tlshd.conf(5) File Formats Manual tlshd.conf(5)

NAME
tlshd.conf - tlshd configuration file

SYNOPSIS
/etc/tlshd.conf

DESCRIPTION
The tlshd program implements a user agent that services TLS handshake
requests on behalf of kernel TLS consumers. Its configuration file
contains information that the program reads when it starts up. The
file is designed to be human readable and contains a list of keywords
with values that provide various types of information. The
configuration file is considered a trusted source of information.

The tlshd program reads this file once when it is launched. Thus
changes made in this file take effect only when the tlshd program is
restarted. If this file does not exist, the tlshd program exits
immediately.

The configuration file is split into sections.

The [debug] section specifies debugging settings for the tlshd program.
In this section, there are three available options:

loglevel
This option specifies an integer which indicates the debug
message level. Zero, the quietest setting, is the default.

tls This option specifies an integer which indicates the debug
message level for TLS library calls. Zero, the quietest setting,
is the default.

nl This option specifies an integer which indicates the debug
message level for netlink library calls. Zero, the quietest
setting, is the default.

The [authentication] section specifies default authentication material
when establishing TLS sessions. In this section, there is one
available option:

keyrings
This option specifies a semicolon-separated list of auxiliary
keyrings that contain handshake authentication tokens. tlshd
links these keyrings into its session keyring. The
configuration file may specify either a keyring's name or serial
number. The default is to provide no keyring.

This section also contains two subsections: [client] and [server].
The tlshd program consults the settings in the [client] subsection when
handling the client end of a handshake, and it consults the settings in
the [server] subsection when handling the server end of a handshake.

In each of these two subsections, there are three available options:

x509.truststore
This option specifies the pathname of a file containing a
PEM-encoded trust store that is to be used to verify a certificate
during a handshake. If this option is not specified, tlshd uses
the system's trust store.

x509.certificate
This option specifies the pathname of a file containing a
PEM-encoded x.509 certificate that is to be presented during a
handshake request when no other certificate is available.

x509.private_key
This option specifies the pathname of a file containing a
PEM-encoded private key associated with the above certificate.

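Because tlshd treats this file as a trusted source and reads it only at startup, an operator will want to validate it before restarting the daemon. The following Python script is an added example, not part of this manual or of the tlshd project: it checks that the configuration file is not group- or world-writable, that the [debug] options are integers, that every x509.* option points at an existing file, that a private key is readable only by its owner, and that a certificate and its key are configured together. It assumes (the manual does not state this) that the file uses INI-style "[section]" headers with "keyword=value" lines and that the [client] and [server] subsections appear literally under those names; the sample configuration, file names and paths are constructed for the demonstration.

```python
import configparser
import os
import stat
import tempfile

# Options that name files on disk, as listed in the manual.
PATH_OPTIONS = ("x509.truststore", "x509.certificate", "x509.private_key")
# Integer-valued options of the [debug] section, as listed in the manual.
DEBUG_OPTIONS = ("loglevel", "tls", "nl")


def parse_tlshd_conf(path):
    """Read a tlshd.conf file.

    ASSUMPTION (not stated in the manual): INI-style '[section]' headers
    with 'keyword=value' lines.  optionxform=str keeps option names such
    as 'x509.private_key' case-sensitive.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    with open(path, encoding="utf-8") as fh:
        cp.read_file(fh)
    return cp


def _mode_finding(path, forbidden_bits, label):
    """Return a finding if any of forbidden_bits are set on path, else None."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & forbidden_bits:
        return f"{label} {path} has mode {mode:04o}"
    return None


def audit_tlshd_conf(conf_path):
    """Return a list of findings to resolve before (re)starting tlshd."""
    findings = []

    # tlshd treats the file as trusted, so only its owner may write it.
    f = _mode_finding(conf_path, stat.S_IWGRP | stat.S_IWOTH,
                      "config file is group- or world-writable:")
    if f:
        findings.append(f)

    cp = parse_tlshd_conf(conf_path)

    # The three [debug] options are documented as integers.
    if cp.has_section("debug"):
        for opt in DEBUG_OPTIONS:
            val = cp["debug"].get(opt)
            if val is not None and not val.strip().lstrip("-").isdigit():
                findings.append(f"[debug] {opt} must be an integer, got {val!r}")

    # Any section may carry x509.* options (the manual documents them under
    # [client] and [server]); check every referenced file.
    for section in cp.sections():
        opts = cp[section]
        for opt in PATH_OPTIONS:
            if opt not in opts:
                continue
            target = opts[opt]
            if not os.path.isfile(target):
                findings.append(f"[{section}] {opt} refers to missing file {target}")
                continue
            if opt == "x509.private_key":
                # The private key must not be readable by group or others.
                f = _mode_finding(target, stat.S_IRWXG | stat.S_IRWXO,
                                  f"[{section}] private key")
                if f:
                    findings.append(f)
        # A certificate without its key (or vice versa) cannot be presented.
        if ("x509.certificate" in opts) != ("x509.private_key" in opts):
            findings.append(f"[{section}] x509.certificate and "
                            "x509.private_key must be set together")
    return findings


def build_sample_and_audit(broken=True):
    """Construct a sample tlshd.conf in a temp dir and audit it.

    broken=True plants four mistakes (writable config, non-integer debug
    level, missing trust store, world-readable key); broken=False writes
    the corrected form, which should produce no findings.
    """
    d = tempfile.mkdtemp()
    cert = os.path.join(d, "server.crt")
    key = os.path.join(d, "server.key")
    for p in (cert, key):
        open(p, "w").close()          # empty placeholder files; contents irrelevant here
    os.chmod(cert, 0o644)
    os.chmod(key, 0o644 if broken else 0o600)
    truststore = os.path.join(d, "missing-ca.pem") if broken else cert
    conf = os.path.join(d, "tlshd.conf")
    with open(conf, "w", encoding="utf-8") as fh:
        fh.write("[debug]\nloglevel=1\ntls=0\n"
                 f"nl={'verbose' if broken else 0}\n\n"
                 "[authentication]\nkeyrings=example-keyring\n\n"   # constructed name
                 f"[client]\nx509.truststore={truststore}\n\n"
                 f"[server]\nx509.certificate={cert}\nx509.private_key={key}\n")
    os.chmod(conf, 0o664 if broken else 0o640)
    return audit_tlshd_conf(conf)


if __name__ == "__main__":
    for finding in build_sample_and_audit():
        print("WARNING:", finding)
```

Run the script as-is to see the four findings for the deliberately broken sample; pass broken=False to confirm the corrected file is clean. Pointing audit_tlshd_conf at /etc/tlshd.conf before restarting the daemon is the intended use.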
NOTES
This software is a prototype. Its purpose is for demonstration and as
a proof-of-concept. USE THIS SOFTWARE AT YOUR OWN RISK.

SEE ALSO
tlshd(8)

AUTHOR
Chuck Lever

20 Oct 2022 tlshd.conf(5)