tls
The tls clause configures Transport Layer Security (TLS) for server listeners. This configuration applies to all server types that support TLS:
- HTTP servers - Enables HTTPS with HTTP/1.1 and HTTP/2 support
- RADIUS servers - Enables RadSec (RADIUS over TLS, RFC 6614) on port 2083
- TACACS+ servers - Enables TACACS+ over TLS
Parameters
| Parameter | Description | Required |
|---|---|---|
| certificate | Server certificate name (from certificates block) | Yes |
| certificate_key | Server private key name (from certificates block) | Yes |
| server_ca_certificate | CA certificate chain for server identity verification | Yes |
| require_client_certificate | Whether clients must present a certificate | No |
| client_ca_certificate | CA certificate for validating client certificates | Conditional |
| verification | Custom certificate verification rules | No |
| min_protocol_version | Minimum TLS protocol version (Tlsv12, Tlsv13) | No |
| max_protocol_version | Maximum TLS protocol version (Tlsv12, Tlsv13) | No |
| tls13_session_tickets | Number of TLS 1.3 session tickets to send (0 to disable) | No |
| keylog_filename | File path for TLS key logging (for debugging with Wireshark) | No |
The client_ca_certificate parameter is required when require_client_certificate is set to true.
Example: HTTPS Server
```
certificates {
    x509 "SERVER_CERT" {
        filename "/var/lib/radiator/certs/server.pem";
    }
    key "SERVER_KEY" {
        filename "/var/lib/radiator/certs/server-key.pem";
    }
    x509 "CA_CERT" {
        filename "/var/lib/radiator/certs/ca.pem";
    }
}

servers {
    http "HTTPS_SERVER" {
        listen {
            protocol tls;
            port 8443;
            ip 0.0.0.0;
            tls {
                certificate "SERVER_CERT";
                certificate_key "SERVER_KEY";
                server_ca_certificate "CA_CERT";
            }
        }
    }
}
```
Example: RadSec Server (RADIUS over TLS)
RadSec typically requires mutual TLS (mTLS) where both server and client authenticate with certificates:
```
certificates {
    x509 "RADSEC_CERT" {
        filename "/var/lib/radiator/certs/radsec-server.pem";
    }
    key "RADSEC_KEY" {
        filename "/var/lib/radiator/certs/radsec-server-key.pem";
    }
    x509 "RADSEC_SERVER_CA" {
        filename "/var/lib/radiator/certs/radsec-ca.pem";
    }
    x509 "RADSEC_CLIENT_CA" {
        filename "/var/lib/radiator/certs/radsec-client-ca.pem";
    }
}

servers {
    radius "RADSEC" {
        listen {
            protocol tls;
            port 2083;
            ip 0.0.0.0;
            tls {
                certificate "RADSEC_CERT";
                certificate_key "RADSEC_KEY";
                server_ca_certificate "RADSEC_SERVER_CA";
                # RadSec requires client certificates
                require_client_certificate true;
                client_ca_certificate "RADSEC_CLIENT_CA";
                verification {
                    if any {
                        cert.valid != true;
                        # Require certificate issued under network device policy
                        cert.policy != "1.3.6.1.4.1.99999.1.2.3";
                        # Require certificate from partner organization
                        cert.subject.o != "Partner Network Inc";
                    } then {
                        reject;
                    } else {
                        accept;
                    }
                }
            }
        }
        clients "RADSEC_CLIENTS";
    }
}
```
Example: TACACS+ over TLS
```
servers {
    tacacs-plus "TACACS_TLS" {
        listen {
            protocol tls;
            port 49;
            ip 0.0.0.0;
            tls {
                certificate "SERVER_CERT";
                certificate_key "SERVER_KEY";
                server_ca_certificate "CA_CERT";
            }
        }
        clients "TACACS_CLIENTS";
    }
}
```
Example: Mutual TLS (mTLS)
When client certificate verification is required:
```
certificates {
    x509 "SERVER_CERT" {
        filename "/var/lib/radiator/certs/server.pem";
    }
    key "SERVER_KEY" {
        filename "/var/lib/radiator/certs/server-key.pem";
    }
    x509 "SERVER_CA" {
        filename "/var/lib/radiator/certs/ca.pem";
    }
    x509 "CLIENT_CA" {
        filename "/var/lib/radiator/certs/client-ca.pem";
    }
}

servers {
    http "MTLS_SERVER" {
        listen {
            protocol tls;
            port 8443;
            ip 0.0.0.0;
            tls {
                certificate "SERVER_CERT";
                certificate_key "SERVER_KEY";
                server_ca_certificate "SERVER_CA";
                # Require and validate client certificates
                require_client_certificate true;
                client_ca_certificate "CLIENT_CA";
            }
        }
    }
}
```
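As an added example (not Radiator's own code), the following Python script parses a configuration excerpt written in the brace syntax shown on this page and checks every `tls` clause against the rules in the parameter table: the three required parameters are present, each name resolves to an `x509` or `key` entry in the `certificates` block, `client_ca_certificate` accompanies `require_client_certificate true`, `min_protocol_version` does not exceed `max_protocol_version`, and two risky settings are flagged as warnings: a `keylog_filename` (which writes session secrets to disk) and a RADIUS listener with TLS that does not require client certificates, since RadSec normally relies on mutual TLS. The parser, the rule set and the embedded sample configuration are constructed for this example; Radiator's real configuration parser is not used, and only the syntax visible on this page is handled.

```python
"""Lint the tls clause of a Radiator-style config (added example, not project code)."""
import re
from dataclasses import dataclass, field

# Tokens: "quoted strings", '# comments', { } ; and bare words such as 0.0.0.0, != or Tlsv13.
TOKEN_RE = re.compile(r'"([^"]*)"|(#[^\n]*)|([{};])|([^\s{};"#]+)')
PROTO_ORDER = {"Tlsv12": 1, "Tlsv13": 2}
REQUIRED = ("certificate", "certificate_key", "server_ca_certificate")
CERT_REFS = {"certificate": "x509", "server_ca_certificate": "x509",  # kind of certificates
             "client_ca_certificate": "x509", "certificate_key": "key"}  # entry each name needs

@dataclass
class Node:  # `name args;` statement, or `name args { children }` block when is_block is set
    name: str
    args: list
    is_block: bool = False
    children: list = field(default_factory=list)

def tokenize(text):
    for quoted, comment, punct, word in TOKEN_RE.findall(text):
        if not comment:  # comments dropped; a quoted "{" or ";" is not told apart from punctuation
            yield quoted or punct or word

def parse(text):
    """Build the statement/block tree with an explicit stack of open blocks."""
    root, stack, words = [], [], []
    for tok in tokenize(text):
        if tok in ("{", ";"):
            if not words:
                raise ValueError(f"'{tok}' without a preceding keyword")
            node = Node(words[0], words[1:], is_block=(tok == "{"))
            (stack[-1].children if stack else root).append(node)
            if tok == "{":
                stack.append(node)
            words = []
        elif tok == "}":
            if words or not stack:
                raise ValueError("unbalanced '}' or statement missing ';'")
            stack.pop()
        else:
            words.append(tok)
    if stack or words:
        raise ValueError("unterminated block or statement")
    return root

def find_tls_clauses(tree):
    """Yield (server_type, server_name, tls_block) for every servers.<type>.listen.tls."""
    for blk in (b for b in tree if b.name == "servers"):
        for srv in blk.children:
            for listen in (ls for ls in srv.children if ls.name == "listen"):
                for node in listen.children:
                    if node.name == "tls" and node.is_block:
                        yield srv.name, (srv.args[0] if srv.args else "?"), node

def check_tls(server_type, server_name, tls, certs):
    """Apply the parameter table's rules to one tls clause; returns (level, message) pairs."""
    params = {c.name: c.args for c in tls.children if not c.is_block}  # skips verification {}
    first = {k: v[0] for k, v in params.items() if v}  # first argument of each parameter
    where, out = f"{server_type} {server_name!r}", []
    for p in REQUIRED:
        if p not in params:
            out.append(("error", f"{where}: missing required parameter {p}"))
    for p, kind in CERT_REFS.items():
        if p in first and first[p] not in certs[kind]:
            out.append(("error", f"{where}: {p} {first[p]!r} has no {kind} entry in certificates"))
    mtls = first.get("require_client_certificate") == "true"
    if mtls and "client_ca_certificate" not in params:
        out.append(("error", f"{where}: require_client_certificate true needs client_ca_certificate"))
    if server_type == "radius" and not mtls:
        out.append(("warning", f"{where}: RadSec listener does not require client certificates"))
    lo, hi = first.get("min_protocol_version"), first.get("max_protocol_version")
    if lo in PROTO_ORDER and hi in PROTO_ORDER and PROTO_ORDER[lo] > PROTO_ORDER[hi]:
        out.append(("error", f"{where}: min_protocol_version {lo} is above max_protocol_version {hi}"))
    if "keylog_filename" in params:
        out.append(("warning", f"{where}: keylog_filename writes TLS session secrets to disk"))
    return out

def lint(text):
    tree, certs = parse(text), {"x509": set(), "key": set()}  # names from certificates { }
    for blk in (b for b in tree if b.name == "certificates"):
        for entry in blk.children:
            if entry.name in certs and entry.args:
                certs[entry.name].add(entry.args[0])
    return [f for item in find_tls_clauses(tree) for f in check_tls(*item, certs)]

SAMPLE_CONFIG = """# constructed input: a RadSec listener with an incomplete mTLS setup that also logs keys
certificates {
    x509 "RADSEC_CERT" { filename "/var/lib/radiator/certs/radsec-server.pem"; }
    key "RADSEC_KEY" { filename "/var/lib/radiator/certs/radsec-server-key.pem"; }
    x509 "RADSEC_SERVER_CA" { filename "/var/lib/radiator/certs/radsec-ca.pem"; }
}
servers { radius "RADSEC" { listen { protocol tls; port 2083; ip 0.0.0.0;
    tls { certificate "RADSEC_CERT"; certificate_key "RADSEC_KEY";
          server_ca_certificate "RADSEC_SERVER_CA";
          require_client_certificate true;  # mTLS switched on, but no client_ca_certificate
          keylog_filename "/tmp/radsec-keys.log";
          verification { if any { cert.valid != true; } then { reject; } else { accept; } } } }
    clients "RADSEC_CLIENTS"; } }
"""
```

Calling `lint(SAMPLE_CONFIG)` returns one error (mutual TLS enabled without `client_ca_certificate`) and one warning (`keylog_filename` is set); the verification block is parsed but deliberately skipped, since its rules are evaluated against client certificates at connection time, not at configuration time. Running such a check before a reload catches the mistakes that the Required column and the Conditional note above describe, and the keylog warning is a reminder to remove that setting once a Wireshark session is over.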
See Also
- certificates - Certificate configuration
- tls.verification - Custom certificate verification rules
- servers.http.listen - HTTP listen configuration
- servers.http - HTTP server configuration
- servers.radius.listen - RADIUS listen configuration
- servers.radius - RADIUS server configuration