data-plane-api/api/tls_context.proto

syntax = "proto3";

package envoy.api.v2;

import "google/protobuf/wrappers.proto";

message DataSource {
  oneof specifier {
    string filename = 1;
    bytes inline = 2;
  }
}

message TlsParameters {
  enum TlsProtocol {
    TLS_AUTO = 0;
    TLSv1_0 = 1;
    TLSv1_1 = 2;
    TLSv1_2 = 3;
    TLSv1_3 = 4;
  }
  // Allowed TLS protocols.
  TlsProtocol tls_minimum_protocol_version = 1;
  TlsProtocol tls_maximum_protocol_version = 2;

  // If specified, the TLS listener will only support the specified cipher list.
  repeated string cipher_suites = 3;

  // If specified, the TLS connection will only support the specified ECDH
  // curves. If not specified, the default curves (X25519, P-256) will be used.
  repeated string ecdh_curves = 4;
}

// TLS certs can be loaded from file or delivered inline [V2-API-DIFF]. Individual fields may
// be loaded from either.
message TlsCertificate {
  DataSource cert_chain = 1;
  DataSource private_key = 2;
  DataSource ocsp_staple = 3;
  repeated DataSource signed_certificate_timestamp = 4;
}

message CertificateValidationContext {
  // TLS certificate data containing certificate authority certificates to use
  // in verifying a presented certificate. If not specified and a certificate is
  // presented it will not be verified.
  DataSource ca_cert = 1;

  // If specified, Envoy will verify (pin) hex-encoded SHA-256 hash of
  // the presented certificate.
  repeated string verify_certificate_hash = 2;

  // If specified, Envoy will verify (pin) base64-encoded SHA-256 hash of
  // the Subject Public Key Information (SPKI) of the presented certificate.
  // This is the same format as used in HTTP Public Key Pinning.
  repeated string verify_spki_sha256 = 3;

  // An optional list of subject alt names. If specified, Envoy will verify that
  // the certificate’s subject alt name matches one of the specified values.
  repeated string verify_subject_alt_name = 4;

  // Must present a signed time-stamped OCSP response.
  google.protobuf.BoolValue require_ocsp_staple = 5;

  // Must present signed certificate time-stamp.
  google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
}

message UpstreamTlsContext {
  // TLS protocol versions, cipher suites etc.
  TlsParameters tls_params = 1;

  // Client certificate to present to backend.
  TlsCertificate client_certificate = 2;

  // SNI string to use when creating TLS backend connections.
  string sni = 3;

  // Protocols to negotiate over ALPN
  repeated string alpn_protocols = 4;

  // How to validate the backend certificate.
  CertificateValidationContext server_validation_context = 5;
}

// [V2-API-DIFF] This has been reworked to support alternative modes of
// certificate/key delivery, for consistency with the upstream TLS context and
// to segregate the client/server aspects of the TLS context.
message DownstreamTlsContext {
  // TLS protocol versions, cipher suites etc.
  TlsParameters tls_params = 1;

  // Multiple TLS certificates can be associated with the same context, e.g. to
  // allow both RSA and ECDSA certificates for the same SNI [V2-API-DIFF].
  repeated TlsCertificate tls_certificates = 2;

  // Supplies the list of ALPN protocols that the listener should expose.
  repeated string alpn_protocols = 3;

  // How to validate the client certificate.
  CertificateValidationContext client_validation_context = 4;
}