akkadotnet · Aaronontheweb · Oct 3, 2025 · Oct 2, 2025 · Oct 2, 2025 · Oct 2, 2025
diff --git a/docs/articles/remoting/security.md b/docs/articles/remoting/security.md
diff --git a/docs/cSpell.json b/docs/cSpell.json
@@ -70,6 +70,7 @@
         "Stannard",
         "substream",
         "substreams",
+        "Tailscale",
         "testkit",
         "threadedness",
         "threadpool",
@@ -83,7 +84,8 @@
         "userspace",
         "watchee",
         "Webcrawler",
-        "Xunit"
+        "Xunit",
+        "ZeroTier"
     ],
     "ignoreWords": [
         "Hanselminutes",

diff --git a/src/core/Akka.Docs.Tests/Configuration/TlsConfigurationSample.cs b/src/core/Akka.Docs.Tests/Configuration/TlsConfigurationSample.cs
@@ -0,0 +1,84 @@
+//-----------------------------------------------------------------------
+// <copyright file="TlsConfigurationSample.cs" company="Akka.NET Project">
+//     Copyright (C) 2009-2022 Lightbend Inc. <http://www.lightbend.com>
+//     Copyright (C) 2013-2025 .NET Foundation <https://github.com/akkadotnet/akka.net>
+// </copyright>
+//-----------------------------------------------------------------------
+
+using Akka.Configuration;
+
+namespace Akka.Docs.Tests.Configuration
+{
+    /// <summary>
+    /// TLS configuration examples for Akka.Remote documentation
+    /// </summary>
+    public class TlsConfigurationSample
+    {
+        #region MutualTlsConfig
+        public static Config MutualTlsConfiguration = ConfigurationFactory.ParseString(@"
+            akka.remote.dot-netty.tcp {
+                enable-ssl = true
+                ssl {
+                    suppress-validation = false
+                    require-mutual-authentication = true  # Both client and server authenticate
+                    certificate {
+                        path = ""path/to/certificate.pfx""
+                        password = ""certificate-password""
+                    }
+                }
+            }
+        ");
+        #endregion
+
+        #region StandardTlsConfig
+        public static Config StandardTlsConfiguration = ConfigurationFactory.ParseString(@"
+            akka.remote.dot-netty.tcp {
+                enable-ssl = true
+                ssl {
+                    suppress-validation = false
+                    require-mutual-authentication = false  # Server authentication only
+                    certificate {
+                        path = ""path/to/certificate.pfx""
+                        password = ""certificate-password""
+                    }
+                }
+            }
+        ");
+        #endregion
+
+        #region WindowsCertStoreConfig
+        public static Config WindowsCertificateStoreConfiguration = ConfigurationFactory.ParseString(@"
+            akka.remote.dot-netty.tcp {
+                enable-ssl = true
+                ssl {
+                    suppress-validation = false
+                    require-mutual-authentication = true
+                    certificate {
+                        use-thumbprint-over-file = true
+                        thumbprint = ""2531c78c51e5041d02564697a88af8bc7a7ce3e3""
+                        store-name = ""My""
+                        store-location = ""local-machine""  # or ""current-user""
+                    }
+                }
+            }
+        ");
+        #endregion
+
+        #region DevTlsConfig
+        // WARNING: Development only - never use suppress-validation = true in production!
+        public static Config DevelopmentTlsConfiguration = ConfigurationFactory.ParseString(@"
+            akka.remote.dot-netty.tcp {
+                enable-ssl = true
+                ssl {
+                    suppress-validation = true  # INSECURE: Accepts any certificate
+                    require-mutual-authentication = false
+                    certificate {
+                        path = ""self-signed-dev-cert.pfx""
+                        password = ""password""
+                    }
+                }
+            }
+        ");
+        #endregion
+    }
+}
diff --git a/src/core/Akka.Remote.Tests/Akka.Remote.Tests.csproj b/src/core/Akka.Remote.Tests/Akka.Remote.Tests.csproj
@@ -19,6 +19,10 @@
       <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
     </None>
 
+    <None Include="Resources\akka-client-cert.pfx">
+      <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+    </None>
+
     <None Update="test-files\SerializedException-Net6.0.bin">
       <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
     </None>

diff --git a/src/core/Akka.Remote.Tests/RemoteConfigSpec.cs b/src/core/Akka.Remote.Tests/RemoteConfigSpec.cs
@@ -8,6 +8,7 @@
 using System;
 using System.Collections.Generic;
 using System.Linq;
+using Akka.Configuration;
 using Akka.Remote.Transport.DotNetty;
 using Akka.TestKit;
 using Akka.Util.Internal;
@@ -113,13 +114,37 @@ public void Remoting_should_contain_correct_heliosTCP_values_in_ReferenceConf()
             Assert.False(s.EnableSsl);
         }
 
+        [Fact]
+        public void SSL_should_have_secure_defaults_when_enabled()
+        {
+            // Simple test - just enable SSL and check the defaults from reference.conf
+            var certPath = System.IO.Path.Combine(System.IO.Directory.GetCurrentDirectory(), "Resources", "akka-validcert.pfx");
+            var config = ConfigurationFactory.ParseString($@"
+                akka.remote.dot-netty.tcp.enable-ssl = true
+                akka.remote.dot-netty.tcp.ssl.certificate {{
+                    path = ""{certPath.Replace("\\", "\\\\")}""
+                    password = ""password""
+                }}
+            ").WithFallback(RARP.For(Sys).Provider.RemoteSettings.Config);
+
+            var c = config.GetConfig("akka.remote.dot-netty.tcp");
+            var s = DotNettyTransportSettings.Create(c);
+
+            // Verify SSL is enabled
+            Assert.True(s.EnableSsl);
+
+            // Verify secure defaults
+            Assert.True(s.Ssl.RequireMutualAuthentication, "Mutual TLS should be enabled by default");
+            Assert.False(s.Ssl.SuppressValidation, "Certificate validation should not be suppressed by default");
+        }
+
         [Fact]
         public void When_remoting_works_in_Mono_ip_enforcement_should_be_defaulted_to_true()
         {
             if (!IsMono) return; // skip IF NOT using Mono
             var c = RARP.For(Sys).Provider.RemoteSettings.Config.GetConfig("akka.remote.dot-netty.tcp");
             var s = DotNettyTransportSettings.Create(c);
-            
+
             Assert.True(s.EnforceIpFamily);
         }
 

diff --git a/src/core/Akka.Remote.Tests/Resources/akka-client-cert.pfx b/src/core/Akka.Remote.Tests/Resources/akka-client-cert.pfx