stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

save checkpoint

Browse Source
This commit is contained in:
master
2026-02-14 09:11:48 +02:00
parent 9ca2de05df
commit e9aeadc040
1512 changed files with 30863 additions and 4728 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
docs/features/checked/router/tls-mtls-transport-plugin.md Normal file
View File

@@ -0,0 +1,29 @@
# TLS/mTLS Transport Plugin
## Module
Router
## Status
IMPLEMENTED
## Description
TLS transport wrapping TCP with SslStream, supporting mutual TLS (mTLS) with client certificate validation, certificate hot-reload without connection drops, and configurable cipher suites.
## Implementation Details
- **Modules**: `src/Router/__Libraries/StellaOps.Router.Transport.Tls/`
- **Key Classes**:
- `TlsTransportPlugin` (`src/Router/__Libraries/StellaOps.Router.Transport.Tls/TlsTransportPlugin.cs`) - plugin registration for TLS/mTLS transport
- `TlsTransportServer` (`src/Router/__Libraries/StellaOps.Router.Transport.Tls/TlsTransportServer.cs`) - TLS-wrapped transport server with mTLS support
- `TlsTransportClient` (`src/Router/__Libraries/StellaOps.Router.Transport.Tls/TlsTransportClient.cs`) - TLS-wrapped transport client with client certificate
- `CertificateLoader` (`src/Router/__Libraries/StellaOps.Router.Transport.Tls/CertificateLoader.cs`) - loads certificates from file/store
- `CertificateWatcher` (`src/Router/__Libraries/StellaOps.Router.Transport.Tls/CertificateWatcher.cs`) - watches certificate files for hot-reload without connection drops
- `TlsConnection` (`src/Router/__Libraries/StellaOps.Router.Transport.Tls/TlsConnection.cs`) - TLS connection wrapper
- **Interfaces**: `IRouterTransportPlugin`, `ITransportServer`, `ITransportClient`, `IMicroserviceTransport`
- **Source**: batch_52/file_04.md
## E2E Test Plan
- [ ] Register `TlsTransportPlugin` and verify TLS-encrypted communication between gateway and microservice
- [ ] Enable mTLS and verify client certificate validation rejects connections without valid client certs
- [ ] Replace a server certificate and verify `CertificateWatcher` hot-reloads without dropping active connections
- [ ] Verify cipher suite configuration: restrict to specific ciphers and confirm they are enforced
- [ ] Verify connection fails with expired or self-signed certificates when validation is strict