Provided by: ktls-utils_1.0.0-1_amd64

NAME

       tlshd.conf - tlshd configuration file

SYNOPSIS

       /etc/tlshd.conf

DESCRIPTION

       The  tlshd  program  implements a user agent that services TLS handshake requests on behalf of kernel TLS
       consumers.  Its configuration file contains information that the program reads when it  starts  up.   The
       file  is  designed  to be human readable and contains a list of keywords with values that provide various
       types of information.  The configuration file is considered a trusted source of information.

       The tlshd program reads this file once when it is launched.  Thus changes made in this file  take  effect
       only  when  the  tlshd  program  is  restarted.   If  this  file  does not exist, the tlshd program exits
       immediately.

OPTIONS

       The configuration file is split into sections.

       The [debug] section specifies debugging settings for the tlshd program.  In this section, there are three
       available options:

       loglevel
              This option specifies an integer which indicates the debug  message  level.   Zero,  the  quietest
              setting, is the default.

       tls    This  option  specifies  an integer which indicates the debug message level for TLS library calls.
              Zero, the quietest setting, is the default.

       nl     This option specifies an integer which indicates the  debug  message  level  for  netlink  library
              calls.  Zero, the quietest setting, is the default.

       The  [authenticate] section specifies default authentication material when establishing TLS sessions.  In
       this section, there is one available option:

       keyrings
              This option specifies a semicolon-separated list of  auxiliary  keyrings  that  contain  handshake
              authentication  tokens.   tlshd  links these keyrings into its session keyring.  The configuration
              file may specify either a keyring's name or serial number.  The default is to provide no keyring.

       This section also contains two subsections: [client] and [server].  The tlshd program  consults  the
       settings  in  the  [client]  subsection  when handling the client end of a handshake, and it consults the
       settings in the [server] subsection when handling the server end of a handshake.

       In each of these two subsections, there are three available options:

       x509.truststore
              This option specifies the pathname of a file containing a PEM-encoded trust store that  is  to  be
              used  to verify a certificate during a handshake.  If this option is not specified, tlshd uses the
              system's trust store.

       x509.certificate
              This option specifies the pathname of a file containing a PEM-encoded X.509 certificate that is to
              be presented during a handshake request when no other certificate is available.

       x509.private_key
              This option specifies the pathname of a file containing a PEM-encoded private key associated  with
              the above certificate.
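       A constructed tlshd.conf that exercises the sections and keywords described above, together with a small
       Python checker for the consistency rules a reviewer of this trusted file would want verified.  This is an
       added example, not code shipped with ktls-utils; it assumes GKeyFile/INI syntax and that the [client] and
       [server] subsections are written [authenticate.client] and [authenticate.server], as in the default file
       distributed with ktls-utils.

```python
"""Parse and sanity-check a tlshd.conf (added example, not ktls-utils code).

Assumption: the [client]/[server] subsections of [authenticate] are spelled
[authenticate.client] and [authenticate.server], as in the default file that
ships with ktls-utils.  Paths and keyring names below are constructed.
"""
import configparser

# Constructed sample configuration, not taken from a real deployment.
SAMPLE_CONF = """\
[debug]
loglevel=1
tls=0
nl=0

[authenticate]
keyrings=.nvme;.nfs

[authenticate.client]
x509.certificate=/etc/tlshd/client.crt
x509.private_key=/etc/tlshd/client.key

[authenticate.server]
x509.truststore=/etc/tlshd/ca.pem
x509.certificate=/etc/tlshd/server.crt
"""

def parse_tlshd_conf(text):
    """Parse the INI-style file; interpolation is off so '%' in paths is literal."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str          # keep keyword names such as x509.private_key verbatim
    cp.read_string(text)
    return cp

def keyrings(cp):
    """Return the semicolon-separated auxiliary keyrings as a list (empty list = none)."""
    raw = cp.get("authenticate", "keyrings", fallback="")
    return [k.strip() for k in raw.split(";") if k.strip()]

def check(cp):
    """Return human-readable findings: nonzero debug levels, incomplete x509
    material (certificate without its private key or vice versa), and endpoints
    that fall back to the system trust store because x509.truststore is unset."""
    findings = []
    for opt in ("loglevel", "tls", "nl"):
        if cp.getint("debug", opt, fallback=0) != 0:
            findings.append(f"debug.{opt} is nonzero: verbose logging enabled")
    for end in ("client", "server"):
        sect = f"authenticate.{end}"
        has_cert = cp.has_option(sect, "x509.certificate")
        has_key = cp.has_option(sect, "x509.private_key")
        if has_cert != has_key:
            findings.append(f"{sect}: x509.certificate and x509.private_key must be set together")
        if not cp.has_option(sect, "x509.truststore"):
            findings.append(f"{sect}: no x509.truststore, system trust store will be used")
    return findings
```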

SEE ALSO

       tlshd(8)

AUTHOR

       Chuck Lever

                                                   20 Oct 2022                                     tlshd.conf(5)