mTLS

Enforced Behavior

Every relay connection must complete TLS 1.3 mutual authentication before segment exchange.

Configured files:

  • transport.cert_file

  • transport.key_file

  • transport.ca_file

  • optional transport.crl_file

Domain enforcement occurs after the handshake via a domain-verify message. A certificate-authenticated peer with a mismatched domain is rejected.

Certificate and Revocation Checks

Implemented checks include:

  • missing client certificate rejection

  • expired certificate rejection

  • revoked certificate rejection (when CRL configured)

  • domain mismatch rejection

Precheck also validates local cert/CA readability and rejects certificates that expire within 7 days (edged precheck, exit code 3).
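As an added illustration (not edged's own code), two of the gates above written against Go's standard library: the 7-day expiry window used by precheck, and a CRL lookup that refuses to honour a CRL unless the configured CA actually signed it. The CA, certificates, CRL and helper names (expiresSoon, checkRevoked, newCert, newCRL) are constructed for the demo and are assumptions, not identifiers from edge/transport.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// expiresSoon mirrors the precheck gate: true when cert is expired or expires within 7 days of now.
func expiresSoon(cert *x509.Certificate, now time.Time) bool {
	return cert.NotAfter.Before(now.Add(7 * 24 * time.Hour))
}

// checkRevoked honours a CRL only if the issuing CA signed it, then looks up the peer's serial.
func checkRevoked(peer, issuer *x509.Certificate, crl *x509.RevocationList) (bool, error) {
	if err := crl.CheckSignatureFrom(issuer); err != nil { // an unverified CRL is not evidence of anything
		return false, err
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(peer.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

// newCert issues a throwaway cert (constructed demo material); a nil parent yields a self-signed CA.
func newCert(serial int64, notAfter time.Time, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "demo"}, IsCA: parent == nil,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign | x509.KeyUsageCRLSign} // CA bits unused on leaves
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// newCRL returns a CRL signed by ca that revokes the given serials, parsed the way a crl_file would be loaded.
func newCRL(ca *x509.Certificate, key ed25519.PrivateKey, serials ...int64) *x509.RevocationList {
	list := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour)}
	for _, s := range serials {
		list.RevokedCertificates = append(list.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: time.Now()})
	}
	der, _ := x509.CreateRevocationList(rand.Reader, list, ca, key)
	crl, _ := x509.ParseRevocationList(der)
	return crl
}
```

The signature check matters because a CRL is only as trustworthy as its signer: a list that omits a revoked serial is indistinguishable from a valid one unless it is bound to the CA in transport.ca_file.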

Reload Semantics

TCPTLSTransport supports runtime reload APIs:

  • ReloadCertificate(cert,key)

  • ReloadCRL(path)

Bounded statement:

  • reload affects subsequent handshakes

  • established connections are not forcibly terminated by reload calls

Operator Verification

# Transport tests (local)
GOWORK=off go test ./edge/transport -run 'TestTCPTLS|TestReload' -v

# Precheck cert/CA gating
GOWORK=off go run ./edge/cmd/edged precheck --config ./edge/config/testdata/valid_full.yaml

Runtime logs to confirm rejection path:

journalctl -u edged -n 200 --no-pager | grep -E 'transport:|domain mismatch|revoked|expired'

Evidence

Code:

  • edge/transport/tcptls.go

  • edge/transport/crl.go

  • edge/transport/wire.go

  • edge/cmd/edged/main.go (checkCerts, checkCertExpiry)

Tests:

  • edge/transport/transport_test.go

  • edge/transport/identity_test.go

  • edge/fi/fi_transport_test.go

  • edge/cmd/edged/precheck_test.go

Captured outputs:

  • docs/_generated/test-outputs/demo-output.txt

See Also