TLS

Description Collection of TLS properties.
Synopsis tls: { "Tls-Property": "Tls-Value", ... }
Examples tls: { authority: "ca.crt", certificate: "server.crt", key: "server.key", verify: { client: true, issuer: true, }, }
Notes

TLS properties apply to web server https connections. They do not apply to Ioto MQTT or Ioto client connections.

tls → authority

Description Defines the location of the certificate file for client authentication
Synopsis authority: "path"
Example authority: "/var/ioto/ca.crt"
Notes

The authority property defines the file containing the certificates to use when authenticating client certificates. This property is only necessary if you wish to verify client certificates. If so, you must also define the "verify.client" to be true.

The certificate file contains the concatenated certificates to use in preference order. The path may be an absolute path or it may be relative to the Home directory.

tls → certificate

Description Defines the location of the X.509 file containing the server certificate
Synopsis certificate: "path"
Example certificate: "server.crt"
Notes

The SSLCertificateFile directive defines the file containing the PEM encoded X.509 certificate for the server. The file may also contain the private key for the server in which case you do not need to use the key property.

The path may be an absolute path or it may be relative to the Ioto home directory.

tls → key

Description Defines the location of the server's private key
Synopsis key: "path/to/key"
Example key: "server.key.pem"
Notes

The key property defines the file containing the PEM encoded private key file for the server. This property is not required if the server's private key is combined with the certificate file.

The private key should not be encrypted.

Security There is a dilemma here. If you use an encrypted private key, the server will pause until you enter the pass-phrase which makes headless operation impossible. If you do not encrypt the private key, your private key is more vulnerable should the server be compromised.

tls → verify → client

Description Control the type of client certificate verification.
Synopsis client: true|false
Example verify: { client: true, issuer: true, }
Notes

This property controls whether the client must provide a client certificate for the server to verify the identity of the client. If disabled, no certificate is required. If one is supplied, it will be ignored. The certificate and the certificate's issuer will be verified. Use the "verify.issuer" directive to turn off verification of the issuer if you need to use a self-signed test certificate.

If the property is enabled, the client must provide a valid certificate. The default is disabled.

tls → verify → issuer

Description Defines whether the issuer of the client certificate is verified.
Synopsis issuer: true|false
Example verify: { client: true, issuer: true, }
Notes

This property controls whether the issuer of the client certificate will be verified. If set to off, the certificate issuer will not be verified. This is useful to accept self-signed test certificates.

© Embedthis Software. All rights reserved.