Stowage/godot
2
0
Fork 0
mirror of https://github.com/godotengine/godot.git synced 2025-10-31 13:41:03 +00:00
Code Issues Projects Releases Packages Wiki Activity
godot/doc/classes/TLSOptions.xml

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

54 lines
3.1 KiB
XML
Raw Normal View History

[NET] Refactor TLS configuration. Use a TLSOptions configuration object which is created via static functions. - "TLSOptions.client": uses the standard CA and common name verification. - "TLSOptions.client_unsafe": uses optional CA verification (i.e. if specified) - "TLSOptions.server": is the standard server configuration (chain + key) This will allow us to expand the TLS configuration options to include e.g. mutual authentication without bloating the classes that uses StreamPeerTLS and PacketPeerDTLS as underlying peers.
2023-01-20 01:51:35 +01:00
<?xml version="1.0" encoding="UTF-8" ?>
<class name="TLSOptions" inherits="RefCounted" version="4.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="../class.xsd">
<brief_description>
TLS configuration for clients and servers.
</brief_description>
<description>
TLSOptions abstracts the configuration options for the [StreamPeerTLS] and [PacketPeerDTLS] classes.
Objects of this class cannot be instantiated directly, and one of the static methods [method client], [method client_unsafe], or [method server] should be used instead.
[codeblocks]
[gdscript]
# Create a TLS client configuration which uses our custom trusted CA chain.
var client_trusted_cas = load("res://my_trusted_cas.crt")
var client_tls_options = TLSOptions.client(client_trusted_cas)
# Create a TLS server configuration.
var server_certs = load("res://my_server_cas.crt")
var server_key = load("res://my_server_key.key")
var server_tls_options = TLSOptions.server(server_certs, server_key)
[/gdscript]
[/codeblocks]
</description>
<tutorials>
</tutorials>
<methods>
<method name="client" qualifiers="static">
<return type="TLSOptions" />
<param index="0" name="trusted_chain" type="X509Certificate" default="null" />
<param index="1" name="common_name_override" type="String" default="&quot;&quot;" />
<description>
Creates a TLS client configuration which validates certificates and their common names (fully qualified domain names).
You can specify a custom [param trusted_chain] of certification authorities (the default CA list will be used if [code]null[/code]), and optionally provide a [param common_name_override] if you expect the certificate to have a common name other then the server FQDN.
Note: On the Web plafrom, TLS verification is always enforced against the CA list of the web browser. This is considered a security feature.
</description>
</method>
<method name="client_unsafe" qualifiers="static">
<return type="TLSOptions" />
<param index="0" name="trusted_chain" type="X509Certificate" default="null" />
<description>
Creates an [b]unsafe[/b] TLS client configuration where certificate validation is optional. You can optionally provide a valid [param trusted_chain], but the common name of the certififcates will never be checked. Using this configuration for purposes other than testing [b]is not recommended[/b].
Note: On the Web plafrom, TLS verification is always enforced against the CA list of the web browser. This is considered a security feature.
</description>
</method>
<method name="server" qualifiers="static">
<return type="TLSOptions" />
<param index="0" name="key" type="CryptoKey" />
<param index="1" name="certificate" type="X509Certificate" />
<description>
Creates a TLS server configuration using the provided [param key] and [param certificate].
Note: The [param certificate] should include the full certificate chain up to the signing CA (certificates file can be concatenated using a general purpose text editor).
</description>
</method>
</methods>
</class>
Reference in a new issue Copy permalink