Class TlsConfig

java.lang.Object
com.loomcache.common.config.TlsConfig

public final class TlsConfig extends Object
Immutable TLS/mTLS configuration for LoomCache nodes and clients.
  • Method Details

    • enabled

      public boolean enabled()
      Get whether TLS is enabled.
      Returns:
      true if TLS is enabled
    • keyStorePath

      public @Nullable Path keyStorePath()
      Get the keystore path.
      Returns:
      the keystore path, or null if not configured
    • keyStorePassword

      public String keyStorePassword()
      Get the keystore password.
      Returns:
      the keystore password
    • keyStoreType

      public String keyStoreType()
      Get the keystore type.
      Returns:
      the keystore type (PKCS12 or JKS)
    • trustStorePath

      public @Nullable Path trustStorePath()
      Get the truststore path.
      Returns:
      the truststore path, or null if not configured
    • trustStorePassword

      public String trustStorePassword()
      Get the truststore password.
      Returns:
      the truststore password
    • trustStoreType

      public String trustStoreType()
      Get the truststore type.
      Returns:
      the truststore type (PKCS12 or JKS)
    • requireClientAuth

      public boolean requireClientAuth()
      Get whether client authentication (mTLS) is required.
      Returns:
      true if client auth is required
    • protocols

      public List<String> protocols()
      Get the TLS protocols to enable.
      Returns:
      list of TLS protocol names
    • cipherSuites

      public List<String> cipherSuites()
      Get the cipher suites to enable.
      Returns:
      list of cipher suite names, or empty if using JVM defaults
    • provider

      public TlsProvider provider()
      Get the TLS provider.
      Returns:
      the configured TLS provider
    • certExpirationWarningDays

      public int certExpirationWarningDays()
      Get the number of days before certificate expiration to emit a warning.
      Returns:
      warning threshold in days (default 30)
    • certExpirationCriticalDays

      public int certExpirationCriticalDays()
      Get the number of days before certificate expiration to emit a critical alert.
      Returns:
      critical threshold in days (default 7)
    • revocationCheckingEnabled

      public boolean revocationCheckingEnabled()
      Whether certificate revocation checking (CRL/OCSP) is enabled. When enabled, the TrustManagerFactory will verify certificates against CRL distribution points and OCSP responders embedded in the certificate.
      Returns:
      true if revocation checking is enabled (default false)
    • revocationSoftFail

      public boolean revocationSoftFail()
      Whether revocation checking uses soft-fail mode. When true, CRL/OCSP fetch failures are silently ignored (a revoked cert may be accepted if the CRL server is unreachable). When false, any CRL/OCSP fetch failure causes the handshake to fail (stricter but may cause outages if CRL infrastructure is down).
      Returns:
      true for soft-fail (default), false for hard-fail
    • acceptTimeoutMs

      public int acceptTimeoutMs()
      Accept timeout applied to TLS server sockets (SO_TIMEOUT). Controls how often the accept loop wakes up to check for shutdown signals.
      Returns:
      accept timeout in milliseconds (default 2000)
    • disabled

      public static TlsConfig disabled()
      Disabled TLS singleton for convenience.
      Returns:
      a disabled TLS configuration
    • toString

      public String toString()
      Overrides:
      toString in class Object
    • builder

      public static TlsConfig.Builder builder()
      Create a new builder for TlsConfig.
      Returns:
      a new Builder instance
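
The revocationCheckingEnabled and revocationSoftFail settings documented above correspond to options on the JDK's PKIXRevocationChecker. The sketch below is an added example, not LoomCache source: the RevocationTrustExample class and its build method are hypothetical, the parameters stand in for the TlsConfig accessors of the same names, and the way LoomCache wires these flags internally is an assumption.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509CertSelector;
import java.util.EnumSet;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.TrustManagerFactory;

// Added example (hypothetical helper, not LoomCache code): builds a JDK
// TrustManagerFactory whose revocation behaviour follows the two flags.
public final class RevocationTrustExample {
    static TrustManagerFactory build(Path trustStorePath, char[] trustStorePassword,
                                     String trustStoreType,
                                     boolean revocationCheckingEnabled,
                                     boolean revocationSoftFail) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(trustStoreType); // PKCS12 or JKS
        try (InputStream in = Files.newInputStream(trustStorePath)) {
            trustStore.load(in, trustStorePassword);
        }
        // Every certificate entry in the truststore becomes a PKIX trust anchor.
        PKIXBuilderParameters params =
                new PKIXBuilderParameters(trustStore, new X509CertSelector());
        params.setRevocationEnabled(revocationCheckingEnabled);
        if (revocationCheckingEnabled) {
            PKIXRevocationChecker checker = (PKIXRevocationChecker)
                    CertPathBuilder.getInstance("PKIX").getRevocationChecker();
            // SOFT_FAIL tolerates an unreachable CRL/OCSP endpoint, so a revoked
            // certificate can pass during an outage. An empty option set is
            // hard-fail: a failed lookup rejects the certificate path.
            checker.setOptions(revocationSoftFail
                    ? EnumSet.of(PKIXRevocationChecker.Option.SOFT_FAIL)
                    : EnumSet.noneOf(PKIXRevocationChecker.Option.class));
            params.addCertPathChecker(checker);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(params));
        return tmf;
    }

    public static void main(String[] args) throws Exception {
        // Arguments: <truststore path> <password> <PKCS12|JKS>; hard-fail mode.
        build(Path.of(args[0]), args[1].toCharArray(), args[2], true, false);
        System.out.println("PKIX trust managers initialised with hard-fail revocation");
    }
}
```

In soft-fail mode, PKIXRevocationChecker.getSoftFailExceptions() returns the lookup failures that were ignored during the last validation, which lets a deployment log or alert on them instead of dropping them silently.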