
Configuring TLS for Outgoing Policy Requests

Some Flex Gateway policies make outgoing requests to HTTP and gRPC upstream services. For example, the OAuth 2.0 Token Introspection Policy sends token validation requests to an OAuth 2.0 service, and the External Authorization Policy forwards incoming client requests to an authorization service.

By default, Managed and Self-Managed Flex Gateways protect these connections with a default TLS Context. The default TLS context is not mTLS and uses the default ciphers listed in TLS Cipher Support on Flex Gateway.

To override the default TLS context, configure a custom default TLS context for all outgoing requests from policies. You can’t configure a custom default TLS context for Managed Flex Gateway.

Configure a TLS Context for Self-Managed Gateways

For both local and connected mode, use a YAML configuration file to configure TLS between a policy and an upstream service:

apiVersion: gateway.mulesoft.com/v1alpha1
kind: Configuration
metadata:
  name: default-tls
spec:
  defaultTLS:
    outboundPolicyCalls:
      skipValidation: <boolean> # OPTIONAL
      trustedCA: <string> # OPTIONAL, defaults to the CA store of the operating system
      certificate: # OPTIONAL
        key: <string> # OPTIONAL
        crt: <string> # OPTIONAL
      alpn: <array> # OPTIONAL
      minversion: <string> # OPTIONAL
      maxversion: <string> # OPTIONAL
      ciphers: <array> # OPTIONAL

If you omit an optional parameter from your configuration file, the parameter's default value is applied to your TLS context.

When configuring the ciphers parameter, ensure that your API upstream supports the listed ciphers. For the supported ciphers, see TLS Cipher Support on Flex Gateway.

Parameter | Required or Optional | Default Value | Description
skipValidation | Optional | false | If true, the upstream certificate is not validated.
trustedCA | Optional | N/A | The CA used to validate the upstream server certificate. If no trusted CA is provided, the policy uses the default OS CA.
certificate | Optional | N/A | The client certificate to present for mTLS. To comply with security standards, all certificates must be 2048 bits or longer.
certificate.key | Optional | N/A | The private key part of the certificate.
certificate.crt | Optional | N/A | The public key part of the certificate.
alpn | Optional | h2 and http/1.1 | A prioritized list of supported application-level protocols; for example, h2, http/1.1, and so forth.
minversion | Optional | 1.2 | The minimum TLS version allowed.
maxversion | Optional | 1.3 | The maximum TLS version allowed.
ciphers | Optional | For the default and other supported ciphers, see TLS Cipher Support on Flex Gateway. | A list of supported TLS ciphers (IANA format).

TLS Cipher Support on Flex Gateway

Flex can support a range of TLS Versions from TLS 1.2 to TLS 1.3, and you can also customize some of the ciphers to support.

You cannot customize the list of TLS 1.3 Ciphers. If you support TLS 1.3, the TLS 1.3 default ciphers are all supported regardless of the ciphers listed in the configuration file. If you don’t support TLS 1.3, these ciphers are not included.

For TLS 1.2, listing any ciphers overrides the TLS 1.2 default ciphers. If you want to support ciphers besides the default TLS 1.2 ciphers, you must list every cipher to support, including any default ciphers you still want. Excluding a default cipher from your list means that cipher is no longer supported. If you only want the default ciphers, leave the cipher list empty. Listing ciphers does not affect the default TLS 1.3 ciphers.

For outbound TLS Context, ensure that your upstream service supports the selected ciphers and versions.
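The following is an added example, not Flex Gateway code: it applies the parameter defaults from the configuration section above and the cipher override rules from this section to an outboundPolicyCalls mapping (the dict that yaml.safe_load would return for that block), reports the TLS 1.2 and TLS 1.3 suites that would actually be allowed, and flags settings a reviewer would want to look at (skipValidation, half-configured mTLS, suites the support table rates Weak). The cipher sets and the is_weak rule are transcribed from the support table below; the function names are this example's own.

```python
# Added example, not Flex Gateway code: applies the cipher and version rules
# described on this page to an outboundPolicyCalls mapping (the dict that
# yaml.safe_load would return for that block) and reports what would be allowed.

TLS13_DEFAULT = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
                 "TLS_CHACHA20_POLY1305_SHA256"}
TLS12_DEFAULT = {
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"}
# Every TLS 1.2 suite in the support table: defaults, the non-default ECDHE_PSK
# ChaCha20 suite, the ten CBC suites and the two RSA-key-exchange GCM suites.
TLS12_SUPPORTED = TLS12_DEFAULT | {"TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256"} | {
    f"TLS_{kx}_WITH_AES_{bits}_CBC_SHA" for kx in ("RSA", "PSK", "ECDHE_ECDSA", "ECDHE_RSA",
    "ECDHE_PSK") for bits in ("128", "256")} | {
    "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_256_GCM_SHA384"}

def is_weak(suite: str) -> bool:
    # Matches exactly the "Weak" rows of the support table: CBC mode, or RSA/PSK
    # key exchange without ECDHE (no forward secrecy).
    return "_CBC_" in suite or suite.startswith(("TLS_RSA_WITH", "TLS_PSK_WITH"))

def effective_ciphers(outbound: dict) -> dict:
    """Return the TLS 1.3 and TLS 1.2 suites a config would allow, plus warnings."""
    warnings = []
    minv, maxv = str(outbound.get("minversion", "1.2")), str(outbound.get("maxversion", "1.3"))
    if minv > maxv:
        warnings.append(f"minversion {minv} is above maxversion {maxv}; nothing can be negotiated")
    if outbound.get("skipValidation", False):
        warnings.append("skipValidation: true disables upstream certificate validation")
    cert = outbound.get("certificate") or {}
    if bool(cert.get("key")) != bool(cert.get("crt")):
        warnings.append("certificate needs both key and crt for mTLS")
    listed = list(outbound.get("ciphers") or [])
    # TLS 1.3 suites cannot be customized: present iff 1.3 is within the version range.
    tls13 = set(TLS13_DEFAULT) if minv <= "1.3" <= maxv else set()
    for c in listed:
        if c in TLS13_DEFAULT:
            warnings.append(f"{c} is a TLS 1.3 suite; listing it has no effect")
        elif c not in TLS12_SUPPORTED:
            warnings.append(f"{c} is not a supported suite (check the IANA name)")
    # Any listed TLS 1.2 suite replaces the whole default TLS 1.2 set.
    wanted12 = [c for c in listed if c not in TLS13_DEFAULT]
    tls12 = {c for c in wanted12 if c in TLS12_SUPPORTED} if wanted12 else set(TLS12_DEFAULT)
    if not (minv <= "1.2" <= maxv):
        tls12 = set()
    for c in sorted(tls12):
        if is_weak(c):
            warnings.append(f"{c} is rated Weak in the support table")
    return {"tls13": tls13, "tls12": tls12, "warnings": warnings}
```

Running it on a constructed list such as ["TLS_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA"] shows the override in action: the five other default TLS 1.2 suites disappear, the TLS 1.3 entry is reported as having no effect, and the CBC suite is flagged as Weak.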

Flex Gateway Supported Ciphers

Flex Gateway supports the following TLS Ciphers in Connected Mode and Local Mode:

Cipher | TLS Version | Default | Advice
TLS_AES_128_GCM_SHA256 | 1.3 | Yes | Secure
TLS_AES_256_GCM_SHA384 | 1.3 | Yes | Secure
TLS_CHACHA20_POLY1305_SHA256 | 1.3 | Yes | Secure
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | 1.2 | Yes | Recommended
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | 1.2 | Yes | Recommended
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 | 1.2 | Yes | Recommended
TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 | 1.2 | No | Recommended
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | 1.2 | Yes | Secure
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | 1.2 | Yes | Secure
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 | 1.2 | Yes | Secure
TLS_RSA_WITH_AES_128_GCM_SHA256 | 1.2 | No | Weak
TLS_RSA_WITH_AES_256_GCM_SHA384 | 1.2 | No | Weak
TLS_RSA_WITH_AES_128_CBC_SHA | 1.2 | No | Weak
TLS_RSA_WITH_AES_256_CBC_SHA | 1.2 | No | Weak
TLS_PSK_WITH_AES_128_CBC_SHA | 1.2 | No | Weak
TLS_PSK_WITH_AES_256_CBC_SHA | 1.2 | No | Weak
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | 1.2 | No | Weak
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | 1.2 | No | Weak
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | 1.2 | No | Weak
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | 1.2 | No | Weak
TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA | 1.2 | No | Weak
TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA | 1.2 | No | Weak