# TLS Feature Configuration - Example Environment # Complete documentation of all SSL/TLS security options [features] tls = true [tls] enabled = true force_https = true # Force HTTPS redirects cert_file = "/etc/ssl/certs/example.crt" # TLS certificate file path key_file = "/etc/ssl/private/example.key" # TLS private key file path ca_file = "/etc/ssl/certs/ca-bundle.crt" # CA certificate bundle file path cert_chain_file = "" # Certificate chain file (optional) dhparam_file = "/etc/ssl/dhparam.pem" # Diffie-Hellman parameters file protocols = ["TLSv1.2", "TLSv1.3"] # Supported TLS protocol versions prefer_server_ciphers = true # Prefer server cipher order session_timeout = 300 # TLS session timeout in seconds session_cache_size = 20480 # TLS session cache size session_tickets = false # Disable session tickets for security renegotiation = false # Disable TLS renegotiation compression = false # Disable TLS compression (CRIME attack) [tls.ciphers] # Modern cipher suites for TLS 1.2 and 1.3 cipher_suites = [ # TLS 1.3 ciphers (most secure) "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_GCM_SHA256", # TLS 1.2 ciphers (secure) "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305", "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA384", "ECDHE-ECDSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA256" ] # Cipher suite selection order cipher_order = "server" # Use server cipher order preference ecdh_curves = [ # Supported ECDH curves "X25519", "prime256v1", "secp384r1" ] signature_algorithms = [ # Supported signature algorithms "rsa_pss_rsae_sha256", "rsa_pss_rsae_sha384", "rsa_pss_rsae_sha512", "ecdsa_secp256r1_sha256", "ecdsa_secp384r1_sha384", "ecdsa_secp521r1_sha512", "rsa_pkcs1_sha256", "rsa_pkcs1_sha384", "rsa_pkcs1_sha512" ] [tls.security] # HTTP Strict Transport Security (HSTS) hsts_enabled = true # Enable HSTS hsts_max_age = 31536000 # HSTS max age (1 year) hsts_include_subdomains = true # Include subdomains in HSTS hsts_preload = true # Enable HSTS preload hsts_header = "Strict-Transport-Security" # HSTS header name # Perfect Forward Secrecy pfs_enabled = true # Enable Perfect Forward Secrecy ephemeral_keys = true # Use ephemeral keys key_exchange_algorithms = [ # Supported key exchange algorithms "ECDHE", "DHE" ] # OCSP (Online Certificate Status Protocol) ocsp_enabled = true # Enable OCSP ocsp_stapling = true # Enable OCSP stapling ocsp_must_staple = true # Require OCSP must-staple ocsp_responder_url = "" # OCSP responder URL (auto-detect if empty) ocsp_cache_timeout = 3600 # OCSP response cache timeout # Certificate Transparency ct_enabled = true # Enable Certificate Transparency ct_logs = [ # Certificate Transparency log URLs "https://ct.googleapis.com/logs/argon2020/", "https://ct.googleapis.com/logs/argon2021/", "https://ct.googleapis.com/logs/argon2022/" ] ct_sct_required = true # Require SCT (Signed Certificate Timestamp) [tls.certificates] # Certificate management and validation cert_validation = true # Enable certificate validation verify_hostname = true # Verify hostname in certificate verify_expiration = true # Verify certificate expiration expiration_warning_days = 30 # Warn when certificate expires in N days check_revocation = true # Check certificate revocation status allow_self_signed = false # Allow self-signed certificates (dev only) cert_store_path = "/etc/ssl/certs" # Certificate store path trusted_ca_file = "/etc/ssl/certs/ca-certificates.crt" # Trusted CA file # Multi-domain certificates sni_enabled = true # Enable Server Name Indication (SNI) sni_strict = true # Strict SNI checking default_cert = "/etc/ssl/certs/default.crt" # Default certificate sni_certificates = [ { hostname = "api.example.com", cert_file = "/etc/ssl/certs/api.example.com.crt", key_file = "/etc/ssl/private/api.example.com.key" }, { hostname = "admin.example.com", cert_file = "/etc/ssl/certs/admin.example.com.crt", key_file = "/etc/ssl/private/admin.example.com.key" } ] # SNI certificate mappings [tls.auto_renewal] enabled = true # Enable automatic certificate renewal provider = "lets_encrypt" # Certificate provider: lets_encrypt, internal_ca acme_enabled = true # Enable ACME protocol acme_directory = "https://acme-v02.api.letsencrypt.org/directory" # ACME directory URL acme_email = "admin@example.com" # ACME account email acme_key_type = "ec256" # ACME key type: rsa2048, rsa4096, ec256, ec384 acme_challenge = "http-01" # ACME challenge type: http-01, dns-01, tls-alpn-01 renewal_threshold = 2592000 # Renewal threshold in seconds (30 days) renewal_schedule = "0 2 * * *" # Renewal check schedule (daily at 2 AM) backup_old_certs = true # Backup old certificates before renewal post_renewal_hooks = [ # Commands to run after renewal "systemctl reload nginx", "curl -X POST https://example.com/webhook/cert-renewed" ] # DNS challenge configuration (for wildcard certificates) dns_provider = "cloudflare" # DNS provider for DNS-01 challenge dns_credentials = { api_token = "${CLOUDFLARE_API_TOKEN}", zone_id = "${CLOUDFLARE_ZONE_ID}" } dns_propagation_timeout = 300 # DNS propagation timeout in seconds [tls.client_auth] enabled = false # Enable client certificate authentication require_client_cert = false # Require client certificates verify_client_cert = true # Verify client certificates client_ca_file = "/etc/ssl/certs/client-ca.crt" # Client CA certificate file client_cert_store = "/etc/ssl/client-certs" # Client certificate store revocation_check = true # Check client certificate revocation crl_file = "/etc/ssl/crl/client-crl.pem" # Certificate Revocation List file ocsp_client_check = true # OCSP check for client certificates # Client certificate policies client_cert_policies = [ { path = "/api/admin/*", require_cert = true, allowed_cas = ["internal-ca", "partner-ca"] }, { path = "/api/public/*", require_cert = false, allowed_cas = [] } ] [tls.monitoring] enabled = true # Enable TLS monitoring health_checks = true # Enable TLS health checks cert_expiry_monitoring = true # Monitor certificate expiry cipher_monitoring = true # Monitor cipher usage protocol_monitoring = true # Monitor protocol usage handshake_monitoring = true # Monitor TLS handshakes error_monitoring = true # Monitor TLS errors performance_monitoring = true # Monitor TLS performance # Monitoring thresholds and alerts # Monitoring thresholds and alerts alert_thresholds = [ { metric = "cert_expiry_days", value = 30, description = "Alert when certificate expires in N days" }, { metric = "handshake_errors", value = 5.0, description = "Alert when handshake error rate > N%" }, { metric = "weak_cipher_usage", value = 1.0, description = "Alert when weak cipher usage > N%" }, { metric = "tls_version_compliance", value = 95.0, description = "Alert when modern TLS usage < N%" } ] # Monitoring endpoints metrics_endpoint = "/metrics/tls" # TLS metrics endpoint health_endpoint = "/health/tls" # TLS health check endpoint status_endpoint = "/status/tls" # TLS status endpoint [tls.logging] enabled = true # Enable TLS logging log_level = "info" # Log level: error, warn, info, debug log_file = "/var/log/rustelo/tls.log" # TLS log file path log_format = "json" # Log format: json, plain log_rotation = true # Enable log rotation max_log_size = 104857600 # Maximum log file size (100MB) max_log_files = 10 # Maximum log files to keep # What to log log_handshakes = true # Log TLS handshakes log_certificate_events = true # Log certificate events log_errors = true # Log TLS errors log_cipher_usage = false # Log cipher usage (verbose) log_client_certs = true # Log client certificate events log_performance = false # Log performance metrics (verbose) log_security_events = true # Log security-related events [tls.performance] enabled = true # Enable performance optimizations session_resumption = true # Enable session resumption session_cache = "shared" # Session cache type: off, builtin, shared cache_size = 1048576 # Session cache size in bytes cache_timeout = 300 # Session cache timeout in seconds early_data = false # Enable TLS 1.3 early data (0-RTT) max_early_data = 16384 # Maximum early data size async_handshakes = true # Enable async TLS handshakes handshake_timeout = 10 # Handshake timeout in seconds buffer_size = 16384 # TLS buffer size tcp_nodelay = true # Disable Nagle's algorithm for TLS keepalive = true # Enable TCP keepalive for TLS connections [tls.compatibility] # Compatibility settings for older clients legacy_support = false # Enable legacy TLS support (not recommended) min_tls_version = "1.2" # Minimum TLS version max_tls_version = "1.3" # Maximum TLS version fallback_scsv = true # Enable Fallback SCSV (RFC 7507) secure_renegotiation = true # Enable secure renegotiation client_renegotiation = false # Allow client-initiated renegotiation compression_disabled = true # Disable TLS compression rc4_disabled = true # Disable RC4 ciphers weak_dh_disabled = true # Disable weak DH parameters export_ciphers_disabled = true # Disable export ciphers null_ciphers_disabled = true # Disable NULL ciphers anonymous_ciphers_disabled = true # Disable anonymous ciphers [tls.testing] enabled = false # Enable TLS testing (development only) test_certificates = true # Use test certificates self_signed_allowed = true # Allow self-signed certificates weak_ciphers_allowed = false # Allow weak ciphers for testing insecure_protocols_allowed = false # Allow insecure protocols for testing certificate_validation_disabled = false # Disable certificate validation hostname_verification_disabled = false # Disable hostname verification test_client_certs = false # Use test client certificates mock_ocsp_responses = false # Mock OCSP responses ssl_labs_testing = false # Enable SSL Labs API testing [tls.compliance] # Compliance with security standards pci_dss_compliance = true # Enable PCI DSS compliance fips_mode = false # Enable FIPS mode common_criteria = false # Enable Common Criteria compliance fedramp_compliance = false # Enable FedRAMP compliance hipaa_compliance = false # Enable HIPAA compliance gdpr_compliance = true # Enable GDPR compliance # Security policy enforcement security_policy = "modern" # Security policy: modern, intermediate, legacy policy_enforcement = "strict" # Policy enforcement: strict, moderate, relaxed audit_mode = false # Enable audit mode (log violations only) block_violations = true # Block policy violations violation_logging = true # Log policy violations [tls.advanced] # Advanced TLS configuration options custom_extensions = [] # Custom TLS extensions alpn_protocols = ["h2", "http/1.1"] # ALPN protocol list npn_protocols = [] # NPN protocol list (deprecated) key_update_enabled = true # Enable TLS 1.3 key updates post_handshake_auth = false # Enable post-handshake authentication record_size_limit = 16384 # TLS record size limit max_fragment_length = 16384 # Maximum fragment length heartbeat_enabled = false # Enable heartbeat extension (disabled for security) ticket_keys_rotation = true # Enable ticket key rotation psk_enabled = false # Enable pre-shared keys external_psk = false # Enable external PSK hybrid_encryption = false # Enable hybrid encryption (quantum-resistant) # Custom cipher suites for specific use cases custom_cipher_suites = [] # Custom cipher suite configurations cipher_suite_preferences = [] # Cipher suite preference overrides protocol_preferences = [] # Protocol preference overrides