This extension may be referenced by the qualified name envoy.transport_sockets.starttls


This extension is intended to be robust against both untrusted downstream and upstream traffic.


This extension extends and can be used with the following extension categories:

The StartTls transport socket addresses situations in which a protocol starts in clear-text and negotiates an in-band switch to TLS. The StartTls transport socket is protocol agnostic: it requires a network filter that understands the protocol exchange and a state machine that signals to the StartTls transport socket when a switch to TLS is required.


[extensions.transport_sockets.starttls.v3.StartTlsConfig proto]

Configuration for the StartTls transport socket. The StartTls transport socket wraps two sockets:

- raw_buffer socket, which is used at the beginning of the session
- TLS socket, used when a protocol negotiates a switch to encrypted traffic

{
  "cleartext_socket_config": "{...}",
  "tls_socket_config": "{...}"
}

cleartext_socket_config
(extensions.transport_sockets.raw_buffer.v3.RawBuffer) (optional) Configuration for clear-text socket used at the beginning of the session.


tls_socket_config
(extensions.transport_sockets.tls.v3.DownstreamTlsContext, REQUIRED) Configuration for TLS socket.
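
The following static configuration is an added example, not part of the original page: a listener whose filter chain uses the StartTls transport socket. It assumes the Postgres proxy network filter (with terminate_ssl enabled, available in Envoy builds that include it) as the filter that signals the switch to TLS; the listener and cluster names, the upstream hostname and the certificate paths are placeholders.

```yaml
static_resources:
  listeners:
  - name: postgres_listener            # placeholder name
    address:
      socket_address: { address: 0.0.0.0, port_value: 5432 }
    filter_chains:
    - filters:
      # Network filter that understands the protocol exchange and tells the
      # StartTls transport socket when to switch to TLS (assumed filter).
      - name: envoy.filters.network.postgres_proxy
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.postgres_proxy.v3alpha.PostgresProxy
          stat_prefix: postgres
          terminate_ssl: true
      - name: envoy.filters.network.tcp_proxy
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
          stat_prefix: tcp
          cluster: postgres_cluster
      transport_socket:
        name: envoy.transport_sockets.starttls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.starttls.v3.StartTlsConfig
          # cleartext_socket_config is optional and omitted here. Until the
          # filter signals the switch, bytes on the connection are clear-text.
          tls_socket_config:           # REQUIRED: a DownstreamTlsContext
            common_tls_context:
              tls_certificates:
              - certificate_chain: { filename: /etc/envoy/certs/server.crt }  # placeholder path
                private_key: { filename: /etc/envoy/certs/server.key }        # placeholder path
  clusters:
  - name: postgres_cluster             # placeholder name
    type: STRICT_DNS
    connect_timeout: 1s
    load_assignment:
      cluster_name: postgres_cluster
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: postgres.internal.example, port_value: 5432 }
```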