<!-- CANARY: REQ=REQ-DOCS-001; FEATURE="Docs"; ASPECT=Documentation; STATUS=TESTED; OWNER=docs; UPDATED=2026-01-28 -->
<p>Transport Layer Security (TLS) provides encryption for all data transmitted between Geode clients and servers. Geode exclusively uses TLS 1.3, the most secure version of the TLS protocol, integrated with the QUIC transport protocol for optimal performance and security. This combination delivers encrypted, authenticated, and integrity-protected communications with minimal latency.</p>
<h3 id="tls-13-overview" class="position-relative d-flex align-items-center group">
<span>TLS 1.3 Overview</span>
</h3>
<p>TLS 1.3 offers significant improvements over earlier versions:</p>
<ul>
<li><strong>Faster Handshakes</strong>: 1-RTT handshakes (0-RTT for resumption)</li>
<li><strong>Stronger Cryptography</strong>: Only modern, secure cipher suites</li>
<li><strong>Forward Secrecy</strong>: All cipher suites provide forward secrecy</li>
<li><strong>Reduced Attack Surface</strong>: Removed legacy features and algorithms</li>
<li><strong>Simplified Protocol</strong>: Cleaner, more auditable implementation</li>
</ul>
<h4 id="quic--tls-integration" class="position-relative d-flex align-items-center group">
<span>QUIC + TLS Integration</span>
</h4><p>Geode uses QUIC as its transport protocol, which integrates TLS 1.3 directly:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback">Client                                          Server
  |                                               |
  |--- QUIC Initial (Client Hello) -------------&gt;|
  |                                               |
  |&lt;-- QUIC Handshake (Server Hello) ------------|
  |&lt;-- Certificate, Finished --------------------|
  |                                               |
  |--- Finished --------------------------------&gt;|
  |                                               |
  |&lt;======= Encrypted Application Data =========&gt;|
</code></pre></div><p>Benefits of QUIC + TLS:</p>
<ul>
<li>Single round-trip connection establishment</li>
<li>Encrypted transport from the first packet</li>
<li>Multiplexed streams without head-of-line blocking</li>
<li>Connection migration between networks</li>
<li>Built-in congestion control</li>
</ul>
<h3 id="server-tls-configuration" class="position-relative d-flex align-items-center group">
<span>Server TLS Configuration</span>
</h3>
<h4 id="basic-configuration" class="position-relative d-flex align-items-center group">
<span>Basic Configuration</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Minimal TLS configuration</span>
</span></span><span class="line"><span class="cl">geode serve --tls-cert<span class="o">=</span>/etc/geode/certs/server.crt <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --tls-key<span class="o">=</span>/etc/geode/certs/server.key
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># With certificate chain</span>
</span></span><span class="line"><span class="cl">geode serve --tls-cert<span class="o">=</span>/etc/geode/certs/server-chain.crt <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --tls-key<span class="o">=</span>/etc/geode/certs/server.key <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --tls-ca<span class="o">=</span>/etc/geode/certs/ca.crt
</span></span></code></pre></div>
<h4 id="configuration-file" class="position-relative d-flex align-items-center group">
<span>Configuration File</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># geode.yaml</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">server</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">listen</span><span class="p">:</span><span class="w"> </span><span class="s2">"0.0.0.0:3141"</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">tls</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">cert_file</span><span class="p">:</span><span class="w"> </span><span class="s2">"/etc/geode/certs/server.crt"</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">key_file</span><span class="p">:</span><span class="w"> </span><span class="s2">"/etc/geode/certs/server.key"</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ca_file</span><span class="p">:</span><span class="w"> </span><span class="s2">"/etc/geode/certs/ca.crt"</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># TLS 1.3 is the only supported version</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">min_version</span><span class="p">:</span><span class="w"> </span><span class="s2">"1.3"</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">max_version</span><span class="p">:</span><span class="w"> </span><span class="s2">"1.3"</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Cipher suite preferences (TLS 1.3 suites only)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">cipher_suites</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">TLS_AES_256_GCM_SHA384</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">TLS_CHACHA20_POLY1305_SHA256</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">TLS_AES_128_GCM_SHA256</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Certificate verification</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">verify_client</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">verify_server</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="cipher-suites" class="position-relative d-flex align-items-center group">
<span>Cipher Suites</span>
</h4><p>Geode supports the following TLS 1.3 cipher suites:</p>
<table>
<thead>
<tr>
<th>Cipher Suite</th>
<th>Description</th>
<th>Recommendation</th>
</tr>
</thead>
<tbody>
<tr>
<td>TLS_AES_256_GCM_SHA384</td>
<td>AES-256 with GCM mode</td>
<td>Preferred for high security</td>
</tr>
<tr>
<td>TLS_CHACHA20_POLY1305_SHA256</td>
<td>ChaCha20-Poly1305</td>
<td>Preferred for mobile/ARM</td>
</tr>
<tr>
<td>TLS_AES_128_GCM_SHA256</td>
<td>AES-128 with GCM mode</td>
<td>Good balance of security/performance</td>
</tr>
</tbody>
</table>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Specify cipher suite order</span>
</span></span><span class="line"><span class="cl">geode serve --tls-cipher-suites<span class="o">=</span>TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256
</span></span></code></pre></div>
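<p>A linter for the <code>geode.yaml</code> TLS section and the cipher-suite list above, added here as an example (it is not Geode's own tooling). It assumes the <code>server.tls</code> keys shown on this page and carries a purpose-built parser for that indented YAML subset; real tooling should load the file with PyYAML instead.</p>

```python
# Lint the TLS section of a Geode geode.yaml. Added example, not Geode's own code;
# it assumes the server.tls keys shown on this page. Python 3.9+, stdlib only.

# The three TLS 1.3 suites the page lists as supported by Geode.
TLS13_SUITES = {"TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_GCM_SHA256"}


def _scalar(text: str):
    s = text.strip()
    if len(s) >= 2 and s[0] == s[-1] and s[0] in "\"'":
        return s[1:-1]  # quoted string
    return s == "true" if s in ("true", "false") else s


def parse_yaml_subset(text: str) -> dict:
    # Indented maps and scalar lists only (the subset geode.yaml uses); real tooling should use PyYAML.
    root: dict = {}
    stack: list = [(-1, root)]  # (indent, container), outermost first
    pending = None  # (dict, key, indent) of a key whose value has not been seen yet
    for raw in text.splitlines():
        if not raw.strip() or raw.strip().startswith("#"):
            continue
        line = raw.split(" #", 1)[0].rstrip()
        indent, body = len(line) - len(line.lstrip(" ")), line.strip()
        if body.startswith("- "):  # list item
            if pending is not None:  # first item creates the list under the pending key
                stack.append((indent, pending[0].setdefault(pending[1], [])))
                pending = None
            while len(stack) > 1 and (stack[-1][0] != indent or not isinstance(stack[-1][1], list)):
                stack.pop()
            stack[-1][1].append(_scalar(body[2:]))
            continue
        key, _, rest = body.partition(":")
        if pending is not None and indent > pending[2]:  # first child creates a nested map
            stack.append((indent, pending[0].setdefault(pending[1], {})))
        else:  # sibling or dedent: unwind to the map that owns this indent
            while len(stack) > 1 and (stack[-1][0] > indent or isinstance(stack[-1][1], list)):
                stack.pop()
        current = stack[-1][1]
        if rest.strip():
            current[key.strip()] = _scalar(rest)
            pending = None
        else:
            pending = (current, key.strip(), indent)
    return root


def lint_tls(tls: dict) -> list[str]:
    findings: list[str] = []  # "ERROR ..." / "INFO ..." lines
    if tls.get("enabled") is not True:
        findings.append("ERROR tls.enabled is not true: client/server traffic would be plaintext")
    for key in ("min_version", "max_version"):
        if str(tls.get(key)) != "1.3":
            findings.append(f"ERROR tls.{key}={tls.get(key)!r}: Geode supports only TLS 1.3, pin it to '1.3'")
    for key in ("cert_file", "key_file"):
        if not tls.get(key):
            findings.append(f"ERROR tls.{key} is missing: the server has no certificate to present")
    for suite in tls.get("cipher_suites") or []:
        if suite not in TLS13_SUITES:
            findings.append(f"ERROR cipher suite {suite} is not a TLS 1.3 suite Geode supports")
    if tls.get("verify_server") is not True:
        findings.append("ERROR tls.verify_server is not true: server certificate verification is disabled")
    if tls.get("verify_client") is not True:
        findings.append("INFO tls.verify_client is not true: clients are not authenticated by certificate (no mTLS)")
    return findings


# Constructed copy of the geode.yaml shown on this page (listen and ca_file omitted).
GEODE_YAML = """\
server:
  tls:
    enabled: true
    cert_file: "/etc/geode/certs/server.crt"
    key_file: "/etc/geode/certs/server.key"
    # TLS 1.3 is the only supported version
    min_version: "1.3"
    max_version: "1.3"
    cipher_suites:
      - TLS_AES_256_GCM_SHA384
      - TLS_CHACHA20_POLY1305_SHA256
      - TLS_AES_128_GCM_SHA256
    verify_client: false
    verify_server: true
"""

# Constructed weakened variant: TLS 1.2 floor, a TLS 1.2 suite, server verification off.
WEAK_YAML = """\
server:
  tls:
    enabled: true
    cert_file: "/etc/geode/certs/server.crt"
    key_file: "/etc/geode/certs/server.key"
    min_version: "1.2"
    max_version: "1.3"
    cipher_suites:
      - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
      - TLS_AES_256_GCM_SHA384
    verify_server: false
"""

if __name__ == "__main__":
    for finding in lint_tls(parse_yaml_subset(WEAK_YAML)["server"]["tls"]):
        print(finding)
```

The page's own configuration passes with a single informational line about <code>verify_client</code>; the weakened copy reports three errors.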
<h3 id="certificate-management" class="position-relative d-flex align-items-center group">
<span>Certificate Management</span>
</h3>
<h4 id="generating-certificates" class="position-relative d-flex align-items-center group">
<span>Generating Certificates</span>
</h4>
<h5 id="self-signed-certificates-development" class="position-relative d-flex align-items-center group">
<span>Self-Signed Certificates (Development)</span>
</h5><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Generate CA certificate</span>
</span></span><span class="line"><span class="cl">openssl genrsa -out ca.key <span class="m">4096</span>
</span></span><span class="line"><span class="cl">openssl req -new -x509 -days <span class="m">3650</span> -key ca.key <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> -out ca.crt <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> -subj <span class="s2">"/CN=Geode Development CA/O=Development"</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Generate server certificate</span>
</span></span><span class="line"><span class="cl">openssl genrsa -out server.key <span class="m">4096</span>
</span></span><span class="line"><span class="cl">openssl req -new -key server.key <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> -out server.csr <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> -subj <span class="s2">"/CN=geode.local/O=Development"</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Sign server certificate</span>
</span></span><span class="line"><span class="cl">openssl x509 -req -days <span class="m">365</span> <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> -in server.csr <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> -CA ca.crt -CAkey ca.key <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> -CAcreateserial <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> -out server.crt <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> -extfile <<span class="o">(</span><span class="nb">printf</span> <span class="s2">"subjectAltName=DNS:geode.local,DNS:localhost,IP:127.0.0.1"</span><span class="o">)</span>
</span></span></code></pre></div>
<h5 id="using-geodes-certificate-generator" class="position-relative d-flex align-items-center group">
<span>Using Geode&rsquo;s Certificate Generator</span>
</h5><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Generate self-signed certificate</span>
</span></span><span class="line"><span class="cl">geode cert-gen --output-dir<span class="o">=</span>/etc/geode/certs <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --common-name<span class="o">=</span>geode.example.com <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --san<span class="o">=</span>DNS:geode.example.com,DNS:localhost,IP:127.0.0.1 <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --validity-days<span class="o">=</span><span class="m">365</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Generate CA and server certificates</span>
</span></span><span class="line"><span class="cl">geode cert-gen --mode<span class="o">=</span>ca <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --output-dir<span class="o">=</span>/etc/geode/certs <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --common-name<span class="o">=</span><span class="s2">"Geode Internal CA"</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl">geode cert-gen --mode<span class="o">=</span>server <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --output-dir<span class="o">=</span>/etc/geode/certs <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --ca-cert<span class="o">=</span>/etc/geode/certs/ca.crt <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --ca-key<span class="o">=</span>/etc/geode/certs/ca.key <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --common-name<span class="o">=</span>geode.example.com <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --san<span class="o">=</span>DNS:geode.example.com,DNS:*.geode.example.com
</span></span></code></pre></div>
<h5 id="certificate-signing-request-production" class="position-relative d-flex align-items-center group">
<span>Certificate Signing Request (Production)</span>
</h5><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Generate CSR for external CA</span>
</span></span><span class="line"><span class="cl">geode cert-gen --csr-only <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --output<span class="o">=</span>/etc/geode/certs/geode.csr <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --key-output<span class="o">=</span>/etc/geode/certs/geode.key <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --common-name<span class="o">=</span>geode.production.example.com <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --san<span class="o">=</span>DNS:geode.production.example.com <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --organization<span class="o">=</span><span class="s2">"Example Corp"</span> <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --country<span class="o">=</span>US
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Submit CSR to your CA, receive signed certificate</span>
</span></span><span class="line"><span class="cl"><span class="c1"># Place signed certificate as server.crt</span>
</span></span></code></pre></div>
<h4 id="certificate-chain-configuration" class="position-relative d-flex align-items-center group">
<span>Certificate Chain Configuration</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Concatenate certificates in order: server, intermediate, root</span>
</span></span><span class="line"><span class="cl">cat server.crt intermediate.crt root.crt > server-chain.crt
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Configure Geode with chain</span>
</span></span><span class="line"><span class="cl">geode serve --tls-cert<span class="o">=</span>/etc/geode/certs/server-chain.crt <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --tls-key<span class="o">=</span>/etc/geode/certs/server.key
</span></span></code></pre></div>
<h4 id="certificate-rotation" class="position-relative d-flex align-items-center group">
<span>Certificate Rotation</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Hot reload certificates without restart</span>
</span></span><span class="line"><span class="cl">geode cert-rotate --new-cert<span class="o">=</span>/etc/geode/certs/new-server.crt <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --new-key<span class="o">=</span>/etc/geode/certs/new-server.key <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --graceful<span class="o">=</span><span class="nb">true</span> <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --overlap-duration<span class="o">=</span>1h
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Verify rotation</span>
</span></span><span class="line"><span class="cl">geode tls-status
</span></span><span class="line"><span class="cl"><span class="c1"># Output:</span>
</span></span><span class="line"><span class="cl"><span class="c1"># Current Certificate: /etc/geode/certs/new-server.crt</span>
</span></span><span class="line"><span class="cl"><span class="c1"># Valid Until: 2027-01-28T00:00:00Z</span>
</span></span><span class="line"><span class="cl"><span class="c1"># Cipher: TLS_AES_256_GCM_SHA384</span>
</span></span></code></pre></div>
<h4 id="automatic-certificate-renewal-acmelets-encrypt" class="position-relative d-flex align-items-center group">
<span>Automatic Certificate Renewal (ACME/Let&rsquo;s Encrypt)</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># geode.yaml</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">tls</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">acme</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">email</span><span class="p">:</span><span class="w"> </span><span class="l">[email protected]</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">domains</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">geode.example.com</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">directory_url</span><span class="p">:</span><span class="w"> </span><span class="l">https://acme-v02.api.letsencrypt.org/directory</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">storage_path</span><span class="p">:</span><span class="w"> </span><span class="l">/etc/geode/acme</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">renewal_days_before</span><span class="p">:</span><span class="w"> </span><span class="m">30</span><span class="w">
</span></span></span></code></pre></div>
<h3 id="mutual-tls-mtls" class="position-relative d-flex align-items-center group">
<span>Mutual TLS (mTLS)</span>
</h3><p>Mutual TLS requires the client to present a certificate during the handshake as well as the server, giving strong machine-to-machine authentication in both directions.</p>
<h4 id="server-configuration-for-mtls" class="position-relative d-flex align-items-center group">
<span>Server Configuration for mTLS</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Require client certificates</span>
</span></span><span class="line"><span class="cl">geode serve --tls-cert<span class="o">=</span>/etc/geode/certs/server.crt <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --tls-key<span class="o">=</span>/etc/geode/certs/server.key <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --tls-client-ca<span class="o">=</span>/etc/geode/certs/client-ca.crt <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --require-client-certificates<span class="o">=</span><span class="nb">true</span> <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --verify-client-certificates<span class="o">=</span><span class="nb">true</span>
</span></span></code></pre></div>
<h4 id="configuration-file-1" class="position-relative d-flex align-items-center group">
<span>Configuration File</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># geode.yaml</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">tls</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">cert_file</span><span class="p">:</span><span class="w"> </span><span class="s2">"/etc/geode/certs/server.crt"</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">key_file</span><span class="p">:</span><span class="w"> </span><span class="s2">"/etc/geode/certs/server.key"</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">client_auth</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">required</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ca_file</span><span class="p">:</span><span class="w"> </span><span class="s2">"/etc/geode/certs/client-ca.crt"</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">verify</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Optional: Certificate pinning</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">allowed_certs</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">"/etc/geode/certs/allowed/app1.crt"</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">"/etc/geode/certs/allowed/app2.crt"</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Optional: Subject name requirements</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">allowed_subjects</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">"CN=app-service,O=Example Corp"</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">"CN=etl-service,O=Example Corp"</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="generating-client-certificates" class="position-relative d-flex align-items-center group">
<span>Generating Client Certificates</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Generate client key</span>
</span></span><span class="line"><span class="cl">openssl genrsa -out client.key <span class="m">4096</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Generate CSR</span>
</span></span><span class="line"><span class="cl">openssl req -new -key client.key <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> -out client.csr <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> -subj <span class="s2">"/CN=app-service/O=Example Corp"</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Sign with client CA</span>
</span></span><span class="line"><span class="cl">openssl x509 -req -days <span class="m">365</span> <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> -in client.csr <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> -CA client-ca.crt -CAkey client-ca.key <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> -CAcreateserial <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> -out client.crt
</span></span></code></pre></div>
<h4 id="client-connection-with-certificate" class="position-relative d-flex align-items-center group">
<span>Client Connection with Certificate</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Shell connection with client certificate</span>
</span></span><span class="line"><span class="cl">geode shell --host<span class="o">=</span>geode.example.com:3141 <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --tls-cert<span class="o">=</span>/path/to/client.crt <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --tls-key<span class="o">=</span>/path/to/client.key <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --tls-ca<span class="o">=</span>/path/to/ca.crt
</span></span></code></pre></div>
<h4 id="client-library-configuration" class="position-relative d-flex align-items-center group">
<span>Client Library Configuration</span>
</h4><p><strong>Go Client</strong>:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-go" data-lang="go"><span class="line"><span class="cl"><span class="kn">import</span> <span class="p">(</span>
</span></span><span class="line"><span class="cl"> <span class="s">"crypto/tls"</span>
</span></span><span class="line"><span class="cl"> <span class="s">"crypto/x509"</span>
</span></span><span class="line"><span class="cl"> <span class="s">"log"</span>
</span></span><span class="line"><span class="cl"> <span class="s">"os"</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"> <span class="s">"geodedb.com/geode"</span>
</span></span><span class="line"><span class="cl"><span class="p">)</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1">// Load client certificate
</span></span></span><span class="line"><span class="cl"><span class="c1"></span><span class="nx">cert</span><span class="p">,</span> <span class="nx">err</span> <span class="o">:=</span> <span class="nx">tls</span><span class="p">.</span><span class="nf">LoadX509KeyPair</span><span class="p">(</span><span class="s">"client.crt"</span><span class="p">,</span> <span class="s">"client.key"</span><span class="p">)</span>
</span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="nx">err</span> <span class="o">!=</span> <span class="kc">nil</span> <span class="p">{</span>
</span></span><span class="line"><span class="cl"> <span class="nx">log</span><span class="p">.</span><span class="nf">Fatal</span><span class="p">(</span><span class="nx">err</span><span class="p">)</span>
</span></span><span class="line"><span class="cl"><span class="p">}</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1">// Load CA certificate; AppendCertsFromPEM returns false when it parsed no certificate
</span></span></span><span class="line"><span class="cl"><span class="c1"></span><span class="nx">caCert</span><span class="p">,</span> <span class="nx">err</span> <span class="o">:=</span> <span class="nx">os</span><span class="p">.</span><span class="nf">ReadFile</span><span class="p">(</span><span class="s">"ca.crt"</span><span class="p">)</span>
</span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="nx">err</span> <span class="o">!=</span> <span class="kc">nil</span> <span class="p">{</span>
</span></span><span class="line"><span class="cl"> <span class="nx">log</span><span class="p">.</span><span class="nf">Fatal</span><span class="p">(</span><span class="nx">err</span><span class="p">)</span>
</span></span><span class="line"><span class="cl"><span class="p">}</span>
</span></span><span class="line"><span class="cl"><span class="nx">caCertPool</span> <span class="o">:=</span> <span class="nx">x509</span><span class="p">.</span><span class="nf">NewCertPool</span><span class="p">()</span>
</span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="o">!</span><span class="nx">caCertPool</span><span class="p">.</span><span class="nf">AppendCertsFromPEM</span><span class="p">(</span><span class="nx">caCert</span><span class="p">)</span> <span class="p">{</span>
</span></span><span class="line"><span class="cl"> <span class="nx">log</span><span class="p">.</span><span class="nf">Fatal</span><span class="p">(</span><span class="s">"ca.crt contains no usable CA certificate"</span><span class="p">)</span>
</span></span><span class="line"><span class="cl"><span class="p">}</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1">// Configure client: present our certificate, trust only the CA in ca.crt
</span></span></span><span class="line"><span class="cl"><span class="c1"></span><span class="nx">config</span> <span class="o">:=</span> <span class="o">&</span><span class="nx">geode</span><span class="p">.</span><span class="nx">Config</span><span class="p">{</span>
</span></span><span class="line"><span class="cl"> <span class="nx">Host</span><span class="p">:</span> <span class="s">"geode.example.com:3141"</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="nx">TLS</span><span class="p">:</span> <span class="o">&</span><span class="nx">geode</span><span class="p">.</span><span class="nx">TLSConfig</span><span class="p">{</span>
</span></span><span class="line"><span class="cl"> <span class="nx">Certificates</span><span class="p">:</span> <span class="p">[]</span><span class="nx">tls</span><span class="p">.</span><span class="nx">Certificate</span><span class="p">{</span><span class="nx">cert</span><span class="p">},</span>
</span></span><span class="line"><span class="cl"> <span class="nx">RootCAs</span><span class="p">:</span> <span class="nx">caCertPool</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="p">},</span>
</span></span><span class="line"><span class="cl"><span class="p">}</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="nx">client</span><span class="p">,</span> <span class="nx">err</span> <span class="o">:=</span> <span class="nx">geode</span><span class="p">.</span><span class="nf">NewClient</span><span class="p">(</span><span class="nx">config</span><span class="p">)</span>
</span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="nx">err</span> <span class="o">!=</span> <span class="kc">nil</span> <span class="p">{</span>
</span></span><span class="line"><span class="cl"> <span class="nx">log</span><span class="p">.</span><span class="nf">Fatal</span><span class="p">(</span><span class="nx">err</span><span class="p">)</span>
</span></span><span class="line"><span class="cl"><span class="p">}</span>
</span></span></code></pre></div><p><strong>Python Client</strong>:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">geode_client</span> <span class="kn">import</span> <span class="n">Client</span><span class="p">,</span> <span class="n">TLSConfig</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="n">tls_config</span> <span class="o">=</span> <span class="n">TLSConfig</span><span class="p">(</span>
</span></span><span class="line"><span class="cl"> <span class="n">cert_file</span><span class="o">=</span><span class="s2">"/path/to/client.crt"</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="n">key_file</span><span class="o">=</span><span class="s2">"/path/to/client.key"</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="n">ca_file</span><span class="o">=</span><span class="s2">"/path/to/ca.crt"</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="n">verify</span><span class="o">=</span><span class="kc">True</span>
</span></span><span class="line"><span class="cl"><span class="p">)</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="n">client</span> <span class="o">=</span> <span class="n">Client</span><span class="p">(</span>
</span></span><span class="line"><span class="cl"> <span class="n">host</span><span class="o">=</span><span class="s2">"geode.example.com"</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="n">port</span><span class="o">=</span><span class="mi">3141</span><span class="p">,</span>
</span></span><span class="line"><span class="cl"> <span class="n">tls</span><span class="o">=</span><span class="n">tls_config</span>
</span></span><span class="line"><span class="cl"><span class="p">)</span>
</span></span></code></pre></div><p><strong>Rust Client</strong>:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-rust" data-lang="rust"><span class="line"><span class="cl"><span class="k">use</span><span class="w"> </span><span class="n">geode_client</span>::<span class="p">{</span><span class="n">Client</span><span class="p">,</span><span class="w"> </span><span class="n">TlsConfig</span><span class="p">};</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="k">use</span><span class="w"> </span><span class="n">std</span>::<span class="n">path</span>::<span class="n">PathBuf</span><span class="p">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="kd">let</span><span class="w"> </span><span class="n">tls_config</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">TlsConfig</span>::<span class="n">new</span><span class="p">()</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">.</span><span class="n">with_cert</span><span class="p">(</span><span class="n">PathBuf</span>::<span class="n">from</span><span class="p">(</span><span class="s">"client.crt"</span><span class="p">))</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">.</span><span class="n">with_key</span><span class="p">(</span><span class="n">PathBuf</span>::<span class="n">from</span><span class="p">(</span><span class="s">"client.key"</span><span class="p">))</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">.</span><span class="n">with_ca</span><span class="p">(</span><span class="n">PathBuf</span>::<span class="n">from</span><span class="p">(</span><span class="s">"ca.crt"</span><span class="p">));</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="kd">let</span><span class="w"> </span><span class="n">client</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">Client</span>::<span class="n">builder</span><span class="p">()</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">.</span><span class="n">host</span><span class="p">(</span><span class="s">"geode.example.com"</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">.</span><span class="n">port</span><span class="p">(</span><span class="mi">3141</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">.</span><span class="n">tls</span><span class="p">(</span><span class="n">tls_config</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">.</span><span class="n">build</span><span class="p">()</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">.</span><span class="k">await</span><span class="o">?</span><span class="p">;</span><span class="w">
</span></span></span></code></pre></div>
<h3 id="certificate-pinning" class="position-relative d-flex align-items-center group">
<span>Certificate Pinning</span>
</h3><p>Pin specific certificates or public keys so that a peer is rejected even when its certificate chains to a trusted CA but is not one of the expected ones:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># geode.yaml</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">tls</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">pinning</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">mode</span><span class="p">:</span><span class="w"> </span><span class="s2">"strict"</span><span class="w"> </span><span class="c"># strict, report, or disabled</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Pin by public key hash (SPKI)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">pins</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">"sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB="</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">"sha256/CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC="</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Pin by certificate fingerprint</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">fingerprints</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">"sha256:AA:BB:CC:DD:..."</span><span class="w">
</span></span></span></code></pre></div>
<h3 id="ocsp-and-certificate-revocation" class="position-relative d-flex align-items-center group">
<span>OCSP and Certificate Revocation</span>
</h3>
<h4 id="ocsp-stapling" class="position-relative d-flex align-items-center group">
<span>OCSP Stapling</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># geode.yaml</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">tls</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ocsp</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">stapling</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">responder_url</span><span class="p">:</span><span class="w"> </span><span class="s2">"http://ocsp.example.com"</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">cache_duration</span><span class="p">:</span><span class="w"> </span><span class="m">3600</span><span class="w"> </span><span class="c"># seconds</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># Fail-open or fail-closed on OCSP failure</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">strict</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="crl-configuration" class="position-relative d-flex align-items-center group">
<span>CRL Configuration</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># geode.yaml</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">tls</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">crl</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">urls</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">"http://crl.example.com/ca.crl"</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">refresh_interval</span><span class="p">:</span><span class="w"> </span><span class="m">3600</span><span class="w"> </span><span class="c"># seconds</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">cache_path</span><span class="p">:</span><span class="w"> </span><span class="s2">"/var/cache/geode/crl"</span><span class="w">
</span></span></span></code></pre></div>
<h3 id="session-resumption" class="position-relative d-flex align-items-center group">
<span>Session Resumption</span>
</h3><p>TLS 1.3 supports session resumption, which lets a returning client skip the full handshake by presenting a ticket issued in an earlier session:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># geode.yaml</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">tls</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">session_resumption</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ticket_lifetime</span><span class="p">:</span><span class="w"> </span><span class="m">86400</span><span class="w"> </span><span class="c"># 24 hours</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">max_early_data</span><span class="p">:</span><span class="w"> </span><span class="m">16384</span><span class="w"> </span><span class="c"># bytes</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># 0-RTT early data (use with caution)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">allow_0rtt</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span><span class="c"># Vulnerable to replay attacks</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="0-rtt-considerations" class="position-relative d-flex align-items-center group">
<span>0-RTT Considerations</span>
</h4><p>Early data is sent before the server has proven freshness, so a recorded ClientHello can be fed to the server again. The attacker cannot read the reply, but without replay protection the server executes the statement a second time, and even with it the attacker observes the size and timing of the response. Keep the allowlist to operations whose repetition is harmless and leave replay protection on:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># Enable 0-RTT only for idempotent, read-only operations; early data can be replayed</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">tls</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">session_resumption</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">allow_0rtt</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">0rtt_allowed_operations</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">"SELECT"</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">"MATCH"</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">0rtt_replay_protection</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w">
</span></span></span></code></pre></div>
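<p>The gate that the three settings above describe, as an added example that is not Geode's code: it models one way a server can enforce an operation allowlist together with the two anti-replay mechanisms of RFC 8446 section 8, ticket freshness and ClientHello recording. The request fields, the 10-second freshness window and the decision strings are assumptions; the allowlist and <code>max_early_data</code> values are the ones in the configuration above.</p>

```python
"""Model of the server-side gate behind allow_0rtt, 0rtt_allowed_operations and
0rtt_replay_protection. Illustrative code, not Geode's implementation: it
combines the two anti-replay mechanisms of RFC 8446 section 8 (ticket freshness
and ClientHello recording) with an operation allowlist."""
import hashlib
from dataclasses import dataclass, field

ALLOWED_0RTT_OPERATIONS = {"SELECT", "MATCH"}   # the page's read-only set
MAX_EARLY_DATA = 16384                          # bytes, as in geode.yaml
FRESHNESS_WINDOW = 10.0                         # seconds; assumed tolerance for clock skew and delay


@dataclass
class EarlyDataRequest:
    ticket_id: bytes       # PSK identity the client presents in its ClientHello
    client_random: bytes   # ClientHello.random (32 bytes)
    ticket_age: float      # ticket age the client claims, in seconds (obfuscation removed)
    statement: str         # the query carried as early data


@dataclass
class EarlyDataGate:
    allow_0rtt: bool
    replay_protection: bool
    allowed_operations: set = field(default_factory=lambda: set(ALLOWED_0RTT_OPERATIONS))
    max_early_data: int = MAX_EARLY_DATA
    _issued: dict = field(default_factory=dict)   # ticket_id -> time the server issued it
    _seen: dict = field(default_factory=dict)     # ClientHello fingerprint -> time first seen

    def issue_ticket(self, ticket_id, now):
        self._issued[ticket_id] = now

    def decide(self, req, now):
        """Return (True, "ok") to serve the statement in 0-RTT, or (False, reason)
        to refuse the early data. A refused client resends after the handshake
        completes, so every refusal is safe, only one round trip slower."""
        if not self.allow_0rtt:
            return False, "0rtt_disabled"
        if len(req.statement.encode()) > self.max_early_data:
            return False, "too_large"
        words = req.statement.split(None, 1)
        if not words or words[0].upper() not in self.allowed_operations:
            return False, "operation_not_allowed"
        if self.replay_protection:
            issued = self._issued.get(req.ticket_id)
            if issued is None:
                return False, "unknown_ticket"
            # Freshness (RFC 8446 8.3): the claimed age must place the ClientHello
            # close to now, which bounds how long a captured ClientHello stays usable
            if abs((issued + req.ticket_age) - now) > FRESHNESS_WINDOW:
                return False, "stale"
            # ClientHello recording (RFC 8446 8.2): the same ticket with the same
            # random inside the window is a replay, not a new connection
            self._seen = {k: t for k, t in self._seen.items() if now - t <= FRESHNESS_WINDOW}
            fingerprint = hashlib.sha256(req.ticket_id + req.client_random).digest()
            if fingerprint in self._seen:
                return False, "replay"
            self._seen[fingerprint] = now
        return True, "ok"


def demo():
    """Constructed traffic: one resumption, its replay, a write, a late replay, and
    the same request against a gate with allow_0rtt: false."""
    gate = EarlyDataGate(allow_0rtt=True, replay_protection=True)
    ticket, rnd = b"\x01" * 16, b"\x02" * 32
    gate.issue_ticket(ticket, now=100.0)
    query = "SELECT name FROM users"
    first = gate.decide(EarlyDataRequest(ticket, rnd, 1.0, query), now=101.0)
    replay = gate.decide(EarlyDataRequest(ticket, rnd, 1.0, query), now=101.5)
    write = gate.decide(EarlyDataRequest(ticket, b"\x03" * 32, 1.5, "INSERT INTO audit VALUES (1)"), now=101.5)
    late = gate.decide(EarlyDataRequest(ticket, b"\x04" * 32, 1.0, query), now=200.0)
    off = EarlyDataGate(allow_0rtt=False, replay_protection=True)
    disabled = off.decide(EarlyDataRequest(ticket, rnd, 1.0, query), now=101.0)
    return first, replay, write, late, disabled


if __name__ == "__main__":
    for label, result in zip(("first", "replay", "write", "late", "disabled"), demo()):
        print(f"{label:9} -> {result}")
```

<p>The <code>_seen</code> table lives in one process, which is the classic gap: a ClientHello replayed to another node of a cluster is unseen there. In a multi-node deployment the recording must be shared, or tickets must be bound to the node that issued them so that another node refuses to resume with them.</p>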
<h3 id="tls-monitoring-and-debugging" class="position-relative d-flex align-items-center group">
<span>TLS Monitoring and Debugging</span>
</h3>
<h4 id="connection-status" class="position-relative d-flex align-items-center group">
<span>Connection Status</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Check TLS status</span>
</span></span><span class="line"><span class="cl">geode tls-status
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Output:</span>
</span></span><span class="line"><span class="cl"><span class="c1"># TLS Version: 1.3</span>
</span></span><span class="line"><span class="cl"><span class="c1"># Cipher Suite: TLS_AES_256_GCM_SHA384</span>
</span></span><span class="line"><span class="cl"><span class="c1"># Certificate Subject: CN=geode.example.com</span>
</span></span><span class="line"><span class="cl"><span class="c1"># Certificate Issuer: CN=Example CA</span>
</span></span><span class="line"><span class="cl"><span class="c1"># Certificate Valid: 2025-01-01 to 2026-01-01</span>
</span></span><span class="line"><span class="cl"><span class="c1"># Client Auth: Required</span>
</span></span><span class="line"><span class="cl"><span class="c1"># OCSP Stapling: Enabled</span>
</span></span></code></pre></div>
<h4 id="tls-metrics" class="position-relative d-flex align-items-center group">
<span>TLS Metrics</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># View TLS metrics</span>
</span></span><span class="line"><span class="cl">geode metrics <span class="p">|</span> grep tls
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># tls_handshakes_total{version="1.3",cipher="TLS_AES_256_GCM_SHA384"} 15234</span>
</span></span><span class="line"><span class="cl"><span class="c1"># tls_handshake_errors_total{reason="expired_certificate"} 3</span>
</span></span><span class="line"><span class="cl"><span class="c1"># tls_handshake_duration_seconds{quantile="0.99"} 0.045</span>
</span></span><span class="line"><span class="cl"><span class="c1"># tls_client_auth_failures_total 12</span>
</span></span></code></pre></div>
<h4 id="debug-logging" class="position-relative d-flex align-items-center group">
<span>Debug Logging</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Enable TLS debug logging</span>
</span></span><span class="line"><span class="cl">geode serve --log-level<span class="o">=</span>debug --log-components<span class="o">=</span>tls
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Log output includes:</span>
</span></span><span class="line"><span class="cl"><span class="c1"># [TLS] ClientHello received from 192.168.1.100</span>
</span></span><span class="line"><span class="cl"><span class="c1"># [TLS] Selected cipher suite: TLS_AES_256_GCM_SHA384</span>
</span></span><span class="line"><span class="cl"><span class="c1"># [TLS] Client certificate verified: CN=app-service</span>
</span></span><span class="line"><span class="cl"><span class="c1"># [TLS] Handshake completed in 23ms</span>
</span></span></code></pre></div>
<h4 id="testing-tls-configuration" class="position-relative d-flex align-items-center group">
<span>Testing TLS Configuration</span>
</h4><p>The tools below speak TLS over TCP. Geode carries TLS 1.3 inside QUIC, which runs over UDP, so if the port is QUIC-only these commands never reach a handshake and their connection error says nothing about the TLS configuration; they are useful against a listener that also accepts TLS over TCP.</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"># Test with OpenSSL: pin TLS 1.3, send SNI, present the client certificate, and
# let a verification failure abort the handshake instead of being printed and ignored
openssl s_client -connect geode.example.com:3141 \
  -tls1_3 \
  -servername geode.example.com \
  -CAfile ca.crt \
  -cert client.crt \
  -key client.key \
  -verify_return_error

# Test cipher suites (needs an nmap whose ssl-enum-ciphers script knows TLS 1.3)
nmap --script ssl-enum-ciphers -p 3141 geode.example.com

# Test certificate chain; add -untrusted intermediate.crt when an
# intermediate CA signs the server certificate
openssl verify -CAfile ca.crt server.crt
</code></pre></div>
<h3 id="security-best-practices" class="position-relative d-flex align-items-center group">
<span>Security Best Practices</span>
</h3>
<h4 id="1-use-strong-key-sizes" class="position-relative d-flex align-items-center group">
<span>1. Use Strong Key Sizes</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"># RSA: 4096 bits for long-term keys (NIST SP 800-57 rates 3072 bits as the
# floor for 128-bit security; larger keys cost handshake signing time)
openssl genrsa -out server.key 4096

# ECDSA: P-384 or P-521 curves (P-256 is also valid in TLS 1.3 and faster)
openssl ecparam -genkey -name secp384r1 -noout -out server.key

# Ed25519: modern, fast, secure; confirm first that every client TLS stack
# that must connect can verify ed25519 signatures
openssl genpkey -algorithm ED25519 -out server.key

# All three commands write the key unencrypted: restrict it right away
# (see "2. Protect Private Keys")
</code></pre></div>
<h4 id="2-protect-private-keys" class="position-relative d-flex align-items-center group">
<span>2. Protect Private Keys</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"># Restrict file permissions: owned by the service account, owner read-only
chown geode:geode /etc/geode/certs/server.key
chmod 400 /etc/geode/certs/server.key

# Use encrypted key storage. The password file now guards the key, so give it
# the same owner and 0400 mode as the key itself, or the encryption adds nothing
geode serve --tls-key-password-file=/etc/geode/secrets/key-password
</code></pre></div>
<h4 id="3-implement-certificate-monitoring" class="position-relative d-flex align-items-center group">
<span>3. Implement Certificate Monitoring</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># Alert on certificate expiration</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">monitoring</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">alerts</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">cert_expiring_soon</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">condition</span><span class="p">:</span><span class="w"> </span><span class="l">tls_certificate_expiry_days < 30</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">action</span><span class="p">:</span><span class="w"> </span><span class="l">notify_ops</span><span class="w">
</span></span></span></code></pre></div>
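<p>An added example, not part of Geode, that turns the counters shown under TLS Metrics and the <code>cert_expiring_soon</code> rule above into checks that run outside the server: it parses the text exposition format, computes the increase of each counter between two scrapes (the way a Prometheus <code>rate()</code> rule would, rather than alerting on a cumulative total) and evaluates three rules. The <code>tls_certificate_expiry_days</code> gauge is assumed from the rule's condition, the error-ratio and client-auth-burst thresholds are assumptions, and both scrapes are constructed.</p>

```python
"""Evaluate TLS alert rules on the output of `geode metrics`. Illustrative code,
not part of Geode: it parses the text exposition format the page shows and works
on the increase between two scrapes, the way a rate() rule would, instead of
on raw cumulative counters."""
import re

SAMPLE_RE = re.compile(r"^([A-Za-z_:][A-Za-z0-9_:]*)(?:\{([^}]*)\})?\s+(\S+)$")
LABEL_RE = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)="([^"]*)"')

CERT_EXPIRY_WARN_DAYS = 30        # the page's cert_expiring_soon rule
HANDSHAKE_ERROR_RATIO = 0.01      # assumed: errors per handshake in one scrape interval
CLIENT_AUTH_FAILURE_BURST = 5     # assumed: new client-auth failures per scrape interval


def parse_metrics(text):
    """Map (metric, sorted label pairs) -> value; skips comments and blank lines."""
    samples = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = SAMPLE_RE.match(line)
        if match is None:
            continue          # not a sample line (e.g. a stray log line)
        name, raw_labels, value = match.groups()
        labels = tuple(sorted(LABEL_RE.findall(raw_labels or "")))
        samples[(name, labels)] = float(value)
    return samples


def counter_increase(prev, cur, name):
    """Per-series increase of a counter between two scrapes. A series missing
    from prev counts from zero; a value that went down is a counter reset."""
    out = {}
    for (metric, labels), value in cur.items():
        if metric != name:
            continue
        before = prev.get((metric, labels), 0.0)
        out[labels] = value - before if value >= before else value
    return out


def evaluate(prev, cur):
    """Return [(alert_name, detail)] for the rules that fire on this scrape pair."""
    alerts = []
    expiry = cur.get(("tls_certificate_expiry_days", ()))   # gauge name assumed from the page's rule
    if expiry is not None and expiry < CERT_EXPIRY_WARN_DAYS:
        alerts.append(("cert_expiring_soon", f"{expiry:.0f} days left"))

    handshakes = sum(counter_increase(prev, cur, "tls_handshakes_total").values())
    errors = counter_increase(prev, cur, "tls_handshake_errors_total")
    total_errors = sum(errors.values())
    if handshakes > 0 and total_errors / handshakes > HANDSHAKE_ERROR_RATIO:
        by_reason = {dict(labels).get("reason", "?"): int(n) for labels, n in errors.items() if n > 0}
        alerts.append(("tls_handshake_error_rate",
                       f"{total_errors:.0f} errors in {handshakes:.0f} handshakes {by_reason}"))

    auth_failures = sum(counter_increase(prev, cur, "tls_client_auth_failures_total").values())
    if auth_failures > CLIENT_AUTH_FAILURE_BURST:
        alerts.append(("client_auth_failure_burst", f"{auth_failures:.0f} new failures"))
    return alerts


# Constructed scrapes, 60 s apart, in the format `geode metrics | grep tls` prints
PREV_SCRAPE = """
tls_handshakes_total{version="1.3",cipher="TLS_AES_256_GCM_SHA384"} 15234
tls_handshakes_total{version="1.3",cipher="TLS_CHACHA20_POLY1305_SHA256"} 400
tls_handshake_errors_total{reason="expired_certificate"} 3
tls_handshake_duration_seconds{quantile="0.99"} 0.045
tls_client_auth_failures_total 12
tls_certificate_expiry_days 21
"""
CUR_SCRAPE = """
tls_handshakes_total{version="1.3",cipher="TLS_AES_256_GCM_SHA384"} 15434
tls_handshakes_total{version="1.3",cipher="TLS_CHACHA20_POLY1305_SHA256"} 410
tls_handshake_errors_total{reason="expired_certificate"} 3
tls_handshake_errors_total{reason="unknown_ca"} 25
tls_handshake_duration_seconds{quantile="0.99"} 0.047
tls_client_auth_failures_total 15
tls_certificate_expiry_days 21
"""


def demo():
    return evaluate(parse_metrics(PREV_SCRAPE), parse_metrics(CUR_SCRAPE))


if __name__ == "__main__":
    for name, detail in demo():
        print(f"ALERT {name}: {detail}")
```

<p>On the constructed pair, 25 of 210 new handshakes failed, all with <code>unknown_ca</code>, which is the signature of a client fleet whose trust store lacks a newly rotated CA, and the certificate has 21 days left; the three new client-auth failures stay under the burst threshold. Grouping errors by the <code>reason</code> label is what makes the alert actionable, so keep that label on the counter rather than summing it away.</p>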
<h4 id="4-regular-security-audits" class="position-relative d-flex align-items-center group">
<span>4. Regular Security Audits</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Check for weak configurations</span>
</span></span><span class="line"><span class="cl">geode security-audit --component<span class="o">=</span>tls
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Output:</span>
</span></span><span class="line"><span class="cl"><span class="c1"># [PASS] TLS version 1.3 only</span>
</span></span><span class="line"><span class="cl"><span class="c1"># [PASS] Strong cipher suites</span>
</span></span><span class="line"><span class="cl"><span class="c1"># [PASS] Certificate valid for 180 days</span>
</span></span><span class="line"><span class="cl"><span class="c1"># [WARN] OCSP stapling not enabled</span>
</span></span><span class="line"><span class="cl"><span class="c1"># [PASS] Client authentication required</span>
</span></span></code></pre></div>
<h4 id="5-defense-in-depth" class="position-relative d-flex align-items-center group">
<span>5. Defense in Depth</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># Combine TLS with network security</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">security</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">tls</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">require_client_certificates</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">network</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">allowed_ips</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">"10.0.0.0/8"</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s2">"192.168.1.0/24"</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">rate_limiting</span><span class="p">:</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">max_connections_per_ip</span><span class="p">:</span><span class="w"> </span><span class="m">100</span><span class="w">
</span></span></span></code></pre></div>
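<p>A configuration lint, as an added example that is not Geode's <code>security-audit</code>: it checks the dict produced by parsing <code>geode.yaml</code> for the weak settings covered in this section, using the key paths from the snippets on this page (the <code>tls.ocsp_stapling</code> key is an assumption) and the RFC 8446 ceiling of seven days on <code>ticket_lifetime</code>. The two configurations it runs on are constructed: one with the mistakes the page warns about, one in the hardened shape the page recommends.</p>

```python
"""Lint a parsed geode.yaml for the weak transport settings this page warns
about. Illustrative code, not Geode's `security-audit`: hand it the dict that
yaml.safe_load() returns. Key paths follow the snippets on this page; the
tls.ocsp_stapling key is an assumption."""

MAX_TICKET_LIFETIME = 604800          # RFC 8446 4.6.1: ticket_lifetime is at most seven days
READ_ONLY_OPERATIONS = {"SELECT", "MATCH"}


def _get(cfg, *path, default=None):
    """Walk nested dicts; return default when any key on the path is missing."""
    node = cfg
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def lint_tls_config(cfg):
    """Return [(level, check, message)] with level PASS, WARN or FAIL."""
    out = []

    def report(level, check, message):
        out.append((level, check, message))

    if _get(cfg, "security", "tls", "enabled") is True:
        report("PASS", "tls_enabled", "TLS enabled")
    else:
        report("FAIL", "tls_enabled", "security.tls.enabled is not true")
    if _get(cfg, "security", "tls", "require_client_certificates") is True:
        report("PASS", "client_auth", "client certificates required")
    else:
        report("WARN", "client_auth", "client certificates not required")

    sr = _get(cfg, "tls", "session_resumption", default={}) or {}
    lifetime = sr.get("ticket_lifetime")
    if isinstance(lifetime, (int, float)) and lifetime > MAX_TICKET_LIFETIME:
        report("FAIL", "ticket_lifetime", f"{lifetime}s exceeds the 604800s ceiling of RFC 8446")
    elif lifetime is not None:
        report("PASS", "ticket_lifetime", f"{lifetime}s")
    if sr.get("allow_0rtt") is True:
        ops = {str(op).upper() for op in sr.get("0rtt_allowed_operations") or []}
        if sr.get("0rtt_replay_protection") is not True:
            report("FAIL", "0rtt", "0-RTT enabled without replay protection")
        elif not ops:
            report("FAIL", "0rtt", "0-RTT enabled with no operation allowlist")
        elif ops - READ_ONLY_OPERATIONS:
            report("FAIL", "0rtt", f"non-read-only operations allowed in 0-RTT: {sorted(ops - READ_ONLY_OPERATIONS)}")
        else:
            report("PASS", "0rtt", "0-RTT limited to read-only operations with replay protection")
    else:
        report("PASS", "0rtt", "0-RTT disabled")

    if _get(cfg, "tls", "ocsp_stapling", "enabled") is True:   # key name assumed
        report("PASS", "ocsp_stapling", "OCSP stapling enabled")
    else:
        report("WARN", "ocsp_stapling", "OCSP stapling not enabled")
    if _get(cfg, "security", "network", "allowed_ips"):
        report("PASS", "network_allowlist", "source IP allowlist configured")
    else:
        report("WARN", "network_allowlist", "no source IP allowlist; relying on TLS alone")
    if _get(cfg, "security", "network", "rate_limiting", "enabled") is True:
        report("PASS", "rate_limiting", "connection rate limiting enabled")
    else:
        report("WARN", "rate_limiting", "no rate limiting on new connections")
    return out


def worst_level(findings):
    order = {"PASS": 0, "WARN": 1, "FAIL": 2}
    return max((level for level, _, _ in findings), key=order.get, default="PASS")


# Constructed configs: a weak one and the hardened shape this page recommends
WEAK_CONFIG = {
    "security": {"tls": {"enabled": True, "require_client_certificates": False}},
    "tls": {"session_resumption": {"enabled": True, "ticket_lifetime": 2592000,
                                   "allow_0rtt": True, "0rtt_replay_protection": True,
                                   "0rtt_allowed_operations": ["SELECT", "INSERT"]}},
}
HARDENED_CONFIG = {
    "security": {
        "tls": {"enabled": True, "require_client_certificates": True},
        "network": {"allowed_ips": ["10.0.0.0/8", "192.168.1.0/24"],
                    "rate_limiting": {"enabled": True, "max_connections_per_ip": 100}},
    },
    "tls": {
        "ocsp_stapling": {"enabled": True},
        "session_resumption": {"enabled": True, "ticket_lifetime": 86400, "max_early_data": 16384,
                               "allow_0rtt": True, "0rtt_replay_protection": True,
                               "0rtt_allowed_operations": ["SELECT", "MATCH"]},
    },
}

if __name__ == "__main__":
    for cfg_name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = lint_tls_config(cfg)
        print(f"{cfg_name}: {worst_level(findings)}")
        for level, check, message in findings:
            print(f"  [{level}] {check}: {message}")
```

<p>Run it in CI against the rendered configuration and fail the pipeline on any FAIL, so that a thirty-day ticket lifetime or a write verb slipped into the 0-RTT allowlist never reaches a server; the WARN findings are the defence-in-depth items, which are worth gating in production but not in a development profile.</p>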
<h3 id="troubleshooting" class="position-relative d-flex align-items-center group">
<span>Troubleshooting</span>
</h3>
<h4 id="certificate-errors" class="position-relative d-flex align-items-center group">
<span>Certificate Errors</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Verify certificate chain</span>
</span></span><span class="line"><span class="cl">openssl verify -CAfile ca.crt -untrusted intermediate.crt server.crt
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Check certificate details</span>
</span></span><span class="line"><span class="cl">openssl x509 -in server.crt -noout -text
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Check for SAN entries</span>
</span></span><span class="line"><span class="cl">openssl x509 -in server.crt -noout -ext subjectAltName
</span></span></code></pre></div>
<h4 id="handshake-failures" class="position-relative d-flex align-items-center group">
<span>Handshake Failures</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"># Debug handshake
GEODE_TLS_DEBUG=1 geode shell --host=geode.example.com:3141

# Common issues:
# - Certificate not trusted: add the CA (and any intermediate) to the trust store
# - Hostname mismatch: check the SAN entries; modern verifiers match the SAN list, not the CN
# - Expired or not-yet-valid certificate: renew it; if only one host complains,
#   compare that host's clock first
# - Revoked certificate: check CRL and OCSP status
# - Client offers only TLS 1.2 or lower: upgrade the client; Geode negotiates TLS 1.3 only
# - Cipher or signature-algorithm mismatch: TLS 1.3 has only a handful of cipher
#   suites, so this usually means the client cannot verify the certificate's
#   key type (for example Ed25519)
</code></pre></div>
<h4 id="performance-issues" class="position-relative d-flex align-items-center group">
<span>Performance Issues</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Check handshake latency</span>
</span></span><span class="line"><span class="cl">geode metrics <span class="p">|</span> grep handshake_duration
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Enable session resumption for repeat connections</span>
</span></span><span class="line"><span class="cl"><span class="c1"># Verify 0-RTT is working for allowed operations</span>
</span></span><span class="line"><span class="cl"><span class="c1"># Check for OCSP lookup delays</span>
</span></span></code></pre></div>
<h3 id="related-topics" class="position-relative d-flex align-items-center group">
<span>Related Topics</span>
</h3><ul>
<li><a
href="/tags/encryption/"
>Encryption</a>
- Data encryption at rest</li>
<li><a
href="/tags/security/"
>Security</a>
- Security overview</li>
<li><a
href="/tags/authentication/"
>Authentication</a>
- Identity verification</li>
<li><a
href="/tags/compliance/"
>Compliance</a>
- Regulatory requirements</li>
<li><a
href="/tags/cryptography/"
>Cryptography</a>
- Cryptographic foundations</li>
<li><a
href="/tags/protocol/"
>QUIC Protocol</a>
- Transport protocol details</li>
</ul>
<h3 id="further-reading" class="position-relative d-flex align-items-center group">
<span>Further Reading</span>
</h3><ul>
<li><a
href="/docs/architecture/security-architecture/"
>Security Architecture</a>
- Security design</li>
<li><a
href="/docs/ops/deployment/"
>Deployment Guide</a>
- Production deployment</li>
<li><a
href="/docs/configuration/"
>Network Configuration</a>
- Network settings</li>
<li>TLS Best Practices Whitepaper - Enterprise TLS guidance</li>
</ul>