SSL / TLS
Configure TLS for encrypted communication between nodes and clients.
TLS Configuration
Set the certificate chain, private key, and optional CA bundle for peer verification.
```cpp
using namespace framework;
configuration config;
config.tls_.cert_chain_file_.store(
    std::make_shared<const std::string>("/etc/ssl/certs/server.crt"));
config.tls_.private_key_file_.store(
    std::make_shared<const std::string>("/etc/ssl/private/server.key"));
config.tls_.ca_file_.store(
    std::make_shared<const std::string>("/etc/ssl/certs/ca.crt"));
```

| Field | Required | Description |
|---|---|---|
| cert_chain_file_ | Yes | Path to the PEM-encoded certificate chain. |
| private_key_file_ | Yes | Path to the PEM-encoded private key. |
| ca_file_ | No | Path to the CA bundle for peer certificate verification. |
SSL Context Access
The framework maintains a std::shared_ptr<boost::asio::ssl::context> used for all TLS connections.
```cpp
// Get the current SSL context (returns shared_ptr<boost::asio::ssl::context>)
auto ctx = app.get_state()->get_ssl_context();

// Set a custom SSL context (takes shared_ptr<boost::asio::ssl::context>).
// The tlsv12 method restricts this context to TLS 1.2, and a newly
// constructed context carries no certificate, private key or verification
// settings of its own.
auto custom_ctx = std::make_shared<boost::asio::ssl::context>(
    boost::asio::ssl::context::tlsv12);
app.get_state()->set_ssl_context(custom_ctx);
```

The SSL context is initialized automatically from the TLS configuration. Use set_ssl_context() when you need programmatic control over TLS options (e.g., custom cipher suites, session caching).
Certificate Hooks
For dynamic certificate loading (e.g., from a secrets manager), provide a callback instead of file paths. The hook is set directly on config (not under config.tls_):
```cpp
config.certificate_hook_ = []() {
    return std::make_tuple(
        "-----BEGIN CERTIFICATE-----\n...",   // cert_chain_pem
        "-----BEGIN PRIVATE KEY-----\n...",   // private_key_pem
        "-----BEGIN DH PARAMETERS-----\n..."  // dh_params_pem
    );
};
```

The hook is called when the framework needs to set up TLS. It returns a tuple of (cert_chain_pem, private_key_pem, dh_params_pem). When a hook is set, the file-based tls_.* fields are ignored.
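
Because a hook bypasses the file-based fields, it is the place to validate key material before the framework sees it. The following is an added example, not framework code: `pem_tuple`, `read_pem`, `require_private`, `load_tls_material`, the file names and the `/run/secrets/tls` path are assumptions, as is `certificate_hook_` accepting a callable that returns a tuple of strings.

```cpp
#include <fstream>
#include <sstream>
#include <stdexcept>
#include <string>
#include <tuple>
#include <sys/stat.h>

// Assumed hook result type: (cert_chain_pem, private_key_pem, dh_params_pem).
using pem_tuple = std::tuple<std::string, std::string, std::string>;

// Read a whole file and check its PEM armor, so a missing, swapped or
// truncated file fails here instead of reaching TLS setup.
inline std::string read_pem(const std::string& path, const std::string& label) {
    std::ifstream in(path, std::ios::binary);
    if (!in) throw std::runtime_error("cannot open " + path);
    std::ostringstream buf;
    buf << in.rdbuf();
    const std::string pem = buf.str();
    const std::string begin = "-----BEGIN " + label + "-----";
    const std::string end = "-----END " + label + "-----";
    const auto b = pem.find(begin);
    if (b == std::string::npos || pem.find(end, b) == std::string::npos)
        throw std::runtime_error(path + ": missing " + label + " PEM block");
    return pem;
}

// Refuse a private key file that group or other can read, write or execute.
inline void require_private(const std::string& path) {
    struct stat st{};
    if (::stat(path.c_str(), &st) != 0)
        throw std::runtime_error("cannot stat " + path);
    if (st.st_mode & (S_IRWXG | S_IRWXO))
        throw std::runtime_error(path + ": key file is accessible to group/other");
}

// Hypothetical loader for a mounted secrets directory (file names assumed).
// The key label matches the PKCS#8 form shown in the hook example above.
inline pem_tuple load_tls_material(const std::string& dir) {
    require_private(dir + "/tls.key");
    return std::make_tuple(read_pem(dir + "/tls.crt", "CERTIFICATE"),
                           read_pem(dir + "/tls.key", "PRIVATE KEY"),
                           read_pem(dir + "/dhparams.pem", "DH PARAMETERS"));
}

// Wiring, under the assumption stated above:
// config.certificate_hook_ = [] { return load_tls_material("/run/secrets/tls"); };
```

The loader throws on any failed check, so whether TLS setup aborts cleanly depends on how the framework handles an exception from the hook.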