tls: SNI-based cert selection during TLS handshake (#24483)

Envoy supports selecting certs by selecting filter chain based on SNI.
But it is possible that we access different services via one filter
chain, which requires SNI-based cert selection in one single filter
chain during handshake.

This change is merged by #22036 and reverted by #24475.

Signed-off-by: Luyao Zhong <luyao.zhong@intel.com>

Mirrored from https://github.com/envoyproxy/envoy @ ffa7295273834e2c777b1464896397bb05c0f68a
pull/626/head
data-plane-api(Azure Pipelines) 2 years ago
parent ec5a3b2c2d
commit 3f29101ae5
  1. 14
      envoy/extensions/transport_sockets/tls/v3/tls.proto

@ -55,7 +55,7 @@ message UpstreamTlsContext {
google.protobuf.UInt32Value max_session_keys = 4; google.protobuf.UInt32Value max_session_keys = 4;
} }
// [#next-free-field: 9] // [#next-free-field: 10]
message DownstreamTlsContext { message DownstreamTlsContext {
option (udpa.annotations.versioning).previous_message_type = option (udpa.annotations.versioning).previous_message_type =
"envoy.api.v2.auth.DownstreamTlsContext"; "envoy.api.v2.auth.DownstreamTlsContext";
@ -123,6 +123,11 @@ message DownstreamTlsContext {
// an accompanying OCSP response or if the response expires at runtime. // an accompanying OCSP response or if the response expires at runtime.
// Defaults to LENIENT_STAPLING // Defaults to LENIENT_STAPLING
OcspStaplePolicy ocsp_staple_policy = 8 [(validate.rules).enum = {defined_only: true}]; OcspStaplePolicy ocsp_staple_policy = 8 [(validate.rules).enum = {defined_only: true}];
// Multiple certificates are allowed in Downstream transport socket to serve different SNI.
// If the client provides SNI but no such cert matched, it will decide to full scan certificates or not based on this config.
// Defaults to false. See more details in :ref:`Multiple TLS certificates <arch_overview_ssl_cert_select>`.
google.protobuf.BoolValue full_scan_certs_on_sni_mismatch = 9;
} }
// TLS key log configuration. // TLS key log configuration.
@ -227,12 +232,9 @@ message CommonTlsContext {
// TLS protocol versions, cipher suites etc. // TLS protocol versions, cipher suites etc.
TlsParameters tls_params = 1; TlsParameters tls_params = 1;
// Only a single TLS certificate is supported in client contexts. In server contexts,
// :ref:`Multiple TLS certificates <arch_overview_ssl_cert_select>` can be associated with the // :ref:`Multiple TLS certificates <arch_overview_ssl_cert_select>` can be associated with the
// same context to allow both RSA and ECDSA certificates. // same context to allow both RSA and ECDSA certificates and support SNI-based selection.
//
// Only a single TLS certificate is supported in client contexts. In server contexts, the first
// RSA certificate is used for clients that only support RSA and the first ECDSA certificate is
// used for clients that support ECDSA.
// //
// Only one of ``tls_certificates``, ``tls_certificate_sds_secret_configs``, // Only one of ``tls_certificates``, ``tls_certificate_sds_secret_configs``,
// and ``tls_certificate_provider_instance`` may be used. // and ``tls_certificate_provider_instance`` may be used.

Loading…
Cancel
Save