data-plane-api/api/tls_context.proto

syntax = "proto3";

package envoy.api.v2;

import "google/protobuf/wrappers.proto";

message DataSource {
  oneof specifier {
    string filename = 1;
    bytes inline = 2;
  }
}

message TlsParameters {
  enum TlsProtocol {
    TLS_AUTO = 0;
    TLSv1_0 = 1;
    TLSv1_1 = 2;
    TLSv1_2 = 3;
    TLSv1_3 = 4;
  }
  // Allowed TLS protocols.
  TlsProtocol tls_minimum_protocol_version = 1;
  TlsProtocol tls_maximum_protocol_version = 2;

  // If specified, the TLS listener will only support the specified cipher list.
  repeated string cipher_suites = 3;

  // If specified, the TLS connection will only support the specified ECDH
  // curves. If not specified, the default curves (X25519, P-256) will be used.
  repeated string ecdh_curves = 4;
}

// TLS certs can be loaded from file or delivered inline [V2-API-DIFF]. Individual fields may
// be loaded from either.
message TlsCertificate {
  DataSource certificate_chain = 1;
  DataSource private_key = 2;
  DataSource password = 3;
  DataSource ocsp_staple = 4;
  repeated DataSource signed_certificate_timestamp = 5;
}

message CertificateValidationContext {
  // TLS certificate data containing certificate authority certificates to use
  // in verifying a presented certificate. If not specified and a certificate is
  // presented it will not be verified.
  DataSource trusted_ca = 1;

  // If specified, Envoy will verify (pin) hex-encoded SHA-256 hash of
  // the presented certificate.
  repeated string verify_certificate_hash = 2;

  // If specified, Envoy will verify (pin) base64-encoded SHA-256 hash of
  // the Subject Public Key Information (SPKI) of the presented certificate.
  // This is the same format as used in HTTP Public Key Pinning.
  repeated string verify_spki_sha256 = 3;

  // An optional list of subject alt names. If specified, Envoy will verify that
  // the certificate’s subject alt name matches one of the specified values.
  repeated string verify_subject_alt_name = 4;

  // Must present a signed time-stamped OCSP response.
  google.protobuf.BoolValue require_ocsp_staple = 5;

  // Must present signed certificate time-stamp.
  google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
}

// TLS context shared by both client and server TLS contexts.
message CommonTlsContext {
  // TLS protocol versions, cipher suites etc.
  TlsParameters tls_params = 1;

  // Multiple TLS certificates can be associated with the same context,
  // e.g. to allow both RSA and ECDSA certificates [V2-API-DIFF].
  repeated TlsCertificate tls_certificates = 2;

  // How to validate peer certificates.
  CertificateValidationContext validation_context = 3;

  // Protocols to negotiate over ALPN
  repeated string alpn_protocols = 4;

  // These fields are deprecated and only are used during the interim v1 -> v2
  // transition period for internal purposes. They should not be used outside of
  // the Envoy binary.
  message DeprecatedV1 {
    string alt_alpn_protocols = 1;
  }
  DeprecatedV1 deprecated_v1 = 5;
}

message UpstreamTlsContext {
  CommonTlsContext common_tls_context = 1;

  // SNI string to use when creating TLS backend connections.
  string sni = 2;
}

// [V2-API-DIFF] This has been reworked to support alternative modes of
// certificate/key delivery, for consistency with the upstream TLS context and
// to segregate the client/server aspects of the TLS context.
message DownstreamTlsContext {
  CommonTlsContext common_tls_context = 1;

  // If specified, Envoy will reject connections without a valid client
  // certificate.
  google.protobuf.BoolValue require_client_certificate = 2;

  // If specified, Envoy will reject connections without a valid and matching SNI.
  google.protobuf.BoolValue require_sni = 3;
}