes for sni.
    • getAutoHostSni

      boolean getAutoHostSni()
       If true, replaces the SNI for the connection with the hostname of the upstream host, if
       the hostname is known due to either a DNS cluster type or the
       :ref:`hostname <envoy_v3_api_field_config.endpoint.v3.Endpoint.hostname>` is set on
       the host.
      
       See :ref:`SNI configuration <start_quick_start_securing_sni_client>` for details on how this
       interacts with other validation options.
       
      bool auto_host_sni = 6;
      Returns:
      The autoHostSni.
    • getAutoSniSanValidation

      boolean getAutoSniSanValidation()
       If true, replaces any Subject Alternative Name (SAN) validations with a validation for a DNS SAN matching
       the SNI value sent. The validation uses the actual requested SNI, regardless of how the SNI is configured.
      
       For common cases where an SNI value is present and the server certificate should include a corresponding SAN,
       this option ensures the SAN is properly validated.
      
       See the :ref:`validation configuration <start_quick_start_securing_validation>` for how this interacts with
       other validation options.
       
      bool auto_sni_san_validation = 7;
      Returns:
      The autoSniSanValidation.
    • getAllowRenegotiation

      boolean getAllowRenegotiation()
       If true, server-initiated TLS renegotiation will be allowed.
      
       .. attention::
      
         TLS renegotiation is considered insecure and shouldn't be used unless absolutely necessary.
       
      bool allow_renegotiation = 3;
      Returns:
      The allowRenegotiation.
    • hasMaxSessionKeys

      boolean hasMaxSessionKeys()
       Maximum number of session keys (Pre-Shared Keys for TLSv1.3+, Session IDs and Session Tickets
       for TLSv1.2 and older) to be stored for session resumption.
      
       Defaults to 1; setting this to 0 disables session resumption.
       
      .google.protobuf.UInt32Value max_session_keys = 4;
      Returns:
      Whether the maxSessionKeys field is set.
    • getMaxSessionKeys

      com.google.protobuf.UInt32Value getMaxSessionKeys()
       Maximum number of session keys (Pre-Shared Keys for TLSv1.3+, Session IDs and Session Tickets
       for TLSv1.2 and older) to be stored for session resumption.
      
       Defaults to 1; setting this to 0 disables session resumption.
       
      .google.protobuf.UInt32Value max_session_keys = 4;
      Returns:
      The maxSessionKeys.
    • getMaxSessionKeysOrBuilder

      com.google.protobuf.UInt32ValueOrBuilder getMaxSessionKeysOrBuilder()
       Maximum number of session keys (Pre-Shared Keys for TLSv1.3+, Session IDs and Session Tickets
       for TLSv1.2 and older) to be stored for session resumption.
      
       Defaults to 1; setting this to 0 disables session resumption.
       
      .google.protobuf.UInt32Value max_session_keys = 4;
    • hasEnforceRsaKeyUsage

      boolean hasEnforceRsaKeyUsage()
       Controls enforcement of the ``keyUsage`` extension in peer certificates. If set to ``true``, the handshake will fail if
       the ``keyUsage`` is incompatible with TLS usage.
      
       .. note::
         The default value is ``false`` (i.e., enforcement off). It is expected to change to ``true`` in a future release.
      
       The ``ssl.was_key_usage_invalid`` metric in :ref:`listener metrics <config_listener_stats>` will be incremented
       for configurations that would fail if this option were enabled.
       
      .google.protobuf.BoolValue enforce_rsa_key_usage = 5;
      Returns:
      Whether the enforceRsaKeyUsage field is set.
    • getEnforceRsaKeyUsage

      com.google.protobuf.BoolValue getEnforceRsaKeyUsage()
       Controls enforcement of the ``keyUsage`` extension in peer certificates. If set to ``true``, the handshake will fail if
       the ``keyUsage`` is incompatible with TLS usage.
      
       .. note::
         The default value is ``false`` (i.e., enforcement off). It is expected to change to ``true`` in a future release.
      
       The ``ssl.was_key_usage_invalid`` metric in :ref:`listener metrics <config_listener_stats>` will be incremented
       for configurations that would fail if this option were enabled.
       
      .google.protobuf.BoolValue enforce_rsa_key_usage = 5;
      Returns:
      The enforceRsaKeyUsage.
    • getEnforceRsaKeyUsageOrBuilder

      com.google.protobuf.BoolValueOrBuilder getEnforceRsaKeyUsageOrBuilder()
       Controls enforcement of the ``keyUsage`` extension in peer certificates. If set to ``true``, the handshake will fail if
       the ``keyUsage`` is incompatible with TLS usage.
      
       .. note::
         The default value is ``false`` (i.e., enforcement off). It is expected to change to ``true`` in a future release.
      
       The ``ssl.was_key_usage_invalid`` metric in :ref:`listener metrics <config_listener_stats>` will be incremented
       for configurations that would fail if this option were enabled.
       
      .google.protobuf.BoolValue enforce_rsa_key_usage = 5;
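
Added example (not part of the generated API or the Envoy project's code): a small audit that reads an `UpstreamTlsContextOrBuilder` and reports the settings the notes above call out, namely no `trusted_ca`, `allow_renegotiation`, and `enforce_rsa_key_usage` left at its default. The class name `UpstreamTlsAudit`, the Java package `io.envoyproxy.envoy.extensions.transport_sockets.tls.v3` (as published by java-control-plane), the host name and the CA path are assumptions.

```java
import com.google.protobuf.BoolValue;
import io.envoyproxy.envoy.config.core.v3.DataSource;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContextOrBuilder;
import java.util.ArrayList;
import java.util.List;

// Hypothetical helper (not part of the generated API): flags the risky settings documented above.
public final class UpstreamTlsAudit {
  static List<String> audit(UpstreamTlsContextOrBuilder ctx) {
    List<String> findings = new ArrayList<>();
    CommonTlsContext common = ctx.getCommonTlsContext(); // default instance when unset
    if (common.hasValidationContext()) {
      // Inline context: per the attention note, verification needs trusted_ca.
      if (!common.getValidationContext().hasTrustedCa()) {
        findings.add("validation_context has no trusted_ca: server certificate not verified");
      }
    } else if (!common.hasCombinedValidationContext()
        && !common.hasValidationContextSdsSecretConfig()) {
      // SDS-delivered and combined contexts are not inspected by this example.
      findings.add("no validation context: server certificate not verified");
    }
    if (ctx.getAllowRenegotiation()) {
      findings.add("allow_renegotiation=true: server-initiated renegotiation permitted");
    }
    // An unset BoolValue means the documented default, false.
    if (!ctx.hasEnforceRsaKeyUsage() || !ctx.getEnforceRsaKeyUsage().getValue()) {
      findings.add("enforce_rsa_key_usage off: incompatible keyUsage will not fail the handshake");
    }
    if (ctx.getAutoSniSanValidation() && ctx.getSni().isEmpty() && !ctx.getAutoHostSni()) {
      findings.add("auto_sni_san_validation set but this message configures no SNI source");
    }
    return findings;
  }

  public static void main(String[] args) {
    // Constructed sample values; the host name and CA path are placeholders.
    UpstreamTlsContext weak = UpstreamTlsContext.newBuilder()
        .setSni("backend.example.internal").setAllowRenegotiation(true).build();
    UpstreamTlsContext hardened = UpstreamTlsContext.newBuilder()
        .setSni("backend.example.internal").setAutoSniSanValidation(true)
        .setEnforceRsaKeyUsage(BoolValue.of(true))
        .setCommonTlsContext(CommonTlsContext.newBuilder().setValidationContext(
            CertificateValidationContext.newBuilder().setTrustedCa(
                DataSource.newBuilder().setFilename("/path/to/ca.pem"))))
        .build();
    audit(weak).forEach(f -> System.out.println("weak: " + f));
    System.out.println("hardened findings: " + audit(hardened).size());
  }
}
```

Because the method takes the `OrBuilder` interface, the same check works on a built `UpstreamTlsContext` and on an `UpstreamTlsContext.Builder` that is still being assembled.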