Support For Extended TLS Settings #41645
Comments
This requirement makes me think about whether we should introduce an extensions API in Istio; these APIs can iterate quickly and we do not need to guarantee their compatibility. Like ratelimit, it has been there a long time, but without much progress.
How is an extension API different from Envoy filters?
One case for it: it's available for the Kubernetes Gateway API, as HTTPRoute is first class.
As per offline discussion with @howardjohn, the API PR (istio/api#2014) can be rebased and taken forward.
Just an update: the proposal that was finally accepted and the implementation that got merged is to have a global MeshConfig setting for ECDH curves for all non-ISTIO_MUTUAL TLS traffic.
@kfaseela We are running with Istio version 1.13.2. I tried an EnvoyFilter with ECDH curves, which did not work for me. Are there any limitations in EnvoyFilter as well?
We have not faced any problems using the EnvoyFilter. Istio support for ecdhCurves in MeshConfig is already merged, just in case you want to try it.
@kfaseela Thanks for replying. Yes, we do have a plan to upgrade soon. In the meantime I would like to unblock the issue. Do you see any issue in the EnvoyFilter?
At a high level, the filter looks good. Make sure the label used in workloadSelector matches the gateway label (it might be different based on the Istio installation method).
P-256 and X25519 work; all the rest fail in the handshake.
Those are the default curves on Envoy. Did you check if the filter is really applied? What are the labels present on your gateway?
Yes. I see this error in the ingress pods when I enable debug. Is any extra configuration required in Istio 1.13.2 to support ECDH configuration?
I have not used the config with 1.13 before. I tried only with 1.16, I guess.
We do use extra cipher suites at the gateway; would that be causing any issue here?
I'm not with my laptop right now, but I think the name recognized by Envoy is P-384 instead of secp384r1. I would have to check in detail tomorrow.
I just see the set of supported ECDH curves in Envoy as
@kfaseela Yes, working now. Thank you so much for the help.
@kfaseela I need one more bit of help: with TLS 1.3 it works, and 1.2 fails with the ECDH cipher? Is there any configuration we need here?
Is TLS 1.2 working for you without ECDH curves?
@kfaseela Yes, it works with TLS 1.2 without curves. I suspect it is something to do with the external DigiCert certificate we have at the ingress layer, created using RSA. envoyproxy/envoy#8983??
Describe the feature request
We are looking into configuring additional TLS settings in ingress and egress (currently we use basically the defaults).
As per the analysis, it would have been nice if Istio allowed configuring more attributes beyond the cipher suite list.
For example, we must be able to configure elliptic curves (ECDH parameters). Fortunately, Envoy has support for this, but in Istio it is not exposed yet (so the only way to do this currently is with an EnvoyFilter). We will also need to configure the signature schemes (e.g. rsa_pkcs1_sha256, rsa_pss_rsae_sha256, ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384). Unfortunately, the signature scheme is not configurable in Envoy either, and we will initiate a separate request for the same in Envoy.
There have been different efforts/discussions in Istio in similar lines. Please see below:
So, the requirements:
Describe alternatives you've considered
As Envoy supports some of these params already, we can configure the same using EnvoyFilters. However, it would be nice to have these supported using Istio standard APIs.
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: gateway-tls-curves
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  # applyTo was missing from the pasted filter; FILTER_CHAIN is the level that carries transport_socket
  - applyTo: FILTER_CHAIN
    match:
      context: GATEWAY
      listener:
        name: "0.0.0.0_8443"
    patch:
      operation: MERGE
      value:
        transport_socket:
          name: envoy.transport_sockets.tls
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
            common_tls_context:
              tls_params:
                ecdh_curves:
                - P-256
                - X25519
```
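To check what a restricted `ecdh_curves` list like the one above does to real clients, the following added example (not part of the issue or of Istio/Envoy) parses the supported_groups and signature_algorithms extensions out of a raw TLS ClientHello record, such as one captured in front of the gateway, and reports which offered groups the gateway configuration would still accept; an empty intersection is the handshake failure described in the thread. The sample ClientHello is constructed inline, and the Envoy curve names (P-256, P-384, X25519) are taken from the thread.

```python
import struct

# IANA codepoints (RFC 8422 / RFC 8446) and the names Envoy's tls_params.ecdh_curves uses for them
GROUPS = {0x0017: "P-256", 0x0018: "P-384", 0x0019: "P-521", 0x001d: "X25519"}
SIG_SCHEMES = {0x0401: "rsa_pkcs1_sha256", 0x0804: "rsa_pss_rsae_sha256",
               0x0403: "ecdsa_secp256r1_sha256", 0x0503: "ecdsa_secp384r1_sha384"}
SUPPORTED_GROUPS, SIGNATURE_ALGORITHMS = 0x000a, 0x000d

def parse_client_hello(record: bytes) -> dict:
    """Return the codepoints offered in supported_groups and signature_algorithms of a TLS record carrying a ClientHello."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    body, pos = record[9:], 2 + 32                      # skip record+handshake headers, legacy_version, random
    pos += 1 + body[pos]                                # session_id
    pos += 2 + struct.unpack_from("!H", body, pos)[0]   # cipher_suites
    pos += 1 + body[pos]                                # compression_methods
    ext_len = struct.unpack_from("!H", body, pos)[0]; pos += 2
    end, out = pos + ext_len, {SUPPORTED_GROUPS: [], SIGNATURE_ALGORITHMS: []}
    while pos < end:
        etype, elen = struct.unpack_from("!HH", body, pos); pos += 4
        if etype in out:                                # both extensions are a u16 length followed by u16 codepoints
            n = struct.unpack_from("!H", body, pos)[0] // 2
            out[etype] = list(struct.unpack_from(f"!{n}H", body, pos + 2))
        pos += elen
    return out

def common_groups(record: bytes, gateway_ecdh_curves: list) -> list:
    """ECDH groups the client offers that the gateway's ecdh_curves also allows; empty means no curve can be agreed and the handshake fails."""
    offered = parse_client_hello(record)[SUPPORTED_GROUPS]
    return [GROUPS[g] for g in offered if GROUPS.get(g) in gateway_ecdh_curves]

def build_client_hello(groups, sig_schemes) -> bytes:
    """Constructed sample ClientHello (TLS 1.2, one cipher suite, zero random); not a real capture."""
    def ext(etype, values):
        payload = struct.pack(f"!H{len(values)}H", 2 * len(values), *values)
        return struct.pack("!HH", etype, len(payload)) + payload
    exts = ext(SUPPORTED_GROUPS, groups) + ext(SIGNATURE_ALGORITHMS, sig_schemes)
    body = (b"\x03\x03" + bytes(32) + b"\x00"           # legacy_version, random, empty session_id
            + b"\x00\x02\xc0\x2f"                       # one suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
            + b"\x01\x00"                               # null compression only
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    # A client offering only P-384 against the filter above (P-256, X25519): no common group, handshake fails
    hello = build_client_hello([0x0018], [0x0804, 0x0503])
    print(common_groups(hello, ["P-256", "X25519"]))            # []
    print(common_groups(hello, ["P-256", "P-384", "X25519"]))   # ['P-384']
```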
Affected product area (please put an X in all that apply)
[ ] Ambient
[ ] Docs
[ ] Installation
[X] Networking
[ ] Performance and Scalability
[ ] Extensions and Telemetry
[X] Security
[ ] Test and Release
[ ] User Experience
[ ] Developer Infrastructure