tls: add option to set signature algorithms (#26167)

Add a new optional field to TlsParameters to configure signature algorithms.
The value is used during the TLS handshake in the TLS signature_algorithms extension.
It indicates which signature algorithms may be used for digital signatures.
The value can be used for both DownstreamTlsContext and UpstreamTlsContext.

Signed-off-by: Tero Saarni <tero.saarni@est.tech>

Mirrored from https://github.com/envoyproxy/envoy @ 084794dd06c36edbcb27e05dc06c9d56a72b403f
pull/626/head
data-plane-api(Azure Pipelines) 2 years ago
parent 2d0a93568a
commit db51b44245
  1. 37
      envoy/extensions/transport_sockets/tls/v3/common.proto

@ -24,6 +24,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
// [#protodoc-title: Common TLS configuration]
// [#next-free-field: 6]
message TlsParameters {
option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.TlsParameters";
@ -120,6 +121,42 @@ message TlsParameters {
//
// P-256
repeated string ecdh_curves = 4;
// If specified, the TLS connection will only support the specified signature algorithms.
// The list is ordered by preference.
// If not specified, the default signature algorithms defined by BoringSSL will be used.
//
// Default signature algorithms selected by BoringSSL (may be out of date):
//
// .. code-block:: none
//
// ecdsa_secp256r1_sha256
// rsa_pss_rsae_sha256
// rsa_pkcs1_sha256
// ecdsa_secp384r1_sha384
// rsa_pss_rsae_sha384
// rsa_pkcs1_sha384
// rsa_pss_rsae_sha512
// rsa_pkcs1_sha512
// rsa_pkcs1_sha1
//
// Signature algorithms supported by BoringSSL (may be out of date):
//
// .. code-block:: none
//
// rsa_pkcs1_sha256
// rsa_pkcs1_sha384
// rsa_pkcs1_sha512
// ecdsa_secp256r1_sha256
// ecdsa_secp384r1_sha384
// ecdsa_secp521r1_sha512
// rsa_pss_rsae_sha256
// rsa_pss_rsae_sha384
// rsa_pss_rsae_sha512
// ed25519
// rsa_pkcs1_sha1
// ecdsa_sha1
repeated string signature_algorithms = 5;
}
// BoringSSL private key method configuration. The private key methods are used for external
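Review bot: The leading comment on the new `repeated string signature_algorithms = 5;` does not say whether the list constrains the algorithms this endpoint signs with, the ones it accepts from the peer, or both, nor what happens when a name is not in the "supported" list (rejected at configuration load, or silently dropped). Those are the first questions an operator will have, since the commit message documents the field for both DownstreamTlsContext and UpstreamTlsContext, and neither answer is visible in this hunk. I would add, after `The list is ordered by preference.`, a sentence such as `The list applies both to the signature algorithms this endpoint will sign with and to those it will accept from the peer; an unrecognized name is rejected when the configuration is loaded.`, adjusted to match the actual handling in the transport socket. It would also help to note that the supported list contains the SHA-1 based `rsa_pkcs1_sha1` and `ecdsa_sha1`, so an explicit list should include them only when legacy peers require them; the documented default already ends with `rsa_pkcs1_sha1`. The enclosing `TlsParameters` message starts outside this hunk.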
