Provided by: ktls-utils_0.11-1_amd64

NAME

       tlshd.conf - tlshd configuration file

SYNOPSIS

       /etc/tlshd.conf

DESCRIPTION

       The  tlshd  program  implements a user agent that services TLS handshake requests on behalf of kernel TLS
       consumers.  Its configuration file contains information that the program reads when it  starts  up.   The
       file  is  designed  to be human readable and contains a list of keywords with values that provide various
       types of information.  The configuration file is considered a trusted source of information.

       The tlshd program reads this file once when it is launched.  Thus changes made in this file  take  effect
       only  when  the  tlshd  program  is  restarted.   If  this  file  does not exist, the tlshd program exits
       immediately.

OPTIONS

       The configuration file is split into sections.

       The [debug] section specifies debugging settings for the tlshd program.  In this section, there are three
       available options:

       loglevel
              This  option  specifies  an  integer  which indicates the debug message level.  Zero, the quietest
              setting, is the default.

       tls    This option specifies an integer which indicates the debug message level for  TLS  library  calls.
              Zero, the quietest setting, is the default.

       nl     This  option  specifies  an  integer  which  indicates the debug message level for netlink library
              calls.  Zero, the quietest setting, is the default.

       The [authenticate] section specifies default authentication material when establishing TLS sessions.   In
       this section, there is one available option:

       keyrings
              This  option  specifies  a  semicolon-separated  list of auxiliary keyrings that contain handshake
              authentication tokens.  tlshd links these keyrings into its session  keyring.   The  configuration
              file may specify either a keyring's name or serial number.  The default is to provide no keyring.

       And,  in  this section, there are two subsections: [client] and [server].  The tlshd program consults the
       settings in the [client] subsection when handling the client end of a  handshake,  and  it  consults  the
       settings in the [server] subsection when handling the server end of a handshake.

       In each of these two subsections, there are three available options:

       x509.truststore
              This  option  specifies  the pathname of a file containing a PEM-encoded trust store that is to be
              used to verify a certificate during a handshake.  If this option is not specified, tlshd uses  the
              system's trust store.

       x509.certificate
              This option specifies the pathname of a file containing a PEM-encoded x.509 certificate that is to
              be presented during a handshake request when no other certificate is available.

       x509.private_key
              This option specifies the pathname of a file containing a PEM-encoded private key associated  with
              the above certificate.
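       As an added example (not part of this man page or of ktls-utils), the following Python
       script parses a constructed tlshd.conf laid out with the sections described above and
       reports the settings a reviewer would flag before deployment: non-zero debug levels, a
       certificate configured without its private key, missing files, and a private key that is
       readable by group or others.  The subsection spellings [authenticate.client] and
       [authenticate.server], the keyring names and all file paths are assumptions.

```python
import configparser
import os
import stat
# Constructed sample configuration (not taken from the page). The subsection
# names "authenticate.client"/"authenticate.server" and all paths are assumptions.
SAMPLE_CONF = """\
[debug]
loglevel=0
tls=0
nl=0

[authenticate]
keyrings=mykeyring;12345678

[authenticate.client]
x509.truststore=/etc/tlshd/ca.pem
x509.certificate=/etc/tlshd/client.pem
x509.private_key=/etc/tlshd/client.key

[authenticate.server]
x509.certificate=/etc/tlshd/server.pem
"""

def parse_keyrings(value):
    """Split the semicolon-separated list; each entry is a keyring name or serial."""
    items = [k.strip() for k in value.split(";") if k.strip()]
    return [("serial", int(k)) if k.isdigit() else ("name", k) for k in items]

def check_config(text, exists=os.path.exists, mode=lambda p: os.stat(p).st_mode):
    """Return findings for a tlshd.conf; exists/mode are injectable for offline use."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for opt in ("loglevel", "tls", "nl"):          # debug output should be 0 in production
        if cp.getint("debug", opt, fallback=0) > 0:
            findings.append(f"debug.{opt} is non-zero: verbose handshake logging enabled")
    for sec in ("authenticate.client", "authenticate.server"):
        if not cp.has_section(sec):
            continue
        cert = cp.get(sec, "x509.certificate", fallback=None)
        pkey = cp.get(sec, "x509.private_key", fallback=None)
        if bool(cert) != bool(pkey):                # a certificate is unusable without its key
            findings.append(f"{sec}: x509.certificate and x509.private_key must be set together")
        for opt in ("x509.truststore", "x509.certificate", "x509.private_key"):
            path = cp.get(sec, opt, fallback=None)
            if path and not exists(path):
                findings.append(f"{sec}.{opt}: {path} does not exist")
        if pkey and exists(pkey) and mode(pkey) & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{sec}.x509.private_key: {pkey} is readable by group or others")
    return findings
```

       Run it against a real file with check_config(open("/etc/tlshd.conf").read()); the default
       exists/mode arguments then consult the filesystem.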

NOTES

       This  software  is  a  prototype.  Its purpose is for demonstration and as a proof-of-concept.  USE THIS
       SOFTWARE AT YOUR OWN RISK.

SEE ALSO

       tlshd(8)

AUTHOR

       Chuck Lever

                                                   20 Oct 2022                                     tlshd.conf(5)