TLS/mTLS Transport Plugin

Module

Router

Status

IMPLEMENTED

Description

TLS transport wrapping TCP with SslStream, supporting mutual TLS (mTLS) with client certificate validation, certificate hot-reload without connection drops, and configurable cipher suites.

Implementation Details

Modules: src/Router/__Libraries/StellaOps.Router.Transport.Tls/
Key Classes:
- TlsTransportPlugin (src/Router/__Libraries/StellaOps.Router.Transport.Tls/TlsTransportPlugin.cs) - plugin registration for TLS/mTLS transport
- TlsTransportServer (src/Router/__Libraries/StellaOps.Router.Transport.Tls/TlsTransportServer.cs) - TLS-wrapped transport server with mTLS support
- TlsTransportClient (src/Router/__Libraries/StellaOps.Router.Transport.Tls/TlsTransportClient.cs) - TLS-wrapped transport client with client certificate
- CertificateLoader (src/Router/__Libraries/StellaOps.Router.Transport.Tls/CertificateLoader.cs) - loads certificates from file/store
- CertificateWatcher (src/Router/__Libraries/StellaOps.Router.Transport.Tls/CertificateWatcher.cs) - watches certificate files for hot-reload without connection drops
- TlsConnection (src/Router/__Libraries/StellaOps.Router.Transport.Tls/TlsConnection.cs) - TLS connection wrapper
Interfaces: IRouterTransportPlugin, ITransportServer, ITransportClient, IMicroserviceTransport
Source: batch_52/file_04.md

E2E Test Plan

Register TlsTransportPlugin and verify TLS-encrypted communication between gateway and microservice
Enable mTLS and verify client certificate validation rejects connections without valid client certs
Replace a server certificate and verify CertificateWatcher hot-reloads without dropping active connections
Verify cipher suite configuration: restrict to specific ciphers and confirm they are enforced
Verify connection fails with expired or self-signed certificates when validation is strict

1.9 KiB Raw Blame History