tls: allow logging session keys (#19182)

Signed-off-by: zhangbo1882 <zhangbo1882@gmail.com>

Mirrored from https://github.com/envoyproxy/envoy @ bda2fb9cbf9b6ca9329da0f4c0e65cb3bb23f19e
pull/626/head
data-plane-api(Azure Pipelines) 3 years ago
parent 07653fddfc
commit e67f288b95
  1. 23
      envoy/extensions/transport_sockets/tls/v3/tls.proto

@ -2,6 +2,7 @@ syntax = "proto3";
package envoy.extensions.transport_sockets.tls.v3; package envoy.extensions.transport_sockets.tls.v3;
import "envoy/config/core/v3/address.proto";
import "envoy/config/core/v3/extension.proto"; import "envoy/config/core/v3/extension.proto";
import "envoy/extensions/transport_sockets/tls/v3/common.proto"; import "envoy/extensions/transport_sockets/tls/v3/common.proto";
import "envoy/extensions/transport_sockets/tls/v3/secret.proto"; import "envoy/extensions/transport_sockets/tls/v3/secret.proto";
@ -124,8 +125,25 @@ message DownstreamTlsContext {
OcspStaplePolicy ocsp_staple_policy = 8 [(validate.rules).enum = {defined_only: true}]; OcspStaplePolicy ocsp_staple_policy = 8 [(validate.rules).enum = {defined_only: true}];
} }
// TLS key log configuration.
// The key log file format is "format used by NSS for its SSLKEYLOGFILE debugging output" (text taken from openssl man page)
message TlsKeyLog {
// The path to save the TLS key log.
string path = 1 [(validate.rules).string = {min_len: 1}];
// At least one of src or dst must be specified, or the config will be rejected as invalid.
// The local IP address that will be used to filter the connection which should save the TLS key log
// If it is not set, any local IP address will be matched.
repeated config.core.v3.CidrRange local_address_range = 2;
// The remote IP address that will be used to filter the connection which should save the TLS key log
// If it is not set, any remote IP address will be matched.
repeated config.core.v3.CidrRange remote_address_range = 3;
}
// TLS context shared by both client and server TLS contexts. // TLS context shared by both client and server TLS contexts.
// [#next-free-field: 15] // [#next-free-field: 16]
message CommonTlsContext { message CommonTlsContext {
option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.CommonTlsContext"; option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.CommonTlsContext";
@ -299,4 +317,7 @@ message CommonTlsContext {
// Custom TLS handshaker. If empty, defaults to native TLS handshaking // Custom TLS handshaker. If empty, defaults to native TLS handshaking
// behavior. // behavior.
config.core.v3.TypedExtensionConfig custom_handshaker = 13; config.core.v3.TypedExtensionConfig custom_handshaker = 13;
// TLS key log configuration
TlsKeyLog key_log = 15;
} }
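Review bot: The comment on `local_address_range` says `At least one of src or dst must be specified, or the config will be rejected as invalid`, yet the comments on both range fields say an unset range matches any address, and no `(validate.rules)` on either field or on `TlsKeyLog` enforces such a requirement, so a reader cannot tell which behavior holds; either drop that sentence or rewrite it to name the actual fields (`local_address_range` / `remote_address_range`) and add the matching validation rule. It is also unstated whether a connection must match both ranges or either one when both are set; a one-line comment settling that would help. Since `path` receives the session secrets that the title and the NSS SSLKEYLOGFILE reference describe, the message comment should make the consequence explicit, e.g. `// The file contains TLS session secrets; anyone able to read it can decrypt captured traffic for those sessions, so restrict its permissions and enable this only for debugging.` The `key_log` comment added in the last hunk should likewise state that the field is optional and that no key log is written when it is unset, e.g. `// Optional TLS key log configuration. If unset, no session keys are logged.`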
