From 7ab3aae6bd7a7edcc7d2523bd27053fcbbf05e62 Mon Sep 17 00:00:00 2001
From: Pengyuan Bian
Date: Fri, 15 Feb 2019 12:27:58 -0800
Subject: [PATCH 1/5] clearify server name comment

---
 policy/v1beta1/cfg.proto | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/policy/v1beta1/cfg.proto b/policy/v1beta1/cfg.proto
index 1bdfbba7886..19faf5c6189 100644
--- a/policy/v1beta1/cfg.proto
+++ b/policy/v1beta1/cfg.proto
@@ -490,8 +490,9 @@ message Tls {
 string custom_header = 5;
 }
 
- // Indicates the name of adapter backend which is useful for routing with
- // proxy-fronted backend.
+ // Used to config mixer TLS client to verify the hostname on the returned
+ // certificates. It is also included in the client's handshake to support
+ // virtual hosting.
 string server_name = 6;
 }
 
@@ -530,7 +531,8 @@ message Mutual {
 // include Istio CA certificates and system certificates in cert pool.
 string ca_certificates = 3;
 
- // Indicates the name of adapter backend server which is useful for routing with
- // proxy-fronted backend.
+ // Used to config mixer TLS client to verify the hostname on the returned
+ // certificates. It is also included in the client's handshake to support
+ // virtual hosting.
 string server_name = 4;
 }

From b8acbcd6e38805c7ba86393feecfb799a81c1b44 Mon Sep 17 00:00:00 2001
From: Pengyuan Bian
Date: Fri, 15 Feb 2019 12:47:16 -0800
Subject: [PATCH 2/5] proto gen

---
 policy/v1beta1/cfg.pb.go | 10 ++++++----
 policy/v1beta1/istio.policy.v1beta1.pb.html | 10 ++++++----
 2 files changed, 12 insertions(+), 8 deletions(-)

diff --git a/policy/v1beta1/cfg.pb.go b/policy/v1beta1/cfg.pb.go
index 54816031613..1c815f310dd 100644
--- a/policy/v1beta1/cfg.pb.go
+++ b/policy/v1beta1/cfg.pb.go
@@ -1309,8 +1309,9 @@ type Tls struct {
 // *Tls_AuthHeader_
 // *Tls_CustomHeader
 TokenType isTls_TokenType `protobuf_oneof:"token_type"`
- // Indicates the name of adapter backend which is useful for routing with
- // proxy-fronted backend.
+ // Used to config mixer TLS client to verify the hostname on the returned
+ // certificates. It is also included in the client's handshake to support
+ // virtual hosting.
 ServerName string `protobuf:"bytes,6,opt,name=server_name,json=serverName,proto3" json:"server_name,omitempty"`
 }
 
@@ -1638,8 +1639,9 @@ type Mutual struct {
 // verify the presented adapter certificates. By default Mixer should already
 // include Istio CA certificates and system certificates in cert pool.
 CaCertificates string `protobuf:"bytes,3,opt,name=ca_certificates,json=caCertificates,proto3" json:"ca_certificates,omitempty"`
- // Indicates the name of adapter backend server which is useful for routing with
- // proxy-fronted backend.
+ // Used to config mixer TLS client to verify the hostname on the returned
+ // certificates. It is also included in the client's handshake to support
+ // virtual hosting.
 ServerName string `protobuf:"bytes,4,opt,name=server_name,json=serverName,proto3" json:"server_name,omitempty"`
 }
 
diff --git a/policy/v1beta1/istio.policy.v1beta1.pb.html b/policy/v1beta1/istio.policy.v1beta1.pb.html
index f92ca16ff66..3bcaaf626ef 100644
--- a/policy/v1beta1/istio.policy.v1beta1.pb.html
+++ b/policy/v1beta1/istio.policy.v1beta1.pb.html
@@ -1012,8 +1012,9 @@

Mutual

serverName string -

Indicates the name of adapter backend server which is useful for routing with -proxy-fronted backend.

+

Used to config mixer TLS client to verify the hostname on the returned +certificates. It is also included in the client’s handshake to support +virtual hosting.

@@ -1328,8 +1329,9 @@

Tls

serverName string -

Indicates the name of adapter backend which is useful for routing with -proxy-fronted backend.

+

Used to config mixer TLS client to verify the hostname on the returned +certificates. It is also included in the client’s handshake to support +virtual hosting.

From a812b749fff761b6e63f4610dc88c67f36e5c72f Mon Sep 17 00:00:00 2001
From: Pengyuan Bian
Date: Tue, 19 Feb 2019 11:15:37 -0800
Subject: [PATCH 3/5] update comment of server name field in MTLS.

---
 policy/v1beta1/cfg.pb.go | 7 ++++---
 policy/v1beta1/cfg.proto | 7 ++++---
 policy/v1beta1/istio.policy.v1beta1.pb.html | 7 ++++---
 3 files changed, 12 insertions(+), 9 deletions(-)

diff --git a/policy/v1beta1/cfg.pb.go b/policy/v1beta1/cfg.pb.go
index 1c815f310dd..b10666c1e20 100644
--- a/policy/v1beta1/cfg.pb.go
+++ b/policy/v1beta1/cfg.pb.go
@@ -1639,9 +1639,10 @@ type Mutual struct {
 // verify the presented adapter certificates. By default Mixer should already
 // include Istio CA certificates and system certificates in cert pool.
 CaCertificates string `protobuf:"bytes,3,opt,name=ca_certificates,json=caCertificates,proto3" json:"ca_certificates,omitempty"`
- // Used to config mixer TLS client to verify the hostname on the returned
- // certificates. It is also included in the client's handshake to support
- // virtual hosting.
+ // Used to config mixer MTLS client, which will be included in the mixer's handshake
+ // with out of process adapter to support virtual hosting. Note server name will not
+ // be used to verify hostname on returned adapter certs, since mixer does customized
+ // verification of whitelisted SubjectAltName for MTLS.
 ServerName string `protobuf:"bytes,4,opt,name=server_name,json=serverName,proto3" json:"server_name,omitempty"`
 }
 
diff --git a/policy/v1beta1/cfg.proto b/policy/v1beta1/cfg.proto
index 19faf5c6189..54676befc56 100644
--- a/policy/v1beta1/cfg.proto
+++ b/policy/v1beta1/cfg.proto
@@ -531,8 +531,9 @@ message Mutual {
 // include Istio CA certificates and system certificates in cert pool.
 string ca_certificates = 3;
 
- // Used to config mixer TLS client to verify the hostname on the returned
- // certificates. It is also included in the client's handshake to support
- // virtual hosting.
+ // Used to config mixer MTLS client, which will be included in the mixer's handshake
+ // with out of process adapter to support virtual hosting. Note server name will not
+ // be used to verify hostname on returned adapter certs, since mixer does customized
+ // verification of whitelisted SubjectAltName for MTLS.
 string server_name = 4;
 }
diff --git a/policy/v1beta1/istio.policy.v1beta1.pb.html b/policy/v1beta1/istio.policy.v1beta1.pb.html
index 3bcaaf626ef..ec558c9e177 100644
--- a/policy/v1beta1/istio.policy.v1beta1.pb.html
+++ b/policy/v1beta1/istio.policy.v1beta1.pb.html
@@ -1012,9 +1012,10 @@

Mutual

serverName string -

Used to config mixer TLS client to verify the hostname on the returned -certificates. It is also included in the client’s handshake to support -virtual hosting.

+

Used to config mixer MTLS client, which will be included in the mixer’s handshake +with out of process adapter to support virtual hosting. Note server name will not +be used to verify hostname on returned adapter certs, since mixer does customized +verification of whitelisted SubjectAltName for MTLS.

From 7dcaf4f709a9f3c18b3fcc1202228ad6e84dd3f3 Mon Sep 17 00:00:00 2001
From: Pengyuan Bian
Date: Fri, 1 Mar 2019 12:32:52 -0800
Subject: [PATCH 4/5] reword

---
 policy/v1beta1/cfg.pb.go | 12 +++++-------
 policy/v1beta1/cfg.proto | 12 +++++-------
 policy/v1beta1/istio.policy.v1beta1.pb.html | 12 +++++-------
 3 files changed, 15 insertions(+), 21 deletions(-)

diff --git a/policy/v1beta1/cfg.pb.go b/policy/v1beta1/cfg.pb.go
index b10666c1e20..f868157728a 100644
--- a/policy/v1beta1/cfg.pb.go
+++ b/policy/v1beta1/cfg.pb.go
@@ -1309,9 +1309,8 @@ type Tls struct {
 // *Tls_AuthHeader_
 // *Tls_CustomHeader
 TokenType isTls_TokenType `protobuf_oneof:"token_type"`
- // Used to config mixer TLS client to verify the hostname on the returned
- // certificates. It is also included in the client's handshake to support
- // virtual hosting.
+ // Used to configure mixer TLS client to verify the hostname on the returned
+ // certificates. It is also included in the client's handshake to support SNI.
 ServerName string `protobuf:"bytes,6,opt,name=server_name,json=serverName,proto3" json:"server_name,omitempty"`
 }
 
@@ -1639,10 +1638,9 @@ type Mutual struct {
 // verify the presented adapter certificates. By default Mixer should already
 // include Istio CA certificates and system certificates in cert pool.
 CaCertificates string `protobuf:"bytes,3,opt,name=ca_certificates,json=caCertificates,proto3" json:"ca_certificates,omitempty"`
- // Used to config mixer MTLS client, which will be included in the mixer's handshake
- // with out of process adapter to support virtual hosting. Note server name will not
- // be used to verify hostname on returned adapter certs, since mixer does customized
- // verification of whitelisted SubjectAltName for MTLS.
+ // Used to configure mixer MTLS client to supply server name for SNI.
+ // It is not used to verify the hostname of the peer certificate, since
+ // Istio verifies whitelisted SAN fields in mTLS.
 ServerName string `protobuf:"bytes,4,opt,name=server_name,json=serverName,proto3" json:"server_name,omitempty"`
 }
 
diff --git a/policy/v1beta1/cfg.proto b/policy/v1beta1/cfg.proto
index 54676befc56..5aed22678b8 100644
--- a/policy/v1beta1/cfg.proto
+++ b/policy/v1beta1/cfg.proto
@@ -490,9 +490,8 @@ message Tls {
 string custom_header = 5;
 }
 
- // Used to config mixer TLS client to verify the hostname on the returned
- // certificates. It is also included in the client's handshake to support
- // virtual hosting.
+ // Used to configure mixer TLS client to verify the hostname on the returned
+ // certificates. It is also included in the client's handshake to support SNI.
 string server_name = 6;
 }
 
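Review bot: The reworded Tls.server_name comment in the cfg.proto hunk says the value is used to verify the hostname on the returned certificate, but it does not say what happens when the field is left empty — whether verification falls back to the host portion of the adapter address or is skipped — and that is the case an operator most needs documented, because an unset value silently changing which identity is checked is how hostname verification tends to get lost. I would add one sentence after the SNI line, e.g. `// When empty, <FALLBACK — confirm against the dial code: host portion of the adapter address, or rejected>.`, filled in from the client code rather than guessed. "returned certificates" would also read more precisely as "the certificate presented by the adapter", since only the leaf is subject to hostname matching. The same wording is mirrored in the generated cfg.pb.go hunk above, so the fix belongs in the .proto followed by a regeneration. The enclosing message Tls starts outside this hunk.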
@@ -531,9 +530,8 @@ message Mutual {
 // include Istio CA certificates and system certificates in cert pool.
 string ca_certificates = 3;
 
- // Used to config mixer MTLS client, which will be included in the mixer's handshake
- // with out of process adapter to support virtual hosting. Note server name will not
- // be used to verify hostname on returned adapter certs, since mixer does customized
- // verification of whitelisted SubjectAltName for MTLS.
+ // Used to configure mixer MTLS client to supply server name for SNI.
+ // It is not used to verify the hostname of the peer certificate, since
+ // Istio verifies whitelisted SAN fields in mTLS.
 string server_name = 4;
 }
diff --git a/policy/v1beta1/istio.policy.v1beta1.pb.html b/policy/v1beta1/istio.policy.v1beta1.pb.html
index ec558c9e177..dbe4e164155 100644
--- a/policy/v1beta1/istio.policy.v1beta1.pb.html
+++ b/policy/v1beta1/istio.policy.v1beta1.pb.html
@@ -1012,10 +1012,9 @@

Mutual

serverName string -

Used to config mixer MTLS client, which will be included in the mixer’s handshake -with out of process adapter to support virtual hosting. Note server name will not -be used to verify hostname on returned adapter certs, since mixer does customized -verification of whitelisted SubjectAltName for MTLS.

+

Used to configure mixer MTLS client to supply server name for SNI. +It is not used to verify the hostname of the peer certificate, since +Istio verifies whitelisted SAN fields in mTLS.

@@ -1330,9 +1329,8 @@

Tls

serverName string -

Used to config mixer TLS client to verify the hostname on the returned -certificates. It is also included in the client’s handshake to support -virtual hosting.

+

Used to configure mixer TLS client to verify the hostname on the returned +certificates. It is also included in the client’s handshake to support SNI.

From e0323ad08313004500ba9c92eae5b534153ef3b6 Mon Sep 17 00:00:00 2001
From: Pengyuan Bian
Date: Mon, 4 Mar 2019 15:28:06 -0800
Subject: [PATCH 5/5] reword MTLS to mutual TLS

---
 policy/v1beta1/cfg.pb.go | 4 ++--
 policy/v1beta1/cfg.proto | 4 ++--
 policy/v1beta1/istio.policy.v1beta1.pb.html | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/policy/v1beta1/cfg.pb.go b/policy/v1beta1/cfg.pb.go
index f868157728a..3694c70bd51 100644
--- a/policy/v1beta1/cfg.pb.go
+++ b/policy/v1beta1/cfg.pb.go
@@ -1638,9 +1638,9 @@ type Mutual struct {
 // verify the presented adapter certificates. By default Mixer should already
 // include Istio CA certificates and system certificates in cert pool.
 CaCertificates string `protobuf:"bytes,3,opt,name=ca_certificates,json=caCertificates,proto3" json:"ca_certificates,omitempty"`
- // Used to configure mixer MTLS client to supply server name for SNI.
+ // Used to configure mixer mutual TLS client to supply server name for SNI.
 // It is not used to verify the hostname of the peer certificate, since
- // Istio verifies whitelisted SAN fields in mTLS.
+ // Istio verifies whitelisted SAN fields in mutual TLS.
 ServerName string `protobuf:"bytes,4,opt,name=server_name,json=serverName,proto3" json:"server_name,omitempty"`
 }
 
diff --git a/policy/v1beta1/cfg.proto b/policy/v1beta1/cfg.proto
index 5aed22678b8..e70b2dcf55f 100644
--- a/policy/v1beta1/cfg.proto
+++ b/policy/v1beta1/cfg.proto
@@ -530,8 +530,8 @@ message Mutual {
 // include Istio CA certificates and system certificates in cert pool.
 string ca_certificates = 3;
 
- // Used to configure mixer MTLS client to supply server name for SNI.
+ // Used to configure mixer mutual TLS client to supply server name for SNI.
 // It is not used to verify the hostname of the peer certificate, since
- // Istio verifies whitelisted SAN fields in mutual TLS.
 string server_name = 4;
 }
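Review bot: The final Mutual.server_name comment in the cfg.proto hunk tells the reader that the peer certificate's hostname is not verified because Istio checks whitelisted SAN fields, but it does not say where that SAN allowlist is configured or what happens when it is empty, so an operator reading this field cannot tell from its documentation what actually pins the adapter's identity in mutual TLS. A comment that explicitly removes the usual expectation of hostname verification should point at the check that replaces it, e.g. `// Peer identity is pinned by the SAN allowlist configured in <SETTING — confirm>, not by this field.`, with the setting name taken from the verification code rather than guessed. The same text is mirrored in the generated cfg.pb.go hunk above, so the change belongs in the .proto followed by a regeneration. The enclosing message Mutual starts outside this hunk.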
diff --git a/policy/v1beta1/istio.policy.v1beta1.pb.html b/policy/v1beta1/istio.policy.v1beta1.pb.html
index dbe4e164155..eae62809d7f 100644
--- a/policy/v1beta1/istio.policy.v1beta1.pb.html
+++ b/policy/v1beta1/istio.policy.v1beta1.pb.html
@@ -1012,9 +1012,9 @@

Mutual

serverName string -

Used to configure mixer MTLS client to supply server name for SNI. +

Used to configure mixer mutual TLS client to supply server name for SNI. It is not used to verify the hostname of the peer certificate, since -Istio verifies whitelisted SAN fields in mTLS.

+Istio verifies whitelisted SAN fields in mutual TLS.