TLS

Envoy supports both TLS termination in listeners as well as TLS origination

• Configurable ciphers
• Client certificates
• Certificate verification and pinning
• Certificate revocation
• ALPN: whether a client is speaking HTTP/1.1 or HTTP/2
• SNI
• Session resumption
• BoringSSL private key methods
• OCSP Stapling

Underlying implementation

use BoringSSL as the TLS provider.

FIPS 140-2

BoringSSL can be built in a FIPS-compliant mode, it doesn’t support the most recent QUIC APIs.

Enabling certificate verification

not enabled unless the validation context specifies one or more trusted authority certificates.

Custom Certificate Validator

Certificate selection

DownstreamTlsContexts support multiple TLS certificates.