-
Notifications
You must be signed in to change notification settings - Fork 337
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(translator): client tls session resumption #4293
base: main
Are you sure you want to change the base?
Conversation
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #4293 +/- ##
==========================================
+ Coverage 65.72% 65.80% +0.08%
==========================================
Files 200 200
Lines 24125 24145 +20
==========================================
+ Hits 15856 15889 +33
+ Misses 7135 7124 -11
+ Partials 1134 1132 -2 ☔ View full report in Codecov by Sentry. |
Following yesterday's community meeting, some additional industry context. Currently, Mozilla's SSL config generator recommends disabling stateless resumption (session tickets) for nginx, apache and haproxy for security reasons.
This is mostly due to insufficient rotation of session ticket encryption keys in these projects. There is an ongoing discussion on changing the recommendation for newer versions of nginx where keys are rotated: mozilla/server-side-tls#135. BoringSSL rotates encryption keys by default every 48 hours: https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#Session-tickets. Envoy doesn't change this behavior or make the rotation schedule configurable. Industry leaders like cloudflare rotate session ticket encryption keys every hour: https://blog.cloudflare.com/keyless-ssl-the-nitty-gritty-technical-details/. There is no security recommendation to disable stateful session resumption. However:
nginx ingress by default disables stateful and stateless session resumption, but makes it possible to opt-in:
I propose that we change the current behavior and disable both resumption methods by default, but allow users to opt-in similar to nginx ingress. |
Signed-off-by: Guy Daich <[email protected]>
Signed-off-by: Guy Daich <[email protected]>
c6f91b3
to
7f02edf
Compare
Signed-off-by: Guy Daich <[email protected]>
Signed-off-by: Guy Daich <[email protected]>
Signed-off-by: Guy Daich <[email protected]>
Signed-off-by: Guy Daich <[email protected]>
@@ -69,3 +79,56 @@ spec: | |||
- kind: "Secret" | |||
group: "" | |||
name: "client-mtls-certificate" | |||
--- |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
need to record how this is generated for future maintenance.
api/v1alpha1/tls_types.go
Outdated
// of different resumption methods. Performance gains from resumption are diminished when | ||
// Envoy proxy is deployed with more than one replica. | ||
// +optional | ||
SessionResumptionSettings *SessionResumptionSettings `json:"sessionResumption,omitempty"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
prefer SessionResumption
Signed-off-by: Guy Daich <[email protected]>
What type of PR is this?
What this PR does / why we need it:
Introduces an API for TLS session management:
Which issue(s) this PR fixes:
Fixes #4268, #2422, #2421