Passive TLS inspector #34396
Comments
@howardjohn can I understand that it will also benefit StartTLS handling?
I don't know much about StartTLS but I think that is unrelated and already supported by Envoy.
This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.
This issue has been automatically closed because it has not had activity in the last 37 days. If this issue is still valid, please ping a maintainer and ask them to label it as "help wanted" or "no stalebot". Thank you for your contributions.
Can we reopen this?
Title: Passive TLS inspector
Description:
Envoy currently provides a tls_inspector. This is handy for many use cases.
One use case it is not great for is proxying arbitrary traffic and logging TLS attributes (generally, the SNI). Use of the inspector causes blocking until enough data is read, which will never happen for server-first protocols like MySQL.
Instead, I would like a 'passive' inspector. Data will flow through as normal, but if it is found to be TLS, some state is stored. Eventually, I would expect to be able to log the SNI on connection termination using the standard access logger.
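A sketch of the passive behaviour requested above, as an added example that is not part of the original issue and is not Envoy's `tls_inspector` code: the parser is handed whatever client-to-server bytes have been seen so far and returns a verdict immediately, so forwarding never waits on it. `Verdict`, `Cursor` and `inspect` are hypothetical names, and the sketch assumes the ClientHello fits in a single TLS record.

```cpp
#include <cstdint>
#include <string>
#include <vector>

enum class Verdict { NeedMore, NotTls, Tls };

// Bounds-checked cursor: a short read sets ok=false and the error is sticky.
struct Cursor {
  const uint8_t* p; size_t n; bool ok = true;
  uint32_t u(size_t w) {                            // w-byte big-endian integer
    if (!ok || n < w) { ok = false; return 0; }
    uint32_t v = 0;
    for (size_t i = 0; i < w; ++i) v = (v << 8) | p[i];
    p += w; n -= w; return v;
  }
  Cursor sub(size_t len) {                          // carve out a len-byte field
    if (!ok || n < len) { ok = false; return {p, 0, false}; }
    Cursor c{p, len}; p += len; n -= len; return c;
  }
};

// Fed every client-to-server byte seen so far; the proxy forwards data whatever
// the verdict. Assumption: the ClientHello fits in a single TLS record.
Verdict inspect(const std::vector<uint8_t>& buf, std::string& sni) {
  if (buf.empty()) return Verdict::NeedMore;        // client silent (server-first)
  if (buf[0] != 0x16 || (buf.size() > 1 && buf[1] != 0x03)) return Verdict::NotTls;
  if (buf.size() < 5) return Verdict::NeedMore;
  size_t rec_len = (size_t(buf[3]) << 8) | buf[4];
  if (buf.size() - 5 < rec_len) return Verdict::NeedMore;  // record still arriving
  Cursor rec{buf.data() + 5, rec_len};
  if (rec.u(1) != 0x01) return Verdict::NotTls;     // handshake type 1 = ClientHello
  Cursor hello = rec.sub(rec.u(3));
  hello.u(2); hello.sub(32); hello.sub(hello.u(1)); // version, random, session_id
  hello.sub(hello.u(2)); hello.sub(hello.u(1));     // cipher_suites, compression
  if (hello.ok && hello.n == 0) return Verdict::Tls;  // no extensions, so no SNI
  Cursor exts = hello.sub(hello.u(2));
  while (exts.ok && exts.n > 0) {
    uint32_t type = exts.u(2);
    Cursor body = exts.sub(exts.u(2));
    if (!exts.ok || type != 0) continue;            // extension 0 = server_name
    Cursor names = body.sub(body.u(2));
    uint32_t name_type = names.u(1);
    Cursor host = names.sub(names.u(2));
    if (host.ok && name_type == 0) sni.assign(host.p, host.p + host.n);
    break;
  }
  return exts.ok ? Verdict::Tls : Verdict::NotTls;
}
```

On a server-first connection the client buffer stays empty, so the verdict stays `NeedMore` for the life of the connection while data keeps flowing; the SNI, if one was ever seen, is simply the stored state available at connection close.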