TLSConfiguration

Published Sep 22, 2025

Manages configuration of TLS for SwiftNIO programs.

TLSConfiguration.swift:275 TLSConfiguration.md

struct TLSConfiguration

Mangled symbol

s6NIOSSL16TLSConfigurationV What are these?

FNV24 hash: 5JZEO

Creating a TLS configuration

static let clientDefault: TLSConfiguration
A default TLS configuration for client use.
static func makeClientConfiguration() -> TLSConfiguration
Creates a TLS configuration for use with client-side contexts.
static func makeServerConfiguration(certificateChain: [NIOSSLCertificateSource], privateKey: NIOSSLPrivateKeySource) -> TLSConfiguration
Create a TLS configuration for use with server-side contexts.
static func makePreSharedKeyConfiguration() -> TLSConfiguration
Create a TLS configuration for use with server-side or client-side contexts that uses Pre-Shared Keys for TLS 1.2 and below.

Inspecting a configuration

var minimumTLSVersion: TLSVersion
The minimum TLS version to allow in negotiation. Defaults to tlsv1.
var maximumTLSVersion: TLSVersion?
The maximum TLS version to allow in negotiation. If nil, there is no upper limit. Defaults to nil.
var certificateVerification: CertificateVerification
Whether to verify remote certificates.
var trustRoots: NIOSSLTrustRoots?
The trust roots to use to validate certificates. This only needs to be provided if you intend to validate certificates.
var certificateChain: [NIOSSLCertificateSource]
The certificates to offer during negotiation. If not present, no certificates will be offered.
var privateKey: NIOSSLPrivateKeySource?
The private key associated with the leaf certificate.
var applicationProtocols: [String]
The application protocols to use in the connection. Should be an ordered list of ASCII strings representing the ALPN identifiers of the protocols to negotiate. For clients, the protocols will be offered in the order given. For servers, the protocols will be matched against the client’s offered protocols in order.
var shutdownTimeout: TimeAmount
The amount of time to wait after initiating a shutdown before performing an unclean shutdown. Defaults to 5 seconds.
var keyLogCallback: NIOSSLKeyLogCallback?
A callback that can be used to implement SSLKEYLOGFILE support.
var renegotiationSupport: NIORenegotiationSupport
Whether renegotiation is supported.
var sslContextCallback: NIOSSLContextCallback?
SSL Context Callback to provide dynamic context based on server name

Inspecting configuration ciphers

var cipherSuites: String
The pre-TLS1.3 cipher suites supported by this handler. This uses the OpenSSL cipher string format. TLS 1.3 cipher suites cannot be configured.
var verifySignatureAlgorithms: [SignatureAlgorithm]?
Allowed algorithms to verify signatures. Passing nil means that a built-in set of algorithms will be used.
var signingSignatureAlgorithms: [SignatureAlgorithm]?
Allowed algorithms to sign signatures. Passing nil means that a built-in set of algorithms will be used.
var cipherSuiteValues: [NIOTLSCipher]
Public property used to set the internal cipherSuites from NIOTLSCipher.
var curves: [NIOTLSCurve]?
TLS curves supported by this handler. Passing nil means that a built-in set of curves will be used.
var additionalTrustRoots: [NIOSSLAdditionalTrustRoots]
Additional trust roots to use to validate certificates, used in addition to trustRoots.
var sendCANameList: Bool
Send the CA names derived from the trustRoots for client authentication. This instructs the client which identities can be used by evaluating what CA the identity certificate was issued from.

Inspecting pre-shared key configurations

var pskClientProvider: NIOPSKClientIdentityProvider?
PSK Client Callback to get the key based on an optional hint and identity.
var pskHint: String?
Optional PSK hint to be used during SSLContext create.
var pskServerProvider: NIOPSKServerIdentityProvider?
PSK Server Callback to get the key based on an optional hint and identity.
var pskClientCallback: NIOPSKClientIdentityCallback?
PSK Client Callback to get the key based on hint and identity.
var pskServerCallback: NIOPSKServerIdentityCallback?

Comparing and Hashing TLS configurations

func bestEffortEquals(TLSConfiguration) -> Bool
Returns a best effort result of whether two TLSConfiguration objects are equal.
func bestEffortHash(into: inout Hasher)
Returns a best effort hash of this TLS configuration.