SSL input settings
editSSL input settings
editThis documentation refers to configuring the standalone (legacy) APM Server. This method of running APM Server will be deprecated and removed in a future release. Please consider upgrading to Fleet and the APM integration. If you’ve already upgraded, please see Secure communication with APM agents instead.
You can specify the following options in the apm-server.ssl
section of the apm-server.yml
config file.
They apply to SSL/TLS communication between the APM Server and APM Agents.
enabled
editThe enabled
setting can be used to enable the SSL configuration by setting
it to true
. The default value is false
.
certificate
editThe path to the file containing the certificate for Server authentication.
Required if apm-server.ssl.enabled
is true
.
key
editThe path to the file containing the Server certificate key.
Required if apm-server.ssl.enabled
is true
.
key_passphrase
editThe passphrase used to decrypt an encrypted key stored in the configured key
file.
We recommend saving the key_passphrase
in the APM Server Secrets keystore.
supported_protocols
editThis setting is a list of allowed protocol versions:
SSLv3
, TLSv1.0
, TLSv1.1
, TLSv1.2
and TLSv1.3
. We do not recommend using SSLv3
or TLSv1.0
.
The default value is [TLSv1.1, TLSv1.2, TLSv1.3]
.
cipher_suites
editThe list of cipher suites to use. The first entry has the highest priority. If this option is omitted, the Go crypto library’s default suites are used (recommended). Note that TLS 1.3 cipher suites are not individually configurable in Go, so they are not included in this list.
The following cipher suites are available:
Cypher | Notes |
---|---|
ECDHE-ECDSA-AES-128-CBC-SHA |
|
ECDHE-ECDSA-AES-128-CBC-SHA256 |
TLS 1.2 only. Disabled by default. |
ECDHE-ECDSA-AES-128-GCM-SHA256 |
TLS 1.2 only. |
ECDHE-ECDSA-AES-256-CBC-SHA |
|
ECDHE-ECDSA-AES-256-GCM-SHA384 |
TLS 1.2 only. |
ECDHE-ECDSA-CHACHA20-POLY1305 |
TLS 1.2 only. |
ECDHE-ECDSA-RC4-128-SHA |
Disabled by default. RC4 not recommended. |
ECDHE-RSA-3DES-CBC3-SHA |
|
ECDHE-RSA-AES-128-CBC-SHA |
|
ECDHE-RSA-AES-128-CBC-SHA256 |
TLS 1.2 only. Disabled by default. |
ECDHE-RSA-AES-128-GCM-SHA256 |
TLS 1.2 only. |
ECDHE-RSA-AES-256-CBC-SHA |
|
ECDHE-RSA-AES-256-GCM-SHA384 |
TLS 1.2 only. |
ECDHE-RSA-CHACHA20-POLY1205 |
TLS 1.2 only. |
ECDHE-RSA-RC4-128-SHA |
Disabled by default. RC4 not recommended. |
RSA-3DES-CBC3-SHA |
|
RSA-AES-128-CBC-SHA |
|
RSA-AES-128-CBC-SHA256 |
TLS 1.2 only. Disabled by default. |
RSA-AES-128-GCM-SHA256 |
TLS 1.2 only. |
RSA-AES-256-CBC-SHA |
|
RSA-AES-256-GCM-SHA384 |
TLS 1.2 only. |
RSA-RC4-128-SHA |
Disabled by default. RC4 not recommended. |
Here is a list of acronyms used in defining the cipher suites:
- 3DES: Cipher suites using triple DES
- AES-128/256: Cipher suites using AES with 128/256-bit keys.
- CBC: Cipher using Cipher Block Chaining as block cipher mode.
- ECDHE: Cipher suites using Elliptic Curve Diffie-Hellman (DH) ephemeral key exchange.
- ECDSA: Cipher suites using Elliptic Curve Digital Signature Algorithm for authentication.
- GCM: Galois/Counter mode is used for symmetric key cryptography.
- RC4: Cipher suites using RC4.
- RSA: Cipher suites using RSA.
- SHA, SHA256, SHA384: Cipher suites using SHA-1, SHA-256 or SHA-384.
curve_types
editThe list of curve types for ECDHE (Elliptic Curve Diffie-Hellman ephemeral key exchange).
certificate_authorities
editThe list of root certificates for verifying client certificates.
If certificate_authorities
is empty or not set, the trusted certificate authorities of the host system are used.
If certificate_authorities
is set, client_authentication
will be automatically set to required
.
Sending client certificates is currently only supported by the RUM agent through the browser,
the Java agent (see Agent certificate authentication),
and the Jaeger agent.
client_authentication
editThis configures what types of client authentication are supported. The valid options
are none
, optional
, and required
. The default is none
.
If certificate_authorities
has been specified, this setting will automatically change to required
.
This option only needs to be configured when the agent is expected to provide a client certificate.
Sending client certificates is currently only supported by the RUM agent through the browser,
the Java agent (see Agent certificate authentication),
and the Jaeger agent.
-
none
- Disables client authentication. -
optional
- When a client certificate is given, the server will verify it. -
required
- Requires clients to provide a valid certificate.