tls: Add certificate compression algorithm configuration (RFC 8879) #1
Closed
bellatoris wants to merge 4 commits into main
5395759 to 2380347
bellatoris pushed a commit that referenced this pull request Dec 17, 2025
…voyproxy#42554)
## Description
Today, when a filesystem watch callback returns a non-OK status or throws an exception, the error gets propagated to `FileEventImpl` which uses `THROW_IF_NOT_OK`. Since there's no exception handler in the `libevent` loop, this causes `std::terminate` to be called, which crashes Envoy.
In this change, we are making the `inotify` and `kqueue` watchers handle callback errors gracefully by catching any exceptions using `TRY_ASSERT_MAIN_THREAD`, logging errors instead of propagating them and always returning the `OkStatus` to the event loop.
---
**Commit Message:** filesystem: Fix crash when watch callback returns error or throws
**Additional Description:** Make `inotify` and `kqueue` watchers handle callback errors gracefully.
**Risk Level:** Low
**Testing:** CI
**Docs Changes:** N/A
**Release Notes:** N/A
---------
Signed-off-by: Rohit Agrawal <rohit.agrawal@salesforce.com>
Signed-off-by: Rohit Agrawal <rohit.agrawal@databricks.com>
Add histogram stats to track DER-encoded certificate chain sizes:
- peer_certificate_chain_bytes: Size of peer's certificate chain
- local_certificate_chain_bytes: Size of local certificate chain
Add utility functions to measure certificate sizes:
- getCertificateDerSize(): Get DER size of single certificate
- getPeerCertificateChainDerSize(): Get total peer chain size
- getLocalCertificateChainDerSize(): Get total local chain size
These metrics provide visibility into TLS certificate overhead, which is useful for understanding handshake costs and optimizing certificate chains.
Relocate certificate compression implementation from source/common/quic/
to source/common/tls/ to enable compression for both TCP TLS and QUIC:
- Add source/common/tls/cert_compression.{h,cc} with zlib implementation
- Update source/common/tls/context_impl.cc to register zlib compression
- Convert source/common/quic/cert_compression.h to a thin backward-compat
wrapper that delegates to the TLS implementation
- Remove source/common/quic/cert_compression.cc (no longer needed)
- Update BUILD files to reflect new dependencies
This enables TLS certificate compression (RFC 8879) for TCP connections,
which was previously only available for QUIC. Certificate compression
reduces TLS handshake size and bandwidth overhead.
This change adds support for two additional certificate compression algorithms:
- Brotli (algorithm ID 2): Better compression ratio, widely supported
- Zstd (algorithm ID 3): Fast compression with good compression ratio
Changes:
- Add registerAll() to register all algorithms in priority order (brotli > zstd > zlib)
- Implement compressBrotli/decompressBrotli using libbrotli
- Implement compressZstd/decompressZstd using libzstd
- Update context_impl.cc to use registerAll() instead of registerZlib()
- Update QUIC wrapper to use registerAll() for full algorithm support
- Add comprehensive unit tests for all three algorithms
The TLS handshake will negotiate the best mutually supported algorithm. Brotli typically provides the best compression for certificates.
This change adds TLS certificate compression support with brotli, zstd, and zlib
algorithms per RFC 8879. Certificate compression reduces TLS handshake size,
especially beneficial for QUIC where the ServerHello needs to fit in the initial
response.
Features:
- Support for brotli (ID 2), zstd (ID 3), and zlib (ID 1) compression algorithms
- Individual registration functions for each algorithm
- Compression stats: certificate_compression.<algo>.{compressed,total_uncompressed_bytes,total_compressed_bytes}
- Runtime feature flag: envoy.reloadable_features.tls_support_certificate_compression (default: false)
Testing:
- Unit tests for compression/decompression round-trips
- Registration tests with real SSL_CTX
- Integration tests for TLS handshake with compression enabled/disabled
Documentation:
- Changelog entry for the new feature
- Stats documentation in ssl_stats.rst
Part of certificate compression implementation (RFC 8879).
2380347 to 8dac618
bellatoris pushed a commit that referenced this pull request Mar 6, 2026
…proxy#43667)
Commit Message: The LEDS subscription callback lambda captured `used_load_assignment` by value as a raw pointer to the object owned by the `cluster_load_assignment_` unique_ptr. When a subsequent EDS update reassigned `cluster_load_assignment_`, the old object was destroyed but existing LEDS subscriptions (not recreated for unchanged configs) still held the dangling pointer. When the LEDS subscription later fired its callback (e.g. onConfigUpdateFailed), dereferencing this pointer caused a segfault.
Stack trace:
```
#0: [0x77b9d6de8330]
#1: Envoy::Upstream::EdsClusterImpl::BatchUpdateHelper::batchUpdate()
#2: Envoy::Upstream::PrioritySetImpl::batchHostUpdate()
#3: std::__1::__function::__func<>::operator()()
#4: Envoy::Upstream::LedsSubscription::onConfigUpdateFailed()
#5: Envoy::Config::GrpcSubscriptionImpl::onConfigUpdateFailed()
#6: event_process_active_single_queue
#7: event_base_loop
#8: Envoy::Server::InstanceBase::run()
```
Fix by capturing `this` and accessing `cluster_load_assignment_` directly, which always reflects the current valid assignment.
Additional Description:
Risk Level:
Testing:
Docs Changes:
Release Notes:
Platform Specific Features:
[Optional Runtime guard:]
[Optional Fixes #Issue]
[Optional Fixes commit #PR or SHA]
[Optional Deprecated:]
[Optional [API Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md):]
Signed-off-by: William Dauchy <william.dauchy@datadoghq.com>
bellatoris added a commit that referenced this pull request Mar 12, 2026
…use-after-free fix
Code review fixes:
- Use absl::optional<string> for zone parameter (Comment #1)
- Skip locality modification when zone is nullopt (Comment #2)
- Simplify fetch_sub pattern to fetch_sub(1)==1 (Comment #4)
- Fix use-after-free: move zone_callbacks_.erase after all address uses
- Add :ref: link in proto doc (Comment #7)
- Add const qualifiers (Comments #8, #9)
Zone discovery integration tests (redis_cluster_test.cc):
- ZoneDiscoveryBasicFlow: both nodes return valid zones
- ZoneDiscoveryPartialZones: one node missing availability_zone
- ZoneDiscoveryResponseTypeMismatch: Error type instead of BulkString
- ZoneDiscoveryAllFailure: both INFO requests fail
- ZoneDiscoveryMixedSuccessAndFailure: one succeeds, one fails
- ZoneDiscoveryMakeRequestReturnsNull: makeRequest returns nullptr
LB tests (redis_cluster_lb_test.cc):
- LocalZoneAffinityZoneDiscoveryFailure: hosts without zones
- LocalZoneAffinityReplicasAndPrimaryUnhealthyLocalPrimary: unhealthy local primary fallback
Signed-off-by: Doogie Min <doogie.min@sendbird.com>
Summary
Add user-configurable TLS certificate compression algorithms to CommonTlsContext (RFC 8879).
This allows users to specify which algorithms (BROTLI, ZSTD, ZLIB) to use and their priority order.
Key Changes
- `CertificateCompressionAlgorithm` proto message in `common.proto`
- `certificate_compression_algorithms` field to `CommonTlsContext`
- `registerFromConfig()` to `CertCompression` class
- `envoy.reloadable_features.tls_support_certificate_compression`
Design Decisions
- `CommonTlsContext` (shared by client and server)
How to Enable
- `envoy.reloadable_features.tls_support_certificate_compression: true`
Test plan
- `//test/common/tls:cert_compression_test` - PASSED
🤖 Generated with Claude Code
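The algorithm IDs and priority order discussed in this PR map onto two RFC 8879 wire structures. The following added example (not code from this PR or from Envoy) parses a `compress_certificate` extension body, selects an algorithm by local priority, and validates a `CompressedCertificate` header before any decompressor runs. The function names, the `kNone` sentinel, the size cap, the selection rule and the sample bytes are assumptions of the example.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <vector>

// RFC 8879 algorithm IDs as listed on this page; kNone is this example's sentinel.
constexpr uint16_t kNone = 0, kZlib = 1, kBrotli = 2, kZstd = 3;

// compress_certificate extension body: one length byte, then big-endian
// uint16 algorithm IDs (algorithms<2..2^8-2>).
bool parseAdvertised(const std::vector<uint8_t>& ext, std::vector<uint16_t>& out) {
  if (ext.empty()) return false;
  const size_t len = ext[0];
  if (len < 2 || len % 2 != 0 || len != ext.size() - 1) return false;
  for (size_t i = 1; i < ext.size(); i += 2)
    out.push_back(static_cast<uint16_t>((ext[i] << 8) | ext[i + 1]));
  return true;
}

// Assumption: the sender walks its configured priority list and takes the
// first entry the peer advertised; kNone means send the chain uncompressed.
uint16_t selectAlgorithm(const std::vector<uint16_t>& local_priority,
                         const std::vector<uint16_t>& advertised) {
  for (uint16_t id : local_priority)
    if (std::find(advertised.begin(), advertised.end(), id) != advertised.end()) return id;
  return kNone;
}

enum class Verdict { Ok, Malformed, UnofferedAlgorithm, TooLarge };

// Checks on a received CompressedCertificate body before decompression:
//   uint16 algorithm; uint24 uncompressed_length; opaque data<1..2^24-1>
Verdict checkHeader(const std::vector<uint8_t>& msg, const std::vector<uint16_t>& offered,
                    uint32_t max_uncompressed) {
  if (msg.size() < 9) return Verdict::Malformed; // 8 header bytes + 1 data byte
  const uint16_t alg = static_cast<uint16_t>((msg[0] << 8) | msg[1]);
  const uint32_t ulen = (uint32_t(msg[2]) << 16) | (uint32_t(msg[3]) << 8) | msg[4];
  const uint32_t dlen = (uint32_t(msg[5]) << 16) | (uint32_t(msg[6]) << 8) | msg[7];
  if (ulen == 0 || dlen != msg.size() - 8) return Verdict::Malformed;
  if (std::find(offered.begin(), offered.end(), alg) == offered.end())
    return Verdict::UnofferedAlgorithm;
  // Cap the declared size so the output buffer is bounded; the decompressor
  // must then yield exactly ulen bytes or the handshake is aborted.
  if (ulen > max_uncompressed) return Verdict::TooLarge;
  return Verdict::Ok;
}

int main() {
  // Constructed sample: peer advertises brotli, zlib, zstd.
  std::vector<uint16_t> adv;
  if (!parseAdvertised({0x06, 0x00, 0x02, 0x00, 0x01, 0x00, 0x03}, adv)) return 1;
  // Constructed message: zstd, declares 4096 bytes, one placeholder data byte.
  const std::vector<uint8_t> msg = {0x00, 0x03, 0x00, 0x10, 0x00, 0x00, 0x00, 0x01, 0xAA};
  const bool ok = selectAlgorithm({kBrotli, kZstd, kZlib}, adv) == kBrotli &&
                  checkHeader(msg, {kBrotli, kZstd, kZlib}, 1u << 16) == Verdict::Ok;
  return ok ? 0 : 1;
}
```

Rejecting an algorithm that was never offered and bounding `uncompressed_length` before allocation are the two checks that keep a configurable algorithm list from widening the decompression attack surface.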