Common TLS configuration¶
auth.TlsParameters¶
{
"tls_minimum_protocol_version": "...",
"tls_maximum_protocol_version": "...",
"cipher_suites": [],
"ecdh_curves": []
}
- tls_minimum_protocol_version
(auth.TlsParameters.TlsProtocol) Minimum TLS protocol version. By default, it’s
TLSv1_2
for clients andTLSv1_0
for servers.
- tls_maximum_protocol_version
(auth.TlsParameters.TlsProtocol) Maximum TLS protocol version. By default, it’s
TLSv1_3
for servers in non-FIPS builds, andTLSv1_2
for clients and for servers using BoringSSL FIPS.
- cipher_suites
(string) If specified, the TLS listener will only support the specified cipher list when negotiating TLS 1.0-1.2 (this setting has no effect when negotiating TLS 1.3). If not specified, the default list will be used.
In non-FIPS builds, the default cipher list is:
[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305] [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305] ECDHE-ECDSA-AES128-SHA ECDHE-RSA-AES128-SHA AES128-GCM-SHA256 AES128-SHA ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA ECDHE-RSA-AES256-SHA AES256-GCM-SHA384 AES256-SHA
In builds using BoringSSL FIPS, the default cipher list is:
ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA ECDHE-RSA-AES128-SHA AES128-GCM-SHA256 AES128-SHA ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA ECDHE-RSA-AES256-SHA AES256-GCM-SHA384 AES256-SHA
- ecdh_curves
(string) If specified, the TLS connection will only support the specified ECDH curves. If not specified, the default curves will be used.
In non-FIPS builds, the default curves are:
X25519 P-256
In builds using BoringSSL FIPS, the default curve is:
P-256
Enum auth.TlsParameters.TlsProtocol¶
[auth.TlsParameters.TlsProtocol proto]
- TLS_AUTO
(DEFAULT) Envoy will choose the optimal TLS version.
- TLSv1_0
TLS 1.0
- TLSv1_1
TLS 1.1
- TLSv1_2
TLS 1.2
- TLSv1_3
TLS 1.3
auth.PrivateKeyProvider¶
[auth.PrivateKeyProvider proto]
BoringSSL private key method configuration. The private key methods are used for external (potentially asynchronous) signing and decryption operations. Some use cases for private key methods would be TPM support and TLS acceleration.
{
"provider_name": "...",
"config": "{...}",
"typed_config": "{...}"
}
- provider_name
(string, REQUIRED) Private key method provider name. The name must match a supported private key method provider type.
- config
(Struct) Private key method provider specific configuration.
Only one of config, typed_config may be set.
- typed_config
(Any) Private key method provider specific configuration.
Only one of config, typed_config may be set.
auth.TlsCertificate¶
{
"certificate_chain": "{...}",
"private_key": "{...}",
"private_key_provider": "{...}",
"password": "{...}"
}
- certificate_chain
(core.DataSource) The TLS certificate chain.
- private_key
(core.DataSource) The TLS private key.
- private_key_provider
(auth.PrivateKeyProvider) BoringSSL private key method provider. This is an alternative to private_key field. This can’t be marked as
oneof
due to API compatibility reasons. Setting both private_key and private_key_provider fields will result in an error.
- password
(core.DataSource) The password to decrypt the TLS private key. If this field is not set, it is assumed that the TLS private key is not password encrypted.
auth.TlsSessionTicketKeys¶
[auth.TlsSessionTicketKeys proto]
{
"keys": []
}
- keys
(core.DataSource, REQUIRED) Keys for encrypting and decrypting TLS session tickets. The first key in the array contains the key to encrypt all new sessions created by this context. All keys are candidates for decrypting received tickets. This allows for easy rotation of keys by, for example, putting the new key first, and the previous key second.
If session_ticket_keys is not specified, the TLS library will still support resuming sessions via tickets, but it will use an internally-generated and managed key, so sessions cannot be resumed across hot restarts or on different hosts.
Each key must contain exactly 80 bytes of cryptographically-secure random data. For example, the output of
openssl rand 80
.Attention
Using this feature has serious security considerations and risks. Improper handling of keys may result in loss of secrecy in connections, even if ciphers supporting perfect forward secrecy are used. See https://www.imperialviolet.org/2013/06/27/botchingpfs.html for some discussion. To minimize the risk, you must:
Keep the session ticket keys at least as secure as your TLS certificate private keys
Rotate session ticket keys at least daily, and preferably hourly
Always generate keys using a cryptographically-secure random data source
auth.CertificateValidationContext¶
[auth.CertificateValidationContext proto]
{
"trusted_ca": "{...}",
"verify_certificate_spki": [],
"verify_certificate_hash": [],
"verify_subject_alt_name": [],
"match_subject_alt_names": [],
"crl": "{...}",
"allow_expired_certificate": "...",
"trust_chain_verification": "..."
}
- trusted_ca
(core.DataSource) TLS certificate data containing certificate authority certificates to use in verifying a presented peer certificate (e.g. server certificate for clusters or client certificate for listeners). If not specified and a peer certificate is presented it will not be verified. By default, a client certificate is optional, unless one of the additional options (require_client_certificate, verify_certificate_spki, verify_certificate_hash, or match_subject_alt_names) is also specified.
It can optionally contain certificate revocation lists, in which case Envoy will verify that the presented peer certificate has not been revoked by one of the included CRLs.
See the TLS overview for a list of common system CA locations.
- verify_certificate_spki
(string) An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate matches one of the specified values.
A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate can be generated with the following command:
$ openssl x509 -in path/to/client.crt -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 -binary | openssl enc -base64 NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
This is the format used in HTTP Public Key Pinning.
When both: verify_certificate_hash and verify_certificate_spki are specified, a hash matching value from either of the lists will result in the certificate being accepted.
Attention
This option is preferred over verify_certificate_hash, because SPKI is tied to a private key, so it doesn’t change when the certificate is renewed using the same private key.
- verify_certificate_hash
(string) An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
A hex-encoded SHA-256 of the certificate can be generated with the following command:
$ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2 df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
A long hex-encoded and colon-separated SHA-256 (a.k.a. “fingerprint”) of the certificate can be generated with the following command:
$ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2 DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
Both of those formats are acceptable.
When both: verify_certificate_hash and verify_certificate_spki are specified, a hash matching value from either of the lists will result in the certificate being accepted.
- verify_subject_alt_name
(string) An optional list of Subject Alternative Names. If specified, Envoy will verify that the Subject Alternative Name of the presented certificate matches one of the specified values.
Attention
Subject Alternative Names are easily spoofable and verifying only them is insecure, therefore this option must be used together with trusted_ca.
- match_subject_alt_names
(type.matcher.StringMatcher) An optional list of Subject Alternative name matchers. Envoy will verify that the Subject Alternative Name of the presented certificate matches one of the specified matches.
When a certificate has wildcard DNS SAN entries, to match a specific client, it should be configured with exact match type in the string matcher. For example if the certificate has “*.example.com” as DNS SAN entry, to allow only “api.example.com”, it should be configured as shown below.
match_subject_alt_names: exact: "api.example.com"
Attention
Subject Alternative Names are easily spoofable and verifying only them is insecure, therefore this option must be used together with trusted_ca.
- crl
(core.DataSource) An optional certificate revocation list (in PEM format). If specified, Envoy will verify that the presented peer certificate has not been revoked by this CRL. If this DataSource contains multiple CRLs, all of them will be used.
- allow_expired_certificate
(bool) If specified, Envoy will not reject expired certificates.
- trust_chain_verification
(auth.CertificateValidationContext.TrustChainVerification) Certificate trust chain verification mode.
Enum auth.CertificateValidationContext.TrustChainVerification¶
[auth.CertificateValidationContext.TrustChainVerification proto]
Peer certificate verification mode.
- VERIFY_TRUST_CHAIN
(DEFAULT) Perform default certificate verification (e.g., against CA / verification lists)
- ACCEPT_UNTRUSTED
Connections where the certificate fails verification will be permitted. For HTTP connections, the result of certificate verification can be used in route matching. ( see validated ).