Skip to content

add auto_sni and auto_san field in ClientTLSSettings #1773

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 4 commits into from
Closed

add auto_sni and auto_san field in ClientTLSSettings #1773

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
e0d40c6
add auto_sni and auto_san field in ClientTLSSettings
ZhiHanZ Dec 4, 2020
7d9158b
make clean gen && make proto-commit
ZhiHanZ Dec 4, 2020
1f871b5
updated commet for some notes
ZhiHanZ Dec 4, 2020
c827fe7
make clean gen && make proto-commit
ZhiHanZ Dec 4, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3,225 changes: 2,199 additions & 1,026 deletions kubernetes/customresourcedefinitions.gen.yaml
View file
Open in desktop

Large diffs are not rendered by default.

7 changes: 7 additions & 0 deletions mesh/v1alpha1/istio.mesh.v1alpha1.gen.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1273,6 +1273,13 @@
"description": "SNI string to present to the server during TLS handshake.",
"type": "string",
"format": "string"
},
"autoSni": {
"description": "auto_sni and auto_san could automatically set the outbound SNI based on host/authority **NOTE:** auto_sni and auto_san fields are only applicable for HTTPs traffic when auto_sni field set as true, it will override the sni set above. Additional context: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-upstreamhttpprotocoloptions-auto-sni https://github.com/istio/istio/issues/27847",
"type": "boolean"
},
"autoSan": {
"type": "boolean"
}
}
},
Expand Down
7 changes: 7 additions & 0 deletions networking/v1alpha3/destination_rule.gen.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -230,6 +230,13 @@
"description": "SNI string to present to the server during TLS handshake.",
"type": "string",
"format": "string"
},
"autoSni": {
"description": "auto_sni and auto_san could automatically set the outbound SNI based on host/authority **NOTE:** auto_sni and auto_san fields are only applicable for HTTPs traffic when auto_sni field set as true, it will override the sni set above. Additional context: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-upstreamhttpprotocoloptions-auto-sni https://github.com/istio/istio/issues/27847",
"type": "boolean"
},
"autoSan": {
"type": "boolean"
}
}
},
Expand Down
323 changes: 207 additions & 116 deletions networking/v1alpha3/destination_rule.pb.go
View file
Open in desktop

Large diffs are not rendered by default.

26 changes: 26 additions & 0 deletions networking/v1alpha3/destination_rule.pb.html
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

9 changes: 9 additions & 0 deletions networking/v1alpha3/destination_rule.proto
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -952,6 +952,15 @@ message ClientTLSSettings {

// SNI string to present to the server during TLS handshake.
string sni = 6;
// auto_sni and auto_san could automatically set the outbound SNI
Copy link
Contributor

@lizan lizan Dec 4, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Document this only works with HTTPS traffic, and when auto_sni is true it will override the sni set above.

Copy link
Author

@ZhiHanZ ZhiHanZ Dec 4, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

added notes on them

// based on host/authority
// **NOTE:** auto_sni and auto_san fields are only applicable for HTTPs traffic
// when auto_sni field set as true, it will override the sni set above.
// Additional context:
// https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-upstreamhttpprotocoloptions-auto-sni
// https://github.com/istio/istio/issues/27847
bool auto_sni = 8;
Copy link
Contributor

@costinm costinm Dec 5, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unless I missed something, the RFC does require that a HTTPs client sets the SNI this way. It is a bug to not do so - I don't think we need an API to indicate we should be compatible with the RFC.

I'm not sure what auto_san does in this context - but if it's about following the RFC it is also redundant.

A bigger issue is that the default value of bool in proto is false - meaning that if user doesn't include the new fields, the default behavior would be non-standard.

I don't think the API need a 'non-standard' mode - and for upgrade issues we can use an temporary internal env variable like we did in the past, not a long-term supported API change.

Copy link
Contributor

@lizan lizan Dec 7, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@costinm RFC does not mandate HTTPS client to set SNI (it can be not set at all) / verify SAN in this way, RFC 2818 says

If the client has external information as to the expected identity of
the server, the hostname check MAY be omitted.

In most of Istio service-to-service communication in mTLS, we don't set SNI or verify SAN in this way, but we use SVID to perform the identity verification. This only need to be set for certain egress cases.

Copy link

@songdongsheng songdongsheng Mar 11, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@lizan RFC 7540 said:

The TLS implementation MUST support the Server Name Indication (SNI) [TLS-EXT] extension to TLS. HTTP/2 clients MUST indicate the target domain name when negotiating TLS.

RFC 2818 is too old and no longer reflects reality.

Copy link
Member

@howardjohn howardjohn Mar 22, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also I would note we DO always set an SNI. We just set our weird internal format (I think)

bool auto_san = 9;
}

// Locality-weighted load balancing allows administrators to control the
Expand Down
57 changes: 30 additions & 27 deletions proto.lock
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36038,28 +36038,6 @@
"name": "ingress_selector",
"type": "string"
},
{
"id": 10,
"name": "auth_policy",
"type": "AuthPolicy",
"options": [
{
"name": "deprecated",
"value": "true"
}
]
},
{
"id": 11,
"name": "rds_refresh_delay",
"type": "google.protobuf.Duration",
"options": [
{
"name": "deprecated",
"value": "true"
}
]
},
{
"id": 12,
"name": "enable_tracing",
Expand Down Expand Up @@ -36216,6 +36194,8 @@
48,
25,
30,
10,
11,
15,
16,
18,
Expand All @@ -36224,10 +36204,10 @@
21,
23,
29,
53,
37,
38,
39,
53
39
],
"reserved_names": [
"mixer_check_server",
Expand All @@ -36236,16 +36216,18 @@
"disable_mixer_http_reports",
"policy_check_fail_open",
"sidecar_to_telemetry_session_affinity",
"auth_policy",
"rds_refresh_delay",
"mixer_address",
"enable_client_side_policy_check",
"sds_uds_path",
"sds_refresh_delay",
"enable_sds_token_mount",
"sds_use_k8s_sa_jwt",
"termination_drain_duration",
"disable_report_batch",
"report_batch_max_entries",
"report_batch_max_time",
"termination_drain_duration"
"report_batch_max_time"
],
"messages": [
{
Expand Down Expand Up @@ -37084,6 +37066,11 @@
"id": 32,
"name": "proxy_stats_matcher",
"type": "ProxyStatsMatcher"
},
{
"id": 33,
"name": "hold_application_until_proxy_starts",
"type": "google.protobuf.BoolValue"
}
],
"maps": [
Expand Down Expand Up @@ -37722,6 +37709,16 @@
"id": 6,
"name": "sni",
"type": "string"
},
{
"id": 8,
"name": "auto_sni",
"type": "bool"
},
{
"id": 9,
"name": "auto_san",
"type": "bool"
}
]
},
Expand Down Expand Up @@ -42069,7 +42066,13 @@
"field": {
"id": 51,
"name": "addon_components",
"type": "ExternalComponentSpec"
"type": "ExternalComponentSpec",
"options": [
{
"name": "deprecated",
"value": "true"
}
]
}
}
]
Expand Down
Loading