SNI-based cert selection in TLS transport socket

[LuyaoZhong]

Title: SNI-based cert selection in TLS transport socket

Description:

Current Envoy selects cert by selecting filter chain based on SNI, it doesn’t support cert selection based on SNI inside one tls transport socket. But it is possible that we access different services via one filter chain, bumping is such a case since we will attach multiple mimic certs to one tls transport socket. Therefore，we need to implement SNI-based cert selection in transport socket.

cc @ggreenway @mattklein123

[LuyaoZhong]

Continuing discussion from #1984 and #18928:
As you know,

message CommonTlsContext {
......
  // Only one of *tls_certificates*, *tls_certificate_sds_secret_configs*,
  // and *tls_certificate_provider_instance* may be used.
  repeated TlsCertificate tls_certificates = 2;

  repeated SdsSecretConfig tls_certificate_sds_secret_configs = 6
      [(validate.rules).repeated = {max_items: 2}];

  // [#not-implemented-hide:]
  CertificateProviderPluginInstance tls_certificate_provider_instance = 14;
......
}

If we get certificates via one of these three provider, we need to modify existing cert selection logic to support different SNI.
If anyone use custom handshaker to provide certificates, then custom handshaker should define the selection logic and set SSL_CTX_set_select_certificate_cb() .

So I propose to modify current cert selection logic directly, not sure if we need to introduce some flag to indicate we need do cert selection based on SNI in transport socket.

What do you think about it?

[mattklein123]

I would definitely want to hear from @ggreenway here, but I think this comes up often enough that having an in-tree handshake provider that can do cert selection would I think be useful. I'm not sure if this would be implemented as a cert provider or something else.

[soulxu]

It doesn't seems like the cert selection logic is part of handshaker

envoy/source/extensions/transport_sockets/tls/context_impl.cc

Lines 710 to 718 in 2aa40dc

	if (!config.capabilities().provides_certificates) {
	SSL_CTX_set_select_certificate_cb(
	tls_contexts_[0].ssl_ctx_.get(),
	[](const SSL_CLIENT_HELLO* client_hello) -> ssl_select_cert_result_t {
	return static_cast<ServerContextImpl*>(
	SSL_CTX_get_app_data(SSL_get_SSL_CTX(client_hello->ssl)))
	->selectTlsContext(client_hello);
	});
	}

Even if we have a custom handshaker for selection, but I guess that custom handshaker most of parts same with the default handshaker except the selection logic.

[mattklein123]

Even if we have a custom handshaker for selection, but I guess that custom handshaker most of parts same with the default handshaker except the selection logic.

Yeah I don't know the right answer here without digging in myself. There will need to be either a new extension point or significant code sharing. I'm not sure the right solution, it will need to be investigated.

[soulxu]

So I propose to modify current cert selection logic directly, not sure if we need to introduce some flag to indicate we need do cert selection based on SNI in transport socket.

If the only usecase of multiple certs is about support both RSA and ECDSA, then I think it is fine without a flag for me

And the selection of RSA and ECDSA should be keep with SNI selection behavior
https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/tls.proto#extensions-transport-sockets-tls-v3-commontlscontext

Only a single TLS certificate is supported in client contexts. In server contexts, the first RSA certificate is used for clients that only support RSA and the first ECDSA certificate is used for clients that support ECDSA.

But I don't know how custom validator use the multiple certs, at least there is link for it https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#arch-overview-ssl-cert-select

[ggreenway]

In general, I'd be fine with adding support for multiple certs and selecting the correct one based on SNI. There are a few questions we'd need to sort out:

• What happens if the SNI value doesn't match the names in any of the certs, or there is no SNI? Which cert do we choose?
• What if certs have overlapping names? Is that a config-load error, or do we allow it and have some criteria for which cert to use?
• What if there's a cert with the correct name but incorrect type (RSA vs EC), but not a complete match (name and type)?

[LuyaoZhong]

And the selection of RSA and ECDSA should be keep with SNI selection behavior

sure

But I don't know how custom validator use the multiple certs, at least there is link for it https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#arch-overview-ssl-cert-select

custom validator does not have multiple certs issue, multiple certs in this feature is indentity certs used for TLS handshake, validator is to use a trusted ca to validate peer certificate.

[LuyaoZhong]

In general, I'd be fine with adding support for multiple certs and selecting the correct one based on SNI. There are a few questions we'd need to sort out:

• What happens if the SNI value doesn't match the names in any of the certs, or there is no SNI? Which cert do we choose?

If there is no SNI, we can fallback to only RSA/ECDSA selection, this will not break existing logic.
If no certs match the SNI, we should let the selection fail.

• What if certs have overlapping names? Is that a config-load error, or do we allow it and have some criteria for which cert to use?

I think it should be a config-load error. It sounds weird that multiple certs have the same SNI.

• What if there's a cert with the correct name but incorrect type (RSA vs EC), but not a complete match (name and type)?

envoy/source/extensions/transport_sockets/tls/context_impl.cc

Lines 1072 to 1093 in 8259b33

	ServerContextImpl::selectTlsContext(const SSL_CLIENT_HELLO* ssl_client_hello) {
	const bool client_ecdsa_capable = isClientEcdsaCapable(ssl_client_hello);
	const bool client_ocsp_capable = isClientOcspCapable(ssl_client_hello);
	// Fallback on first certificate.
	const TlsContext* selected_ctx = &tls_contexts_[0];
	auto ocsp_staple_action = ocspStapleAction(*selected_ctx, client_ocsp_capable);
	for (const auto& ctx : tls_contexts_) {
	if (client_ecdsa_capable != ctx.is_ecdsa_) {
	continue;
	}
	auto action = ocspStapleAction(ctx, client_ocsp_capable);
	if (action == OcspStapleAction::Fail) {
	continue;
	}
	selected_ctx = &ctx;
	ocsp_staple_action = action;
	break;
	}

Only a single TLS certificate is supported in client contexts. In server contexts, the first RSA certificate is used for clients that only support RSA and the first ECDSA certificate is used for clients that support ECDSA.
According to the code and comment, it assumes that there is always a RSA cert existing, and fallback to RSA cert when client supports EC but no EC cert is found. We can keep this logic when matching the SNI.

What's your suggestion? @ggreenway

[ggreenway]

In general, I'd be fine with adding support for multiple certs and selecting the correct one based on SNI. There are a few questions we'd need to sort out:

• What happens if the SNI value doesn't match the names in any of the certs, or there is no SNI? Which cert do we choose?

If there is no SNI, we can fallback to only RSA/ECDSA selection, this will not break existing logic. If no certs match the SNI, we should let the selection fail.

But if there are many certs, and no SNI (or no matching SNI), which of the many certs should be used? We'd probably need to specify which one, maybe the first in the list of configured certs.

• What if certs have overlapping names? Is that a config-load error, or do we allow it and have some criteria for which cert to use?

I think it should be a config-load error. It sounds weird that multiple certs have the same SNI.

Sounds good to me. You'll also need to account for wildcards, and make sure to use a more-specific cert before considering a wildcard.

• What if there's a cert with the correct name but incorrect type (RSA vs EC), but not a complete match (name and type)?

envoy/source/extensions/transport_sockets/tls/context_impl.cc

Lines 1072 to 1093 in 8259b33

	ServerContextImpl::selectTlsContext(const SSL_CLIENT_HELLO* ssl_client_hello) {
	const bool client_ecdsa_capable = isClientEcdsaCapable(ssl_client_hello);
	const bool client_ocsp_capable = isClientOcspCapable(ssl_client_hello);
	// Fallback on first certificate.
	const TlsContext* selected_ctx = &tls_contexts_[0];
	auto ocsp_staple_action = ocspStapleAction(*selected_ctx, client_ocsp_capable);
	for (const auto& ctx : tls_contexts_) {
	if (client_ecdsa_capable != ctx.is_ecdsa_) {
	continue;
	}
	auto action = ocspStapleAction(ctx, client_ocsp_capable);
	if (action == OcspStapleAction::Fail) {
	continue;
	}
	selected_ctx = &ctx;
	ocsp_staple_action = action;
	break;
	}

Only a single TLS certificate is supported in client contexts. In server contexts, the first RSA certificate is used for clients that only support RSA and the first ECDSA certificate is used for clients that support ECDSA.
According to the code and comment, it assumes that there is always a RSA cert existing, and fallback to RSA cert when client supports EC but no EC cert is found. We can keep this logic when matching the SNI.
What's your suggestion? @ggreenway

No, it is not safe to assume there is always an RSA cert. But currently, there will be at most one RSA cert and one EC cert. You'll need to decide on and clearly document the matching criteria/algorithm, including both SNI and type.

[LuyaoZhong]

But if there are many certs, and no SNI (or no matching SNI), which of the many certs should be used? We'd probably need to specify which one, maybe the first in the list of configured certs.

I'm ok with that selecting first cert as default.

I think it should be a config-load error. It sounds weird that multiple certs have the same SNI.

Sounds good to me. You'll also need to account for wildcards, and make sure to use a more-specific cert before considering a wildcard.

After thinking about this for a while, It should be possible that multiple certs has the same SNI, e.g. EC and RSA certs, they both serves for the same SNI.
For wildcard, do you mean SAN(subjectAltName) certificate? In server certificate, we might have subject common name and subjectAltName. We need to use subject common name for exact SNI matching first, if no matching then we use subjectAltName for wildcard matching, is that correct?

No, it is not safe to assume there is always an RSA cert. But currently, there will be at most one RSA cert and one EC cert. You'll need to decide on and clearly document the matching criteria/algorithm, including both SNI and type.

I mean current code assume there is always a RSA cert. Because the comment says "the first RSA certificate is used...", but code always fallback to the first certificate without looking up RSA keyword.

   // Fallback on first certificate. 
   const TlsContext* selected_ctx = &tls_contexts_[0]; 

So I just propose to keep this logic when do type matching.

Based on your suggestion, criteria v1 should be:
If there is SNI in CLIENT_HELLO, we should do SNI matching to get a cert list. Then if the list is not empty, we do type matching based on this list further.
Otherwise(if no SNI in CLIENT_HELLO or SNI matching return emplty), we do type matching based on whole cert list.
(We fallback to the first cert in the list when do type matching)

@ggreenway