From 3f29101ae5d3449711f2e892f78f0c1dea6580ec Mon Sep 17 00:00:00 2001
From: "data-plane-api(Azure Pipelines)"
Date: Wed, 14 Dec 2022 22:31:37 +0000
Subject: [PATCH] tls: SNI-based cert selection during TLS handshake (#24483)

Envoy supports selecting certs by selecting filter chain based on SNI. But it is possible that we access different services via one filter chain, which requires SNI-based cert selection in one single filter chain during handshake. This change is merged by #22036 and reverted by #24475.

Signed-off-by: Luyao Zhong

Mirrored from https://github.com/envoyproxy/envoy @ ffa7295273834e2c777b1464896397bb05c0f68a
---
 .../extensions/transport_sockets/tls/v3/tls.proto | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/envoy/extensions/transport_sockets/tls/v3/tls.proto b/envoy/extensions/transport_sockets/tls/v3/tls.proto
index 6f976380..8b6087a9 100644
--- a/envoy/extensions/transport_sockets/tls/v3/tls.proto
+++ b/envoy/extensions/transport_sockets/tls/v3/tls.proto
@@ -55,7 +55,7 @@ message UpstreamTlsContext {
   google.protobuf.UInt32Value max_session_keys = 4;
 }
 
-// [#next-free-field: 9]
+// [#next-free-field: 10]
 message DownstreamTlsContext {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.api.v2.auth.DownstreamTlsContext";
@@ -123,6 +123,11 @@ message DownstreamTlsContext {
   // an accompanying OCSP response or if the response expires at runtime.
   // Defaults to LENIENT_STAPLING
   OcspStaplePolicy ocsp_staple_policy = 8 [(validate.rules).enum = {defined_only: true}];
+
+  // Multiple certificates are allowed in Downstream transport socket to serve different SNI.
+  // If the client provides SNI but no such cert matched, it will decide to full scan certificates or not based on this config.
+  // Defaults to false. See more details in :ref:`Multiple TLS certificates `.
+  google.protobuf.BoolValue full_scan_certs_on_sni_mismatch = 9;
 }
 
 // TLS key log configuration.
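Review bot: The comment on the new `full_scan_certs_on_sni_mismatch` field (second hunk of this file; `DownstreamTlsContext` continues outside it) is hard to parse and leaves out the two facts an operator needs: which certificate is served on an SNI mismatch when the flag is false, and that enabling it means every handshake whose SNI matches nothing presumably pays for a scan of all configured certificates. "it will decide to full scan certificates or not based on this config" also says nothing about a client that sends no SNI at all. I would reword it as `// Multiple certificates may be configured on a downstream transport socket to serve different SNIs.` / `// When the client sends an SNI that matches no certificate, this setting controls whether Envoy falls back to scanning all configured certificates, a cost paid on each such handshake.` / `// Defaults to false. See the referenced page for the certificate served when no match is found.` The `:ref:` target is empty in this copy of the patch, here and in the `CommonTlsContext` hunk below, which may be an extraction artifact rather than a defect in the source; worth confirming the link renders.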
@@ -227,12 +232,9 @@ message CommonTlsContext {
   // TLS protocol versions, cipher suites etc.
   TlsParameters tls_params = 1;
 
+  // Only a single TLS certificate is supported in client contexts. In server contexts,
   // :ref:`Multiple TLS certificates ` can be associated with the
-  // same context to allow both RSA and ECDSA certificates.
-  //
-  // Only a single TLS certificate is supported in client contexts. In server contexts, the first
-  // RSA certificate is used for clients that only support RSA and the first ECDSA certificate is
-  // used for clients that support ECDSA.
+  // same context to allow both RSA and ECDSA certificates and support SNI-based selection.
   //
   // Only one of ``tls_certificates``, ``tls_certificate_sds_secret_configs``,
   // and ``tls_certificate_provider_instance`` may be used.
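Review bot: The rewritten comment in this hunk (`CommonTlsContext` continues outside it) says multiple server certificates "support SNI-based selection" but no longer tells the reader what is served when the client's SNI matches none of them, and the removed first-RSA/first-ECDSA rule is not replaced by anything. Since that fallback is governed by the `full_scan_certs_on_sni_mismatch` field this same patch adds to `DownstreamTlsContext`, the comment should point at it instead of leaving the reader to discover the cross-reference, e.g. add `// See ``full_scan_certs_on_sni_mismatch`` on DownstreamTlsContext for the behaviour when the client's SNI matches none of the certificates.` directly after the new "SNI-based selection" line.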