Title: A new bumping filter for cert mimicking
Description:
As discussed in #18928, a bumping filter is needed for the TLS bumping scenario. It is a network filter that does the following:
- Prefetch the upstream server cert (perhaps Envoy::Ssl::ConnectionInfo is enough) before the downstream handshake.
- Interact with the cert provider instance to generate the mimic cert.
- Refresh (recreate) the downstream transport socket to use the mimic cert.
I created some experimental code to solve cert prefetch. The idea is to reuse the TCP proxy code to do the handshake with upstream in onNewConnection, and I could call the cert provider instance to generate the mimic cert in the onGenericPoolReady callback. However, I met some issues with this approach:
- I have to disable both read and write operations on the downstream connection to stall the downstream handshake; otherwise the handshake will be triggered and the client will receive the cert from the ServerHello before cert mimicking happens.
- Also, I'm trying to figure out the behavior of the TCP connection pool of the TCP proxy.
  - From https://github.com/envoyproxy/envoy/blob/main/source/common/upstream/cluster_manager_impl.cc#L947, it seems 3 preconnect connections will be created. In my case I don't want preconnect connections, because the server cert of these connections may not be the latest. Is there any way to disable the preconnect behavior?
  - When the upstream server cert has been obtained, how could I release the connection back to the pool without waiting for the connection timeout?
Any comments and suggestions are welcome, thanks.
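Added example, not code from this issue or from Envoy: the second step above (the cert provider generating a mimic cert from a prefetched upstream cert) shown end to end in Go with only the standard library, since the mimic step itself does not need Envoy's API. The upstream cert is a constructed, self-signed stand-in for what the filter would prefetch; the names `bumpingCA`, `newUpstreamLeaf`, `mimicCert`, `chainsTo` and `sameKey` are hypothetical. The points it demonstrates: the mimic copies subject, SANs and validity window, carries a fresh key pair and serial, must not be a CA, validates for the client only through the bumping CA, and does not validate through the upstream's own chain.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// bumpingCA is the interception CA trusted by clients behind the proxy.
// Every mimic cert is signed by it; the upstream's real chain is never reused.
type bumpingCA struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func newBumpingCA() (*bumpingCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Bumping CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &bumpingCA{cert: cert, key: key}, nil
}

// newUpstreamLeaf builds a constructed, self-signed stand-in for the server
// cert the filter would have prefetched from upstream (no network here).
func newUpstreamLeaf(hosts []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4242),
		Subject:      pkix.Name{CommonName: hosts[0], Organization: []string{"Upstream Inc"}},
		DNSNames:     hosts,
		NotBefore:    time.Now().Add(-30 * 24 * time.Hour),
		NotAfter:     time.Now().Add(60 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// mimicCert is the cert provider step: copy the identity-bearing fields of the
// upstream leaf (subject, SANs, validity window) into a new leaf with a fresh
// key, signed by the bumping CA. The upstream private key is not available, so
// the key pair must be new. The validity window is copied verbatim so that an
// expired upstream cert yields an expired mimic and the client still sees the
// failure rather than a laundered cert.
func (ca *bumpingCA) mimicCert(upstream *x509.Certificate) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	// Fresh random serial: serials are unique per issuer, and the upstream
	// serial belongs to a different issuer's namespace.
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               upstream.Subject,
		DNSNames:              upstream.DNSNames,
		IPAddresses:           upstream.IPAddresses,
		NotBefore:             upstream.NotBefore,
		NotAfter:              upstream.NotAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true, // IsCA stays false: a mimic must never be a CA
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &key.PublicKey, ca.key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// chainsTo reports whether leaf validates for host against root alone,
// i.e. what a client trusting only that root would decide.
func chainsTo(leaf, root *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

// sameKey is true when both certs carry the same EC public key.
func sameKey(a, b *x509.Certificate) bool {
	ka, ok := a.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return false
	}
	return ka.Equal(b.PublicKey)
}

func main() {
	ca, err := newBumpingCA()
	if err != nil {
		panic(err)
	}
	upstream, err := newUpstreamLeaf([]string{"example.com", "www.example.com"})
	if err != nil {
		panic(err)
	}
	mimic, _, err := ca.mimicCert(upstream)
	if err != nil {
		panic(err)
	}
	fmt.Printf("mimic subject=%q sans=%v issuer=%q\n", mimic.Subject.CommonName, mimic.DNSNames, mimic.Issuer.CommonName)
	fmt.Println("fresh key:", !sameKey(mimic, upstream))
	fmt.Println("trusted via bumping CA:", chainsTo(mimic, ca.cert, "www.example.com"))
	fmt.Println("trusted via upstream cert:", chainsTo(mimic, upstream, "www.example.com"))
}
```

In the filter, the `upstream` argument would come from the prefetched `Envoy::Ssl::ConnectionInfo` (its peer certificate), and the returned cert and key are what the recreated downstream transport socket must be configured with before the stalled handshake is allowed to proceed.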