syntax = "proto3"; package envoy.extensions.transport_sockets.tls.v3; import "envoy/config/core/v3/address.proto"; import "envoy/config/core/v3/extension.proto"; import "envoy/extensions/transport_sockets/tls/v3/common.proto"; import "envoy/extensions/transport_sockets/tls/v3/secret.proto"; import "google/protobuf/duration.proto"; import "google/protobuf/wrappers.proto"; import "envoy/annotations/deprecation.proto"; import "udpa/annotations/status.proto"; import "udpa/annotations/versioning.proto"; import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.tls.v3"; option java_outer_classname = "TlsProto"; option java_multiple_files = true; option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3;tlsv3"; option (udpa.annotations.file_status).package_version_status = ACTIVE; // [#protodoc-title: TLS transport socket] // [#extension: envoy.transport_sockets.tls] // The TLS contexts below provide the transport socket configuration for upstream/downstream TLS. // [#next-free-field: 6] message UpstreamTlsContext { option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.UpstreamTlsContext"; // Common TLS context settings. // // .. attention:: // // Server certificate verification is not enabled by default. Configure // :ref:`trusted_ca` to enable // verification. CommonTlsContext common_tls_context = 1; // SNI string to use when creating TLS backend connections. string sni = 2 [(validate.rules).string = {max_bytes: 255}]; // If true, server-initiated TLS renegotiation will be allowed. // // .. attention:: // // TLS renegotiation is considered insecure and shouldn't be used unless absolutely necessary. bool allow_renegotiation = 3; // Maximum number of session keys (Pre-Shared Keys for TLSv1.3+, Session IDs and Session Tickets // for TLSv1.2 and older) to store for the purpose of session resumption. // // Defaults to 1, setting this to 0 disables session resumption. google.protobuf.UInt32Value max_session_keys = 4; // This field is used to control the enforcement, whereby the handshake will fail if the keyUsage extension // is present and incompatible with the TLS usage. Currently, the default value is false (i.e., enforcement off) // but it is expected to be changed to true by default in a future release. // ``ssl.was_key_usage_invalid`` in :ref:`listener metrics ` will be set for certificate // configurations that would fail if this option were set to true. google.protobuf.BoolValue enforce_rsa_key_usage = 5; } // [#next-free-field: 11] message DownstreamTlsContext { option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.DownstreamTlsContext"; enum OcspStaplePolicy { // OCSP responses are optional. If an OCSP response is absent // or expired, the associated certificate will be used for // connections without an OCSP staple. LENIENT_STAPLING = 0; // OCSP responses are optional. If an OCSP response is absent, // the associated certificate will be used without an // OCSP staple. If a response is provided but is expired, // the associated certificate will not be used for // subsequent connections. If no suitable certificate is found, // the connection is rejected. STRICT_STAPLING = 1; // OCSP responses are required. Configuration will fail if // a certificate is provided without an OCSP response. If a // response expires, the associated certificate will not be // used connections. If no suitable certificate is found, the // connection is rejected. MUST_STAPLE = 2; } // Common TLS context settings. CommonTlsContext common_tls_context = 1; // If specified, Envoy will reject connections without a valid client // certificate. google.protobuf.BoolValue require_client_certificate = 2; // If specified, Envoy will reject connections without a valid and matching SNI. // [#not-implemented-hide:] google.protobuf.BoolValue require_sni = 3; oneof session_ticket_keys_type { // TLS session ticket key settings. TlsSessionTicketKeys session_ticket_keys = 4; // Config for fetching TLS session ticket keys via SDS API. SdsSecretConfig session_ticket_keys_sds_secret_config = 5; // Config for controlling stateless TLS session resumption: setting this to true will cause the TLS // server to not issue TLS session tickets for the purposes of stateless TLS session resumption. // If set to false, the TLS server will issue TLS session tickets and encrypt/decrypt them using // the keys specified through either :ref:`session_ticket_keys ` // or :ref:`session_ticket_keys_sds_secret_config `. // If this config is set to false and no keys are explicitly configured, the TLS server will issue // TLS session tickets and encrypt/decrypt them using an internally-generated and managed key, with the // implication that sessions cannot be resumed across hot restarts or on different hosts. bool disable_stateless_session_resumption = 7; } // If set to true, the TLS server will not maintain a session cache of TLS sessions. (This is // relevant only for TLSv1.2 and earlier.) bool disable_stateful_session_resumption = 10; // If specified, ``session_timeout`` will change the maximum lifetime (in seconds) of the TLS session. // Currently this value is used as a hint for the `TLS session ticket lifetime (for TLSv1.2) `_. // Only seconds can be specified (fractional seconds are ignored). google.protobuf.Duration session_timeout = 6 [(validate.rules).duration = { lt {seconds: 4294967296} gte {} }]; // Config for whether to use certificates if they do not have // an accompanying OCSP response or if the response expires at runtime. // Defaults to LENIENT_STAPLING OcspStaplePolicy ocsp_staple_policy = 8 [(validate.rules).enum = {defined_only: true}]; // Multiple certificates are allowed in Downstream transport socket to serve different SNI. // If the client provides SNI but no such cert matched, it will decide to full scan certificates or not based on this config. // Defaults to false. See more details in :ref:`Multiple TLS certificates `. google.protobuf.BoolValue full_scan_certs_on_sni_mismatch = 9; } // TLS key log configuration. // The key log file format is "format used by NSS for its SSLKEYLOGFILE debugging output" (text taken from openssl man page) message TlsKeyLog { // The path to save the TLS key log. string path = 1 [(validate.rules).string = {min_len: 1}]; // The local IP address that will be used to filter the connection which should save the TLS key log // If it is not set, any local IP address will be matched. repeated config.core.v3.CidrRange local_address_range = 2; // The remote IP address that will be used to filter the connection which should save the TLS key log // If it is not set, any remote IP address will be matched. repeated config.core.v3.CidrRange remote_address_range = 3; } // TLS context shared by both client and server TLS contexts. // [#next-free-field: 16] message CommonTlsContext { option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.CommonTlsContext"; // Config for Certificate provider to get certificates. This provider should allow certificates to be // fetched/refreshed over the network asynchronously with respect to the TLS handshake. // // DEPRECATED: This message is not currently used, but if we ever do need it, we will want to // move it out of CommonTlsContext and into common.proto, similar to the existing // CertificateProviderPluginInstance message. // // [#not-implemented-hide:] message CertificateProvider { // opaque name used to specify certificate instances or types. For example, "ROOTCA" to specify // a root-certificate (validation context) or "TLS" to specify a new tls-certificate. string name = 1 [(validate.rules).string = {min_len: 1}]; // Provider specific config. // Note: an implementation is expected to dedup multiple instances of the same config // to maintain a single certificate-provider instance. The sharing can happen, for // example, among multiple clusters or between the tls_certificate and validation_context // certificate providers of a cluster. // This config could be supplied inline or (in future) a named xDS resource. oneof config { option (validate.required) = true; config.core.v3.TypedExtensionConfig typed_config = 2; } } // Similar to CertificateProvider above, but allows the provider instances to be configured on // the client side instead of being sent from the control plane. // // DEPRECATED: This message was moved outside of CommonTlsContext // and now lives in common.proto. // // [#not-implemented-hide:] message CertificateProviderInstance { // Provider instance name. This name must be defined in the client's configuration (e.g., a // bootstrap file) to correspond to a provider instance (i.e., the same data in the typed_config // field that would be sent in the CertificateProvider message if the config was sent by the // control plane). If not present, defaults to "default". // // Instance names should generally be defined not in terms of the underlying provider // implementation (e.g., "file_watcher") but rather in terms of the function of the // certificates (e.g., "foo_deployment_identity"). string instance_name = 1; // Opaque name used to specify certificate instances or types. For example, "ROOTCA" to specify // a root-certificate (validation context) or "example.com" to specify a certificate for a // particular domain. Not all provider instances will actually use this field, so the value // defaults to the empty string. string certificate_name = 2; } message CombinedCertificateValidationContext { option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.CommonTlsContext.CombinedCertificateValidationContext"; // How to validate peer certificates. CertificateValidationContext default_validation_context = 1 [(validate.rules).message = {required: true}]; // Config for fetching validation context via SDS API. Note SDS API allows certificates to be // fetched/refreshed over the network asynchronously with respect to the TLS handshake. SdsSecretConfig validation_context_sds_secret_config = 2 [(validate.rules).message = {required: true}]; // Certificate provider for fetching CA certs. This will populate the // ``default_validation_context.trusted_ca`` field. // [#not-implemented-hide:] CertificateProvider validation_context_certificate_provider = 3 [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; // Certificate provider instance for fetching CA certs. This will populate the // ``default_validation_context.trusted_ca`` field. // [#not-implemented-hide:] CertificateProviderInstance validation_context_certificate_provider_instance = 4 [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; } reserved 5; // TLS protocol versions, cipher suites etc. TlsParameters tls_params = 1; // Only a single TLS certificate is supported in client contexts. In server contexts, // :ref:`Multiple TLS certificates ` can be associated with the // same context to allow both RSA and ECDSA certificates and support SNI-based selection. // // If ``tls_certificate_provider_instance`` is set, this field is ignored. // If this field is set, ``tls_certificate_sds_secret_configs`` is ignored. repeated TlsCertificate tls_certificates = 2; // Configs for fetching TLS certificates via SDS API. Note SDS API allows certificates to be // fetched/refreshed over the network asynchronously with respect to the TLS handshake. // // The same number and types of certificates as :ref:`tls_certificates ` // are valid in the the certificates fetched through this setting. // // If ``tls_certificates`` or ``tls_certificate_provider_instance`` are set, this field // is ignored. repeated SdsSecretConfig tls_certificate_sds_secret_configs = 6; // Certificate provider instance for fetching TLS certs. // // If this field is set, ``tls_certificates`` and ``tls_certificate_provider_instance`` // are ignored. // [#not-implemented-hide:] CertificateProviderPluginInstance tls_certificate_provider_instance = 14; // Certificate provider for fetching TLS certificates. // [#not-implemented-hide:] CertificateProvider tls_certificate_certificate_provider = 9 [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; // Certificate provider instance for fetching TLS certificates. // [#not-implemented-hide:] CertificateProviderInstance tls_certificate_certificate_provider_instance = 11 [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; oneof validation_context_type { // How to validate peer certificates. CertificateValidationContext validation_context = 3; // Config for fetching validation context via SDS API. Note SDS API allows certificates to be // fetched/refreshed over the network asynchronously with respect to the TLS handshake. SdsSecretConfig validation_context_sds_secret_config = 7; // Combined certificate validation context holds a default CertificateValidationContext // and SDS config. When SDS server returns dynamic CertificateValidationContext, both dynamic // and default CertificateValidationContext are merged into a new CertificateValidationContext // for validation. This merge is done by Message::MergeFrom(), so dynamic // CertificateValidationContext overwrites singular fields in default // CertificateValidationContext, and concatenates repeated fields to default // CertificateValidationContext, and logical OR is applied to boolean fields. CombinedCertificateValidationContext combined_validation_context = 8; // Certificate provider for fetching validation context. // [#not-implemented-hide:] CertificateProvider validation_context_certificate_provider = 10 [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; // Certificate provider instance for fetching validation context. // [#not-implemented-hide:] CertificateProviderInstance validation_context_certificate_provider_instance = 12 [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; } // Supplies the list of ALPN protocols that the listener should expose. In // practice this is likely to be set to one of two values (see the // :ref:`codec_type // ` // parameter in the HTTP connection manager for more information): // // * "h2,http/1.1" If the listener is going to support both HTTP/2 and HTTP/1.1. // * "http/1.1" If the listener is only going to support HTTP/1.1. // // There is no default for this parameter. If empty, Envoy will not expose ALPN. repeated string alpn_protocols = 4; // Custom TLS handshaker. If empty, defaults to native TLS handshaking // behavior. config.core.v3.TypedExtensionConfig custom_handshaker = 13; // TLS key log configuration TlsKeyLog key_log = 15; }