support verify_certificate_hash/verify_subject_alt_name config in routes

[jwfang]

currently verify_certificate_hash/verify_subject_alt_name are in global listener,
if we also support them in route, we may accomplish per-route SSL verify IMHO.

to accomplish, i guess we just can just don't do verify on SSL-handshake by leave listener/verify_* empty,
and somehow pass the SSL context down to route and do the verify there.

[jwfang]

the issue with this approach is how to generate a proper error respone for different request.

this problem doesn’t exist for listener since application level protocol has not started.

[jwfang]

if we consider verify failure in routes is abnormal, may be just close the downstream connection is acceptable ?

[htuch]

Can you elaborate on the use case that would require SSL validation on a per-route basis? In general, SSL validation is a concept that applies somewhere between L4 and L7, but routing is performed at L7.

[jwfang]

thanks for replying.

we are trying to do s2s service authorization via mTLS, and would like to have control at method level.

[mattklein123]

I don't see any particular reason that we couldn't enforce something like this on a per-HTTP route basis and then respond with 403 at HTTP layer. I would prefer this is a discrete filter if there is interest in actually doing this.

[htuch]

In the existing API, I think this makes sense in two scenarios:

1. Some routes you just don't care about doing any validation on, and some subset you do.
2. You share RouteConfiguration objects across listeners, and want to know which SSL cert/listener combo was used when doing the route selection.

In v2, since we'll have multiple certs, I can see this being useful on a per-route basis in general.

[mattklein123]

Note that HTTP filters have access to connection/SSL data so this would be very easy to add in general as a filter.

[jwfang]

@mattklein123 i like the idea of seperate filter, it made the ssl auth config more explicit and seperate.

if we are going to do it in filter, does the tls-verify config still goes to http_connection_manager and we only access selected route config from the filter ?
otherwise (tls-verify config in filter), we may have to reduplicate the virtual-host/route selection logic in the filter.

[mattklein123]

if we are going to do it in filter, does the tls-verify config still goes to http_connection_manager and we only access selected route config from the filter? otherwise (tls-verify config in filter), we may have to reduplicate the virtual-host/route selection logic in the filter.

Yeah I'm not sure. That's a good point. The current stuff that is built just does redirection. It doesn't actually do any 403, etc. so we might be able to split it there. If we want redirection at the route level we should just build that into the existing router.

[PiotrSikora]

Note that in order for clients to send any certificates, server must request them during initial TLS handshake, which means that we'd need to configure listeners with trusted_ca (possibly ignoring result of verification) if any of the routes are going to require client certificates.

[jwfang]

sorry for the late, just back from holidays.

thanks for your help and suggestion, i did a early draft in #1830 which mimic the redirection behaviour in Router::Filter.

@PiotrSikora , from

envoy/source/common/ssl/context_impl.cc

Line 38 in a0adb66

if (!config.caCertFile().empty()) {

it seems as long as there is caCertFile, SSL_VERIFY_PEER will be set, but not necessary SSL_VERIFY_FAIL_IF_NO_PEER_CERT.
i guess this maybe okay as long as we send a client certificate request to the client via SSL_VERIFY_PEER but not verify during handshakes and defer verify later during routing ?
which means the current behaviour don't need to change ?

[PiotrSikora]

SSL_VERIFY_FAIL_IF_NO_PEER_CERT shouldn't be set, because it would mean that at least one of: require_client_certificate, verify_certificate_hash, verify_subject_alt_name is enforced server-wide for all routes, so existing behavior is fine.