Common TLS configuration (proto)
extensions.transport_sockets.tls.v3.TlsParameters
[extensions.transport_sockets.tls.v3.TlsParameters proto]
{
"tls_minimum_protocol_version": ...,
"tls_maximum_protocol_version": ...,
"cipher_suites": [],
"ecdh_curves": [],
"signature_algorithms": []
}
- tls_minimum_protocol_version
(extensions.transport_sockets.tls.v3.TlsParameters.TlsProtocol) Minimum TLS protocol version. By default, it’s
TLSv1_2
for both clients and servers.TLS protocol versions below TLSv1_2 require setting compatible ciphers with the
cipher_suites
setting as the default ciphers no longer include compatible ciphers.Attention
Using TLS protocol versions below TLSv1_2 has serious security considerations and risks.
- tls_maximum_protocol_version
(extensions.transport_sockets.tls.v3.TlsParameters.TlsProtocol) Maximum TLS protocol version. By default, it’s
TLSv1_2
for clients andTLSv1_3
for servers.
- cipher_suites
(repeated string) If specified, the TLS listener will only support the specified cipher list when negotiating TLS 1.0-1.2 (this setting has no effect when negotiating TLS 1.3).
If not specified, a default list will be used. Defaults are different for server (downstream) and client (upstream) TLS configurations. Defaults will change over time in response to security considerations; If you care, configure it instead of using the default.
In non-FIPS builds, the default server cipher list is:
[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305] [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305] ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384
In builds using BoringSSL FIPS, the default server cipher list is:
ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384
In non-FIPS builds, the default client cipher list is:
[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305] [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305] ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384
In builds using BoringSSL FIPS, the default client cipher list is:
ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384
- ecdh_curves
(repeated string) If specified, the TLS connection will only support the specified ECDH curves. If not specified, the default curves will be used.
In non-FIPS builds, the default curves are:
X25519 P-256
In builds using BoringSSL FIPS, the default curve is:
P-256
- signature_algorithms
(repeated string) If specified, the TLS connection will only support the specified signature algorithms. The list is ordered by preference. If not specified, the default signature algorithms defined by BoringSSL will be used.
Default signature algorithms selected by BoringSSL (may be out of date):
ecdsa_secp256r1_sha256 rsa_pss_rsae_sha256 rsa_pkcs1_sha256 ecdsa_secp384r1_sha384 rsa_pss_rsae_sha384 rsa_pkcs1_sha384 rsa_pss_rsae_sha512 rsa_pkcs1_sha512 rsa_pkcs1_sha1
Signature algorithms supported by BoringSSL (may be out of date):
rsa_pkcs1_sha256 rsa_pkcs1_sha384 rsa_pkcs1_sha512 ecdsa_secp256r1_sha256 ecdsa_secp384r1_sha384 ecdsa_secp521r1_sha512 rsa_pss_rsae_sha256 rsa_pss_rsae_sha384 rsa_pss_rsae_sha512 ed25519 rsa_pkcs1_sha1 ecdsa_sha1
Enum extensions.transport_sockets.tls.v3.TlsParameters.TlsProtocol
[extensions.transport_sockets.tls.v3.TlsParameters.TlsProtocol proto]
- TLS_AUTO
(DEFAULT) Envoy will choose the optimal TLS version.
- TLSv1_0
TLS 1.0
- TLSv1_1
TLS 1.1
- TLSv1_2
TLS 1.2
- TLSv1_3
TLS 1.3
extensions.transport_sockets.tls.v3.PrivateKeyProvider
[extensions.transport_sockets.tls.v3.PrivateKeyProvider proto]
BoringSSL private key method configuration. The private key methods are used for external (potentially asynchronous) signing and decryption operations. Some use cases for private key methods would be TPM support and TLS acceleration.
{
"provider_name": ...,
"typed_config": {...},
"fallback": ...
}
- provider_name
(string, REQUIRED) Private key method provider name. The name must match a supported private key method provider type.
- typed_config
(Any) Private key method provider specific configuration.
- fallback
(bool) If the private key provider isn’t available (eg. the required hardware capability doesn’t existed), Envoy will fallback to the BoringSSL default implementation when the
fallback
is true. The default value isfalse
.
extensions.transport_sockets.tls.v3.TlsCertificate
[extensions.transport_sockets.tls.v3.TlsCertificate proto]
{
"certificate_chain": {...},
"private_key": {...},
"pkcs12": {...},
"watched_directory": {...},
"private_key_provider": {...},
"password": {...},
"ocsp_staple": {...}
}
- certificate_chain
(config.core.v3.DataSource) The TLS certificate chain.
If
certificate_chain
is a filesystem path, a watch will be added to the parent directory for any file moves to support rotation. This currently only applies to dynamic secrets, when theTlsCertificate
is delivered via SDS.
- private_key
(config.core.v3.DataSource) The TLS private key.
If
private_key
is a filesystem path, a watch will be added to the parent directory for any file moves to support rotation. This currently only applies to dynamic secrets, when theTlsCertificate
is delivered via SDS.
- pkcs12
(config.core.v3.DataSource)
Pkcs12
data containing TLS certificate, chain, and private key.If
pkcs12
is a filesystem path, the file will be read, but no watch will be added to the parent directory, sincepkcs12
isn’t used by SDS. This field is mutually exclusive withcertificate_chain
,private_key
andprivate_key_provider
. This can’t be marked asoneof
due to API compatibility reasons. Setting both private_key, certificate_chain, or private_key_provider and pkcs12 fields will result in an error. Use password to specify the password to unprotect thePKCS12
data, if necessary.
- watched_directory
(config.core.v3.WatchedDirectory) If specified, updates of file-based
certificate_chain
andprivate_key
sources will be triggered by this watch. The certificate/key pair will be read together and validated for atomic read consistency (i.e. no intervening modification occurred between cert/key read, verified by file hash comparisons). This allows explicit control over the path watched, by default the parent directories of the filesystem paths incertificate_chain
andprivate_key
are watched if this field is not specified. This only applies when aTlsCertificate
is delivered by SDS with references to filesystem paths. See the SDS key rotation documentation for further details.
- private_key_provider
(extensions.transport_sockets.tls.v3.PrivateKeyProvider) BoringSSL private key method provider. This is an alternative to private_key field. When both private_key and private_key_provider fields are set,
private_key_provider
takes precedence. Ifprivate_key_provider
is unavailable and fallback is enabled,private_key
will be used.
- password
(config.core.v3.DataSource) The password to decrypt the TLS private key. If this field is not set, it is assumed that the TLS private key is not password encrypted.
- ocsp_staple
(config.core.v3.DataSource) The OCSP response to be stapled with this certificate during the handshake. The response must be DER-encoded and may only be provided via
filename
orinline_bytes
. The response may pertain to only one certificate.
extensions.transport_sockets.tls.v3.TlsSessionTicketKeys
[extensions.transport_sockets.tls.v3.TlsSessionTicketKeys proto]
{
"keys": []
}
- keys
(repeated config.core.v3.DataSource, REQUIRED) Keys for encrypting and decrypting TLS session tickets. The first key in the array contains the key to encrypt all new sessions created by this context. All keys are candidates for decrypting received tickets. This allows for easy rotation of keys by, for example, putting the new key first, and the previous key second.
If session_ticket_keys is not specified, the TLS library will still support resuming sessions via tickets, but it will use an internally-generated and managed key, so sessions cannot be resumed across hot restarts or on different hosts.
Each key must contain exactly 80 bytes of cryptographically-secure random data. For example, the output of
openssl rand 80
.Attention
Using this feature has serious security considerations and risks. Improper handling of keys may result in loss of secrecy in connections, even if ciphers supporting perfect forward secrecy are used. See https://www.imperialviolet.org/2013/06/27/botchingpfs.html for some discussion. To minimize the risk, you must:
Keep the session ticket keys at least as secure as your TLS certificate private keys
Rotate session ticket keys at least daily, and preferably hourly
Always generate keys using a cryptographically-secure random data source
extensions.transport_sockets.tls.v3.SubjectAltNameMatcher
[extensions.transport_sockets.tls.v3.SubjectAltNameMatcher proto]
Matcher for subject alternative names, to match both type and value of the SAN.
{
"san_type": ...,
"matcher": {...},
"oid": ...
}
- san_type
(extensions.transport_sockets.tls.v3.SubjectAltNameMatcher.SanType) Specification of type of SAN. Note that the default enum value is an invalid choice.
- matcher
(type.matcher.v3.StringMatcher, REQUIRED) Matcher for SAN value.
The string matching for OTHER_NAME SAN values depends on their ASN.1 type:
OBJECT: Validated against its dotted numeric notation (e.g., “1.2.3.4”)
BOOLEAN: Validated against strings “true” or “false”
INTEGER/ENUMERATED: Validated against a string containing the integer value
NULL: Validated against an empty string
Other types: Validated directly against the string value
- oid
(string) OID Value which is required if OTHER_NAME SAN type is used. For example, UPN OID is 1.3.6.1.4.1.311.20.2.3 (Reference: http://oid-info.com/get/1.3.6.1.4.1.311.20.2.3).
If set for SAN types other than OTHER_NAME, it will be ignored.
Enum extensions.transport_sockets.tls.v3.SubjectAltNameMatcher.SanType
[extensions.transport_sockets.tls.v3.SubjectAltNameMatcher.SanType proto]
Indicates the choice of GeneralName as defined in section 4.2.1.5 of RFC 5280 to match against.
- SAN_TYPE_UNSPECIFIED
(DEFAULT)
- DNS
- URI
- IP_ADDRESS
- OTHER_NAME
extensions.transport_sockets.tls.v3.CertificateValidationContext
[extensions.transport_sockets.tls.v3.CertificateValidationContext proto]
{
"trusted_ca": {...},
"watched_directory": {...},
"verify_certificate_spki": [],
"verify_certificate_hash": [],
"match_typed_subject_alt_names": [],
"match_subject_alt_names": [],
"crl": {...},
"allow_expired_certificate": ...,
"trust_chain_verification": ...,
"custom_validator_config": {...},
"only_verify_leaf_cert_crl": ...,
"max_verify_depth": {...}
}
- trusted_ca
(config.core.v3.DataSource) TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners). If not specified and a peer certificate is presented it will not be verified. By default, a client certificate is optional, unless one of the additional options (require_client_certificate, verify_certificate_spki, verify_certificate_hash, or match_typed_subject_alt_names) is also specified.
It can optionally contain certificate revocation lists, in which case Envoy will verify that the presented peer certificate has not been revoked by one of the included CRLs. Note that if a CRL is provided for any certificate authority in a trust chain, a CRL must be provided for all certificate authorities in that chain. Failure to do so will result in verification failure for both revoked and unrevoked certificates from that chain. The behavior of requiring all certificates to contain CRLs can be altered by setting only_verify_leaf_cert_crl true. If set to true, only the final certificate in the chain undergoes CRL verification.
See the TLS overview for a list of common system CA locations.
If
trusted_ca
is a filesystem path, a watch will be added to the parent directory for any file moves to support rotation. This currently only applies to dynamic secrets, when theCertificateValidationContext
is delivered via SDS.X509_V_FLAG_PARTIAL_CHAIN is set by default, so non-root/intermediate ca certificate in
trusted_ca
can be treated as trust anchor as well. It allows verification with building valid partial chain instead of a full chain.If
ca_certificate_provider_instance
is set, it takes precedence overtrusted_ca
.
- watched_directory
(config.core.v3.WatchedDirectory) If specified, updates of a file-based
trusted_ca
source will be triggered by this watch. This allows explicit control over the path watched, by default the parent directory of the filesystem path intrusted_ca
is watched if this field is not specified. This only applies when aCertificateValidationContext
is delivered by SDS with references to filesystem paths. See the SDS key rotation documentation for further details.
- verify_certificate_spki
(repeated string) An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate matches one of the specified values.
A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate can be generated with the following command:
$ openssl x509 -in path/to/client.crt -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 -binary | openssl enc -base64 NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
This is the format used in HTTP Public Key Pinning.
When both: verify_certificate_hash and verify_certificate_spki are specified, a hash matching value from either of the lists will result in the certificate being accepted.
Attention
This option is preferred over verify_certificate_hash, because SPKI is tied to a private key, so it doesn’t change when the certificate is renewed using the same private key.
- verify_certificate_hash
(repeated string) An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
A hex-encoded SHA-256 of the certificate can be generated with the following command:
$ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2 df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
A long hex-encoded and colon-separated SHA-256 (a.k.a. “fingerprint”) of the certificate can be generated with the following command:
$ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2 DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
Both of those formats are acceptable.
When both: verify_certificate_hash and verify_certificate_spki are specified, a hash matching value from either of the lists will result in the certificate being accepted.
- match_typed_subject_alt_names
(repeated extensions.transport_sockets.tls.v3.SubjectAltNameMatcher) An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses “any” semantics, that is to say, the SAN is verified if at least one matcher is matched.
When a certificate has wildcard DNS SAN entries, to match a specific client, it should be configured with exact match type in the string matcher. For example if the certificate has “*.example.com” as DNS SAN entry, to allow only “api.example.com”, it should be configured as shown below.
match_typed_subject_alt_names: - san_type: DNS matcher: exact: "api.example.com"
Attention
Subject Alternative Names are easily spoofable and verifying only them is insecure, therefore this option must be used together with trusted_ca.
- match_subject_alt_names
(repeated type.matcher.v3.StringMatcher) This field is deprecated in favor of match_typed_subject_alt_names. Note that if both this field and match_typed_subject_alt_names are specified, the former (deprecated field) is ignored.
- crl
(config.core.v3.DataSource) An optional certificate revocation list (in PEM format). If specified, Envoy will verify that the presented peer certificate has not been revoked by this CRL. If this DataSource contains multiple CRLs, all of them will be used. Note that if a CRL is provided for any certificate authority in a trust chain, a CRL must be provided for all certificate authorities in that chain. Failure to do so will result in verification failure for both revoked and unrevoked certificates from that chain. This default behavior can be altered by setting only_verify_leaf_cert_crl to true.
If
crl
is a filesystem path, a watch will be added to the parent directory for any file moves to support rotation. This currently only applies to dynamic secrets, when theCertificateValidationContext
is delivered via SDS.
- allow_expired_certificate
(bool) If specified, Envoy will not reject expired certificates.
- trust_chain_verification
(extensions.transport_sockets.tls.v3.CertificateValidationContext.TrustChainVerification) Certificate trust chain verification mode.
- custom_validator_config
(config.core.v3.TypedExtensionConfig) The configuration of an extension specific certificate validator. If specified, all validation is done by the specified validator, and the behavior of all other validation settings is defined by the specified validator (and may be entirely ignored, unused, and unvalidated). Refer to the documentation for the specified validator. If you do not want a custom validation algorithm, do not set this field.
- only_verify_leaf_cert_crl
(bool) If this option is set to true, only the certificate at the end of the certificate chain will be subject to validation by CRL.
- max_verify_depth
(UInt32Value) Defines maximum depth of a certificate chain accepted in verification, the default limit is 100, though this can be system-dependent. This number does not include the leaf but includes the trust anchor, so a depth of 1 allows the leaf and one CA certificate. If a trusted issuer appears in the chain, but in a depth larger than configured, the certificate validation will fail. This matches the semantics of
SSL_CTX_set_verify_depth
in OpenSSL 1.0.x and older versions of BoringSSL. It differs fromSSL_CTX_set_verify_depth
in OpenSSL 1.1.x and newer versions of BoringSSL in that the trust anchor is included. Trusted issues are specified by setting trusted_ca
extensions.transport_sockets.tls.v3.CertificateValidationContext.SystemRootCerts
[extensions.transport_sockets.tls.v3.CertificateValidationContext.SystemRootCerts proto]
Enum extensions.transport_sockets.tls.v3.CertificateValidationContext.TrustChainVerification
[extensions.transport_sockets.tls.v3.CertificateValidationContext.TrustChainVerification proto]
Peer certificate verification mode.
- VERIFY_TRUST_CHAIN
(DEFAULT) Perform default certificate verification (e.g., against CA / verification lists)
- ACCEPT_UNTRUSTED
Connections where the certificate fails verification will be permitted. For HTTP connections, the result of certificate verification can be used in route matching. ( see validated ).