You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
108 lines
3.4 KiB
108 lines
3.4 KiB
syntax = "proto3"; |
|
|
|
package envoy.api.v2; |
|
|
|
import "google/protobuf/wrappers.proto"; |
|
|
|
message DataSource { |
|
oneof specifier { |
|
string filename = 1; |
|
bytes inline = 2; |
|
} |
|
} |
|
|
|
message TlsParameters { |
|
enum TlsProtocol { |
|
TLS_AUTO = 0; |
|
TLSv1_0 = 1; |
|
TLSv1_1 = 2; |
|
TLSv1_2 = 3; |
|
TLSv1_3 = 4; |
|
} |
|
// Allowed TLS protocols. |
|
TlsProtocol tls_minimum_protocol_version = 1; |
|
TlsProtocol tls_maximum_protocol_version = 2; |
|
|
|
// If specified, the TLS listener will only support the specified cipher list. |
|
repeated string cipher_suites = 3; |
|
|
|
// If specified, the TLS connection will only support the specified ECDH |
|
// curves. If not specified, the default curves (X25519, P-256) will be used. |
|
repeated string ecdh_curves = 4; |
|
} |
|
|
|
// TLS certs can be loaded from file or delivered inline [V2-API-DIFF]. Individual fields may |
|
// be loaded from either. |
|
message TlsCertificate { |
|
DataSource cert_chain = 1; |
|
DataSource private_key = 2; |
|
DataSource ocsp_staple = 3; |
|
repeated DataSource signed_certificate_timestamp = 4; |
|
} |
|
|
|
message CertificateValidationContext { |
|
// TLS certificate data containing certificate authority certificates to use |
|
// in verifying a presented certificate. If not specified and a certificate is |
|
// presented it will not be verified. |
|
DataSource ca_cert = 1; |
|
|
|
// If specified, Envoy will verify (pin) hex-encoded SHA-256 hash of |
|
// the presented certificate. |
|
repeated string verify_certificate_hash = 2; |
|
|
|
// If specified, Envoy will verify (pin) base64-encoded SHA-256 hash of |
|
// the Subject Public Key Information (SPKI) of the presented certificate. |
|
// This is the same format as used in HTTP Public Key Pinning. |
|
repeated string verify_spki_sha256 = 3; |
|
|
|
// An optional list of subject alt names. If specified, Envoy will verify that |
|
// the certificate’s subject alt name matches one of the specified values. |
|
repeated string verify_subject_alt_name = 4; |
|
|
|
// Must present a signed time-stamped OCSP response. |
|
google.protobuf.BoolValue require_ocsp_staple = 5; |
|
|
|
// Must present signed certificate time-stamp. |
|
google.protobuf.BoolValue require_signed_certificate_timestamp = 6; |
|
} |
|
|
|
// TLS context shared by both client and server TLS contexts. |
|
message CommonTlsContext { |
|
// TLS protocol versions, cipher suites etc. |
|
TlsParameters tls_params = 1; |
|
|
|
// Protocols to negotiate over ALPN |
|
repeated string alpn_protocols = 2; |
|
|
|
// How to validate peer certificates. |
|
CertificateValidationContext validation_context = 3; |
|
|
|
// These fields are deprecated and only are used during the interim v1 -> v2 |
|
// transition period for internal purposes. They should not be used outside of |
|
// the Envoy binary. |
|
message DeprecatedV1 { |
|
string alt_alpn_protocols = 1; |
|
} |
|
DeprecatedV1 deprecated_v1 = 4; |
|
} |
|
|
|
message UpstreamTlsContext { |
|
CommonTlsContext common_tls_context = 1; |
|
|
|
// Client certificate to present to backend. |
|
TlsCertificate client_certificate = 2; |
|
|
|
// SNI string to use when creating TLS backend connections. |
|
string sni = 3; |
|
} |
|
|
|
// [V2-API-DIFF] This has been reworked to support alternative modes of |
|
// certificate/key delivery, for consistency with the upstream TLS context and |
|
// to segregate the client/server aspects of the TLS context. |
|
message DownstreamTlsContext { |
|
CommonTlsContext common_tls_context = 1; |
|
|
|
// Multiple TLS certificates can be associated with the same context, e.g. to |
|
// allow both RSA and ECDSA certificates for the same SNI [V2-API-DIFF]. |
|
repeated TlsCertificate tls_certificates = 2; |
|
}
|
|
|