config: add option for tls renogotiation

2025-06-27 15:08:14 +02:00 · 2022-11-28 12:20:01 -07:00 · 2022-11-28 12:20:01 -07:00 · 15d69424d9
commit 15d69424d9
parent fa0ba60aee
5 changed files with 604 additions and 530 deletions
--- a/config/envoyconfig/clusters.go
+++ b/config/envoyconfig/clusters.go
@ -307,7 +307,8 @@ func (b *Builder) buildPolicyTransportSocket(
 				ValidationContext: vc,
 			},
 		},
-		Sni: sni,
+		Sni:                sni,
+		AllowRenegotiation: policy.TLSUpstreamAllowRenegotiation,
 	}
 	if policy.ClientCertificate != nil {
 		tlsContext.CommonTlsContext.TlsCertificates = append(tlsContext.CommonTlsContext.TlsCertificates,
--- a/config/envoyconfig/clusters_test.go
+++ b/config/envoyconfig/clusters_test.go
@ -429,6 +429,61 @@ func Test_buildPolicyTransportSocket(t *testing.T) {
 			}
 		`, ts)
 	})
+	t.Run("allow renegotiation", func(t *testing.T) {
+		ts, err := b.buildPolicyTransportSocket(ctx, o1, &config.Policy{
+			To:                            mustParseWeightedURLs(t, "https://example.com"),
+			TLSUpstreamAllowRenegotiation: true,
+		}, *mustParseURL(t, "https://example.com"))
+		require.NoError(t, err)
+		testutil.AssertProtoJSONEqual(t, `
+			{
+				"name": "tls",
+				"typedConfig": {
+					"@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext",
+					"allowRenegotiation": true,
+					"commonTlsContext": {
+						"alpnProtocols": ["h2", "http/1.1"],
+						"tlsParams": {
+							"cipherSuites": [
+								"ECDHE-ECDSA-AES256-GCM-SHA384",
+								"ECDHE-RSA-AES256-GCM-SHA384",
+								"ECDHE-ECDSA-AES128-GCM-SHA256",
+								"ECDHE-RSA-AES128-GCM-SHA256",
+								"ECDHE-ECDSA-CHACHA20-POLY1305",
+								"ECDHE-RSA-CHACHA20-POLY1305",
+								"ECDHE-ECDSA-AES128-SHA",
+								"ECDHE-RSA-AES128-SHA",
+								"AES128-GCM-SHA256",
+								"AES128-SHA",
+								"ECDHE-ECDSA-AES256-SHA",
+								"ECDHE-RSA-AES256-SHA",
+								"AES256-GCM-SHA384",
+								"AES256-SHA"
+							],
+							"ecdhCurves": [
+								"X25519",
+								"P-256",
+								"P-384",
+								"P-521"
+							]
+						},
+						"validationContext": {
+							"matchTypedSubjectAltNames": [{
+								"sanType": "DNS",
+								"matcher": {
+									"exact": "example.com"
+								}
+							}],
+							"trustedCa": {
+								"filename": "`+rootCA+`"
+							}
+						}
+					},
+					"sni": "example.com"
+				}
+			}
+		`, ts)
+	})
 }

 func Test_buildCluster(t *testing.T) {
--- a/config/policy.go
+++ b/config/policy.go
@ -119,6 +119,9 @@ type Policy struct {
 	TLSDownstreamClientCA     string `mapstructure:"tls_downstream_client_ca" yaml:"tls_downstream_client_ca,omitempty"`
 	TLSDownstreamClientCAFile string `mapstructure:"tls_downstream_client_ca_file" yaml:"tls_downstream_client_ca_file,omitempty"`

+	// TLSUpstreamAllowRenegotiation allows server-initiated TLS renegotiation.
+	TLSUpstreamAllowRenegotiation bool `mapstructure:"tls_upstream_allow_renegotiation" yaml:"allow_renegotiation,omitempty"`
+
 	// SetAuthorizationHeader sets the authorization request header based on the user's identity. Supported modes are
 	// `pass_through`, `access_token` and `id_token`.
 	SetAuthorizationHeader string `mapstructure:"set_authorization_header" yaml:"set_authorization_header,omitempty"`
--- a/pkg/grpc/config/config.pb.go
+++ b/pkg/grpc/config/config.pb.go
--- a/pkg/grpc/config/config.proto
+++ b/pkg/grpc/config/config.proto
@ -90,6 +90,8 @@ message Route {
  string tls_downstream_client_ca = 38;
  string tls_downstream_client_ca_file = 39;

+  bool tls_upstream_allow_renegotiation = 60;
+
  map<string, string> set_request_headers = 22;
  repeated string remove_request_headers = 23;
  map<string, string> set_response_headers = 41;