TLS is a standalone configuration. The user must configure TLS server profiles with certificates and trust anchors, and then assign the TLS server profiles to the appropriate applications. When a TLS server profile is assigned to an application, the application should not send any clear text PDUs until the TLS handshake has been successfully completed and the encryption ciphers have been negotiated between the TLS server and the TLS client.
After successful negotiation and handshake, the TLS is operationally up, and the TLS notifies the application which begins transmitting PDUs. These PDUs are encrypted using TLS based on the agreed ciphers. If, at any point, the TLS becomes operationally down, the application should stop transmitting PDUs.
For example, a TLS connection with the gRPC application would operate as follows:
A TLS server profile is assigned to the gRPC application.
gRPC stops sending clear text PDUs because a TLS server profile has been assigned and TLS is not ready to encrypt.
The TLS server begins the handshake.
Authentication occurs at the TLS layer.
The TLS server and TLS client negotiate ciphers.
SALTs are negotiated for the symmetric key. A SALT is a seed for creating AES encryption keys.
When negotiations are successfully completed, the handshake finishes and gRPC is notified.
TLS becomes operationally up, and gRPC can resume transmitting PDUs. Until TLS becomes operationally up, gRPC PDUs arriving from the client are dropped on ingress.