:github_url: hide

.. DO NOT EDIT THIS FILE!!!
.. Generated automatically from Godot engine sources.
.. Generator: https://github.com/godotengine/godot/tree/4.0/doc/tools/make_rst.py.
.. XML source: https://github.com/godotengine/godot/tree/4.0/doc/classes/TLSOptions.xml.

.. _class_TLSOptions:

TLSOptions
==========

**Inherits:** :ref:`RefCounted<class_RefCounted>` **<** :ref:`Object<class_Object>`

TLS configuration for clients and servers.

.. rst-class:: classref-introduction-group

Description
-----------

TLSOptions abstracts the configuration options for the :ref:`StreamPeerTLS<class_StreamPeerTLS>` and :ref:`PacketPeerDTLS<class_PacketPeerDTLS>` classes.

Objects of this class cannot be instantiated directly, and one of the static methods :ref:`client<class_TLSOptions_method_client>`, :ref:`client_unsafe<class_TLSOptions_method_client_unsafe>`, or :ref:`server<class_TLSOptions_method_server>` should be used instead.


.. tabs::

 .. code-tab:: gdscript

    # Create a TLS client configuration which uses our custom trusted CA chain.
    var client_trusted_cas = load("res://my_trusted_cas.crt")
    var client_tls_options = TLSOptions.client(client_trusted_cas)
    
    # Create a TLS server configuration.
    var server_certs = load("res://my_server_cas.crt")
    var server_key = load("res://my_server_key.key")
    var server_tls_options = TLSOptions.server(server_key, server_certs)



.. rst-class:: classref-reftable-group

Methods
-------

.. table::
   :widths: auto

   +-------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
   | :ref:`TLSOptions<class_TLSOptions>` | :ref:`client<class_TLSOptions_method_client>` **(** :ref:`X509Certificate<class_X509Certificate>` trusted_chain=null, :ref:`String<class_String>` common_name_override="" **)** |static| |
   +-------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
   | :ref:`TLSOptions<class_TLSOptions>` | :ref:`client_unsafe<class_TLSOptions_method_client_unsafe>` **(** :ref:`X509Certificate<class_X509Certificate>` trusted_chain=null **)** |static|                                        |
   +-------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
   | :ref:`TLSOptions<class_TLSOptions>` | :ref:`server<class_TLSOptions_method_server>` **(** :ref:`CryptoKey<class_CryptoKey>` key, :ref:`X509Certificate<class_X509Certificate>` certificate **)** |static|                      |
   +-------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

.. rst-class:: classref-section-separator

----

.. rst-class:: classref-descriptions-group

Method Descriptions
-------------------

.. _class_TLSOptions_method_client:

.. rst-class:: classref-method

:ref:`TLSOptions<class_TLSOptions>` **client** **(** :ref:`X509Certificate<class_X509Certificate>` trusted_chain=null, :ref:`String<class_String>` common_name_override="" **)** |static|

Creates a TLS client configuration which validates certificates and their common names (fully qualified domain names).

You can specify a custom ``trusted_chain`` of certification authorities (the default CA list will be used if ``null``), and optionally provide a ``common_name_override`` if you expect the certificate to have a common name other then the server FQDN.

Note: On the Web plafrom, TLS verification is always enforced against the CA list of the web browser. This is considered a security feature.

.. rst-class:: classref-item-separator

----

.. _class_TLSOptions_method_client_unsafe:

.. rst-class:: classref-method

:ref:`TLSOptions<class_TLSOptions>` **client_unsafe** **(** :ref:`X509Certificate<class_X509Certificate>` trusted_chain=null **)** |static|

Creates an **unsafe** TLS client configuration where certificate validation is optional. You can optionally provide a valid ``trusted_chain``, but the common name of the certififcates will never be checked. Using this configuration for purposes other than testing **is not recommended**.

Note: On the Web plafrom, TLS verification is always enforced against the CA list of the web browser. This is considered a security feature.

.. rst-class:: classref-item-separator

----

.. _class_TLSOptions_method_server:

.. rst-class:: classref-method

:ref:`TLSOptions<class_TLSOptions>` **server** **(** :ref:`CryptoKey<class_CryptoKey>` key, :ref:`X509Certificate<class_X509Certificate>` certificate **)** |static|

Creates a TLS server configuration using the provided ``key`` and ``certificate``.

Note: The ``certificate`` should include the full certificate chain up to the signing CA (certificates file can be concatenated using a general purpose text editor).

.. |virtual| replace:: :abbr:`virtual (This method should typically be overridden by the user to have any effect.)`
.. |const| replace:: :abbr:`const (This method has no side effects. It doesn't modify any of the instance's member variables.)`
.. |vararg| replace:: :abbr:`vararg (This method accepts any number of arguments after the ones described here.)`
.. |constructor| replace:: :abbr:`constructor (This method is used to construct a type.)`
.. |static| replace:: :abbr:`static (This method doesn't need an instance to be called, so it can be called directly using the class name.)`
.. |operator| replace:: :abbr:`operator (This method describes a valid operator to use with this type as left-hand operand.)`