Support 'untrusted' client certificate routing#5207
Conversation
… based on validation
|
@jimini-lumox what's the intended use case? Unvalidated TLS is not really any more secure than plain text.. |
|
@htuch unverified TLS provides protection against passive observers, so it's "slightly" better than plain text :) But this PR is about unauthenticated clients in mutual TLS, and not about server certificates. @jimini-lumox what exactly is your use case? |
|
We use Envoy as an Edge Proxy to host services, with thousands of devices in venues on a private network. Example Listener Config |
|
This pull request has been automatically marked as stale because it has not had activity in the last 7 days. It will be closed in 7 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions! |
|
Removed stale tag, this PR should be reviewed. @PiotrSikora WDYT? I'll give this another pass in the next day. |
htuch
left a comment
There was a problem hiding this comment.
The overall use case looks valid. Let's settle on the API/design before digging into the code.
I'm wondering if there are other approaches as well that might work. For example, what if we had a filter chain match fall-thru for when client certificates don't match, which could do the diversion. This would require us to make changes to the filter chain match criteria I think.
Also, there is quite a bit of similarity here between on-demand LDS or filter chain discovery and what you want to do. If we can hold a new connection in-flight, do the required access control lookup and then resume (and update the filter chain TLS context) then we would not need to recreate the connection after an xDS update.
WDYT? @PiotrSikora?
|
|
||
| // If specified, Envoy will not reject expired certificates. | ||
| bool allow_expired_certificate = 8; | ||
|
|
There was a problem hiding this comment.
Can you update the description at
envoy/api/envoy/api/v2/auth/cert.proto
Line 118 in e7d71aa
|
Oops, sorry for the delay, this felt off my radar. I think that we could simply add
I believe that this, combined with the existing Also, we already have the External Authorization filter, which should work even better, shouldn't it? wrt filter chain matching, we do TLS after the filter chain and its TLS context are already selected, so doing verification, and then re-picking filter chain with a different TLS context in case of success/failure would be rather challenging and quite messy, IMHO. |
|
+1 to what @PiotrSikora said. That's what I was thinking for this as well. |
|
Nice addition - probably worth including explicit release notes about it :-) |
|
This pull request has been automatically marked as stale because it has not had activity in the last 7 days. It will be closed in 7 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions! |
|
This pull request has been automatically closed because it has not had activity in the last 14 days. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions! |
|
Moved to #5501, so that we don't forget about this feature. |
Description: Add the ability to pass through and route 'untrusted' clients.
Unit tests have not been added yet - want to get an early idea whether this PR would be rejected due to possible security concerns etc..
By default the client validation rules are unchanged.
Additional validation context options:
'untrusted' (either not validated, or failed validation) client certificate details added to 'x-forwarded-untrusted-client-cert'
Risk Level: Medium
Testing: Manual so far - unit tests will be added
Docs Changes: API proto changes
Release Notes: N/A