TLS context

{
  "alpn_protocols": "...",
  "cert_chain_file": "...",
  "private_key_file": "...",
  "ca_cert_file": "...",
  "verify_certificate_hash": "...",
  "verify_subject_alt_name": [],
  "cipher_suites": "...",
  "ecdh_curves": "...",
  "sni": "..."
}

alpn_protocols

(optional, string) Supplies the list of ALPN protocols that connections should request. In practice this is likely to be set to a single value or not set at all:

• “h2” If upstream connections should use HTTP/2. In the current implementation this must be set alongside the http2 cluster features option. The two options together will use ALPN to tell a server that expects ALPN that Envoy supports HTTP/2. Then the http2 feature will cause new connections to use HTTP/2.

cert_chain_file

(optional, string) The certificate chain file that should be served by the connection. This is used to provide a client side TLS certificate to an upstream host.

private_key_file

(optional, string) The private key that corresponds to the certificate chain file.

ca_cert_file

(optional, string) A file containing certificate authority certificates to use in verifying a presented server certificate.

verify_certificate_hash

(optional, string) If specified, Envoy will verify (pin) the hash of the presented server certificate.

verify_subject_alt_name

(optional, array) An optional list of subject alt names. If specified, Envoy will verify that the server certificate’s subject alt name matches one of the specified values.

cipher_suites

(optional, string) If specified, the TLS connection will only support the specified cipher list. If not specified, the default list:

[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]
[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA
ECDHE-RSA-AES128-SHA
AES128-GCM-SHA256
AES128-SHA256
AES128-SHA
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES256-SHA
ECDHE-RSA-AES256-SHA
AES256-GCM-SHA384
AES256-SHA256
AES256-SHA

will be used.

ecdh_curves

(optional, string) If specified, the TLS connection will only support the specified ECDH curves. If not specified, the default curves (X25519, P-256) will be used.

sni

(optional, string) If specified, the string will be presented as the SNI during the TLS handshake.