data-plane-api/envoy/extensions/transport_sockets/tls/v4alpha/tls.proto

syntax = "proto3";

package envoy.extensions.transport_sockets.tls.v4alpha;

import "envoy/extensions/transport_sockets/tls/v4alpha/common.proto";
import "envoy/extensions/transport_sockets/tls/v4alpha/secret.proto";

import "google/protobuf/duration.proto";
import "google/protobuf/wrappers.proto";

import "udpa/annotations/status.proto";
import "udpa/annotations/versioning.proto";
import "validate/validate.proto";

option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.tls.v4alpha";
option java_outer_classname = "TlsProto";
option java_multiple_files = true;
option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE;

// [#protodoc-title: TLS transport socket]
// [#extension: envoy.transport_sockets.tls]
// The TLS contexts below provide the transport socket configuration for upstream/downstream TLS.

message UpstreamTlsContext {
  option (udpa.annotations.versioning).previous_message_type =
      "envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext";

  // Common TLS context settings.
  //
  // .. attention::
  //
  //   Server certificate verification is not enabled by default. Configure
  //   :ref:`trusted_ca<envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.trusted_ca>` to enable
  //   verification.
  CommonTlsContext common_tls_context = 1;

  // SNI string to use when creating TLS backend connections.
  string sni = 2 [(validate.rules).string = {max_bytes: 255}];

  // If true, server-initiated TLS renegotiation will be allowed.
  //
  // .. attention::
  //
  //   TLS renegotiation is considered insecure and shouldn't be used unless absolutely necessary.
  bool allow_renegotiation = 3;

  // Maximum number of session keys (Pre-Shared Keys for TLSv1.3+, Session IDs and Session Tickets
  // for TLSv1.2 and older) to store for the purpose of session resumption.
  //
  // Defaults to 1, setting this to 0 disables session resumption.
  google.protobuf.UInt32Value max_session_keys = 4;
}

// [#next-free-field: 8]
message DownstreamTlsContext {
  option (udpa.annotations.versioning).previous_message_type =
      "envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext";

  // Common TLS context settings.
  CommonTlsContext common_tls_context = 1;

  // If specified, Envoy will reject connections without a valid client
  // certificate.
  google.protobuf.BoolValue require_client_certificate = 2;

  // If specified, Envoy will reject connections without a valid and matching SNI.
  // [#not-implemented-hide:]
  google.protobuf.BoolValue require_sni = 3;

  oneof session_ticket_keys_type {
    // TLS session ticket key settings.
    TlsSessionTicketKeys session_ticket_keys = 4;

    // Config for fetching TLS session ticket keys via SDS API.
    SdsSecretConfig session_ticket_keys_sds_secret_config = 5;

    // Config for controlling stateless TLS session resumption: setting this to true will cause the TLS
    // server to not issue TLS session tickets for the purposes of stateless TLS session resumption.
    // If set to false, the TLS server will issue TLS session tickets and encrypt/decrypt them using
    // the keys specified through either :ref:`session_ticket_keys <envoy_api_field_extensions.transport_sockets.tls.v4alpha.DownstreamTlsContext.session_ticket_keys>`
    // or :ref:`session_ticket_keys_sds_secret_config <envoy_api_field_extensions.transport_sockets.tls.v4alpha.DownstreamTlsContext.session_ticket_keys_sds_secret_config>`.
    // If this config is set to false and no keys are explicitly configured, the TLS server will issue
    // TLS session tickets and encrypt/decrypt them using an internally-generated and managed key, with the
    // implication that sessions cannot be resumed across hot restarts or on different hosts.
    bool disable_stateless_session_resumption = 7;
  }

  // If specified, session_timeout will change maximum lifetime (in seconds) of TLS session
  // Currently this value is used as a hint to `TLS session ticket lifetime (for TLSv1.2)
  // <https://tools.ietf.org/html/rfc5077#section-5.6>`
  // only seconds could be specified (fractional seconds are going to be ignored).
  google.protobuf.Duration session_timeout = 6 [(validate.rules).duration = {
    lt {seconds: 4294967296}
    gte {}
  }];
}

// TLS context shared by both client and server TLS contexts.
// [#next-free-field: 9]
message CommonTlsContext {
  option (udpa.annotations.versioning).previous_message_type =
      "envoy.extensions.transport_sockets.tls.v3.CommonTlsContext";

  message CombinedCertificateValidationContext {
    option (udpa.annotations.versioning).previous_message_type =
        "envoy.extensions.transport_sockets.tls.v3.CommonTlsContext."
        "CombinedCertificateValidationContext";

    // How to validate peer certificates.
    CertificateValidationContext default_validation_context = 1
        [(validate.rules).message = {required: true}];

    // Config for fetching validation context via SDS API.
    SdsSecretConfig validation_context_sds_secret_config = 2
        [(validate.rules).message = {required: true}];
  }

  reserved 5;

  // TLS protocol versions, cipher suites etc.
  TlsParameters tls_params = 1;

  // :ref:`Multiple TLS certificates <arch_overview_ssl_cert_select>` can be associated with the
  // same context to allow both RSA and ECDSA certificates.
  //
  // Only a single TLS certificate is supported in client contexts. In server contexts, the first
  // RSA certificate is used for clients that only support RSA and the first ECDSA certificate is
  // used for clients that support ECDSA.
  repeated TlsCertificate tls_certificates = 2;

  // Configs for fetching TLS certificates via SDS API.
  repeated SdsSecretConfig tls_certificate_sds_secret_configs = 6
      [(validate.rules).repeated = {max_items: 1}];

  oneof validation_context_type {
    // How to validate peer certificates.
    CertificateValidationContext validation_context = 3;

    // Config for fetching validation context via SDS API.
    SdsSecretConfig validation_context_sds_secret_config = 7;

    // Combined certificate validation context holds a default CertificateValidationContext
    // and SDS config. When SDS server returns dynamic CertificateValidationContext, both dynamic
    // and default CertificateValidationContext are merged into a new CertificateValidationContext
    // for validation. This merge is done by Message::MergeFrom(), so dynamic
    // CertificateValidationContext overwrites singular fields in default
    // CertificateValidationContext, and concatenates repeated fields to default
    // CertificateValidationContext, and logical OR is applied to boolean fields.
    CombinedCertificateValidationContext combined_validation_context = 8;
  }

  // Supplies the list of ALPN protocols that the listener should expose. In
  // practice this is likely to be set to one of two values (see the
  // :ref:`codec_type
  // <envoy_api_field_extensions.filters.network.http_connection_manager.v4alpha.HttpConnectionManager.codec_type>`
  // parameter in the HTTP connection manager for more information):
  //
  // * "h2,http/1.1" If the listener is going to support both HTTP/2 and HTTP/1.1.
  // * "http/1.1" If the listener is only going to support HTTP/1.1.
  //
  // There is no default for this parameter. If empty, Envoy will not expose ALPN.
  repeated string alpn_protocols = 4;
}
tls/api: factor transport socket out of cert.proto. (#10910) This is necessary to provide TLS transport socket docs and to be able to have the TLS transport socket added to the threat model docs (via its security_posture tag). I did both v2/v3, since this is not technically a change to v2, justa file re-org, and the shadowing machinery prefers file consistency across versions. Risk level: Low (refactoring) Testing: Docs generation and manual inspection. Signed-off-by: Harvey Tuch <htuch@google.com> Mirrored from https://github.com/envoyproxy/envoy @ ab32f5fd01ca8b23ee16dcffb55b1276e55bf1fa 5 years ago			`syntax = "proto3";`

			`package envoy.extensions.transport_sockets.tls.v4alpha;`

			`import "envoy/extensions/transport_sockets/tls/v4alpha/common.proto";`
			`import "envoy/extensions/transport_sockets/tls/v4alpha/secret.proto";`

			`import "google/protobuf/duration.proto";`
			`import "google/protobuf/wrappers.proto";`

			`import "udpa/annotations/status.proto";`
			`import "udpa/annotations/versioning.proto";`
			`import "validate/validate.proto";`

			`option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.tls.v4alpha";`
			`option java_outer_classname = "TlsProto";`
			`option java_multiple_files = true;`
			`option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE;`

			`// [#protodoc-title: TLS transport socket]`
			`// [#extension: envoy.transport_sockets.tls]`
			`// The TLS contexts below provide the transport socket configuration for upstream/downstream TLS.`

			`message UpstreamTlsContext {`
			`option (udpa.annotations.versioning).previous_message_type =`
			`"envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext";`

			`// Common TLS context settings.`
			`//`
			`// .. attention::`
			`//`
			`// Server certificate verification is not enabled by default. Configure`
			// :ref:`trusted_ca<envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.trusted_ca>` to enable
			`// verification.`
			`CommonTlsContext common_tls_context = 1;`

			`// SNI string to use when creating TLS backend connections.`
			`string sni = 2 [(validate.rules).string = {max_bytes: 255}];`

			`// If true, server-initiated TLS renegotiation will be allowed.`
			`//`
			`// .. attention::`
			`//`
			`// TLS renegotiation is considered insecure and shouldn't be used unless absolutely necessary.`
			`bool allow_renegotiation = 3;`

			`// Maximum number of session keys (Pre-Shared Keys for TLSv1.3+, Session IDs and Session Tickets`
			`// for TLSv1.2 and older) to store for the purpose of session resumption.`
			`//`
			`// Defaults to 1, setting this to 0 disables session resumption.`
			`google.protobuf.UInt32Value max_session_keys = 4;`
			`}`

			`// [#next-free-field: 8]`
			`message DownstreamTlsContext {`
			`option (udpa.annotations.versioning).previous_message_type =`
			`"envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext";`

			`// Common TLS context settings.`
			`CommonTlsContext common_tls_context = 1;`

			`// If specified, Envoy will reject connections without a valid client`
			`// certificate.`
			`google.protobuf.BoolValue require_client_certificate = 2;`

			`// If specified, Envoy will reject connections without a valid and matching SNI.`
			`// [#not-implemented-hide:]`
			`google.protobuf.BoolValue require_sni = 3;`

			`oneof session_ticket_keys_type {`
			`// TLS session ticket key settings.`
			`TlsSessionTicketKeys session_ticket_keys = 4;`

			`// Config for fetching TLS session ticket keys via SDS API.`
			`SdsSecretConfig session_ticket_keys_sds_secret_config = 5;`

			`// Config for controlling stateless TLS session resumption: setting this to true will cause the TLS`
			`// server to not issue TLS session tickets for the purposes of stateless TLS session resumption.`
			`// If set to false, the TLS server will issue TLS session tickets and encrypt/decrypt them using`
			// the keys specified through either :ref:`session_ticket_keys <envoy_api_field_extensions.transport_sockets.tls.v4alpha.DownstreamTlsContext.session_ticket_keys>`
			// or :ref:`session_ticket_keys_sds_secret_config <envoy_api_field_extensions.transport_sockets.tls.v4alpha.DownstreamTlsContext.session_ticket_keys_sds_secret_config>`.
			`// If this config is set to false and no keys are explicitly configured, the TLS server will issue`
			`// TLS session tickets and encrypt/decrypt them using an internally-generated and managed key, with the`
			`// implication that sessions cannot be resumed across hot restarts or on different hosts.`
			`bool disable_stateless_session_resumption = 7;`
			`}`

			`// If specified, session_timeout will change maximum lifetime (in seconds) of TLS session`
			// Currently this value is used as a hint to `TLS session ticket lifetime (for TLSv1.2)
			// <https://tools.ietf.org/html/rfc5077#section-5.6>`
			`// only seconds could be specified (fractional seconds are going to be ignored).`
			`google.protobuf.Duration session_timeout = 6 [(validate.rules).duration = {`
			`lt {seconds: 4294967296}`
			`gte {}`
			`}];`
			`}`

			`// TLS context shared by both client and server TLS contexts.`
			`// [#next-free-field: 9]`
			`message CommonTlsContext {`
			`option (udpa.annotations.versioning).previous_message_type =`
			`"envoy.extensions.transport_sockets.tls.v3.CommonTlsContext";`

			`message CombinedCertificateValidationContext {`
			`option (udpa.annotations.versioning).previous_message_type =`
			`"envoy.extensions.transport_sockets.tls.v3.CommonTlsContext."`
			`"CombinedCertificateValidationContext";`

			`// How to validate peer certificates.`
			`CertificateValidationContext default_validation_context = 1`
			`[(validate.rules).message = {required: true}];`

			`// Config for fetching validation context via SDS API.`
			`SdsSecretConfig validation_context_sds_secret_config = 2`
			`[(validate.rules).message = {required: true}];`
			`}`

			`reserved 5;`

			`// TLS protocol versions, cipher suites etc.`
			`TlsParameters tls_params = 1;`

			// :ref:`Multiple TLS certificates <arch_overview_ssl_cert_select>` can be associated with the
			`// same context to allow both RSA and ECDSA certificates.`
			`//`
			`// Only a single TLS certificate is supported in client contexts. In server contexts, the first`
			`// RSA certificate is used for clients that only support RSA and the first ECDSA certificate is`
			`// used for clients that support ECDSA.`
			`repeated TlsCertificate tls_certificates = 2;`

			`// Configs for fetching TLS certificates via SDS API.`
			`repeated SdsSecretConfig tls_certificate_sds_secret_configs = 6`
			`[(validate.rules).repeated = {max_items: 1}];`

			`oneof validation_context_type {`
			`// How to validate peer certificates.`
			`CertificateValidationContext validation_context = 3;`

			`// Config for fetching validation context via SDS API.`
			`SdsSecretConfig validation_context_sds_secret_config = 7;`

			`// Combined certificate validation context holds a default CertificateValidationContext`
			`// and SDS config. When SDS server returns dynamic CertificateValidationContext, both dynamic`
			`// and default CertificateValidationContext are merged into a new CertificateValidationContext`
			`// for validation. This merge is done by Message::MergeFrom(), so dynamic`
			`// CertificateValidationContext overwrites singular fields in default`
			`// CertificateValidationContext, and concatenates repeated fields to default`
			`// CertificateValidationContext, and logical OR is applied to boolean fields.`
			`CombinedCertificateValidationContext combined_validation_context = 8;`
			`}`

			`// Supplies the list of ALPN protocols that the listener should expose. In`
			`// practice this is likely to be set to one of two values (see the`
			// :ref:`codec_type
			// <envoy_api_field_extensions.filters.network.http_connection_manager.v4alpha.HttpConnectionManager.codec_type>`
			`// parameter in the HTTP connection manager for more information):`
			`//`
			`// * "h2,http/1.1" If the listener is going to support both HTTP/2 and HTTP/1.1.`
			`// * "http/1.1" If the listener is only going to support HTTP/1.1.`
			`//`
			`// There is no default for this parameter. If empty, Envoy will not expose ALPN.`
			`repeated string alpn_protocols = 4;`
			`}`