3. Security and Validation

ssl

Version

Configures inbound or outbound SSL connections.

Can be used in

Syntax

<ssl
  [algorithm="..."]
  [protocol="..."]
  [ciphers="..."]
  [clientAuth="..."]>
  <keystore
    location="..." [password="..."]
    [type="..."] [provider="..."]
    [keyPassword="..."] [keyAlias="..."] >?
  <truststore
    location="..." [password="..."]
    [type="..."] [provider="..."]
    [algorithm="..."] >?
</ssl>

Sample

<serviceProxy port="443">
  <ssl>
    <keystore
      location="../../conf/membrane.jks"
      password="secret" keyPassword="secret" />
    <truststore
      location="../../conf/membrane.jks" password="secret" />
  </ssl>
  <wsdlRewriter protocol="https" />
  <target host="thomas-bayer.com" />
</serviceProxy>

<serviceProxy port="8080">
  <path>/svn</path>
  <target host="predic8.com" port="443">
    <ssl />
  </target>
</serviceProxy>

Attributes

| Name | Required | Default | Description | Examples |
|---|---|---|---|---|
| algorithm | false | java default | getDefaultAlgorithm() | SunX509 |
| ciphers | false | all system default ciphers | Space-separated list of ciphers to allow. getSupportedCipherSuites() | TLS_ECDH_anon_WITH_RC4_128_SHA |
| clientAuth | false | not set | Either not set (=no), or want or need. | need |
| endpointIdentificationAlgorithm | false | HTTPS | See setEndpointIdentificationAlgorithm(). | - |
| ignoreTimestampCheckFailure | false | - | - | - |
| protocol | false | TLS | SSLContext.getInstance() | - |
| protocols | false | TLS* | SSLSocket.setEnabledProtocols() | - |
| serverName | false | same as target hostname. | Setting the serverName tells Java to use SNI (...) on outbound TLS connections to indicate to the TLS server which hostname the client wants to connect to. | - |
| showSSLExceptions | false | true | Tells Membrane to show SSL exceptions in its log. | - |
| useAsDefault | false | true | Whether to use the SSLContext built from this SSLParser when no SNI header was transmitted. | - |
| useExperimentalHttp2 | false | false | Whether to enable receiving HTTP/2 requests. (experimental) | - |
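As an added example (not taken from the Membrane reference or its sample), a proxies.xml fragment that combines these attributes: inbound mutual TLS with a truststore separate from the keystore and an explicit protocol and cipher allow list, plus an outbound target that sets the SNI name. File paths, passwords, host names and the key alias are placeholders.

```xml
<!-- Added example, not from the Membrane docs. Paths, passwords and
     host names are placeholders; "server" is an assumed key alias. -->
<serviceProxy port="443">
  <!-- clientAuth="need": the TLS handshake fails unless the client presents
       a certificate that chains to a CA in the truststore below -->
  <ssl clientAuth="need"
       protocols="TLSv1.2"
       ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256">
    <!-- Server identity: private key and certificate chain -->
    <keystore location="conf/server.jks"
              password="CHANGE_ME" keyPassword="CHANGE_ME" keyAlias="server" />
    <!-- Trust anchors for client certificates, kept in their own store so that
         only the CA issuing client certificates is trusted (the reference
         sample reuses the keystore as truststore, which also trusts the
         server's own certificate) -->
    <truststore location="conf/client-ca.jks" password="CHANGE_ME" />
  </ssl>
  <target host="backend.internal" port="8080" />
</serviceProxy>

<serviceProxy port="8080">
  <path>/api</path>
  <!-- Outbound TLS to an upstream addressed by IP: serverName supplies the
       SNI value and the name the upstream certificate is checked against -->
  <target host="10.0.0.5" port="443">
    <ssl serverName="api.example.com">
      <!-- Only the CA that issued the upstream certificate is trusted -->
      <truststore location="conf/upstream-ca.jks" password="CHANGE_ME" />
    </ssl>
  </target>
</serviceProxy>
```

The ciphers attribute is space-separated per the table above; protocols is shown with a single value here because the reference does not state its separator.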

Child Elements

| Element | Description | Cardinality |
|---|---|---|
| acme | Configures an ACME (RFC 8555) client, e.g. to retrieve TLS certificates from Let's Encrypt. | 0..1 |
| key | Experimental. | 0..1 |
| keyGenerator | Experimental. | 0..1 |
| keystore | Configuration element for a keystore holding private keys and certificates. | 0..1 |
| trust | Allows inserting one or more PEM blocks containing the certificates to be trusted directly into the proxies.xml file. | 0..1 |
| truststore | Configuration element for a truststore containing trusted CA certificates. | 0..1 |