Tenzir supports Transport Layer Security (TLS) for encrypting network
connections. You can configure TLS settings centrally in tenzir.yaml so they
apply to all compatible operators, or override them per-operator as needed.
Node-level TLS configuration

Instead of passing TLS options to each operator individually, configure them
once under tenzir.tls in your tenzir.yaml:
```yaml
tenzir:
  tls:
    tls-min-version: "1.2"
    tls-ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"
    cacert: "/etc/ssl/certs/ca-certificates.crt"
```

These settings apply automatically to operators like from_http, load_tcp,
save_tcp, to_opensearch, from_opensearch, to_splunk, save_email, and
to_fluent_bit.
Available options

| Option | Description |
|---|---|
| enable | Enable TLS on all operators that support it |
| skip-peer-verification | Disable verification of the remote peer's certificate. The connection is still encrypted, but nothing confirms who is on the other end, so an active interceptor goes unnoticed. Not recommended for production |
| cacert | Path to a CA certificate bundle used to verify the server's certificate |
| certfile | Path to a client certificate file |
| keyfile | Path to the private key matching certfile |
| tls-min-version | Minimum TLS protocol version: "1.0", "1.1", "1.2", or "1.3". TLS 1.0 and 1.1 are deprecated (RFC 8996); use "1.2" or higher unless a legacy peer leaves no choice |
| tls-ciphers | OpenSSL cipher list string. Such a list selects the cipher suites for TLS 1.2 and earlier; TLS 1.3 suites are governed separately and are not restricted by it |
Precedence

Arguments passed directly to operators always take precedence over node-level settings. This lets you override specific connections when needed:

```tql
// Uses node-level TLS settings
from_http "https://api.example.com/data"

// Overrides with a custom certificate
from_http "https://internal.example.com/data", tls={cacert: "/path/to/internal-ca.crt"}
```

Mutual TLS (mTLS)

For server-mode operators, you can require clients to present valid certificates. This enables mutual TLS authentication where both sides verify each other's identity.
```yaml
tenzir:
  tls:
    certfile: "/etc/tenzir/server.crt"
    keyfile: "/etc/tenzir/server.key"
    tls-client-ca: "/etc/tenzir/client-ca.crt"
    tls-require-client-cert: true
```

| Option | Description |
|---|---|
| tls-client-ca | Path to a CA certificate for validating client certificates |
| tls-require-client-cert | Require clients to present valid certificates signed by the client CA |
When tls-require-client-cert is enabled, connections from clients that present
no certificate, or one that does not chain to the CA in tls-client-ca, are
rejected. Because any certificate chaining to that CA is accepted, point
tls-client-ca at a dedicated private CA that issues only your client
certificates, not at a general-purpose bundle such as the system trust store.
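The Python below is an added illustration, not Tenzir code or configuration. It shows what the options in the two tables above mean at the OpenSSL level by mapping a tenzir.tls-style dictionary onto an ssl.SSLContext (Python's ssl module wraps OpenSSL), applies this page's precedence rule (operator arguments win over node-level settings), and flags the combinations a reviewer would question. The dictionary keys are the option names from this page; the sample values, the helper names and the lint rules are assumptions made for the example, and the mapping describes OpenSSL semantics, not how Tenzir implements the options internally.

```python
"""Map tenzir.tls-style options onto OpenSSL semantics via the stdlib ssl module.

Added example, not Tenzir code: the keys mirror the option names on this page;
the sample values, helper names and lint rules are assumptions for illustration.
"""
import ssl

# Constructed sample: a node-level tenzir.tls section already parsed from YAML.
NODE_TLS = {
    "enable": True,
    "tls-min-version": "1.2",
    "tls-ciphers": "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256",
    "skip-peer-verification": False,
}

_MIN_VERSION = {
    "1.0": ssl.TLSVersion.TLSv1,
    "1.1": ssl.TLSVersion.TLSv1_1,
    "1.2": ssl.TLSVersion.TLSv1_2,
    "1.3": ssl.TLSVersion.TLSv1_3,
}


def effective_tls(node_cfg, operator_cfg=None):
    """Precedence rule from this page: operator-level keys win over node-level ones."""
    merged = dict(node_cfg)
    merged.update(operator_cfg or {})
    return merged


def lint_tls(cfg):
    """Findings a reviewer would raise about a tls section (assumed rules)."""
    findings = []
    if cfg.get("skip-peer-verification"):
        findings.append("skip-peer-verification: encrypted, but the peer is not "
                        "authenticated, so active interception goes unnoticed")
    if cfg.get("tls-min-version", "1.2") in ("1.0", "1.1"):
        findings.append("tls-min-version below 1.2: TLS 1.0/1.1 are deprecated (RFC 8996)")
    if cfg.get("tls-require-client-cert") and not cfg.get("tls-client-ca"):
        findings.append("tls-require-client-cert set without tls-client-ca")
    if bool(cfg.get("certfile")) != bool(cfg.get("keyfile")):
        findings.append("certfile and keyfile must be configured together")
    return findings


def build_context(cfg, server_side=False):
    """Translate an option dict into an ssl.SSLContext (client or server role)."""
    purpose = ssl.Purpose.CLIENT_AUTH if server_side else ssl.Purpose.SERVER_AUTH
    ctx = ssl.create_default_context(purpose)   # system trust store, sane defaults
    ctx.minimum_version = _MIN_VERSION[cfg.get("tls-min-version", "1.2")]
    if cfg.get("tls-ciphers"):
        # An OpenSSL cipher-list string selects TLS 1.2-and-below suites only;
        # TLS 1.3 suites are controlled separately and remain enabled.
        ctx.set_ciphers(cfg["tls-ciphers"])
    if cfg.get("cacert"):
        ctx.load_verify_locations(cafile=cfg["cacert"])   # server verification
    if cfg.get("certfile"):
        ctx.load_cert_chain(cfg["certfile"], cfg.get("keyfile"))  # our own identity
    if server_side:
        if cfg.get("tls-client-ca"):
            ctx.load_verify_locations(cafile=cfg["tls-client-ca"])
        # mTLS: CERT_REQUIRED rejects clients that present no certificate or
        # one that does not chain to the loaded client CA.
        ctx.verify_mode = (ssl.CERT_REQUIRED if cfg.get("tls-require-client-cert")
                           else ssl.CERT_NONE)
    elif cfg.get("skip-peer-verification"):
        ctx.check_hostname = False      # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def describe(ctx):
    """Plain-data summary of the security-relevant context state."""
    return {
        "min_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
    }


def enabled_ciphers(ctx):
    """Negotiable suite names, split into TLS<=1.2 and TLS 1.3 lists."""
    names = [c["name"] for c in ctx.get_ciphers()]
    return ([n for n in names if not n.startswith("TLS_")],
            [n for n in names if n.startswith("TLS_")])


if __name__ == "__main__":
    node_ctx = build_context(NODE_TLS)
    print("node-level:", describe(node_ctx), enabled_ciphers(node_ctx))
    # An operator override that disables verification, as a reviewer would see it.
    risky = effective_tls(NODE_TLS, {"skip-peer-verification": True})
    print("override:", describe(build_context(risky)), lint_tls(risky))
    server = build_context({"tls-require-client-cert": True}, server_side=True)
    print("server (mTLS):", describe(server))
```

Running it shows that the explicit tls-ciphers list from the node-level example leaves exactly two TLS 1.2 suites negotiable while the TLS 1.3 suites stay available, and that an operator-level `skip-peer-verification` override turns a verifying client context into one that accepts any certificate, which is why the lint reports it.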
Platform connection TLS

When connecting a node to the Tenzir Platform, you can configure TLS settings specifically for this connection:

```yaml
plugins:
  platform:
    tls-min-version: "1.2"
    tls-ciphers: "HIGH:!aNULL:!MD5"
```

If not specified, these settings fall back to the node-level tenzir.tls
settings.
Generate test certificates

For testing purposes, generate a certificate from a local CA:

```sh
uv run --with trustme python -m trustme
```

trustme creates a throwaway CA and a server certificate signed by it. The CA certificate is what the connecting side must trust (for example via cacert); the server certificate and its key go into certfile and keyfile. These certificates are for local testing only and must not be deployed in production.

Verify TLS connections
Test a TLS connection using OpenSSL:

```sh
openssl s_client -connect 127.0.0.1:443
```

This shows the certificate chain and connection details, helping you diagnose TLS configuration issues. To check the handshake the way a verifying client would, add -CAfile with the CA bundle you configured and -servername with the hostname the certificate should match, then look for `Verify return code: 0 (ok)` together with the negotiated `Protocol` and `Cipher` lines. Against a server configured with tls-min-version "1.2", an attempt with `-tls1_1` must fail to complete the handshake.