tls: add options to validate SANs and send SNI for upstream hostname (#36903)

These options are related, but do not have to be used together.

The existing `auto_sni` and `auto_san_validation` make Envoy set
upstream TLS SNI and validate SANs based on the downstream request's
`:authority` (or override header).

The new `auto_host_sni` option causes Envoy to set the upstream TLS SNI
to the hostname in the cluster for the host being connected to. For
example, in a DNS cluster with server1.example.com and server2.example.com
as the cluster members, connections would have SNI of
server1.example.com and server2.example.com, respectively.

The new `auto_sni_san_validation` option causes Envoy to validate that
the peer's server certificate has a DNS SAN that matches whatever SNI
value was sent (regardless of how it's configured). This is appropriate
to set in many/most configurations for normally-behaving upstream
servers without special certificate validation requirements.

Signed-off-by: Greg Greenway <ggreenway@apple.com>
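A cluster configuration exercising the two new `UpstreamTlsContext` fields, added here as an illustration and not taken from the commit or from Envoy's own test fixtures. The hostnames, port and CA bundle path are assumed; the field names (`auto_host_sni`, `auto_sni_san_validation`, `sni`, `common_tls_context.validation_context.trusted_ca`) are the ones in the proto diff below. The first cluster shows the weak shape this change is meant to replace: a fixed `sni` with a `trusted_ca` but no SAN match, so any certificate chaining to that CA is accepted for any host. The second cluster derives SNI from the DNS hostname of each resolved member and requires a DNS SAN matching whatever SNI was actually sent.

```yaml
# Added example: contrast a chain-only upstream TLS setup with one that
# uses the new auto_host_sni / auto_sni_san_validation fields.
# Hostnames, port and CA path are placeholders (assumptions).
static_resources:
  clusters:
  # Before: one static SNI for the whole cluster and no SAN matching.
  # trusted_ca alone verifies the chain only; the peer's name is not checked,
  # and server2.example.com is greeted with server1's SNI.
  - name: backend_chain_only
    type: STRICT_DNS
    load_assignment:
      cluster_name: backend_chain_only
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: server1.example.com, port_value: 443 }
        - endpoint:
            address:
              socket_address: { address: server2.example.com, port_value: 443 }
    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
        sni: server1.example.com
        common_tls_context:
          validation_context:
            trusted_ca:
              filename: /etc/ssl/certs/ca-certificates.crt   # assumed path

  # After: SNI follows the DNS name of the member being dialled, and the
  # presented certificate must carry a DNS SAN equal to that SNI.
  - name: backend_host_sni
    type: STRICT_DNS
    load_assignment:
      cluster_name: backend_host_sni
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: server1.example.com, port_value: 443 }
        - endpoint:
            address:
              socket_address: { address: server2.example.com, port_value: 443 }
    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
        # Per-host SNI: server1.example.com to the first member,
        # server2.example.com to the second.
        auto_host_sni: true
        # Validate that the leaf certificate has a DNS SAN matching the SNI
        # that was sent, whichever option produced it.
        auto_sni_san_validation: true
        common_tls_context:
          validation_context:
            trusted_ca:
              filename: /etc/ssl/certs/ca-certificates.crt   # assumed path
```

The `sni` field can still be set alongside `auto_host_sni` as the value used for members whose hostname is not known (an IP-literal endpoint in a STATIC cluster, for example); the SAN check then applies to that fallback value too, since it validates against the SNI actually sent.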

Mirrored from https://github.com/envoyproxy/envoy @ 8ef1ecc4fae1699b8fcea839a510a8a760ddecd8
main
update-envoy[bot] 3 months ago
parent 6ac3cd177b
commit a1e6b53d7e
Changed files:
1. envoy/config/core/v3/protocol.proto (6 changed lines)
2. envoy/extensions/transport_sockets/tls/v3/tls.proto (22 changed lines)

@ -123,6 +123,9 @@ message UpstreamHttpProtocolOptions {
// header when :ref:`override_auto_sni_header <envoy_v3_api_field_config.core.v3.UpstreamHttpProtocolOptions.override_auto_sni_header>`
// is set, as seen by the :ref:`router filter <config_http_filters_router>`.
// Does nothing if a filter before the http router filter sets the corresponding metadata.
//
// See :ref:`SNI configuration <start_quick_start_securing_sni_client>` for details on how this
// interacts with other validation options.
bool auto_sni = 1;
// Automatic validate upstream presented certificate for new upstream connections based on the
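Review bot: the added sentence "See SNI configuration ... for details on how this interacts with other validation options" sits under `auto_sni`, which selects the SNI rather than validating anything, and the field comment still does not say which value wins when `auto_sni` here and the new `auto_host_sni` on `UpstreamTlsContext` are both set. Suggest one sentence in the comment giving that precedence directly, rather than relying only on the linked quick-start page, since this is the comment users see in the generated API reference.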
@ -130,6 +133,9 @@ message UpstreamHttpProtocolOptions {
// is set, as seen by the :ref:`router filter <config_http_filters_router>`.
// This field is intended to be set with ``auto_sni`` field.
// Does nothing if a filter before the http router filter sets the corresponding metadata.
//
// See :ref:`validation configuration <start_quick_start_securing_validation>` for how this interacts with
// other validation options.
bool auto_san_validation = 2;
// An optional alternative to the host/authority header to be used for setting the SNI value.
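Review bot: "This field is intended to be set with ``auto_sni`` field." now coexists with the new `auto_sni_san_validation`, which also validates the certificate against the SNI; the comment should state what happens when both `auto_san_validation` and `auto_sni_san_validation` are enabled (whether both checks run, or one replaces the other), and which SNI source each validates against when `auto_sni` and `auto_host_sni` disagree. Suggest adding that sentence next to "Does nothing if a filter before the http router filter sets the corresponding metadata."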

@ -25,7 +25,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
// [#extension: envoy.transport_sockets.tls]
// The TLS contexts below provide the transport socket configuration for upstream/downstream TLS.
// [#next-free-field: 6]
// [#next-free-field: 8]
message UpstreamTlsContext {
option (udpa.annotations.versioning).previous_message_type =
"envoy.api.v2.auth.UpstreamTlsContext";
@ -42,6 +42,26 @@ message UpstreamTlsContext {
// SNI string to use when creating TLS backend connections.
string sni = 2 [(validate.rules).string = {max_bytes: 255}];
// If true, replaces the SNI for the connection with the hostname of the upstream host, if
// the hostname is known due to either a DNS cluster type or the
// :ref:`hostname <envoy_v3_api_field_config.endpoint.v3.Endpoint.hostname>` is set on
// the host.
//
// See :ref:`SNI configuration <start_quick_start_securing_sni_client>` for details on how this
// interacts with other validation options.
bool auto_host_sni = 6;
// If true, replace any Subject Alternative Name validations with a validation for a DNS SAN matching
// the SNI value sent. Note that the validation will be against the actual requested SNI, regardless of how it
// is configured.
//
// For the common case where an SNI value is sent and it is expected that the server certificate contains a SAN
// matching that SNI value, this option will do the correct SAN validation.
//
// See :ref:`validation configuration <start_quick_start_securing_validation>` for how this interacts with
// other validation options.
bool auto_sni_san_validation = 7;
// If true, server-initiated TLS renegotiation will be allowed.
//
// .. attention::
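Review bot: the `auto_sni_san_validation` comment says it replaces "any Subject Alternative Name validations with a validation for a DNS SAN matching the SNI value sent", but it does not say what happens when no SNI is sent at all (no `sni`, `auto_host_sni` with an unresolved hostname, no downstream-derived SNI): whether the handshake fails validation or silently falls back to chain-only verification. That distinction matters because chain-only verification accepts any certificate issued by the trusted CA for any host, which is exactly what this option exists to prevent; suggest stating the no-SNI behaviour explicitly. Likewise the `auto_host_sni` comment says it "replaces the SNI ... if the hostname is known" but not what is used when it is not known; if the fallback is the static `sni` field at "string sni = 2", say so in the comment.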
