syntax = "proto3"; package envoy.api.v2.auth; import "envoy/api/v2/auth/common.proto"; import "envoy/api/v2/auth/secret.proto"; import "google/protobuf/duration.proto"; import "google/protobuf/wrappers.proto"; import "udpa/annotations/migrate.proto"; import "udpa/annotations/status.proto"; import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.api.v2.auth"; option java_outer_classname = "TlsProto"; option java_multiple_files = true; option go_package = "github.com/envoyproxy/go-control-plane/envoy/api/v2/auth"; option (udpa.annotations.file_migrate).move_to_package = "envoy.extensions.transport_sockets.tls.v3"; option (udpa.annotations.file_status).package_version_status = FROZEN; // [#protodoc-title: TLS transport socket] // [#extension: envoy.transport_sockets.tls] // The TLS contexts below provide the transport socket configuration for upstream/downstream TLS. message UpstreamTlsContext { // Common TLS context settings. // // .. attention:: // // Server certificate verification is not enabled by default. Configure // :ref:`trusted_ca` to enable // verification. CommonTlsContext common_tls_context = 1; // SNI string to use when creating TLS backend connections. string sni = 2 [(validate.rules).string = {max_bytes: 255}]; // If true, server-initiated TLS renegotiation will be allowed. // // .. attention:: // // TLS renegotiation is considered insecure and shouldn't be used unless absolutely necessary. bool allow_renegotiation = 3; // Maximum number of session keys (Pre-Shared Keys for TLSv1.3+, Session IDs and Session Tickets // for TLSv1.2 and older) to store for the purpose of session resumption. // // Defaults to 1, setting this to 0 disables session resumption. google.protobuf.UInt32Value max_session_keys = 4; } // [#next-free-field: 8] message DownstreamTlsContext { // Common TLS context settings. CommonTlsContext common_tls_context = 1; // If specified, Envoy will reject connections without a valid client // certificate. google.protobuf.BoolValue require_client_certificate = 2; // If specified, Envoy will reject connections without a valid and matching SNI. // [#not-implemented-hide:] google.protobuf.BoolValue require_sni = 3; oneof session_ticket_keys_type { // TLS session ticket key settings. TlsSessionTicketKeys session_ticket_keys = 4; // Config for fetching TLS session ticket keys via SDS API. SdsSecretConfig session_ticket_keys_sds_secret_config = 5; // Config for controlling stateless TLS session resumption: setting this to true will cause the TLS // server to not issue TLS session tickets for the purposes of stateless TLS session resumption. // If set to false, the TLS server will issue TLS session tickets and encrypt/decrypt them using // the keys specified through either :ref:`session_ticket_keys ` // or :ref:`session_ticket_keys_sds_secret_config `. // If this config is set to false and no keys are explicitly configured, the TLS server will issue // TLS session tickets and encrypt/decrypt them using an internally-generated and managed key, with the // implication that sessions cannot be resumed across hot restarts or on different hosts. bool disable_stateless_session_resumption = 7; } // If specified, ``session_timeout`` will change the maximum lifetime (in seconds) of the TLS session. // Currently this value is used as a hint for the `TLS session ticket lifetime (for TLSv1.2) `_. // Only seconds can be specified (fractional seconds are ignored). google.protobuf.Duration session_timeout = 6 [(validate.rules).duration = { lt {seconds: 4294967296} gte {} }]; } // TLS context shared by both client and server TLS contexts. // [#next-free-field: 9] message CommonTlsContext { message CombinedCertificateValidationContext { // How to validate peer certificates. CertificateValidationContext default_validation_context = 1 [(validate.rules).message = {required: true}]; // Config for fetching validation context via SDS API. SdsSecretConfig validation_context_sds_secret_config = 2 [(validate.rules).message = {required: true}]; } reserved 5; // TLS protocol versions, cipher suites etc. TlsParameters tls_params = 1; // :ref:`Multiple TLS certificates ` can be associated with the // same context to allow both RSA and ECDSA certificates. // // Only a single TLS certificate is supported in client contexts. In server contexts, the first // RSA certificate is used for clients that only support RSA and the first ECDSA certificate is // used for clients that support ECDSA. repeated TlsCertificate tls_certificates = 2; // Configs for fetching TLS certificates via SDS API. repeated SdsSecretConfig tls_certificate_sds_secret_configs = 6 [(validate.rules).repeated = {max_items: 1}]; oneof validation_context_type { // How to validate peer certificates. CertificateValidationContext validation_context = 3; // Config for fetching validation context via SDS API. SdsSecretConfig validation_context_sds_secret_config = 7; // Combined certificate validation context holds a default CertificateValidationContext // and SDS config. When SDS server returns dynamic CertificateValidationContext, both dynamic // and default CertificateValidationContext are merged into a new CertificateValidationContext // for validation. This merge is done by Message::MergeFrom(), so dynamic // CertificateValidationContext overwrites singular fields in default // CertificateValidationContext, and concatenates repeated fields to default // CertificateValidationContext, and logical OR is applied to boolean fields. CombinedCertificateValidationContext combined_validation_context = 8; } // Supplies the list of ALPN protocols that the listener should expose. In // practice this is likely to be set to one of two values (see the // :ref:`codec_type // ` // parameter in the HTTP connection manager for more information): // // * "h2,http/1.1" If the listener is going to support both HTTP/2 and HTTP/1.1. // * "http/1.1" If the listener is only going to support HTTP/1.1. // // There is no default for this parameter. If empty, Envoy will not expose ALPN. repeated string alpn_protocols = 4; }