import ballerina/tcp;
import ballerina/io;

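public function main() returns error? {
    // Connects to the echo listener on localhost:9002 over one-way TLS,
    // sends a single message, prints the echoed reply and closes the socket.
    // The [secureSocket](https://docs.central.ballerina.io/ballerina/tcp/latest/records/ClientSecureSocket) record used to configure the client with TLS
    tcp:Client socketClient = check new ("localhost", 9002, secureSocket = {
        // Provide the trusted certificate path or the truststore path
        // along with the truststore password. The server is verified against
        // this file, so it must be obtained from a trusted source.
        cert: "../resource/path/to/public.crt",
        protocol: {
            name: tcp:TLS,
            // TLSv1.1 is deprecated (RFC 8996); offer TLSv1.2 only.
            versions: ["TLSv1.2"]
        },
        // NOTE(review): this is a CBC-mode suite with a SHA-1 MAC. An AEAD
        // suite such as TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 is preferable,
        // but the listener must offer the same suite, so change both together.
        ciphers: ["TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"]
    });

    error? exchangeError = ();
    do {
        string msg = "Hello Ballerina Echo from secure client";
        check socketClient->writeBytes(msg.toBytes());

        readonly & byte[] receivedData = check socketClient->readBytes();
        // Decode explicitly so that a reply that is not valid UTF-8 is
        // reported as an error instead of being printed.
        string reply = check 'string:fromBytes(receivedData);
        io:print(reply);
    } on fail error e {
        exchangeError = e;
    }

    // Close the socket on the failure path as well as on success.
    error? closeError = socketClient->close();
    if exchangeError is error {
        return exchangeError;
    }
    return closeError;
}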
import ballerina/tcp;
import ballerina/io;

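// A TCP listener can be configured to communicate through SSL/TLS as well.
// The [secureSocket](https://docs.central.ballerina.io/ballerina/tcp/latest/records/ListenerSecureSocket) record provides the SSL/TLS related configurations,
// which will configure a listener to accept new connections that
// are secured via SSL/TLS.
tcp:ListenerSecureSocket listenerSecureSocket = {
    // Provide the server certificate path and the private key path
    // or the keystore path along with keystore password.
    // The private key file should be readable only by the account that runs
    // the listener and should be kept out of version control.
    key: {
        certFile: "../resource/path/to/public.crt",
        keyFile: "../resource/path/to/private.key"
    },
    // Enable the preferred SSL/TLS protocol and its versions.
    // TLSv1.1 is deprecated (RFC 8996), so only TLSv1.2 is accepted.
    protocol: {
        name: tcp:TLS,
        versions: ["TLSv1.2"]
    },
    // Configure the preferred ciphers.
    // NOTE(review): this is a CBC-mode suite with a SHA-1 MAC. An AEAD suite
    // such as TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 is preferable, but the
    // client must offer the same suite, so change both together.
    ciphers: ["TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"]
};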

service on new tcp:Listener(9002, secureSocket = listenerSecureSocket) {

    // Connection callback: logs the remote port of the connecting client and
    // returns a fresh EchoService to handle that connection.
    isolated remote function onConnect(tcp:Caller caller) returns tcp:ConnectionService {
        io:println("Client connected to server: ", caller.remotePort);
        tcp:ConnectionService echoHandler = new EchoService();
        return echoHandler;
    }
}

service class EchoService {

    // Logs the received bytes as text and returns them unchanged.
    remote function onBytes(readonly & byte[] data) returns byte[] {
        // The payload comes from the remote peer and is written to the
        // console as-is; the decode result may be an error for non-UTF-8 input.
        string|error receivedText = 'string:fromBytes(data);
        io:println("Received: ", receivedText);
        return data;
    }
}

TCP Transport Security

This example demonstrates how the Ballerina TCP client can be configured to connect to an SSL/TLS listener through a one-way SSL/TLS connection (i.e., the server is verified by the client; the client itself is not authenticated by the server). This example uses the Ballerina TCP listener to host a service, and the TCP client sends requests to that listener.

For more information on the underlying module, see the TCP module.

import ballerina/tcp;
import ballerina/io;
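public function main() returns error? {
    // Connects to the echo listener on localhost:9002 over one-way TLS,
    // sends a single message, prints the echoed reply and closes the socket.
    // The secureSocket record used to configure the client with TLS
    tcp:Client socketClient = check new ("localhost", 9002, secureSocket = {
        // Provide the trusted certificate path or the truststore path along
        // with the truststore password. The server is verified against this
        // file, so it must be obtained from a trusted source.
        cert: "../resource/path/to/public.crt",
        protocol: {
            name: tcp:TLS,
            // TLSv1.1 is deprecated (RFC 8996); offer TLSv1.2 only.
            versions: ["TLSv1.2"]
        },
        // NOTE(review): this is a CBC-mode suite with a SHA-1 MAC. An AEAD
        // suite such as TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 is preferable,
        // but the listener must offer the same suite, so change both together.
        ciphers: ["TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"]
    });

    error? exchangeError = ();
    do {
        string msg = "Hello Ballerina Echo from secure client";
        check socketClient->writeBytes(msg.toBytes());
        readonly & byte[] receivedData = check socketClient->readBytes();
        // Decode explicitly so that a reply that is not valid UTF-8 is
        // reported as an error instead of being printed.
        string reply = check 'string:fromBytes(receivedData);
        io:print(reply);
    } on fail error e {
        exchangeError = e;
    }

    // Close the socket on the failure path as well as on success.
    error? closeError = socketClient->close();
    if exchangeError is error {
        return exchangeError;
    }
    return closeError;
}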
# You may need to change the trusted certificate file path.
bal run tcp_transport_security_client.bal
Hello Ballerina Echo from secure client
import ballerina/tcp;
import ballerina/io;
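// A TCP listener can be configured to communicate through SSL/TLS as well.
// The secureSocket record provides the SSL/TLS related configurations, which
// will configure a listener to accept new connections that are secured via
// SSL/TLS.
tcp:ListenerSecureSocket listenerSecureSocket = {
    // Provide the server certificate path and the private key path or the
    // keystore path along with keystore password.
    // The private key file should be readable only by the account that runs
    // the listener and should be kept out of version control.
    key: {
        certFile: "../resource/path/to/public.crt",
        keyFile: "../resource/path/to/private.key"
    },

    // Enable the preferred SSL/TLS protocol and its versions.
    // TLSv1.1 is deprecated (RFC 8996), so only TLSv1.2 is accepted.
    protocol: {
        name: tcp:TLS,
        versions: ["TLSv1.2"]
    },

    // Configure the preferred ciphers.
    // NOTE(review): this is a CBC-mode suite with a SHA-1 MAC. An AEAD suite
    // such as TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 is preferable, but the
    // client must offer the same suite, so change both together.
    ciphers: ["TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"]
};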

service on new tcp:Listener(9002, secureSocket = listenerSecureSocket) {
    // Connection callback: logs the remote port of the connecting client and
    // returns a fresh EchoService to handle that connection.
    isolated remote function onConnect(tcp:Caller caller) returns tcp:ConnectionService {
        io:println("Client connected to server: ", caller.remotePort);
        tcp:ConnectionService echoHandler = new EchoService();
        return echoHandler;
    }
}
service class EchoService {
    // Logs the received bytes as text and returns them unchanged.
    remote function onBytes(readonly & byte[] data) returns byte[] {
        // The payload comes from the remote peer and is written to the
        // console as-is; the decode result may be an error for non-UTF-8 input.
        string|error receivedText = 'string:fromBytes(data);
        io:println("Received: ", receivedText);
        return data;
    }
}
# You may need to change the certificate file path and private key file path.
bal run tcp_transport_security_listener.bal
Client connected to server: 5639
Received: Hello Ballerina Echo from secure client