Manpages

NAME

tlshd.conf - tlshd configuration file

SYNOPSIS

/etc/tlshd.conf

DESCRIPTION

The tlshd program implements a user agent that services TLS handshake requests on behalf of kernel TLS consumers. Its configuration file contains information that the program reads when it starts up. The file is designed to be human readable and contains a list of keywords with values that provide various types of information. The configuration file is considered a trusted source of information.

The tlshd program reads this file once when it is launched. Thus changes made in this file take effect only when the tlshd program is restarted. If this file does not exist, the tlshd program exits immediately.

OPTIONS

The configuration file is split into sections.

The [debug] section specifies debugging settings for the tlshd program. In this section, there are three available options:
loglevel

This option specifies an integer which indicates the debug message level. Zero, the quietest setting, is the default.

tls

This option specifies an integer which indicates the debug message level for TLS library calls. Zero, the quietest setting, is the default.

nl

This option specifies an integer which indicates the debug message level for netlink library calls. Zero, the quietest setting, is the default.

The [authenticate] section specifies default authentication material when establishing TLS sessions. In this section, there is one available option:
keyrings

This option specifies a semicolon-separated list of auxiliary keyrings that contain handshake authentication tokens. tlshd links these keyrings into its session keyring. The configuration file may specify either a keyring’s name or serial number. The default is to provide no keyring.

And, in this section, there are two subsections: [client] and [server]. The tlshd program consults the settings in the [client] subsection when handling the client end of a handshake, and it consults the settings in the [server] subsection when handling the server end of a handshake.

In each of these two subsections, there are three available options:
x509.truststore

This option specifies the pathname of a file containing a PEM-encoded trust store that is to be used to verify a certificate during a handshake. If this option is not specified, tlshd uses the system’s trust store.

x509.certificate

This option specifies the pathname of a file containing a PEM-encoded x.509 certificate that is to be presented during a handshake request when no other certificate is available.

x509.private_key

This option specifies the pathname of a file containing a PEM-encoded private key associated with the above certificate.

NOTES

This software is a prototype. It’s purpose is for demonstration and as a proof-of-concept. USE THIS SOFTWARE AT YOUR OWN RISK.

SEE ALSO

tlshd(8)

AUTHOR

Chuck Lever