package io.quarkus.tls.runtime.config;

import java.nio.file.Path;
import java.time.Duration;
import java.util.List;
import java.util.Optional;
import java.util.Set;

import io.quarkus.runtime.annotations.ConfigGroup;
import io.quarkus.tls.CertificateUpdatedEvent;
import io.smallrye.config.WithDefault;

@ConfigGroup
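/**
 * One named set of TLS settings: the key store and trust store to use, plus the engine parameters
 * (protocols, cipher suites, ALPN, certificate revocation, hostname verification and certificate reload).
 * <p>
 * The generic type arguments of the accessors were lost in the rendered listing (raw {@code Optional}
 * and {@code Set}); they are restored here so the interface is well-formed and type-safe.
 */
@ConfigGroup
public interface TlsBucketConfig {

    /**
     * The key store configuration.
     * Key stores are used to store private keys and their associated X.509 certificate chains.
     * For example, for {@code HTTPS}, it stores the server's private key and the server's certificate.
     * The certificate is used to prove the server's identity to the client.
     *
     * @return the key store configuration, or empty when this bucket has no key store
     */
    Optional<KeyStoreConfig> keyStore();

    /**
     * The trust store configuration.
     * Trust stores are used to store certificates from trusted entities.
     * For example, for {@code HTTPS}, it stores the certificate authorities that are trusted by the server.
     * The server uses the trust store to verify the client's certificate when mTLS (client authentication) is enabled.
     *
     * @return the trust store configuration, or empty when this bucket has no trust store
     */
    Optional<TrustStoreConfig> trustStore();

    /**
     * Sets the ordered list of enabled cipher suites.
     * If none is given, a reasonable default is selected from the built-in ciphers.
     * <p>
     * When suites are set, it takes precedence over the default suite defined by the {@code SSLEngineOptions} in use.
     *
     * @return the ordered cipher suite names, or empty to use the built-in default
     */
    Optional<List<String>> cipherSuites();

    /**
     * Sets the ordered list of enabled TLS protocols.
     * <p>
     * If not set, it defaults to {@code "TLSv1.3, TLSv1.2"}.
     * The following list of protocols are supported: {@code TLSv1, TLSv1.1, TLSv1.2, TLSv1.3}.
     * To only enable {@code TLSv1.3}, set the value to {@code "TLSv1.3"}.
     * <p>
     * Note that setting an empty list, and enabling TLS is invalid.
     * You must at least have one protocol.
     * <p>
     * Also, setting this replaces the default list of protocols: listing {@code TLSv1} or {@code TLSv1.1}
     * re-enables protocol versions that are deprecated (RFC 8996) and excluded by the default.
     *
     * @return the enabled protocol names; never empty when TLS is enabled
     */
    @WithDefault("TLSv1.3,TLSv1.2")
    Set<String> protocols();

    /**
     * The timeout for the TLS handshake phase.
     * <p>
     * If not set, it defaults to 10 seconds.
     *
     * @return the handshake timeout
     */
    @WithDefault("10S")
    Duration handshakeTimeout();

    /**
     * Enables the Application-Layer Protocol Negotiation (ALPN).
     * <p>
     * Application-Layer Protocol Negotiation is a TLS extension that allows the client and server during the TLS
     * handshake to negotiate which protocol they will use for communication. ALPN enables more efficient communication
     * by allowing the client to indicate its preferred application protocol to the server before the TLS connection is
     * established. This helps in scenarios such as HTTP/2 where multiple protocols may be available, allowing for
     * faster protocol selection.
     *
     * @return {@code true} (the default) when ALPN is enabled
     */
    @WithDefault("true")
    boolean alpn();

    /**
     * Sets the list of revoked certificates (paths to files).
     * <p>
     * A Certificate Revocation List (CRL) is a list of digital certificates that have been revoked by the issuing
     * Certificate Authority (CA) before their scheduled expiration date. When a certificate is compromised, no
     * longer needed, or deemed invalid for any reason, the CA adds it to the CRL to inform relying parties not to
     * trust the certificate anymore.
     * <p>
     * Two formats are allowed: DER and PKCS#7 (also known as P7B).
     * When using the DER format, you must pass DER-encoded CRLs.
     * When using the PKCS#7 format, you must pass PKCS#7 {@code SignedData} object, with the only significant field
     * being {@code crls}.
     * <p>
     * The CRLs are read from the file system; a CRL file that is never refreshed stops reflecting new revocations,
     * so the files should be kept current (see {@link #reloadPeriod()}).
     *
     * @return the CRL file paths, or empty when no revocation list is configured
     */
    Optional<List<Path>> certificateRevocationList();

    /**
     * If set to {@code true}, the server trusts all certificates.
     * <p>
     * This is useful for testing, but should not be used in production: the trust store is not consulted and any
     * presented certificate chain is accepted, so the peer's identity is not verified at all.
     *
     * @return {@code true} when certificate validation is disabled; defaults to {@code false}
     */
    @WithDefault("false")
    boolean trustAll();

    /**
     * The hostname verification algorithm to use in case the server's identity should be checked.
     * Should be {@code HTTPS} (default), {@code LDAPS} or {@code NONE}.
     * <p>
     * If set to {@code NONE}, it does not verify the hostname: a certificate that chains to a trusted CA is accepted
     * regardless of the name it was issued for, so only the chain, not the peer identity, is checked.
     * <p>
     * If not set, the configured extension decides the default algorithm to use.
     * For example, for HTTP, it will be "HTTPS". For TCP, it can depend on the protocol.
     * Nevertheless, it is recommended to set it to "HTTPS" or "LDAPS".
     *
     * @return the algorithm name, or empty to let the consuming extension choose
     */
    Optional<String> hostnameVerificationAlgorithm();

    /**
     * When configured, the server will reload the certificates (from the file system for example) and fires a
     * {@link CertificateUpdatedEvent} if the reload is successful.
     * <p>
     * This property configures the period to reload the certificates. If not set, the certificates won't be reloaded
     * automatically.
     * However, the application can still trigger the reload manually using the
     * {@link io.quarkus.tls.TlsConfiguration#reload()} method, and then fire the {@link CertificateUpdatedEvent}
     * manually.
     * <p>
     * The fired event is used to notify the application that the certificates have been updated, and thus proceed with
     * the actual switch of certificates.
     *
     * @return the reload period, or empty when certificates are not reloaded automatically
     */
    Optional<Duration> reloadPeriod();
}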




