andrewkroh · June 12, 2024 23:25 · andrewkroh · Jun 12, 2024
diff --git a/beats.tls.cue b/beats.tls.cue
 // Beats TLS configuration options.
 package tls

 $version: "v8.14.0"

 #base64String: =~"^([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)?$"

 #hexSHA256: =~"^[a-fA-F0-9]{64}$"

 #pemCerts: =~"^(?:(?:-+BEGIN CERTIFICATE-+\\s+)(?:([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)?\\s+)+(?:-+END CERTIFICATE-+\\s*))+$"

 #pemKey: =~"^(?:(?:-+BEGIN .*KEY-+\\s+)(?:([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)?\\s+)+(?:-+END .*KEY-+\\s*))$"

 #tlsConfig: {
 	// Enable TLS.
 	enabled?: bool

 	// Verification mode.
 	//
 	//  * full - Verifies that the provided certificate is signed by a trusted
 	//    authority (CA) and also verifies that the server’s hostname (or IP
 	//    address) matches the names identified within the certificate.
 	//  * strict - Verifies that the provided certificate is signed by a trusted
 	//    authority (CA) and also verifies that the server’s hostname (or IP
 	//    address) matches the names identified within the certificate. If the
 	//    Subject Alternative Name is empty, it returns an error.
 	//  * certificate - Verifies that the provided certificate is signed by a
 	//    trusted authority (CA), but does not perform any hostname verification.
 	//  * none - Performs no verification of the server’s certificate. This mode
 	//    disables many of the security benefits of SSL/TLS and should only be
 	//    used after cautious consideration. It is primarily intended as a
 	//    temporary diagnostic mechanism when attempting to resolve TLS errors;
 	//    its use in production environments is strongly discouraged.
 	verification_mode?: *"full" | "strict" | "certificate" | "none"

 	// Supported TLS versions.
 	versions?: *["TLSv1.1", "TLSv1.2", "TLSv1.3"] | [..."TLSv1" | "TLSv1.0" | "TLSv1.1" | "TLSv1.2" | "TLSv1.3"]

 	// List of cipher suites to accept. This list is given in descending order of
 	// priority. If this option is omitted, the Go crypto library’s default suites
 	// are used.
 	cipher_suites?: [
 		..."ECDHE-ECDSA-AES-128-CBC-SHA" |
 		"ECDHE-ECDSA-AES-128-CBC-SHA256" |
 		"ECDHE-ECDSA-AES-128-GCM-SHA256" |
 		"ECDHE-ECDSA-AES-256-CBC-SHA" |
 		"ECDHE-ECDSA-AES-256-GCM-SHA384" |
 		"ECDHE-ECDSA-CHACHA20-POLY1305" |
 		"ECDHE-ECDSA-RC4-128-SHA" |
 		"ECDHE-RSA-3DES-CBC3-SHA" |
 		"ECDHE-RSA-AES-128-CBC-SHA" |
 		"ECDHE-RSA-AES-128-CBC-SHA256" |
 		"ECDHE-RSA-AES-128-GCM-SHA256" |
 		"ECDHE-RSA-AES-256-CBC-SHA" |
 		"ECDHE-RSA-AES-256-GCM-SHA384" |
 		"ECDHE-RSA-CHACHA20-POLY1205" |
 		"ECDHE-RSA-RC4-128-SHA" |
 		"RSA-RC4-128-SHA" |
 		"RSA-3DES-CBC3-SHA" |
 		"RSA-AES-128-CBC-SHA" |
 		"RSA-AES-128-CBC-SHA256" |
 		"RSA-AES-128-GCM-SHA256" |
 		"RSA-AES-256-CBC-SHA" |
 		"RSA-AES-256-GCM-SHA384" |
 		"TLS-AES-128-GCM-SHA256" |
 		"TLS-AES-256-GCM-SHA384" |
 		"TLS-CHACHA20-POLY1305-SHA256",
 	]

 	// List of certificate authorities to trust. If empty or not set, then the
 	// host's keystore is used. Each entry in the list may be either a file path
 	// or PEM encoded certificate.
 	certificate_authorities?: [...string]

 	// The list of curve types for ECDHE (Elliptic Curve Diffie-Hellman ephemeral
 	// key exchange).
 	curve_types?: [..."P-256" | "P-384" | "P-521" | "X25519"]

 	// List of base64 encoded SHA-256 certificate fingerprints. One of the listed
 	// fingerprints must match a certificate in the peer's chain.
 	//
 	// This check is not a replacement for the normal SSL validation, but it adds
 	// additional validation. If this option is used with verification_mode set to
 	// none, the check will always fail because it will not receive any verified
 	// chains.
 	ca_sha256?: [...#base64String]

 	// A hex encoded SHA-256 fingerprint of a certificate. If any certificate
 	// matching this fingerprint is found in the peer's chain then peer is
 	// trusted.
 	ca_trusted_fingerprint?: #hexSHA256

 	{
 		// The key passphrase used to decrypt an encrypted key.
 		//
 		// NOTE: This is a secret.
 		key_passphrase?: string
 	} |
 	{
 		// Path to a file containing the key passphrase used to decrypt an encrpyted key.
 		key_passphrase_path?: string
 	}
 }

 // TLS client config.
 #TLSClientConfig: {
 	#tlsConfig

 	{
 		// PEM encoded client certificate that is used to authenticate this client
 		// when the server requests client authentication.
 		certificate: #pemCerts

 		// PEM encoded certificate private key.
 		//
 		// NOTE: This is a secret.
 		key: #pemKey
 	} | {}
 }

 // TLS server config.
 #TLSServerConfig: {
 	#tlsConfig

 	// Type of allowed TLS renegotiations.
 	//
 	//   * never - Disables renegotiation.
 	//   * once - Allows a remote server to request renegotiation once per connection.
 	//   * freely - Allows a remote server to request renegotiation repeatedly.
 	renegotiation?: *"never" | "once" | "freely"

 	// The type of client authentication mode. When certificate_authorities is
 	// set, it defaults to required. Otherwise, it defaults to none.
 	client_authentication?: "none" | "optional" | "required"

 	// The end-entity (leaf) certificate that the server uses to identify itself.
 	// If the certificate is signed by a certificate authority (CA), then it
 	// should include intermediate CA certificates, sorted from leaf to root.
 	certificate: #pemCerts

 	// PEM encoded certificate private key.
 	//
 	// NOTE: This is a secret.
 	key: #pemKey
 }
diff --git a/openapi.tls.yaml b/openapi.tls.yaml
 openapi: 3.0.0
 info:
  title: Beats TLS configuration options.
  version: v8.14.0
 paths: {}
 components:
  schemas:
    TLSClientConfig:
      description: TLS client config.
      type: object
      allOf:
        - $ref: '#/components/schemas/tlsConfig'
        - oneOf:
            - required:
                - certificate
                - key
              properties:
                certificate:
                  $ref: '#/components/schemas/pemCerts'
                key:
                  $ref: '#/components/schemas/pemKey'
            - not:
                anyOf:
                  - required:
                      - certificate
                      - key
                    properties:
                      certificate:
                        $ref: '#/components/schemas/pemCerts'
                      key:
                        $ref: '#/components/schemas/pemKey'
    TLSServerConfig:
      description: TLS server config.
      type: object
      properties:
        renegotiation:
          description: |-
            Type of allowed TLS renegotiations.

              * never - Disables renegotiation.
              * once - Allows a remote server to request renegotiation once per connection.
              * freely - Allows a remote server to request renegotiation repeatedly.
          type: string
          enum:
            - never
            - once
            - freely
          default: never
        client_authentication:
          description: |-
            The type of client authentication mode. When certificate_authorities is
            set, it defaults to required. Otherwise, it defaults to none.
          type: string
          enum:
            - none
            - optional
            - required
        certificate:
          $ref: '#/components/schemas/pemCerts'
        key:
          $ref: '#/components/schemas/pemKey'
      allOf:
        - $ref: '#/components/schemas/tlsConfig'
        - required:
            - certificate
            - key
    base64String:
      type: string
      pattern: ^([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)?$
    hexSHA256:
      type: string
      pattern: ^[a-fA-F0-9]{64}$
    pemCerts:
      type: string
      pattern: ^(?:(?:-+BEGIN CERTIFICATE-+\s+)(?:([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)?\s+)+(?:-+END CERTIFICATE-+\s*))+$
    pemKey:
      type: string
      pattern: ^(?:(?:-+BEGIN .*KEY-+\s+)(?:([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)?\s+)+(?:-+END .*KEY-+\s*))$
    tlsConfig:
      type: object
      properties:
        enabled:
          description: Enable TLS.
          type: boolean
        verification_mode:
          description: |-
            Verification mode.

             * full - Verifies that the provided certificate is signed by a trusted
               authority (CA) and also verifies that the server’s hostname (or IP
               address) matches the names identified within the certificate.
             * strict - Verifies that the provided certificate is signed by a trusted
               authority (CA) and also verifies that the server’s hostname (or IP
               address) matches the names identified within the certificate. If the
               Subject Alternative Name is empty, it returns an error.
             * certificate - Verifies that the provided certificate is signed by a
               trusted authority (CA), but does not perform any hostname verification.
             * none - Performs no verification of the server’s certificate. This mode
               disables many of the security benefits of SSL/TLS and should only be
               used after cautious consideration. It is primarily intended as a
               temporary diagnostic mechanism when attempting to resolve TLS errors;
               its use in production environments is strongly discouraged.
          type: string
          enum:
            - full
            - strict
            - certificate
            - none
          default: full
        versions:
          description: Supported TLS versions.
          type: array
          items:
            type: string
            enum:
              - TLSv1
              - TLSv1.0
              - TLSv1.1
              - TLSv1.2
              - TLSv1.3
          default:
            - TLSv1.1
            - TLSv1.2
            - TLSv1.3
        cipher_suites:
          description: |-
            List of cipher suites to accept. This list is given in descending order of
            priority. If this option is omitted, the Go crypto library’s default suites
            are used.
          type: array
          items:
            type: string
            enum:
              - ECDHE-ECDSA-AES-128-CBC-SHA
              - ECDHE-ECDSA-AES-128-CBC-SHA256
              - ECDHE-ECDSA-AES-128-GCM-SHA256
              - ECDHE-ECDSA-AES-256-CBC-SHA
              - ECDHE-ECDSA-AES-256-GCM-SHA384
              - ECDHE-ECDSA-CHACHA20-POLY1305
              - ECDHE-ECDSA-RC4-128-SHA
              - ECDHE-RSA-3DES-CBC3-SHA
              - ECDHE-RSA-AES-128-CBC-SHA
              - ECDHE-RSA-AES-128-CBC-SHA256
              - ECDHE-RSA-AES-128-GCM-SHA256
              - ECDHE-RSA-AES-256-CBC-SHA
              - ECDHE-RSA-AES-256-GCM-SHA384
              - ECDHE-RSA-CHACHA20-POLY1205
              - ECDHE-RSA-RC4-128-SHA
              - RSA-RC4-128-SHA
              - RSA-3DES-CBC3-SHA
              - RSA-AES-128-CBC-SHA
              - RSA-AES-128-CBC-SHA256
              - RSA-AES-128-GCM-SHA256
              - RSA-AES-256-CBC-SHA
              - RSA-AES-256-GCM-SHA384
              - TLS-AES-128-GCM-SHA256
              - TLS-AES-256-GCM-SHA384
              - TLS-CHACHA20-POLY1305-SHA256
        certificate_authorities:
          description: |-
            List of certificate authorities to trust. If empty or not set, then the
            host's keystore is used. Each entry in the list may be either a file path
            or PEM encoded certificate.
          type: array
          items:
            type: string
        curve_types:
          description: |-
            The list of curve types for ECDHE (Elliptic Curve Diffie-Hellman ephemeral
            key exchange).
          type: array
          items:
            type: string
            enum:
              - P-256
              - P-384
              - P-521
              - X25519
        ca_sha256:
          description: |-
            List of base64 encoded SHA-256 certificate fingerprints. One of the listed
            fingerprints must match a certificate in the peer's chain.

            This check is not a replacement for the normal SSL validation, but it adds
            additional validation. If this option is used with verification_mode set to
            none, the check will always fail because it will not receive any verified
            chains.
          type: array
          items:
            $ref: '#/components/schemas/base64String'
        ca_trusted_fingerprint:
          $ref: '#/components/schemas/hexSHA256'
      oneOf:
        - allOf:
            - properties:
                key_passphrase:
                  description: |-
                    The key passphrase used to decrypt an encrypted key.

                    NOTE: This is a secret.
                  type: string
            - not:
                anyOf:
                  - properties:
                      key_passphrase_path:
                        description: Path to a file containing the key passphrase used to decrypt an encrpyted key.
                        type: string
        - allOf:
            - properties:
                key_passphrase_path:
                  description: Path to a file containing the key passphrase used to decrypt an encrpyted key.
                  type: string
            - not:
                anyOf:
                  - properties:
                      key_passphrase:
                        description: |-
                          The key passphrase used to decrypt an encrypted key.

                          NOTE: This is a secret.
                        type: string
	// Beats TLS configuration options.
	package tls

	$version: "v8.14.0"

	#base64String: =~"^([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{3}=\|[A-Za-z0-9+/]{2}==)?$"

	#hexSHA256: =~"^[a-fA-F0-9]{64}$"

	#pemCerts: =~"^(?:(?:-+BEGIN CERTIFICATE-+\\s+)(?:([A-Za-z0-9+/]{4})([A-Za-z0-9+/]{3}=\|[A-Za-z0-9+/]{2}==)?\\s+)+(?:-+END CERTIFICATE-+\\s))+$"

	#pemKey: =~"^(?:(?:-+BEGIN .KEY-+\\s+)(?:([A-Za-z0-9+/]{4})([A-Za-z0-9+/]{3}=\|[A-Za-z0-9+/]{2}==)?\\s+)+(?:-+END .KEY-+\\s))$"

	#tlsConfig: {
	// Enable TLS.
	enabled?: bool

	// Verification mode.
	//
	// * full - Verifies that the provided certificate is signed by a trusted
	// authority (CA) and also verifies that the server’s hostname (or IP
	// address) matches the names identified within the certificate.
	// * strict - Verifies that the provided certificate is signed by a trusted
	// authority (CA) and also verifies that the server’s hostname (or IP
	// address) matches the names identified within the certificate. If the
	// Subject Alternative Name is empty, it returns an error.
	// * certificate - Verifies that the provided certificate is signed by a
	// trusted authority (CA), but does not perform any hostname verification.
	// * none - Performs no verification of the server’s certificate. This mode
	// disables many of the security benefits of SSL/TLS and should only be
	// used after cautious consideration. It is primarily intended as a
	// temporary diagnostic mechanism when attempting to resolve TLS errors;
	// its use in production environments is strongly discouraged.
	verification_mode?: *"full" \| "strict" \| "certificate" \| "none"

	// Supported TLS versions.
	versions?: *["TLSv1.1", "TLSv1.2", "TLSv1.3"] \| [..."TLSv1" \| "TLSv1.0" \| "TLSv1.1" \| "TLSv1.2" \| "TLSv1.3"]

	// List of cipher suites to accept. This list is given in descending order of
	// priority. If this option is omitted, the Go crypto library’s default suites
	// are used.
	cipher_suites?: [
	..."ECDHE-ECDSA-AES-128-CBC-SHA" \|
	"ECDHE-ECDSA-AES-128-CBC-SHA256" \|
	"ECDHE-ECDSA-AES-128-GCM-SHA256" \|
	"ECDHE-ECDSA-AES-256-CBC-SHA" \|
	"ECDHE-ECDSA-AES-256-GCM-SHA384" \|
	"ECDHE-ECDSA-CHACHA20-POLY1305" \|
	"ECDHE-ECDSA-RC4-128-SHA" \|
	"ECDHE-RSA-3DES-CBC3-SHA" \|
	"ECDHE-RSA-AES-128-CBC-SHA" \|
	"ECDHE-RSA-AES-128-CBC-SHA256" \|
	"ECDHE-RSA-AES-128-GCM-SHA256" \|
	"ECDHE-RSA-AES-256-CBC-SHA" \|
	"ECDHE-RSA-AES-256-GCM-SHA384" \|
	"ECDHE-RSA-CHACHA20-POLY1205" \|
	"ECDHE-RSA-RC4-128-SHA" \|
	"RSA-RC4-128-SHA" \|
	"RSA-3DES-CBC3-SHA" \|
	"RSA-AES-128-CBC-SHA" \|
	"RSA-AES-128-CBC-SHA256" \|
	"RSA-AES-128-GCM-SHA256" \|
	"RSA-AES-256-CBC-SHA" \|
	"RSA-AES-256-GCM-SHA384" \|
	"TLS-AES-128-GCM-SHA256" \|
	"TLS-AES-256-GCM-SHA384" \|
	"TLS-CHACHA20-POLY1305-SHA256",
	]

	// List of certificate authorities to trust. If empty or not set, then the
	// host's keystore is used. Each entry in the list may be either a file path
	// or PEM encoded certificate.
	certificate_authorities?: [...string]

	// The list of curve types for ECDHE (Elliptic Curve Diffie-Hellman ephemeral
	// key exchange).
	curve_types?: [..."P-256" \| "P-384" \| "P-521" \| "X25519"]

	// List of base64 encoded SHA-256 certificate fingerprints. One of the listed
	// fingerprints must match a certificate in the peer's chain.
	//
	// This check is not a replacement for the normal SSL validation, but it adds
	// additional validation. If this option is used with verification_mode set to
	// none, the check will always fail because it will not receive any verified
	// chains.
	ca_sha256?: [...#base64String]

	// A hex encoded SHA-256 fingerprint of a certificate. If any certificate
	// matching this fingerprint is found in the peer's chain then peer is
	// trusted.
	ca_trusted_fingerprint?: #hexSHA256

	{
	// The key passphrase used to decrypt an encrypted key.
	//
	// NOTE: This is a secret.
	key_passphrase?: string
	} \|
	{
	// Path to a file containing the key passphrase used to decrypt an encrpyted key.
	key_passphrase_path?: string
	}
	}

	// TLS client config.
	#TLSClientConfig: {
	#tlsConfig

	{
	// PEM encoded client certificate that is used to authenticate this client
	// when the server requests client authentication.
	certificate: #pemCerts

	// PEM encoded certificate private key.
	//
	// NOTE: This is a secret.
	key: #pemKey
	} \| {}
	}

	// TLS server config.
	#TLSServerConfig: {
	#tlsConfig

	// Type of allowed TLS renegotiations.
	//
	// * never - Disables renegotiation.
	// * once - Allows a remote server to request renegotiation once per connection.
	// * freely - Allows a remote server to request renegotiation repeatedly.
	renegotiation?: *"never" \| "once" \| "freely"

	// The type of client authentication mode. When certificate_authorities is
	// set, it defaults to required. Otherwise, it defaults to none.
	client_authentication?: "none" \| "optional" \| "required"

	// The end-entity (leaf) certificate that the server uses to identify itself.
	// If the certificate is signed by a certificate authority (CA), then it
	// should include intermediate CA certificates, sorted from leaf to root.
	certificate: #pemCerts

	// PEM encoded certificate private key.
	//
	// NOTE: This is a secret.
	key: #pemKey
	}
	openapi: 3.0.0
	info:
	title: Beats TLS configuration options.
	version: v8.14.0
	paths: {}
	components:
	schemas:
	TLSClientConfig:
	description: TLS client config.
	type: object
	allOf:
	- $ref: '#/components/schemas/tlsConfig'
	- oneOf:
	- required:
	- certificate
	- key
	properties:
	certificate:
	$ref: '#/components/schemas/pemCerts'
	key:
	$ref: '#/components/schemas/pemKey'
	- not:
	anyOf:
	- required:
	- certificate
	- key
	properties:
	certificate:
	$ref: '#/components/schemas/pemCerts'
	key:
	$ref: '#/components/schemas/pemKey'
	TLSServerConfig:
	description: TLS server config.
	type: object
	properties:
	renegotiation:
	description: \|-
	Type of allowed TLS renegotiations.

	* never - Disables renegotiation.
	* once - Allows a remote server to request renegotiation once per connection.
	* freely - Allows a remote server to request renegotiation repeatedly.
	type: string
	enum:
	- never
	- once
	- freely
	default: never
	client_authentication:
	description: \|-
	The type of client authentication mode. When certificate_authorities is
	set, it defaults to required. Otherwise, it defaults to none.
	type: string
	enum:
	- none
	- optional
	- required
	certificate:
	$ref: '#/components/schemas/pemCerts'
	key:
	$ref: '#/components/schemas/pemKey'
	allOf:
	- $ref: '#/components/schemas/tlsConfig'
	- required:
	- certificate
	- key
	base64String:
	type: string
	pattern: ^([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{3}=\|[A-Za-z0-9+/]{2}==)?$
	hexSHA256:
	type: string
	pattern: ^[a-fA-F0-9]{64}$
	pemCerts:
	type: string
	pattern: ^(?:(?:-+BEGIN CERTIFICATE-+\s+)(?:([A-Za-z0-9+/]{4})([A-Za-z0-9+/]{3}=\|[A-Za-z0-9+/]{2}==)?\s+)+(?:-+END CERTIFICATE-+\s))+$
	pemKey:
	type: string
	pattern: ^(?:(?:-+BEGIN .KEY-+\s+)(?:([A-Za-z0-9+/]{4})([A-Za-z0-9+/]{3}=\|[A-Za-z0-9+/]{2}==)?\s+)+(?:-+END .KEY-+\s))$
	tlsConfig:
	type: object
	properties:
	enabled:
	description: Enable TLS.
	type: boolean
	verification_mode:
	description: \|-
	Verification mode.

	* full - Verifies that the provided certificate is signed by a trusted
	authority (CA) and also verifies that the server’s hostname (or IP
	address) matches the names identified within the certificate.
	* strict - Verifies that the provided certificate is signed by a trusted
	authority (CA) and also verifies that the server’s hostname (or IP
	address) matches the names identified within the certificate. If the
	Subject Alternative Name is empty, it returns an error.
	* certificate - Verifies that the provided certificate is signed by a
	trusted authority (CA), but does not perform any hostname verification.
	* none - Performs no verification of the server’s certificate. This mode
	disables many of the security benefits of SSL/TLS and should only be
	used after cautious consideration. It is primarily intended as a
	temporary diagnostic mechanism when attempting to resolve TLS errors;
	its use in production environments is strongly discouraged.
	type: string
	enum:
	- full
	- strict
	- certificate
	- none
	default: full
	versions:
	description: Supported TLS versions.
	type: array
	items:
	type: string
	enum:
	- TLSv1
	- TLSv1.0
	- TLSv1.1
	- TLSv1.2
	- TLSv1.3
	default:
	- TLSv1.1
	- TLSv1.2
	- TLSv1.3
	cipher_suites:
	description: \|-
	List of cipher suites to accept. This list is given in descending order of
	priority. If this option is omitted, the Go crypto library’s default suites
	are used.
	type: array
	items:
	type: string
	enum:
	- ECDHE-ECDSA-AES-128-CBC-SHA
	- ECDHE-ECDSA-AES-128-CBC-SHA256
	- ECDHE-ECDSA-AES-128-GCM-SHA256
	- ECDHE-ECDSA-AES-256-CBC-SHA
	- ECDHE-ECDSA-AES-256-GCM-SHA384
	- ECDHE-ECDSA-CHACHA20-POLY1305
	- ECDHE-ECDSA-RC4-128-SHA
	- ECDHE-RSA-3DES-CBC3-SHA
	- ECDHE-RSA-AES-128-CBC-SHA
	- ECDHE-RSA-AES-128-CBC-SHA256
	- ECDHE-RSA-AES-128-GCM-SHA256
	- ECDHE-RSA-AES-256-CBC-SHA
	- ECDHE-RSA-AES-256-GCM-SHA384
	- ECDHE-RSA-CHACHA20-POLY1205
	- ECDHE-RSA-RC4-128-SHA
	- RSA-RC4-128-SHA
	- RSA-3DES-CBC3-SHA
	- RSA-AES-128-CBC-SHA
	- RSA-AES-128-CBC-SHA256
	- RSA-AES-128-GCM-SHA256
	- RSA-AES-256-CBC-SHA
	- RSA-AES-256-GCM-SHA384
	- TLS-AES-128-GCM-SHA256
	- TLS-AES-256-GCM-SHA384
	- TLS-CHACHA20-POLY1305-SHA256
	certificate_authorities:
	description: \|-
	List of certificate authorities to trust. If empty or not set, then the
	host's keystore is used. Each entry in the list may be either a file path
	or PEM encoded certificate.
	type: array
	items:
	type: string
	curve_types:
	description: \|-
	The list of curve types for ECDHE (Elliptic Curve Diffie-Hellman ephemeral
	key exchange).
	type: array
	items:
	type: string
	enum:
	- P-256
	- P-384
	- P-521
	- X25519
	ca_sha256:
	description: \|-
	List of base64 encoded SHA-256 certificate fingerprints. One of the listed
	fingerprints must match a certificate in the peer's chain.

	This check is not a replacement for the normal SSL validation, but it adds
	additional validation. If this option is used with verification_mode set to
	none, the check will always fail because it will not receive any verified
	chains.
	type: array
	items:
	$ref: '#/components/schemas/base64String'
	ca_trusted_fingerprint:
	$ref: '#/components/schemas/hexSHA256'
	oneOf:
	- allOf:
	- properties:
	key_passphrase:
	description: \|-
	The key passphrase used to decrypt an encrypted key.

	NOTE: This is a secret.
	type: string
	- not:
	anyOf:
	- properties:
	key_passphrase_path:
	description: Path to a file containing the key passphrase used to decrypt an encrpyted key.
	type: string
	- allOf:
	- properties:
	key_passphrase_path:
	description: Path to a file containing the key passphrase used to decrypt an encrpyted key.
	type: string
	- not:
	anyOf:
	- properties:
	key_passphrase:
	description: \|-
	The key passphrase used to decrypt an encrypted key.

	NOTE: This is a secret.
	type: string