Home / Kong Mesh / Mesh Policies Hub
Edit
Report

Mesh TLS

Overview Examples Configuration reference
Related Documentation
Mesh Documentation
Minimum Version
Kong Mesh - 2.9

TargetRef support matrix

targetRef Allowed kinds
targetRef.kind Mesh, Dataplane, MeshSubset(deprecated)

To learn more about the information in this table, see the matching docs.

Configuration

The following describes the default configuration settings of the MeshTLS policy:

  • tlsVersion: Defines TLS versions to be used by both client and server. Allowed values: TLSAuto, TLS10, TLS11, TLS12, TLS13.
  • tlsCiphers: Defines TLS ciphers to be used by both client and server. Allowed values: ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-CHACHA20-POLY1305.
  • mode: Defines the mTLS mode - Permissive mode encrypts outbound connections the same way as Strict mode, but inbound connections on the server-side accept both TLS and plaintext. Allowed values: Strict, Permissive.

Setting the TLS version and ciphers on both the client and server makes it harder to configure incorrectly. If you want to try out a specific version/cipher combination, we recommend creating a temporary mesh, deploying two applications within it, and testing whether communication is working. If you have a use case for configuring a different set of allowed versions/ciphers on different workloads, we’d love to hear about it. In that case, please open an issue.

Something wrong?
Report an Issue | Edit this Page

Help us make these docs great!

Kong Developer docs are open source. If you find these useful and want to make them better, contribute today!
Contribute

Still need help

Ask in our Forum
Contact Support