Skip to content

[PoC][Draft] TLS Bumping integration #23192

Closed
LuyaoZhong wants to merge 53 commits intoenvoyproxy:mainfrom
LuyaoZhong:bumping-integ
Closed

[PoC][Draft] TLS Bumping integration #23192
LuyaoZhong wants to merge 53 commits intoenvoyproxy:mainfrom
LuyaoZhong:bumping-integ

Conversation

@LuyaoZhong
Copy link
Copy Markdown

@LuyaoZhong LuyaoZhong commented Sep 21, 2022
edited
Loading

NOT READY FOR REVIEW

This PR is to merge following parts, and do integration test.

Certificate Provider framework #19582
SNI-based cert selection in tls transport socket #22036
A new network filter - BumpingFilter #22582
Certificate Provider instance - LocalMimicCertProvider #23063

Signed-off-by: Luyao Zhong luyao.zhong@intel.com
Signed-off-by: LeiZhang lei.a.zhang@intel.com

@repokitteh-read-only
Copy link
Copy Markdown

repokitteh-read-only bot commented Sep 21, 2022

As a reminder, PRs marked as draft will not be automatically assigned reviewers,
or be handled by maintainer-oncall triage.

Please mark your PR as ready when you want it to be reviewed!

🐱

Caused by: #23192 was opened by LuyaoZhong.

see: more, trace.

@repokitteh-read-only repokitteh-read-only bot added api deps Approval required for changes to Envoy's external dependencies labels Sep 21, 2022
@repokitteh-read-only
Copy link
Copy Markdown

repokitteh-read-only bot commented Sep 21, 2022

CC @envoyproxy/api-shepherds: Your approval is needed for changes made to (api/envoy/|docs/root/api-docs/).
envoyproxy/api-shepherds assignee is @mattklein123
CC @envoyproxy/api-watchers: FYI only for changes made to (api/envoy/|docs/root/api-docs/).
CC @envoyproxy/dependency-shepherds: Your approval is needed for changes made to (bazel/.*repos.*\.bzl)|(bazel/dependency_imports\.bzl)|(api/bazel/.*\.bzl)|(.*/requirements\.txt)|(.*\.patch).
envoyproxy/dependency-shepherds assignee is @moderation

🐱

Caused by: #23192 was opened by LuyaoZhong.

see: more, trace.

TLS bumping integration
14af58d 
Merge following components for integration PoC
- Certificate Provider framework
- SNI-based cert selection in tls transport socket
- A new network filter - BumpingFilter
- Certificate Provider instance - LocalMimicCertProvider

Signed-off-by: Luyao Zhong <luyao.zhong@intel.com>
Signed-off-by: LeiZhang <lei.a.zhang@intel.com>
Luyao Zhong added 7 commits September 26, 2022 05:08
Add docs for building TLS bumping
80af398 
Signed-off-by: Luyao Zhong <luyao.zhong@intel.com>
Add docs for testing TLS bumping without CONNECT
a5e1eae 
Signed-off-by: Luyao Zhong <luyao.zhong@intel.com>
Add config for bumping with http connect case (#308)
3220a4a 
Signed-off-by: LeiZhang <lei.a.zhang@intel.com>
Add config for TLS splicing without HTTP CONNECT case
57516e9 
Signed-off-by: Luyao Zhong <luyao.zhong@intel.com>
Add config for TLS splicing with HTTP CONNECT case
7cce455 
Signed-off-by: Luyao Zhong <luyao.zhong@intel.com>
Add config for TLS splicing/bumping w/wo HTTP CONNECT
3193b15 
Signed-off-by: Luyao Zhong <luyao.zhong@intel.com>
Improve doc with testing details (#309)
943ec27 
Signed-off-by: LeiZhang <lei.a.zhang@intel.com>
@ipuustin ipuustin mentioned this pull request Sep 30, 2022
Merged
lei zhang and others added 2 commits October 12, 2022 15:54
Expiration time check (#320)
83604db 
Add config for setting cert expiration time
Bumping filter refactor

Signed-off-by: LeiZhang <lei.a.zhang@intel.com>

Signed-off-by: LeiZhang <lei.a.zhang@intel.com>
Update splicing/bumping config to cover more test cases
b226bf6 
Signed-off-by: Luyao Zhong <luyao.zhong@intel.com>
@LuyaoZhong LuyaoZhong mentioned this pull request Oct 12, 2022
Closed
lei zhang and others added 7 commits October 13, 2022 20:40
Fix issues of subject and expiration time (#322)
cf12527 
Fix issue of incorrectly copy cert subject to mimic cert. Use cert expiration time when expiration_time config is absent.

Signed-off-by: LeiZhang <lei.a.zhang@intel.com>
Update config to cover http2 test case
0d44583 
Signed-off-by: Luyao Zhong <luyao.zhong@intel.com>
skip duplicate certs check
3148d12 
Current local cert provider might generates multiple certs with
the same SANs/CN and pkey type which is not our expectation,
we need to fix the bug in cert provider and then restore this check

Signed-off-by: Luyao Zhong <luyao.zhong@intel.com>
Fix doc (#325)
f1d6b6c 
Add more detail on how to import CA.

Signed-off-by: LeiZhang <lei.a.zhang@intel.com>
@wrowe
repo: Dev 1.24.1-dev (envoyproxy#23573)
9b83bb5 
Signed-off-by: William A Rowe Jr <wrowe@vmware.com>
@dio
backport: tools, github: Add current SOURCE_VERSION writer (envoyprox…
d9707e2 
…y#23638)

Cherry-picked from:

- 9dcd806
- 8e73e50

Signed-off-by: Dhi Aurrahman <dio@rockybars.com>
Fix lacking sni of tls handshake in bumping filter (#329)
204bf24 
Signed-off-by: LeiZhang <lei.a.zhang@intel.com>
This was referenced Oct 28, 2022
Closed
Closed
@LuyaoZhong LuyaoZhong mentioned this pull request Oct 31, 2022
Open
@phlax
backport: ocsp: rotate certs of test data to fix flaky tests (envoypr…
e02d9f9 
…oxy#23635)

Signed-off-by: wbpcode <wangbaiping@corp.netease.com>
Signed-off-by: Ryan Northey <ryan@synca.io>

Signed-off-by: code <wangbaiping@corp.netease.com>
Luyao Zhong and others added 6 commits December 20, 2022 08:43
fix format
5fa1686 
Signed-off-by: Luyao Zhong <luyao.zhong@intel.com>
fix test case
f5ab367 
Signed-off-by: Luyao Zhong <luyao.zhong@intel.com>
Fix active tcp listener test (#351)
0c1f07c 
Signed-off-by: LeiZhang <lei.a.zhang@intel.com>
fix code format and fix spelling format
ec6e7fb 
Signed-off-by: Luyao Zhong <luyao.zhong@intel.com>
fix clang_tidy warning
c035b55 
fix clang_tidy warnings and fix format

Signed-off-by: Luyao Zhong <luyao.zhong@intel.com>
add tests for certificate provider manager
8a81c11 
Signed-off-by: Luyao Zhong <luyao.zhong@intel.com>
@repokitteh-read-only
Copy link
Copy Markdown

repokitteh-read-only bot commented Jan 6, 2023

CC @envoyproxy/runtime-guard-changes: FYI only for changes made to (source/common/runtime/runtime_features.cc).

🐱

Caused by: #23192 was synchronize by LuyaoZhong.

see: more, trace.

@github-actions
Copy link
Copy Markdown

github-actions bot commented Feb 5, 2023

This pull request has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in 7 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions!

@github-actions github-actions bot added the stale stalebot believes this issue/PR has not been touched recently label Feb 5, 2023
@github-actions
Copy link
Copy Markdown

github-actions bot commented Feb 12, 2023

This pull request has been automatically closed because it has not had activity in the last 37 days. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions!

@github-actions github-actions bot closed this Feb 12, 2023
@LuyaoZhong
Copy link
Copy Markdown
Author

LuyaoZhong commented Mar 8, 2023

@mattklein123 Could you help reopen this draft PR?

@mattklein123 mattklein123 reopened this Mar 8, 2023
@github-actions github-actions bot removed the stale stalebot believes this issue/PR has not been touched recently label Mar 8, 2023
@ohadvano
Copy link
Copy Markdown
Contributor

ohadvano commented Mar 13, 2023

@LuyaoZhong in your design and implementation, is it expected that the TCP proxy/HCM would re-use the connection that was opened for fetching the certificate? Or would Envoy end up with 2 upstream connections per 1 downstream request that includes mimicking?

@LuyaoZhong
Copy link
Copy Markdown
Author

LuyaoZhong commented Mar 14, 2023
edited
Loading

n your design and implementation, is it expected that the TCP proxy/HCM would re-use the connection that was opened for fetching the certificate? Or would Envoy end up with 2 upstream connections per 1 downstream request that includes mimicking?

We will not re-use the connection. So envoy would have 2 upstream connections per 1 downstream request if mimicking is required. And when corresponding mimic cert is ready, we don't need addition upstream connection, then it will be 1 upstream connection per 1 downstream request. But we hope it can re-use if it doesn't need dramatic change, do you have any suggestions?

Would you mind share your use case?

@ohadvano
Copy link
Copy Markdown
Contributor

ohadvano commented Mar 14, 2023

My use case is somewhat similar, but instead of having Envoy do the mimicking, I would like to query an external service that would do the mimicking and respond with a certificate. The problem I had in mind was that if an external service does this, then there would be no re-use of connections, and we'll end up with 2 TCP streams per 1 downstream request. However, seems like there's no better option at this time and supporting this on Envoy would be very expensive.

In my case I'm investigating the option to integrate this as part of the SDS. Meaning that if a secret is unknown at TLS handshake time, Envoy will pause the handshake and call SDS to fetch the certificate on-demand. Then, since SDS is external service, it can do whatever it wants at the time the request for fetch was invoked. It can either respond with yet-provided secret (that is known to SDS), or it can have logic to do mimicking on the fly.
Since you were doing some work on this, I was hoping to get your ideas on this method and has this been looked into.

Current problem with SDS is that it does not support "Give me all you have" or "Fetch on-demand" features. You have to subscribe to a named resource statically and SDS will only provide secrets for these subscriptions.
Further context: #25958

@github-actions
Copy link
Copy Markdown

github-actions bot commented Apr 13, 2023

This pull request has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in 7 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions!

@github-actions github-actions bot added the stale stalebot believes this issue/PR has not been touched recently label Apr 13, 2023
@LuyaoZhong
Copy link
Copy Markdown
Author

LuyaoZhong commented Apr 13, 2023

wip

@github-actions github-actions bot removed the stale stalebot believes this issue/PR has not been touched recently label Apr 13, 2023
@github-actions
Copy link
Copy Markdown

github-actions bot commented May 13, 2023

This pull request has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in 7 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions!

@github-actions github-actions bot added the stale stalebot believes this issue/PR has not been touched recently label May 13, 2023
@LuyaoZhong
Copy link
Copy Markdown
Author

LuyaoZhong commented May 15, 2023

wip

@github-actions github-actions bot removed the stale stalebot believes this issue/PR has not been touched recently label May 15, 2023
@github-actions
Copy link
Copy Markdown

github-actions bot commented Jun 14, 2023

This pull request has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in 7 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions!

@github-actions github-actions bot added the stale stalebot believes this issue/PR has not been touched recently label Jun 14, 2023
@github-actions
Copy link
Copy Markdown

github-actions bot commented Jun 21, 2023

This pull request has been automatically closed because it has not had activity in the last 37 days. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions!

@github-actions github-actions bot closed this Jun 21, 2023
@MarkRx
Copy link
Copy Markdown

MarkRx commented May 9, 2025

What ever happened to this?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@yanavlasov yanavlasov Awaiting requested review from yanavlasov yanavlasov will be requested when the pull request is marked ready for review yanavlasov is a code owner

@mattklein123 mattklein123 Awaiting requested review from mattklein123 mattklein123 will be requested when the pull request is marked ready for review mattklein123 is a code owner

@kyessenov kyessenov Awaiting requested review from kyessenov kyessenov will be requested when the pull request is marked ready for review kyessenov is a code owner

@adisuissa adisuissa Awaiting requested review from adisuissa adisuissa will be requested when the pull request is marked ready for review adisuissa is a code owner

@RyanTheOptimist RyanTheOptimist Awaiting requested review from RyanTheOptimist RyanTheOptimist will be requested when the pull request is marked ready for review RyanTheOptimist is a code owner

@ggreenway ggreenway Awaiting requested review from ggreenway ggreenway will be requested when the pull request is marked ready for review ggreenway is a code owner

@botengyao botengyao Awaiting requested review from botengyao botengyao will be requested when the pull request is marked ready for review botengyao is a code owner

@agrawroh agrawroh Awaiting requested review from agrawroh agrawroh will be requested when the pull request is marked ready for review agrawroh is a code owner

@phlax phlax Awaiting requested review from phlax phlax will be requested when the pull request is marked ready for review phlax is a code owner

@jwendell jwendell Awaiting requested review from jwendell jwendell will be requested when the pull request is marked ready for review jwendell is a code owner

Assignees

@moderation moderation

@mattklein123 mattklein123

Labels

api deps Approval required for changes to Envoy's external dependencies stale stalebot believes this issue/PR has not been touched recently

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.