Provided by: ktls-utils_0.11-1_amd64

NAME

       tlshd.conf - tlshd configuration file

SYNOPSIS

       /etc/tlshd.conf

DESCRIPTION

       The  tlshd  program implements a user agent that services TLS handshake requests on behalf
       of kernel TLS consumers.  Its configuration file contains  information  that  the  program
       reads when it starts up.  The file is designed to be human readable and contains a list of
       keywords with values that provide various types of information.  The configuration file is
       considered a trusted source of information.

       The  tlshd  program  reads  this file once when it is launched.  Thus changes made in this
       file take effect only when the tlshd program is restarted.  If this file does  not  exist,
       the tlshd program exits immediately.

OPTIONS

       The configuration file is split into sections.

       The  [debug] section specifies debugging settings for the tlshd program.  In this section,
       there are three available options:

       loglevel
              This option specifies an integer which indicates the debug  message  level.   Zero,
              the quietest setting, is the default.

       tls    This  option  specifies  an integer which indicates the debug message level for TLS
              library calls.  Zero, the quietest setting, is the default.

       nl     This option specifies an integer  which  indicates  the  debug  message  level  for
              netlink library calls.  Zero, the quietest setting, is the default.

       The [authenticate] section specifies default authentication material when establishing TLS
       sessions.  In this section, there is one available option:

       keyrings
              This option specifies a semicolon-separated list of auxiliary keyrings that contain
              handshake  authentication  tokens.   tlshd  links  these  keyrings into its session
              keyring.  The configuration file may specify either  a  keyring's  name  or  serial
              number.  The default is to provide no keyring.

       And, in this section, there are two subsections: [client] and [server].  The tlshd program
       consults the settings in the [client]  subsection  when  handling  the  client  end  of  a
       handshake,  and  it  consults  the  settings  in the [server] subsection when handling the
       server end of a handshake.

       In each of these two subsections, there are three available options:

       x509.truststore
              This option specifies the pathname of a file containing a PEM-encoded  trust  store
              that  is  to be used to verify a certificate during a handshake.  If this option is
              not specified, tlshd uses the system's trust store.

       x509.certificate
              This option specifies the  pathname  of  a  file  containing  a  PEM-encoded  x.509
              certificate  that  is  to  be  presented  during  a handshake request when no other
              certificate is available.

       x509.private_key
              This option specifies the pathname of a file containing a PEM-encoded  private  key
              associated with the above certificate.
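       A complete tlshd.conf assembled from the options above, added here as an illustration
       rather than a file shipped with ktls-utils.  The pathnames and keyring names are
       placeholders, and the dotted [authenticate.client] / [authenticate.server] headers are
       an assumption about how the [client] and [server] subsections are spelled in the file.

```ini
# /etc/tlshd.conf (constructed example, not the packaged default)
# tlshd treats this file as a trusted source, so keep it root-owned and
# writable only by root.  It is read once at startup: restart tlshd
# after changing it.

[debug]
# Keep all three at 0 in production; raise them only while diagnosing a
# failing handshake, because higher levels log handshake details.
loglevel=0
tls=0
nl=0

[authenticate]
# Semicolon-separated auxiliary keyrings holding handshake
# authentication tokens; each entry is a keyring name or serial number.
# The names below are constructed placeholders.
keyrings=nfs_tls;nvme_tls

# Assumed spelling of the [client] subsection.
[authenticate.client]
# Private CA bundle used to verify the server certificate.  Omit this
# line to fall back to the system trust store.
x509.truststore=/etc/tlshd/client-ca.pem
# Certificate and key presented when no other certificate is available.
# The key file should be readable only by root.
x509.certificate=/etc/tlshd/client.pem
x509.private_key=/etc/tlshd/client.key

# Assumed spelling of the [server] subsection.
[authenticate.server]
x509.truststore=/etc/tlshd/server-ca.pem
x509.certificate=/etc/tlshd/server.pem
x509.private_key=/etc/tlshd/server.key
```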

NOTES

       This software is a prototype.  Its purpose is for demonstration and as a proof-of-
       concept.  USE THIS SOFTWARE AT YOUR OWN RISK.

SEE ALSO

       tlshd(8)

AUTHOR

       Chuck Lever

                                           20 Oct 2022                              tlshd.conf(5)