Install handshaker

Envoy supports both TLS termination in listeners as well as TLS origination when making connections to upstream clusters. Support is sufficient for Envoy to perform standard edge proxy duties for modern web services as well as to initiate connections with external services that have advanced TLS requirements. Envoy supports the following TLS features:

- Configurable ciphers: Each TLS listener and client can specify the ciphers that it supports.
- Client certificates: Upstream/client connections can present a client certificate in addition to verifying the server certificate.
- Certificate verification and pinning: Certificate verification options include basic chain verification, subject name verification, and hash pinning.
- Certificate revocation: Envoy can check peer certificates against a certificate revocation list (CRL).
- ALPN: TLS listeners support ALPN. The HTTP connection manager uses this information (in addition to protocol inference) to determine whether a client is speaking HTTP/1.1 or HTTP/2.
- SNI: SNI is supported for both server (listener) and client (upstream) connections.
- Session resumption: Server connections support resuming previous sessions via TLS session tickets. Resumption can be performed across hot restarts and between parallel Envoy instances (typically useful in a front proxy configuration).
- BoringSSL private key methods: TLS private key operations (signing and decrypting) can be performed asynchronously from an extension. This allows extending Envoy to support various key management schemes (such as TPM) and TLS acceleration.
- OCSP stapling: Online Certificate Status Protocol (OCSP) responses may be stapled to certificates.

Enabling certificate verification

Certificate verification of both upstream and downstream connections is not enabled unless the validation context specifies one or more trusted CA certificates. Only a fragment of the example configuration survives on this page; the validation context it shows belongs under the UpstreamTlsContext of the cluster that connects to 127.0.0.1:1234:

```yaml
static_resources:
  listeners:
  - name: listener_0
    address: {}   # socket address not preserved on this page
  # ... remaining listener and cluster definition not preserved on this page ...
  # The validation context below belongs under the upstream cluster's
  # UpstreamTlsContext.common_tls_context:
  validation_context:
    match_typed_subject_alt_names:
    - san_type: DNS
      matcher:
        exact: "foo"
    trusted_ca:
      filename: /etc/ssl/certs/ca-certificates.crt
```

/etc/ssl/certs/ca-certificates.crt is the default path for the system CA bundle on Debian systems. This configuration makes Envoy verify the server identity of 127.0.0.1:1234 as "foo" in the same way as e.g. cURL does on standard Debian installations. Common paths for system CA bundles on Linux and BSD are:

- /etc/ssl/certs/ca-certificates.crt (Debian/Ubuntu/Gentoo etc.)
- /etc/pki/tls/certs/ca-bundle.crt (Fedora/RHEL 6)
- /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem (CentOS/RHEL 7)

See the reference for UpstreamTlsContexts and DownstreamTlsContexts for other TLS options.

Certificate selection

DownstreamTlsContexts support multiple TLS certificates. These may be a mix of RSA and P-256 ECDSA certificates. The following rules apply:

- Only one certificate of a particular type (RSA or ECDSA) may be specified.
- Non-P-256 server ECDSA certificates are rejected.
- If the client supports P-256 ECDSA, a P-256 ECDSA certificate will be selected if one is present in the DownstreamTlsContext and it is in compliance with the OCSP policy.
- If the client only supports RSA certificates, an RSA certificate will be selected if one is present in the DownstreamTlsContext.
- Otherwise, the first certificate listed is used. This will result in a failed handshake if the client only supports RSA certificates and the server only has ECDSA certificates.
- Static and SDS certificates may not be mixed in a given DownstreamTlsContext.
- The selected certificate must adhere to the OCSP policy. If no such certificate is found, the connection is refused.

Only a single TLS certificate is supported today for UpstreamTlsContexts.

OCSP stapling

Envoy supports stapling an Online Certificate Status Protocol (OCSP) response to a TLS certificate during the handshake. The ocsp_staple field allows the operator to supply a pre-computed OCSP response per certificate in the TLS context; Envoy does not fetch responses itself. A single response may not pertain to multiple certificates. If provided, OCSP responses must be valid and affirm that the certificate has not been revoked. Expired OCSP responses are accepted at load time, but may cause downstream connection errors depending on the OCSP staple policy. DownstreamTlsContexts support an ocsp_staple_policy field to control whether Envoy should stop using a certificate or continue without stapling when its associated OCSP response is missing or expired.

Certificates marked as must-staple require a valid OCSP response regardless of the OCSP staple policy. In practice, a must-staple certificate causes Envoy to behave as if the OCSP staple policy is MUST_STAPLE. Envoy will not use a must-staple certificate for new connections after its OCSP response expires.

OCSP responses are never stapled to TLS requests that do not indicate support for OCSP stapling. The following runtime flag is provided to adjust the requirements of OCSP responses and override the default behaviour:

- envoy.reloadable_features.require_ocsp_response_for_must_staple_certs: Disabling this allows a must-staple certificate to be used without a valid OCSP response. Clients that enforce the must-staple extension will reject such a handshake themselves, so this relaxation usually moves the failure from Envoy to the client rather than avoiding it.

This flag defaults to true.
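The following complete Envoy configuration is an added example written for this page; it is not a configuration taken from the page or from the Envoy project. It ties together the verification options described above (a trusted CA bundle, DNS SAN matching, a CRL, required client certificates, ALPN) with the multi-certificate and OCSP stapling settings: one RSA and one P-256 ECDSA certificate, a pre-computed OCSP response per certificate, and an ocsp_staple_policy. The listener address 127.0.0.1:8443, the upstream 127.0.0.1:1234, the "foo" SAN, the cluster name and every file path under /etc/envoy/certs are placeholders; the policy values LENIENT_STAPLING and STRICT_STAPLING come from Envoy's OcspStaplePolicy API reference rather than from this page.

```yaml
# Added example (not from the page or the Envoy project). Paths, addresses,
# the "foo" SAN and the cluster name are placeholders to be replaced.
static_resources:
  listeners:
  - name: listener_0
    address:
      socket_address: { address: 127.0.0.1, port_value: 8443 }
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_tls
          route_config:
            name: local_route
            virtual_hosts:
            - name: backend
              domains: ["*"]
              routes:
              - match: { prefix: "/" }
                route: { cluster: some_service }
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
      transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          # STRICT_STAPLING: a certificate whose OCSP response has expired is no
          # longer used for new connections (LENIENT_STAPLING, the default, would
          # keep serving it without a staple). Must-staple certificates behave as
          # MUST_STAPLE regardless of this setting.
          ocsp_staple_policy: STRICT_STAPLING
          # Require and verify client certificates (mutual TLS).
          require_client_certificate: true
          common_tls_context:
            tls_params:
              tls_minimum_protocol_version: TLSv1_2
              cipher_suites:
              - ECDHE-ECDSA-AES128-GCM-SHA256   # used with the ECDSA certificate
              - ECDHE-RSA-AES128-GCM-SHA256     # used with the RSA certificate
            alpn_protocols: ["h2", "http/1.1"]
            # One P-256 ECDSA and one RSA certificate: Envoy selects the ECDSA
            # one for clients that support it and falls back to RSA otherwise.
            # Each certificate has its own OCSP response file; one response may
            # not cover both certificates.
            tls_certificates:
            - certificate_chain: { filename: /etc/envoy/certs/server-ecdsa.crt }
              private_key: { filename: /etc/envoy/certs/server-ecdsa.key }
              ocsp_staple: { filename: /etc/envoy/certs/server-ecdsa.ocsp.der }
            - certificate_chain: { filename: /etc/envoy/certs/server-rsa.crt }
              private_key: { filename: /etc/envoy/certs/server-rsa.key }
              ocsp_staple: { filename: /etc/envoy/certs/server-rsa.ocsp.der }
            validation_context:
              trusted_ca: { filename: /etc/envoy/certs/client-ca.crt }
              # Reject client certificates that appear in the CA's CRL.
              crl: { filename: /etc/envoy/certs/client-ca.crl }
  clusters:
  - name: some_service
    type: STATIC
    connect_timeout: 0.25s
    load_assignment:
      cluster_name: some_service
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: 127.0.0.1, port_value: 1234 }
    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
        sni: foo
        common_tls_context:
          validation_context:
            # Chain verification against the system bundle plus an identity
            # check: the server must present a DNS SAN of exactly "foo".
            trusted_ca: { filename: /etc/ssl/certs/ca-certificates.crt }
            match_typed_subject_alt_names:
            - san_type: DNS
              matcher: { exact: "foo" }
            # Optional hash pinning: hex SHA-256 of the server's DER-encoded
            # certificate. Left commented out so the example loads as written;
            # compute the value with
            #   openssl x509 -in server.crt -outform DER | sha256sum
            # verify_certificate_hash:
            # - "<hex sha256 of the DER certificate>"
```

Check the file before deploying it with `envoy --mode validate -c envoy.yaml`. Because Envoy only staples the pre-computed responses it is given, the two `.ocsp.der` files must be refreshed by an external job before their `nextUpdate` time; under STRICT_STAPLING an expired response takes the associated certificate out of rotation, and if both certificates are affected new connections are refused.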