
TLSv13Config

saq.sandwich.proto.api.v1.TLSv13Config

Description

A configuration that constrains the Compliance rules, the key establishment (KE) algorithms and the ciphersuites used for TLS version 1.3.

message TLSv13Config {
  // Constraints applied on the choice of algorithms in the configuration.
  //
  // See [Compliance](Compliance.md).
  Compliance compliance = 1;

  // The key establishment (KE) algorithms to enforce.
  //
  // If the remote peer does not support at least one KE algorithm specified
  // in this list, the handshake will fail.
  // The algorithms in KE are listed in preference order.
  repeated string ke = 2;

  // Sets the TLS 1.3 ciphersuites.
  //
  // Ciphersuite names must be the IANA names.
  //
  // Does not apply to BoringSSL.
  // See
  // https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#Cipher-suite-configuration
  //
  // See [RFC 8446 Appendix
  // B.4](https://datatracker.ietf.org/doc/html/rfc8446#appendix-B.4) for the
  // list of supported cipher suites in TLS 1.3.
  //
  // If ciphersuite is **not** set, the default ciphersuites listed here are
  // used in preference order:
  //
  // | Default 256 bits security ciphersuites |
  // |----------------------------------------|
  // | TLS_CHACHA20_POLY1305_SHA256           |
  // | TLS_AES_256_GCM_SHA384                 |
  //
  // | Default 128 bits security ciphersuites |
  // |----------------------------------------|
  // | TLS_AES_128_GCM_SHA256                 |
  repeated string ciphersuite = 3;

  // Next id: 4
}

Fields

compliance

Constraints applied on the choice of algorithms in the configuration.

See Compliance.

Compliance compliance = 1;

ke

The key establishment (KE) algorithms to enforce.

If the remote peer does not support at least one KE algorithm specified in this list, the handshake will fail. The algorithms in KE are listed in preference order.

repeated string ke = 2;

ciphersuite

Sets the TLS 1.3 ciphersuites.

Ciphersuite names must be the IANA names.

Does not apply to BoringSSL. See https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#Cipher-suite-configuration

See RFC 8446 Appendix B.4 for the list of supported cipher suites in TLS 1.3.

If ciphersuite is not set, the default ciphersuites listed here are used in preference order:

| Default 256 bits security ciphersuites |
|----------------------------------------|
| TLS_CHACHA20_POLY1305_SHA256           |
| TLS_AES_256_GCM_SHA384                 |

| Default 128 bits security ciphersuites |
|----------------------------------------|
| TLS_AES_128_GCM_SHA256                 |

repeated string ciphersuite = 3;
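As an added example (not the Sandwich project's own code), the following Python applies the `ciphersuite` rules documented above: a plain dataclass stands in for the generated `TLSv13Config` class, the accepted names are the IANA TLS 1.3 names from RFC 8446 Appendix B.4, and the `min_bits` selector used to pick between the 256-bit and 128-bit default tables is an assumption of the example.

```python
from dataclasses import dataclass, field

# TLS 1.3 cipher suites by IANA name (RFC 8446 Appendix B.4), with the
# symmetric key strength in bits that each one provides.
IANA_TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256": 128,
    "TLS_AES_256_GCM_SHA384": 256,
    "TLS_CHACHA20_POLY1305_SHA256": 256,
    "TLS_AES_128_CCM_SHA256": 128,
    "TLS_AES_128_CCM_8_SHA256": 128,
}

# The defaults documented on this page, in preference order (256-bit first).
DEFAULT_CIPHERSUITES = [
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_AES_128_GCM_SHA256",
]


@dataclass
class TLSv13Config:
    """Hypothetical stand-in mirroring the proto fields (not the generated class)."""
    ke: list[str] = field(default_factory=list)
    ciphersuite: list[str] = field(default_factory=list)


def reject_reasons(cfg: TLSv13Config, min_bits: int = 128) -> list[str]:
    """Explain why an explicit `ciphersuite` list would be refused (empty = OK).
    `min_bits` is an assumption of this example; the page groups its defaults
    into 256-bit and 128-bit tables but does not name the selector."""
    reasons = []
    for name in cfg.ciphersuite:
        bits = IANA_TLS13_SUITES.get(name)
        if bits is None:  # e.g. an OpenSSL-style name such as "TLS13-AES-256-GCM-SHA384"
            reasons.append(f"{name!r} is not an IANA TLS 1.3 cipher suite name")
        elif bits < min_bits:
            reasons.append(f"{name} gives {bits}-bit security, below {min_bits}")
    return reasons


def effective_ciphersuites(cfg: TLSv13Config, min_bits: int = 128) -> list[str]:
    """Ordered suites the configuration offers: the explicit list if set and
    valid, otherwise the page's defaults at or above `min_bits`."""
    if cfg.ciphersuite:
        problems = reject_reasons(cfg, min_bits)
        if problems:
            raise ValueError("; ".join(problems))
        return list(dict.fromkeys(cfg.ciphersuite))  # drop duplicates, keep order
    return [n for n in DEFAULT_CIPHERSUITES if IANA_TLS13_SUITES[n] >= min_bits]
```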