feat(translator): client tls session resumption #4293
Codecov Report: All modified and coverable lines are covered by tests ✅

@@ Coverage Diff @@
##             main    #4293      +/-   ##
==========================================
- Coverage   65.81%   65.79%   -0.02%
==========================================
  Files         200      200
  Lines       24177    24190      +13
==========================================
+ Hits        15911    15917       +6
- Misses       7129     7134       +5
- Partials     1137     1139       +2
Following yesterday's community meeting, some additional industry context. Currently, Mozilla's SSL config generator recommends disabling stateless resumption (session tickets) for nginx, apache and haproxy for security reasons.
This is mostly due to insufficient rotation of session ticket encryption keys in these projects. There is an ongoing discussion on changing the recommendation for newer versions of nginx where keys are rotated: mozilla/server-side-tls#135. BoringSSL rotates encryption keys by default every 48 hours: https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#Session-tickets. Envoy doesn't change this behavior or make the rotation schedule configurable. Industry leaders like Cloudflare rotate session ticket encryption keys every hour: https://blog.cloudflare.com/keyless-ssl-the-nitty-gritty-technical-details/. There is no security recommendation to disable stateful session resumption. However:
nginx ingress by default disables stateful and stateless session resumption, but makes it possible to opt-in:
I propose that we change the current behavior and disable both resumption methods by default, but allow users to opt-in similar to nginx ingress.
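The trade-off behind the ticket-key rotation discussion above, shown with Go's crypto/tls as an added example (this is not code from the PR or from Envoy Gateway): a client holding a session ticket keeps resuming across a key rotation only while the server still accepts the previous key for decryption; once that key is discarded the client falls back to a full handshake. The in-process server over net.Pipe, its self-signed certificate and the ticket keys are all constructed for this example, and TLS 1.2 is pinned so the ticket is delivered inside the handshake itself.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// configs builds an in-memory pair: a throwaway self-signed certificate (constructed here) pinned by the
// client, a client-side session cache so tickets are kept, and TLS 1.2 so the ticket travels inside the handshake.
func configs() (*tls.Config, *tls.Config) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example"},
		DNSNames: []string{"example"}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	srv := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: priv}}, MaxVersion: tls.VersionTLS12}
	return srv, &tls.Config{RootCAs: pool, ServerName: "example", ClientSessionCache: tls.NewLRUClientSessionCache(8)}
}

// handshake runs one handshake over net.Pipe and reports whether the client resumed a session.
func handshake(srv, cli *tls.Config) (bool, error) {
	a, b := net.Pipe()
	defer a.Close()
	defer b.Close()
	go tls.Server(a, srv).Handshake() // server-side failures surface to the client as alerts
	c := tls.Client(b, cli)
	if err := c.Handshake(); err != nil {
		return false, err
	}
	return c.ConnectionState().DidResume, nil
}

// ResumesAcrossRotation issues a ticket under `before` (the first key encrypts new tickets, every key
// may decrypt), rotates the server to `after`, and reports whether the client's stored ticket still resumes.
func ResumesAcrossRotation(before, after [][32]byte) (bool, error) {
	srv, cli := configs()
	srv.SetSessionTicketKeys(before)
	if _, err := handshake(srv, cli); err != nil { // full handshake; the client stores its ticket
		return false, err
	}
	srv.SetSessionTicketKeys(after)
	return handshake(srv, cli)
}
```

Rotating to a fresh key while keeping the old one for decryption is what keeps resumption working on a schedule such as the hourly or 48-hour cadences mentioned above; dropping the old key outright is what bounds the window a single key protects.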
Signed-off-by: Guy Daich <[email protected]>
@@ -69,3 +79,56 @@ spec: | |||
- kind: "Secret" | |||
group: "" | |||
name: "client-mtls-certificate" | |||
--- |
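Review bot: nothing records how the certificate material behind the `name: "client-mtls-certificate"` Secret at the end of this hunk was generated; add a comment or a small generation script beside the fixture (command, key type, validity period) so the certificate can be regenerated when it expires.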
need to record how this is generated for future maintenance.
api/v1alpha1/tls_types.go
Outdated
// of different resumption methods. Performance gains from resumption are diminished when | ||
// Envoy proxy is deployed with more than one replica. | ||
// +optional | ||
SessionResumptionSettings *SessionResumptionSettings `json:"sessionResumption,omitempty"` |
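Review bot: in this hunk the Go field `SessionResumptionSettings` carries the tag `json:"sessionResumption,omitempty"`, so the Go name and the YAML key disagree; rename the field to `SessionResumption` to match the tag. The doc comment should also say why gains shrink with more than one replica: a resumption attempt only succeeds when the client reconnects to a replica that can recognise its session, so with several replicas many attempts fall back to a full handshake.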
prefer SessionResumption
api/v1alpha1/tls_types.go
Outdated
SessionTimeout *gwapiv1.Duration `json:"sessionTimeout,omitempty"` | ||
|
||
// SessionResumptionSettings determine the proxy's supported TLS session resumption option. | ||
// By default, Envoy Gateway does not enable session resumption. Use sessionResumption to | ||
// enable stateful and stateless session resumption. Users should consider security impacts | ||
// of different resumption methods. Performance gains from resumption are diminished when | ||
// Envoy proxy is deployed with more than one replica. | ||
// +optional | ||
SessionResumptionSettings *SessionResumption `json:"sessionResumption,omitempty"` |
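Review bot: `SessionResumptionSettings *SessionResumption` still has the old field name although the type and the `json:"sessionResumption"` tag were renamed, and the comment above it (`// SessionResumptionSettings determine ...`) describes it under that name; rename the field to `SessionResumption`, update the comment to match, and change "determine" to "determines".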
can we use the following structure?
session:
  timeout:
  resumption:
if there are more than one property with the session prefix, prefer to move them into a struct.
Should the timeout be part of the sessionResumption setting?
Well, it seems that different implementations have different meanings for session timeout.
BoringSSL seems to treat this as a hard timeout after which a new handshake is required:
This is how long we are willing to use the secret to encrypt traffic without fresh key material.
In envoy, this is also used as a hint on session tickets.
OpenSSL seems to treat this as a soft timeout after which resumption cannot occur, but an active session may still continue (?):
Whenever a new session is negotiated, it is assigned a timeout value, after which it will not be accepted for session reuse.
@arkodg requested that we leave sessionTimeout out of this PR. I will change the API to @zirain's proposal, to support the future addition of session-related settings that are not specific to resumption.
api/v1alpha1/tls_types.go
Outdated
@@ -15,6 +15,10 @@ type ClientTLSSettings struct { | |||
// +optional | |||
ClientValidation *ClientValidationContext `json:"clientValidation,omitempty"` | |||
TLSSettings `json:",inline"` | |||
|
|||
// Session defines setting related to TLS session management. |
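Review bot: the added comment `// Session defines setting related to TLS session management.` should read `settings`, and it should state what happens when the field is omitted (no session resumption, as the resumption doc comment in this PR already says) so the opt-in nature of the knob is visible at the top level of ClientTLSSettings.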
// Session defines setting related to TLS session management. | |
// Session defines settings related to TLS session management. |
api/v1alpha1/tls_types.go
Outdated
|
||
// Session defines setting related to TLS session management. | ||
type Session struct { | ||
// Resumption determine the proxy's supported TLS session resumption option. |
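Review bot: `// Resumption determine the proxy's supported TLS session resumption option.` needs `determines`, and `option` should be `options`, since the struct covers both the stateful and the stateless method; say whether the two can be enabled independently.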
// Resumption determine the proxy's supported TLS session resumption option. | |
// Resumption determines the proxy's supported TLS session resumption option. |
@@ -30,6 +30,8 @@ http: | |||
minVersion: "1.0" | |||
alpnProtocols: | |||
- some-other-protocol | |||
sessionTimeout: 30s |
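Review bot: `sessionTimeout: 30s` at the end of this hunk is still present in the test input although the thread agreed to leave `sessionTimeout` out of this PR; drop it so the fixture only exercises the `session`/`resumption` API the PR ships.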
sessionTimeout clean up needed here
require user-facing doc.
LGTM, Thanks.
What type of PR is this?
What this PR does / why we need it:
Introduces an API for TLS session management:
Which issue(s) this PR fixes:
Fixes #4268, #2422, #2421