Transport Layer Security (TLS) - Inbound
Transport Layer Security Policy - Inbound
Policy Name |
|
Summary |
Enables authentication between a client and the API proxy |
Category |
Security |
First Flex Gateway version available |
v1.0.0 (inbound mTLS: v1.3.0) |
Returned Status Codes |
No return codes exist for this policy. |
The following document applies only to Flex Gateway running in Local Mode. To configure TLS in Connected Mode, see Configuring TLS Context for Flex Gateway in Connected Mode. |
Summary
Flex Gateway supports inbound Transport Layer Security (TLS) and inbound mutual authentication TLS (mTLS) in Local Mode.
To apply inbound TLS in Local Mode, use the Configuring TLS Context for Flex Gateway in Local Mode tutorial and refer to the following configuration files in this documentation.
You can configure an inbound TLS context to enable authentication between a client and the API instance (HTTPS) by binding the TLS policy to your API instance or to all instances in your Flex Gateway.
Flex Gateway implements port-level inbound TLS, meaning if you apply an inbound TLS to an API instance that shares a port with other instances, the same inbound TLS context is applied to all instances sharing the port. Flex Gateway supports multiple TLS certificates on a single gateway, but you must apply the certificates to unique ports. If you apply inbound TLS to one API instance, you do not need to apply the same inbound TLS context to instances that share that port. Consequently, you cannot apply different inbound TLS contexts to API instances that share the same port.
Port sharing is not a concern for outbound TLS. You can apply an outbound TLS context for each individual upstream service.
TLS policies do not support policy ordering. |
Configuring Policy Parameters
To use HTTPS as your schema when creating an API instance using Flex Gateway as your runtime, you must manually configure the TLS context in a YAML configuration file.
Refer to the following policy definition and table of parameters:
- policyRef: name: tls config: requireClientCertificate: <boolean> // OPTIONAL trustedCA: <string> // OPTIONAL certificate: // REQUIRED key: <string> // REQUIRED crt: <string> // REQUIRED alpn: <array> // OPTIONAL minversion: <string> // OPTIONAL maxversion: <string> // OPTIONAL ciphers: <array> // OPTIONAL
Not including optional parameters in your configuration file applies the parameters default values to your TLS context.
When configuring the ciphers
parameter, see TLS Cipher Support on Flex Gateway for the supported ciphers.
Parameter | Required or Optional | Default Value | Description |
---|---|---|---|
|
Optional |
false |
Enables/disables inbound mTLS |
|
Optional, unless |
N/A |
The client certificate used in mTLS |
|
Required |
N/A |
A TLS certificate key pair. To comply with security standards, all certificates must be 2048 bits or longer. |
|
Required |
N/A |
The private key part of the certificate |
|
Required |
N/A |
The public key part of the certificate |
|
Optional |
|
A prioritized list of supported application level protocols; for example, h2, http/1.1, and so forth. |
|
Optional |
|
The minimum TLS version allowed |
|
Optional |
|
The maximum TLS version allowed |
|
Optional |
For the default and other supported ciphers, see TLS Cipher Support on Flex Gateway. |
A list of supported TLS ciphers (IANA format). For the supported ciphers, see TLS Cipher Support on Flex Gateway. |
Resource Configuration Examples
You can format the YAML file to configure TLS or mTLS either for a specific API instance or for all API instances running on your Flex Gateway.
Apply TLS Configuration to All API Instances
Sample configuration for adding inbound TLS context for all API instances running on this Flex Gateway:
apiVersion: gateway.mulesoft.com/v1alpha1
kind: PolicyBinding
metadata:
name: ingress-https-tls
spec:
targetRef:
kind: Selector
selector:
kind: ApiInstance
policyRef:
name: tls
config:
certificate:
key: |
# -----BEGIN PRIVATE KEY-----
# insert certificate key
# -----END PRIVATE KEY-----
crt: |
# -----BEGIN CERTIFICATE-----
# insert certificate
# -----END CERTIFICATE-----
alpn:
- http/1.1
- h2
minversion: "1.1"
maxversion: "1.3"
ciphers:
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_RSA_WITH_AES_256_CBC_SHA
Apply TLS Configuration to a Specific API Instance
Sample configuration for adding inbound TLS context for a specific API instance:
apiVersion: gateway.mulesoft.com/v1alpha1
kind: PolicyBinding
metadata:
name: ingress-https-tls
spec:
targetRef:
kind: ApiInstance
name: ingress-https
policyRef:
name: tls
config:
certificate:
key: |
# -----BEGIN PRIVATE KEY-----
# insert certificate key
# -----END PRIVATE KEY-----
crt: |
# -----BEGIN CERTIFICATE-----
# insert certificate
# -----END CERTIFICATE-----
alpn:
- http/1.1
- h2
minversion: "1.1"
maxversion: "1.3"
ciphers:
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_RSA_WITH_AES_256_CBC_SHA
Apply mTLS Inbound Configuration to a Specific API Instance
Sample configuration for adding an inbound mTLS context for a specific API instance:
apiVersion: gateway.mulesoft.com/v1alpha1
kind: PolicyBinding
metadata:
name: mtls
spec:
targetRef:
name: ingress-https
policyRef:
name: tls
config:
requireClientCertificate: true
trustedCA: |
# -----BEGIN CERTIFICATE-----
# insert certificate
# -----END CERTIFICATE-----
certificate:
key: |
# -----BEGIN RSA PRIVATE KEY-----
# insert private key
# -----END RSA PRIVATE KEY-----
crt: |
# -----BEGIN CERTIFICATE-----
# insert certificate
# -----END CERTIFICATE-----
This example uses the default values for alpn
, minversion
, maxversion
, and ciphers
.
TLS Cipher Support on Flex Gateway
Flex can support a range of TLS Versions from TLS 1.1 to TLS 1.3, and you can also customize some of the ciphers to support.
You cannot customize the list of TLS 1.3 Ciphers. If you support TLS 1.3, the TLS 1.3 default ciphers are all supported regardless of the ciphers listed in the configuration file. If you don’t support TLS 1.3, these ciphers are not included.
For TLS 1.2, listing any ciphers overides the TLS 1.2 default ciphers. If you want to list ciphers besides the default TLS 1.2 Ciphers, you must list every cipher to support including the default ciphers you want to support. Excluding default ciphers from your list of supported ciphers means you do not support those ciphers. If you wish to only support the default ciphers, you can leave the cipher list blank. Listing ciphers does not affect the default TLS 1.3 cipher.
There are no default ciphers for TLS 1.1. To support TLS 1.1, you must list the ciphers to support. If you support TLS 1.1 and TLS 1.2, listing TLS 1.1 ciphers overides the TLS 1.2 defaults. To support both these versions, list all ciphers you want to support.
Flex Gateway Supported Ciphers
Flex Gateway supports the following TLS Ciphers in Connected Mode and Local Mode:
Cipher | TLS Version | Default | Advice |
---|---|---|---|
TLS_AES_128_GCM_SHA256 |
1.3 |
Yes |
Secure |
TLS_AES_256_GCM_SHA384 |
1.3 |
Yes |
Secure |
TLS_CHACHA20_POLY1305_SHA256 |
1.3 |
Yes |
Secure |
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 |
1.2 |
Yes |
Recommended |
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 |
1.2 |
Yes |
Recommended |
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 |
1.2 |
Yes |
Recommended |
TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 |
1.2 |
No |
Recommended |
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
1.2 |
Yes |
Secure |
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
1.2 |
Yes |
Secure |
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 |
1.2 |
Yes |
Secure |
TLS_RSA_WITH_AES_128_GCM_SHA256 |
1.2 |
No |
Weak |
TLS_RSA_WITH_AES_256_GCM_SHA384 |
1.2 |
No |
Weak |
TLS_RSA_WITH_NULL_SHA |
1.1, 1.2 |
No |
Insecure |
TLS_RSA_WITH_AES_128_CBC_SHA |
1.1, 1.2 |
No |
Weak |
TLS_RSA_WITH_AES_256_CBC_SHA |
1.1, 1.2 |
No |
Weak |
TLS_PSK_WITH_AES_128_CBC_SHA |
1.1, 1.2 |
No |
Weak |
TLS_PSK_WITH_AES_256_CBC_SHA |
1.1, 1.2 |
No |
Weak |
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA |
1.1, 1.2 |
No |
Weak |
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA |
1.1, 1.2 |
No |
Weak |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA |
1.1, 1.2 |
No |
Weak |
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA |
1.1, 1.2 |
No |
Weak |
TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA |
1.1, 1.2 |
No |
Weak |
TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA |
1.1, 1.2 |
No |
Weak |
TLS_RSA_WITH_3DES_EDE_CBC_SHA |
1.1 |
No |
Weak |