Transport Layer Security Policy

Policy Name: Transport Layer Security (TLS)

Summary: Enables HTTPS

Category: Security

First Mule version available:

Returned Status Codes:

Summary

In order to use HTTPS, the Transport Layer Security policy must be bound to your API instance.

Configuring Policy Parameters

Flex Gateway Local Mode

In Local Mode, you apply the TLS policy to your API via declarative configuration files. Refer to the following policy definition and table of parameters:

- policyRef:
    name: tls
  config:
    certificate: // REQUIRED
        key: <string> // REQUIRED
        crt: <string> // REQUIRED
    alpn: <array> // OPTIONAL
    minversion: <string> // OPTIONAL
    maxversion: <string> // OPTIONAL
    ciphers: <array> // OPTIONAL
Parameter | Required or Optional | Default Value | Description
--- | --- | --- | ---
certificate | Required | N/A |
certificate.key | Required | N/A |
certificate.crt | Required | N/A |
alpn | Optional | |
minversion | Optional | |
maxversion | Optional | |
ciphers | Optional | |

Resource Configuration Example

apiVersion: gateway.mulesoft.com/v1alpha1
kind: PolicyBinding
metadata:
  name: ingress-http-tls
spec:
  targetRef:
    kind: ApiInstance
    name: ingress-http
  policyRef:
    name: tls
  config:
    certificate:
      key: |
        -----BEGIN PRIVATE KEY-----
        -----END PRIVATE KEY-----

      crt: |
        -----BEGIN CERTIFICATE-----
        -----END CERTIFICATE-----

    alpn:
      - http/1.1
      - h2
    minversion: "1.1"
    maxversion: "1.3"
    ciphers:
      - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
      - TLS_CHACHA20_POLY1305_SHA256
      - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
      - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
      - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
      - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
      - TLS_RSA_WITH_AES_128_GCM_SHA256
      - TLS_RSA_WITH_AES_128_CBC_SHA
      - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
      - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
      - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
      - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
      - TLS_RSA_WITH_AES_256_GCM_SHA384
      - TLS_RSA_WITH_AES_256_CBC_SHA

After adding your private key and certificate information, verify that the policy was correctly applied. The following curl command tests an HTTPS endpoint with an example certificate that matches the certificate specified in the policy binding configuration resource.

curl https://localhost/api/httpbin/get -v --cacert ./tls-certs/test.crt

The command should return information on the TLS handshake, as well as an HTTP status of 200 for the endpoint:

* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
* ALPN, server did not agree to a protocol
...
> HTTP/1.1 200 OK

The key and crt literal blocks in the configuration must be correctly indented; otherwise the certificate material is not loaded and curl returns the following error when testing the endpoint:

curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number
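As an added example (not MuleSoft's code), the following Python function lints a TLS policy config of the shape shown above before it is bound: it checks that key and crt are PEM blocks (the mis-indentation case behind the curl error above), flags a minversion below 1.2, and flags cipher suites from the list above that lack forward secrecy or use CBC mode. The accepted version strings and ALPN ids are assumptions, and the sample config is constructed to mirror the page's PolicyBinding example.

```python
# Added example, not MuleSoft's code. Lints a Flex Gateway TLS policy config dict
# with the shape shown on this page: certificate.key / certificate.crt (PEM),
# alpn, minversion, maxversion, ciphers.
import re

TLS_VERSIONS = ("1.0", "1.1", "1.2", "1.3")   # assumed accepted version strings
HTTP_ALPN_IDS = ("http/1.1", "h2")            # assumed accepted ALPN ids
PEM_RE = re.compile(r"^-----BEGIN [A-Z ]+-----\n.*-----END [A-Z ]+-----\s*$", re.S)


def lint_tls_policy(config: dict) -> list:
    """Return a list of findings; an empty list means the config passes."""
    findings = []
    cert = config.get("certificate") or {}
    for field in ("key", "crt"):
        value = cert.get(field)
        if not isinstance(value, str) or not PEM_RE.match(value):
            # A mis-indented literal block leaves the PEM markers out of the
            # value, which is what makes curl fail with "wrong version number".
            findings.append(f"certificate.{field}: missing or not a PEM block")
    minv, maxv = config.get("minversion"), config.get("maxversion")
    for label, v in (("minversion", minv), ("maxversion", maxv)):
        if v is not None and v not in TLS_VERSIONS:
            findings.append(f"{label}: unknown TLS version {v!r}")
    if minv in TLS_VERSIONS and maxv in TLS_VERSIONS \
            and TLS_VERSIONS.index(minv) > TLS_VERSIONS.index(maxv):
        findings.append("minversion is higher than maxversion")
    if minv in ("1.0", "1.1"):
        findings.append(f"minversion {minv}: TLS 1.0/1.1 are deprecated (RFC 8996)")
    for suite in config.get("ciphers", []):
        if suite.startswith("TLS_RSA_"):
            findings.append(f"{suite}: RSA key exchange, no forward secrecy")
        if "_CBC_" in suite:
            findings.append(f"{suite}: CBC mode, prefer an AEAD suite (GCM/CHACHA20)")
    for proto in config.get("alpn", []):
        if proto not in HTTP_ALPN_IDS:
            findings.append(f"alpn {proto!r}: not an HTTP protocol id")
    return findings


# Constructed sample mirroring the page's PolicyBinding example (placeholder PEM bodies).
PAGE_EXAMPLE = {
    "certificate": {
        "key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
        "crt": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n",
    },
    "alpn": ["http/1.1", "h2"],
    "minversion": "1.1",
    "maxversion": "1.3",
    "ciphers": ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256",
                "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"],
}

if __name__ == "__main__":
    for finding in lint_tls_policy(PAGE_EXAMPLE):
        print("finding:", finding)
```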
