tls: Control enforce_rsa_key_usage (#24923)

The Boring SSL team is going to set `enforce_rsa_key_usage` to true very soon. If it is true, the handshake will fail if the keyUsage extension is present and incompatible with the TLS usage. However, the backend services/VMs might not be ready for this change and it has caused outages. I think this is also applicable to OSS Envoy customers since their certificates may not be ready either.

Change:
- Add the config field to control `enforce_rsa_key_usage`. It is false by default now but can be changed to true (which is aligned with Boring SSL's request) later once customers are ready.
- Set it when the ClientContext's SSL object is created. This SSL object will be used later in the SSL handshake.
- It is added in the `UpstreamTlsContext` proto and set in `ClientContext` because this change in Boring SSL only affects Envoy->Backend (Upstream TLS) but not Client->Envoy (Downstream TLS).
- Add stats to track/report the invalid use case by leveraging the `SSL_was_key_usage_invalid` API introduced [here](a614d46d40).
- Improve the error handling/reporting for `SSL_ERROR_SYSCALL`.

Signed-off-by: tyxia <tyxia@google.com>

Mirrored from https://github.com/envoyproxy/envoy @ c5d578bdf109b90c1b93e888dae6cb45de6309f7
main
update-envoy[bot] 1 year ago
parent 50b5cf1c11
commit e5790e7785
1 changed file, 8 additions: envoy/extensions/transport_sockets/tls/v3/tls.proto

@ -25,6 +25,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
// [#extension: envoy.transport_sockets.tls]
// The TLS contexts below provide the transport socket configuration for upstream/downstream TLS.
// [#next-free-field: 6]
message UpstreamTlsContext {
option (udpa.annotations.versioning).previous_message_type =
"envoy.api.v2.auth.UpstreamTlsContext";
@ -53,6 +54,13 @@ message UpstreamTlsContext {
//
// Defaults to 1, setting this to 0 disables session resumption.
google.protobuf.UInt32Value max_session_keys = 4;
// This field is used to control the enforcement, whereby the handshake will fail if the keyUsage extension
// is present and incompatible with the TLS usage. Currently, the default value is false (i.e., enforcement off)
// but it is expected to be changed to true by default in a future release.
// ``ssl.was_key_usage_invalid`` in :ref:`listener metrics <config_listener_stats>` will be set for certificate
// configurations that would fail if this option were set to true.
google.protobuf.BoolValue enforce_rsa_key_usage = 5;
}
// [#next-free-field: 10]
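Review bot: The doc comment on the new `enforce_rsa_key_usage` field points readers at ``ssl.was_key_usage_invalid`` in the listener metrics (`:ref:` to `config_listener_stats`), but the field lives on `UpstreamTlsContext` and the commit message states the enforcement only affects Envoy->Backend (upstream) TLS; a stat recorded from the `ClientContext` would be reported on the cluster/upstream side, so the reference should point at the cluster TLS stats instead, or the comment should say where the counter is actually emitted. Two smaller points in the same hunk: "will be set" reads as if the stat were a gauge, so if it is a counter the comment should say "will be incremented"; and the new comment block follows `google.protobuf.UInt32Value max_session_keys = 4;` without the blank line that separates the other fields in this message, which breaks the file's existing layout.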
