Configures inbound or outbound SSL connections.
Syntax
```yaml
ssl:
  '$ref': <string>
  acme: {}
  algorithm: <string>
  ciphers: <string>
  clientAuth: <string>
  endpointIdentificationAlgorithm: <string>
  ignoreTimestampCheckFailure: <boolean>
  key: {}
  keyGenerator: {}
  keystore: {}
  protocol: <string>
  protocols: <string>
  serverName: <string>
  showSSLExceptions: <boolean>
  trust: {}
  truststore: {}
  useAsDefault: <boolean>
  useExperimentalHttp2: <boolean>
```
Sample
```xml
<serviceProxy port="443">
  <ssl>
    <keystore location="../../conf/membrane.jks" password="secret" keyPassword="secret" />
    <truststore location="../../conf/membrane.jks" password="secret" />
  </ssl>
  <wsdlRewriter protocol="https" />
  <target host="thomas-bayer.com" />
</serviceProxy>
<serviceProxy port="8080">
  <path>/svn</path>
  <target host="predic8.com" port="443">
    <ssl />
  </target>
</serviceProxy>
```
Attributes
| Name | Required | Default | Description | Examples |
|---|---|---|---|---|
| $ref | false | - | References a component defined under components. | - |
| algorithm | false | Java default | Algorithm name; if not set, the JVM default from getDefaultAlgorithm() is used. | SunX509 |
| ciphers | false | all system default ciphers | Space-separated list of ciphers to allow; see getSupportedCipherSuites() for the available names. | TLS_ECDH_anon_WITH_RC4_128_SHA |
| clientAuth | false | not set | Either not set (no client authentication), want, or need. | need |
| endpointIdentificationAlgorithm | false | HTTPS | See setEndpointIdentificationAlgorithm(). | - |
| ignoreTimestampCheckFailure | false | - | - | - |
| protocol | false | TLS | Protocol name passed to SSLContext.getInstance(). | - |
| protocols | false | TLS* | Enabled protocols, passed to SSLSocket.setEnabledProtocols(). | - |
| serverName | false | same as target hostname | Setting serverName tells Java to use SNI (...) on outbound TLS connections to indicate to the TLS server which hostname the client wants to connect to. | - |
| showSSLExceptions | false | true | Tells Membrane to show SSL exceptions in its log. | - |
| useAsDefault | false | true | Whether to use the SSLContext built from this SSLParser when no SNI header was transmitted. | - |
| useExperimentalHttp2 | false | false | Whether to enable receiving HTTP/2 requests (experimental). | - |
Child Structure
| Element | Cardinality | Description |
|---|---|---|
| acme | 0..1 | Configures an ACME (RFC 8555) client, e.g. to retrieve TLS certificates from Let's Encrypt. |
| key | 0..1 | Used to manually compose the keystore. |
| keyGenerator | 0..1 | Used to dynamically generate a key for the incoming connection on the fly. |
| keystore | 0..1 | Configuration element for a keystore holding private keys and certificates. |
| trust | 0..1 | Used to manually compose the truststore. |
| truststore | 0..1 | Configuration element for a truststore containing trusted CA certificates. |
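As an added example (not part of the Membrane documentation or code base), a small Python linter that walks a proxies configuration and reports weak values for the attributes and child elements described above: legacy entries in `protocols`, anonymous, RC4, NULL or export suites in `ciphers`, an `endpointIdentificationAlgorithm` other than the default HTTPS on outbound connections, and keystore or truststore passwords stored inline. The configuration it scans is constructed here (the page's two proxies plus a deliberately weak third listener on port 8443) with the real root element and namespaces omitted; treating any non-HTTPS value as weakened hostname verification is the linter's own assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the page's two proxies wrapped in a bare root (real namespaces omitted),
# plus a third listener on port 8443 with deliberately weak settings for the linter to catch.
SAMPLE_CONFIG = """<proxies>
  <serviceProxy port="443">
    <ssl>
      <keystore location="../../conf/membrane.jks" password="secret" keyPassword="secret" />
      <truststore location="../../conf/membrane.jks" password="secret" />
    </ssl>
    <target host="thomas-bayer.com" />
  </serviceProxy>
  <serviceProxy port="8080">
    <target host="predic8.com" port="443"><ssl /></target>
  </serviceProxy>
  <serviceProxy port="8443">
    <ssl protocols="SSLv3 TLSv1.2" ciphers="TLS_ECDH_anon_WITH_RC4_128_SHA TLS_AES_128_GCM_SHA256">
      <keystore location="../../conf/membrane.jks" password="secret" />
    </ssl>
    <target host="predic8.com" port="443"><ssl endpointIdentificationAlgorithm="" /></target>
  </serviceProxy>
</proxies>"""

LEGACY_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("_anon_", "_NULL_", "_RC4_", "_EXPORT_", "_MD5")

def lint_ssl(config_xml):  # returns (where, finding) tuples for every <ssl> under a serviceProxy
    findings = []
    for proxy in ET.fromstring(config_xml).iter("serviceProxy"):
        for parent in proxy.iter():  # <ssl> sits under serviceProxy (inbound) or under target (outbound)
            for ssl in parent.findall("ssl"):
                side = "inbound" if parent.tag == "serviceProxy" else "outbound"
                where = f"port {proxy.get('port')} {side}"
                # protocols and ciphers are space-separated lists of JSSE names
                for proto in ssl.get("protocols", "").split():
                    if proto in LEGACY_PROTOCOLS:
                        findings.append((where, f"legacy protocol enabled: {proto}"))
                for cipher in ssl.get("ciphers", "").split():
                    if any(marker in cipher for marker in WEAK_CIPHER_MARKERS):
                        findings.append((where, f"weak cipher allowed: {cipher}"))
                # default is HTTPS; an empty value disables Java's hostname verification (linter assumption)
                if "endpointIdentificationAlgorithm" in ssl.attrib and ssl.get("endpointIdentificationAlgorithm") != "HTTPS":
                    findings.append((where, "hostname verification weakened"))
                for store in ssl.findall("keystore") + ssl.findall("truststore"):
                    if "password" in store.attrib or "keyPassword" in store.attrib:
                        findings.append((where, f"{store.tag} password stored inline"))
    return findings

if __name__ == "__main__":
    print(*(f"{w}: {f}" for w, f in lint_ssl(SAMPLE_CONFIG)), sep="\n")
```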