16 changes: 16 additions & 0 deletions api/sds.proto
@@ -59,6 +59,16 @@ message TlsCertificate {
repeated DataSource signed_certificate_timestamp = 5;
}

message TlsSessionTicketKeys {
// Keys to encrypt/decrypt TLS session tickets for session resumption. The first
// key is used to encrypt new tickets that are created. All keys are candidates
// for decrypting received tickets.
//
// Each key must be exactly 80 bytes long, containing cryptographically-secure random
// data. For example, the output of "openssl rand 80".
repeated DataSource keys = 1;
}

message CertificateValidationContext {
// TLS certificate data containing certificate authority certificates to use
// in verifying a presented certificate. If not specified and a certificate is
@@ -130,6 +140,11 @@ message DownstreamTlsContext {

// If specified, Envoy will reject connections without a valid and matching SNI.
google.protobuf.BoolValue require_sni = 3;

oneof session_ticket_keys {
TlsSessionTicketKeys keys = 4;
SdsSecretConfig config = 5;
}
}

message SdsSecretConfig {
@@ -145,5 +160,6 @@ message Secret {
string name = 1;
oneof type {
TlsCertificate tls_certificate = 2;
TlsSessionTicketKeys session_ticket_keys = 3;
}
}
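Review bot: The comment on `TlsSessionTicketKeys.keys` in the first hunk states the 80-byte length requirement but not that the material is secret or what it protects: whoever holds a ticket key can recover the session state of every ticket issued under it, so a leaked or never-rotated key removes forward secrecy for resumed sessions. I would extend the comment with `// These keys are secret material: protect them like a private key (prefer a file or SDS over inlining them in a config that may be logged or dumped), and rotate them regularly by adding the new key first and dropping the old one once tickets issued under it have expired.` Because a DataSource may be supplied inline, that comment is the only place telling operators which delivery option is safe. The hunk also does not say what happens when `keys` is present but empty (tickets disabled, or rejected at config load); I can't tell from the diff what the implementation does, but the contract should state it. As a style point, the `oneof session_ticket_keys` members in DownstreamTlsContext are named just `keys` and `config`, which read poorly as generated accessors; the more specific `session_ticket_keys` and `session_ticket_keys_sds_secret_config` would be clearer, and this is the moment to pick them since renaming after publication breaks JSON and generated code.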