Learn where TLS belongs in modern Clojure deployments, how keystores and truststores differ on the JVM, and which operational mistakes still break secure transport in production.
TLS (Transport Layer Security): The protocol used to protect data in transit by providing confidentiality, integrity, and endpoint authentication.
For Clojure applications on the JVM, TLS is usually mediated by Java’s JSSE stack and whatever server, client, ingress, or load balancer sits around it. That means the real design question is not just “how do I turn on HTTPS?” It is “where does TLS terminate, who validates whom, and how are keys and certificates rotated without outages?”
A modern Clojure service may terminate TLS in several places:
Each option has trade-offs:
The important point is to document the actual boundary. Many outages happen because one team assumes TLS ends at the load balancer while another assumes the application is still responsible for certificate policy.
These terms get blurred constantly:
If your service presents a certificate to browsers or clients, you need the key material in a keystore. If your service makes outbound TLS calls and must verify remote peers, you need an appropriate truststore or platform trust configuration.
When the application itself terminates TLS, a Jetty-backed Ring service can be configured explicitly:
1(ns myapp.core
2 (:require [ring.adapter.jetty :refer [run-jetty]]))
3
4(defn handler [_request]
5 {:status 200
6 :headers {"content-type" "text/plain"}
7 :body "secure response"})
8
9(defn -main []
10 (run-jetty handler
11 {:port 8443
12 :ssl? true
13 :ssl-port 8443
14 :keystore (System/getenv "APP_KEYSTORE_PATH")
15 :key-password (System/getenv "APP_KEYSTORE_PASSWORD")}))
The details vary by server adapter, but the operational concerns do not:
The safest posture is usually:
Oracle’s current JSSE guidance still treats certificate validation, hostname verification, and correct trust configuration as core controls. The most dangerous TLS bugs in real systems are not exotic cryptographic failures. They are developers disabling validation to “make the integration work.”
Outbound calls from a Clojure service are part of the same trust model. A service that accepts strong inbound TLS but makes insecure outbound requests still leaks data or trusts impostors.
For JVM-based clients, review:
If the system uses mutual TLS, client identity becomes part of authorization architecture, not just transport configuration.
Secure transport is not only the handshake:
The strongest TLS setup on paper still fails if renewal depends on a manual step someone forgets on a holiday weekend.
When TLS fails, make the failure concrete:
On the JVM, javax.net.debug=ssl,handshake is still one of the fastest ways to turn an opaque failure into a readable handshake trace during focused debugging.
That shortcut tends to survive longer than intended and turns impersonation into a configuration choice.
Teams often fix one boundary and assume the other inherited the same guarantees.
They solve different halves of the trust problem.
If certificate renewal is invisible until production traffic fails, the system is missing a basic operational control.
Document where TLS terminates, keep certificate material out of source control, automate renewal and expiry visibility, and leave certificate and hostname verification enabled by default. Use app-level TLS only when the service truly owns that boundary; otherwise make the reverse proxy or ingress contract explicit and auditable. In Clojure, the key point is not clever SSL code. It is disciplined ownership of transport trust from edge to client callout.