Add support to pass through and route untrusted certificates (#9172)

Signed-off-by: Michael Hargreaves <mik.hargreaves@gmail.com>
Co-authored-by: owlbreeze <mik.hargreaves@gmail.com>

Mirrored from https://github.com/envoyproxy/envoy @ abb1f969fe131c7a47da5c1ad1577be142e1ea8a
data-plane-api(CircleCI) 5 years ago
parent 14ffd9e1ee
commit 5f6f4e6107
  1. 17
      envoy/api/v2/auth/cert.proto
  2. 5
      envoy/api/v2/route/route_components.proto
  3. 5
      envoy/config/route/v3/route_components.proto
  4. 17
      envoy/extensions/transport_sockets/tls/v3/cert.proto

@ -180,8 +180,19 @@ message TlsSessionTicketKeys {
[(validate.rules).repeated = {min_items: 1}, (udpa.annotations.sensitive) = true];
}
// [#next-free-field: 10]
// [#next-free-field: 11]
message CertificateValidationContext {
// Peer certificate verification mode.
enum TrustChainVerification {
// Perform default certificate verification (e.g., against CA / verification lists)
VERIFY_TRUST_CHAIN = 0;
// Connections where the certificate fails verification will be permitted.
// For HTTP connections, the result of certificate verification can be used in route matching. (
// see :ref:`validated <envoy_api_field_route.RouteMatch.TlsContextMatchOptions.validated>` ).
ACCEPT_UNTRUSTED = 1;
}
// TLS certificate data containing certificate authority certificates to use in verifying
// a presented peer certificate (e.g. server certificate for clusters or client certificate
// for listeners). If not specified and a peer certificate is presented it will not be
@ -300,6 +311,10 @@ message CertificateValidationContext {
// If specified, Envoy will not reject expired certificates.
bool allow_expired_certificate = 8;
// Certificate trust chain verification mode.
TrustChainVerification trust_chain_verification = 10
[(validate.rules).enum = {defined_only: true}];
}
// TLS context shared by both client and server TLS contexts.
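Review bot: The comment on `ACCEPT_UNTRUSTED` inside CertificateValidationContext should state what the mode does not do: it names HTTP route matching as the only consumer of the verification result, so for a non-HTTP listener nothing visible in this hunk acts on a failed verification and the setting amounts to accepting whatever certificate the peer presents. I would extend the value comment with `// Outside HTTP route matching nothing in this context acts on the verification result; for other listeners this mode accepts any presented certificate unless a filter-level check enforces the outcome.` The field comment at `trust_chain_verification = 10` should also record the default, e.g. `// Defaults to VERIFY_TRUST_CHAIN (the zero value).`, since a reader of the enum alone cannot see that the safe mode is what an unset field yields. Whether subject-alt-name matching and hash pinning still run under ACCEPT_UNTRUSTED cannot be told from this hunk, and the comment should say so explicitly either way. The v3 copy in envoy/extensions/transport_sockets/tls/v3/cert.proto has the same gaps.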

@ -352,7 +352,12 @@ message RouteMatch {
message TlsContextMatchOptions {
// If specified, the route will match against whether or not a certificate is presented.
// If not specified, certificate presentation status (true or false) will not be considered when route matching.
google.protobuf.BoolValue presented = 1;
// If specified, the route will match against whether or not a certificate is validated.
// If not specified, certificate validation status (true or false) will not be considered when route matching.
google.protobuf.BoolValue validated = 2;
}
reserved 5;
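Review bot: The comment on `validated = 2` in TlsContextMatchOptions leaves "validated" undefined and does not say how it composes with `presented` or when it is meaningful. Because an omitted `validated` means the route matches verified and unverified connections alike, a route intended only for trusted clients must set it explicitly once a listener uses ACCEPT_UNTRUSTED, and the comment should make that fail-open consequence visible. I would document it as `// "Validated" means the presented certificate passed trust chain verification under the listener's CertificateValidationContext; a certificate that was not presented is never validated. This option only distinguishes connections when the listener permits untrusted certificates (ACCEPT_UNTRUSTED).` The last clause is my inference from the enum comment in cert.proto, which says only ACCEPT_UNTRUSTED lets failing connections through, so confirm it before committing the wording. The same comment applies to the envoy/config/route/v3/route_components.proto copy of this message.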

@ -355,7 +355,12 @@ message RouteMatch {
"envoy.api.v2.route.RouteMatch.TlsContextMatchOptions";
// If specified, the route will match against whether or not a certificate is presented.
// If not specified, certificate presentation status (true or false) will not be considered when route matching.
google.protobuf.BoolValue presented = 1;
// If specified, the route will match against whether or not a certificate is validated.
// If not specified, certificate validation status (true or false) will not be considered when route matching.
google.protobuf.BoolValue validated = 2;
}
reserved 5, 3;

@ -190,11 +190,22 @@ message TlsSessionTicketKeys {
[(validate.rules).repeated = {min_items: 1}, (udpa.annotations.sensitive) = true];
}
// [#next-free-field: 10]
// [#next-free-field: 11]
message CertificateValidationContext {
option (udpa.annotations.versioning).previous_message_type =
"envoy.api.v2.auth.CertificateValidationContext";
// Peer certificate verification mode.
enum TrustChainVerification {
// Perform default certificate verification (e.g., against CA / verification lists)
VERIFY_TRUST_CHAIN = 0;
// Connections where the certificate fails verification will be permitted.
// For HTTP connections, the result of certificate verification can be used in route matching. (
// see :ref:`validated <envoy_api_field_config.route.v3.RouteMatch.TlsContextMatchOptions.validated>` ).
ACCEPT_UNTRUSTED = 1;
}
reserved 4;
reserved "verify_subject_alt_name";
@ -307,6 +318,10 @@ message CertificateValidationContext {
// If specified, Envoy will not reject expired certificates.
bool allow_expired_certificate = 8;
// Certificate trust chain verification mode.
TrustChainVerification trust_chain_verification = 10
[(validate.rules).enum = {defined_only: true}];
}
// TLS context shared by both client and server TLS contexts.
