TLS bumping: decrypting communications between internal and external services

[LuyaoZhong]

TLS Bumping in Envoy Design Doc

2022.10.31

PoC: #23192
README and configurations are in tls_bumping subdir

---

2022.07.13
4 work items were worked out.

1. Certificate Provider framework
   Implement CertificateProvider mechanism #19308
   Implement Certificate Provider Framework (#19308) #19582
2. SNI-based cert selection in tls transport socket
   SNI-based cert selection in TLS transport socket #21739
   SNI-based cert selection during TLS handshake #22036
3. A new network filter - BumpingFilter
   Add a bumping filter for cert mimicking #22581
   WiP Add Bumping filter #22582
4. Certificate Provider instance - LocalMimicCertProvider
   WIP: Local cert provider #23063

---

2022.04.24 update

Mimicking certs only based on SNI is probably not enough, we require server real certificate and ensure to copy subject, subject alt name, extensions, knowing about the RSA key strength and many more. Original proposal was to set up client-first secure connection, to meet above requirements we need server-first secure connection.

Therefore, we expect the workflow like this:

1. downstream requires accessing some external websites like "google.com", the traffic is routed to Envoy
2. Envoy receive the CLIENT_HELLO but don't do handshake with downstream until step5
3. Envoy connects "google.com" (upstream) and get real server certificate
4. Envoy copies the subject, subject alt name, extensions, etc from real server certificate and generates mimic certificate
5. Envoy does TLS handshake with downstream using mimic certificate
6. traffic is decrypted and go through Envoy network filters, especially HCM, there are many http filters and user can also expand http filter easily with WASM to plugin in many security functions.
7. traffic is encrypted and sent to upstream.

---

Original Proposal

Title: decrypting communications between internal and external services

Description:

When Envoy works as sidecar or egress gateway in service mesh, Istio takes responsibility of certification generation and pushing the configs to Envoy via xDS. But when it works like typical proxy, the internal services on the edge might access many different external websites such as Google or Bing etc, Envoy does't provide the ability to terminate this kind of TLS traffic.
For this scenario, we propose a method to let Envoy generate certs dynamically and do TLS handshake. Then if the client trusts the root ca that the certs signed from, it can access external services under the control of Envoy.

Changes (straw man)

1. introduce an API to enable this feature and configure ca crt and key for signing
2. get sni from tls inpector (we need sni to generate certs, just utilize tls inspector, probably no changes)
3. generate certs according to sni
4. set the certs to SSL object and then do handshake

Any comments are welcome.

[rojkov]

/cc @lizan @asraa @ggreenway

[ggreenway]

Can you please elaborate on the desired traffic flow (client envoy's possition, server, which connections are TLS vs plaintext)?

[lambdai]

I am curious what kind of cert is needed for the google/bing access.

If the upstream is google/bing, envoy doesn't terminate tls but initiate tls.

The straw man flow confuses me: is the cert applied in downstream connection or upstream connection?

[LuyaoZhong]

@ggreenway @lambdai
The desired traffic flow is like this:
<downstream/internal service> ---- TLS(mimic cert generated by Envoy) ---- < Envoy> ---- TLS ---- <upstream/external service>

I mean envoy needs to terminate downstream TLS first, then we can apply many filters to control internal service accessing external network, and after that envoy initiates TLS to upstream. The mimic cert will be applied to downstream connection. There is no change to upstream connection.
I'm not sure if I was using a proper word "terminate", if not please correct me.

Thanks for your comments.

[ggreenway]

Ok, I think I understand now. Let me paraphrase to make sure I understand: you'd like for envoy to have a CA cert/key, trusted by the downstream client, and for envoy to dynamically generate a TLS cert signed by the CA cert/key for whatever name is in the SNI of a connection?

[LuyaoZhong]

@ggreenway Yes, exactly. Does it make sense for you?

[LuyaoZhong]

I wrote some PoC code for dynamically generating cert, and I tested the downstream TLS handshake using the mimic cert.

For API change, envoy currently requires certs(static or sds) set in config yaml file, and the code path doesn't take the case I mentioned into consideration. To support this feature I need a proper API introduced to indicate we will do TLS handshake using dynamic cert . I would like you could help me on this new API definition, I'm thinking about adding "tls_root_certificates" to CommonTlsContext, and it is only valid when the commonTlsContext is part of DownstreamTlsContext:

[extensions.transport_sockets.tls.v3.CommonTlsContext]

{
"tls_params": "{...}",
"tls_certificates": [],
"tls_root_certificates": [],
"tls_certificate_sds_secret_configs": [],
"validation_context": "{...}",
"validation_context_sds_secret_config": "{...}",
"combined_validation_context": "{...}",
"alpn_protocols": [],
"custom_handshaker": "{...}"
}

[extensions.transport_sockets.tls.v3.TlsRootCertificate]

{
"root_ca_cert": "{...}",
"root_ca_key": "{...}"
}

Do you think it is reasonable?

[ggreenway]

I think a more general approach would be to implement this as a listener filter. It could either run after tls_inspector (which reads the SNI value), or re-implement that part. It can then generate the needed cert, and we can add an API for a listener filter to signal to the TLS transport_socket which certificate to use.

There have been other feature requests to support extremely large numbers of fixed/pre-generated certs and to choose the correct one at runtime, and this implementation could support that use case as well.

Does that sound workable to you?

[LuyaoZhong]

Generating certs in a listener filter sounds workable. But an API for a listener filter might not be enough, the old DownstreamTlsContext still requires user setting tls certificates, we can't avoid touching DownstreamTlsContext or its sub apis.

[ggreenway]

I think we could add a FilterState from the listener filter which contains the cert/key to use, and have SslSocket check for it's presence and set the cert on the SSL* (not SSL_CTX*).

[LuyaoZhong]

Yes, it's SSL*(not SSL_CTX).

Let me list several questions and answers to make the design clear:

1. Where to generate certs?
   After deliberation, I think tls_inspector is not a good place for generating certs, because we don't want dynamically generating certs for all SNI, we want tls_inspector to detect SNI first, then dispatch to different filterchain according to SNI. This will be more flexible, since we can have different certs conifg policy for different filterchain, static, sds or dynamic.
   In my PoC I generate the certs in SslSocket::setTransportSocketCallbacks [1].

[1]

envoy/source/extensions/transport_sockets/tls/ssl_socket.cc

Line 65 in 3da250c

void SslSocket::setTransportSocketCallbacks(Network::TransportSocketCallbacks& callbacks) {

2. Why we can't avoid touching DownstreamTlsContext API.
   [2] shows Envoy requiring user setting tls certificates otherwise it exits during bootstrap. I went through some code, a easy way is to introduce an API to indicate it has the capability to provide certificates[3].

[2]

envoy/source/extensions/transport_sockets/tls/context_config_impl.cc

Line 411 in 9cc7478

throw EnvoyException("No TLS certificates found for server context");

[3]

envoy/source/extensions/transport_sockets/tls/context_config_impl.cc

Line 408 in 9cc7478

if (!capabilities().provides_certificates) {

3. Where to set CA cert/key?
   Since we have to modify DownstreamTlsContext(2nd question), I prefer it's for per transportsocket but not per listener, what do you think?