/etc/tlshd/config
/etc/tlshd.conf (deprecated)
The tlshd program implements a user agent that services TLS
handshake requests on behalf of kernel TLS consumers. Its configuration file
contains information that the program reads when it starts up. The file is
designed to be human readable and contains a list of keywords with values
that provide various types of information. The configuration file is
considered a trusted source of information.
The tlshd program reads this file once when it is launched.
Thus changes made in this file take effect only when the tlshd
program is restarted. If this file does not exist, the tlshd program
exits immediately.
The configuration file is split into sections.
The [debug] section specifies debugging settings for the
tlshd program. In this section, there are three available
options:
- loglevel
- This option specifies an integer which indicates the debug message level.
Zero, the quietest setting, is the default.
- tls
- This option specifies an integer which indicates the debug message level
for TLS library calls. Zero, the quietest setting, is the default.
- nl
- This option specifies an integer which indicates the debug message level
for netlink library calls. Zero, the quietest setting, is the
default.
The [authenticate] section specifies default authentication
material when establishing TLS sessions. In this section, there is one
available option:
- keyrings
- This option specifies a semicolon-separated list of auxiliary keyrings
that contain handshake authentication tokens. tlshd links these
keyrings into its session keyring. The configuration file may specify
either a keyring's name or serial number. tlshd always includes the
.nvme, .nfs, and .nfsd keyrings on its session
keyring.
This section also contains two subsections: [client]
and [server]. The tlshd program consults the settings in the
[client] subsection when handling the client end of a handshake, and
it consults the settings in the [server] subsection when handling the
server end of a handshake.
In each of these two subsections, the following options are
available:
- x509.truststore
- This option specifies the pathname of a file containing a PEM-encoded
trust store that is to be used to verify a certificate during a handshake.
If this option is not specified, tlshd uses the system's trust
store.
- x509.crl
- This option specifies the pathname of a file containing PEM-encoded
certificate revocation lists (CRL) that are to be used to verify the
revocation status of certificates during each handshake. If this option is
not specified, CRL checking is skipped.
- x509.certificate
- This option specifies the pathname of a file containing a PEM-encoded
X.509 certificate that is to be presented during a handshake request when
no other certificate is available.
- x509.private_key
- This option specifies the pathname of a file containing a PEM-encoded
private key associated with the above certificate.
- x509.pq.certificate
- This option specifies the pathname of a file containing a PEM-encoded
X.509 certificate that is to be presented during a handshake request if
the peer supports post-quantum cryptography. The certificate must use
a post-quantum public-key algorithm (ML-DSA-44, ML-DSA-65, or
ML-DSA-87). If the peer does not support post-quantum cryptography, the
certificate configured in the x509.certificate option is presented
instead.
- x509.pq.private_key
- This option specifies the pathname of a file containing a PEM-encoded
private key associated with the above certificate.
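The following is an added example, not code from ktls-utils or its documentation. It shows the section layout described above ([debug], [authenticate] and its [client]/[server] subsections) as a constructed configuration and runs a small lint over it that applies the rules stated on this page: an absent x509.crl means revocation checking is skipped, an absent x509.truststore means the system store is used, a certificate option needs its matching private_key option, and a private key file should not be group- or world-readable. The dotted group names [authenticate.client] and [authenticate.server] are an assumption about how the subsections are spelled on disk, and every pathname and keyring name in the sample is a placeholder.

```python
"""Lint a tlshd configuration for the settings the tlshd.conf man page
describes.  Added example; not part of ktls-utils."""
import configparser
import os
import stat

# Options in the [client]/[server] subsections that name a file.
FILE_KEYS = ("x509.truststore", "x509.crl", "x509.certificate",
             "x509.private_key", "x509.pq.certificate", "x509.pq.private_key")

# Constructed sample configuration.  The dotted group names are an
# assumption about the on-disk subsection syntax; the pathnames and the
# auxiliary keyring names are placeholders, not real files or keyrings.
SAMPLE_CONFIG = """\
[debug]
loglevel=0
tls=0
nl=0

[authenticate]
keyrings=.nfs-extra;.nvme-extra

[authenticate.client]
x509.truststore=/etc/tlshd/ca-bundle.pem
x509.certificate=/etc/tlshd/client.pem
x509.private_key=/etc/tlshd/client.key

[authenticate.server]
x509.truststore=/etc/tlshd/ca-bundle.pem
x509.crl=/etc/tlshd/revoked.pem
x509.certificate=/etc/tlshd/server.pem
x509.private_key=/etc/tlshd/server.key
"""

# Constructed stat() modes standing in for the placeholder files above.
SAMPLE_MODES = {
    "/etc/tlshd/ca-bundle.pem": 0o100644,
    "/etc/tlshd/client.pem": 0o100644,
    "/etc/tlshd/client.key": 0o100644,   # deliberately world-readable
    "/etc/tlshd/server.pem": 0o100644,
    "/etc/tlshd/revoked.pem": 0o100644,
    "/etc/tlshd/server.key": 0o100600,
}

def parse_config(text):
    """Parse the keyword=value sections with the stdlib ini parser."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def keyrings(cp):
    """Return the auxiliary keyrings from the semicolon-separated list."""
    raw = cp.get("authenticate", "keyrings", fallback="")
    return [k.strip() for k in raw.split(";") if k.strip()]

def real_file_mode(path):
    """stat() a path; None if it does not exist."""
    try:
        return os.stat(path).st_mode
    except FileNotFoundError:
        return None

def lint(cp, file_mode=real_file_mode):
    """Return (side, code, detail) findings for both subsections."""
    findings = []
    for side in ("client", "server"):
        section = "authenticate." + side
        if not cp.has_section(section):
            findings.append((side, "section-missing", section))
            continue
        opts = cp[section]
        # Absent options fall back to the permissive behaviour the page names.
        if "x509.crl" not in opts:
            findings.append((side, "crl-unset", "revocation checking is skipped"))
        if "x509.truststore" not in opts:
            findings.append((side, "truststore-default", "system trust store is used"))
        # A certificate without its key (or the reverse) cannot be presented.
        for cert, key in (("x509.certificate", "x509.private_key"),
                          ("x509.pq.certificate", "x509.pq.private_key")):
            if (cert in opts) != (key in opts):
                findings.append((side, "pair-incomplete", f"{cert}/{key}"))
        for name in FILE_KEYS:
            path = opts.get(name)
            if path is None:
                continue
            mode = file_mode(path)
            if mode is None:
                findings.append((side, "file-missing", f"{name}={path}"))
            elif name.endswith("private_key") and mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append((side, "key-perms",
                                 f"{name}={path} mode {oct(stat.S_IMODE(mode))}"))
    return findings

if __name__ == "__main__":
    config = parse_config(SAMPLE_CONFIG)
    print("auxiliary keyrings:", keyrings(config))
    for finding in lint(config, SAMPLE_MODES.get):
        print("%-6s %-18s %s" % finding)
```

Run against a live host by calling `lint(parse_config(open("/etc/tlshd/config").read()))`; the default `file_mode` then stats the real files. Because tlshd reads the file only at start-up, run the lint before restarting the daemon rather than after.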