Passive TLS inspector #34396
Labels
area/tls
enhancement
Feature requests. Not bugs or questions.
stale
stalebot believes this issue/PR has not been touched recently
Comments
howardjohn
added
enhancement
|
@howardjohn can I understand that it will also benefit StartTLS handling? |
|
I don't know much about StartTLS but I think that is unrelated and already supported by envoy |
|
This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions. |
github-actions
bot
added
the
stale
|
This issue has been automatically closed because it has not had activity in the last 37 days. If this issue is still valid, please ping a maintainer and ask them to label it as "help wanted" or "no stalebot". Thank you for your contributions. |
|
Can we reopen this? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Title: Passive TLS inspector
Description:
Envoy currently provides a tls_inspector. This is handy for many use cases.
One use case it is not great for is proxying arbitrary traffic, and logging TLS attributes (generally, the SNI). Use of the inspector causes blocking until enough data is read, which will never happen for server-first protocols like mysql.
Instead, I would like a 'passive' inspector. Data will flow through as-normal, but if it is found to be TLS, some state is stored. Eventually, I would expect to be able to log the SNI on connection termination using the standard access logger
The text was updated successfully, but these errors were encountered: