Changes from 9 commits
39 commits
b019d29
Implement OCSP stapling and an OCSP stapling policy
daniel-goldstein Jul 3, 2020
67ed233
add to release notes
daniel-goldstein Aug 17, 2020
d1716c7
add mock method impl for ocspStaplePolicy on context manager
daniel-goldstein Aug 17, 2020
79bd837
explicitly include atomic because windows build could not find it
daniel-goldstein Aug 17, 2020
9360447
add stats to docs
daniel-goldstein Aug 17, 2020
25a522d
add ocsp staple mock methods
daniel-goldstein Aug 17, 2020
41e603f
listen to clang tidy
daniel-goldstein Aug 17, 2020
1cfb9d6
change ocsp stapling flag in ssl socket test for asan
daniel-goldstein Aug 18, 2020
7ced117
initialize stapling enabled to false
daniel-goldstein Aug 18, 2020
aadc2a8
check must_staple value and clean up
daniel-goldstein Aug 18, 2020
d0b2460
Merge branch 'master' into ocsp-stapling
daniel-goldstein Aug 20, 2020
d172d07
Merge branch 'master' into ocsp-stapling
daniel-goldstein Aug 21, 2020
359a99c
change ocsp policy and stop checking expiration at config time
daniel-goldstein Aug 19, 2020
903269b
remove now-unused runtime flag
daniel-goldstein Aug 20, 2020
4d01105
change outdated comment in proto
daniel-goldstein Aug 20, 2020
142f57e
Merge branch 'upstream-master' into ocsp-stapling
zuercher Aug 25, 2020
70850ee
review comments
zuercher Aug 26, 2020
2cfe8d7
forgot protoxform
zuercher Aug 26, 2020
b01dc72
review comments
zuercher Aug 26, 2020
74a5d05
constexprs and simplify optional usage
zuercher Aug 26, 2020
844c570
detect ocsp client in hello; always skip stapling if client does not …
zuercher Aug 27, 2020
f69d53e
add valid/expiration time stamps for ocsp details and add a test
zuercher Aug 27, 2020
2a44c31
update ocsp admin proto, fix clang_tidy
zuercher Aug 31, 2020
ca62d4c
add todo for integration test
zuercher Sep 2, 2020
9b7bec6
Merge branch 'upstream-master' into ocsp-stapling
zuercher Sep 4, 2020
03ea255
fix runtime features ordering
zuercher Sep 4, 2020
32e848c
Merge branch 'upstream-master' into ocsp-stapling
zuercher Sep 10, 2020
0570c6a
match TLS extension change
zuercher Sep 10, 2020
bbd6e31
Merge branch 'upstream-master' into ocsp-stapling
zuercher Sep 11, 2020
a504886
increase coverage
zuercher Sep 11, 2020
ed91de1
actually fix the endian thing instead of making it worse
zuercher Sep 11, 2020
c7b1406
add OID to dictionary
zuercher Sep 12, 2020
d75170b
review comments
zuercher Sep 14, 2020
f39f91b
remove inline_string support
zuercher Sep 17, 2020
a677b0f
Merge branch 'upstream-master' into ocsp-stapling
zuercher Sep 17, 2020
b4c0866
shellcheck
zuercher Sep 17, 2020
4b9aa9b
Merge branch 'upstream-master' into ocsp-stapling
zuercher Sep 17, 2020
75524f4
remove unused import
zuercher Sep 21, 2020
2f1d27f
Merge branch 'upstream-master' into ocsp-stapling
zuercher Sep 21, 2020
5 changes: 4 additions & 1 deletion api/envoy/admin/v3/certs.proto
Expand Up @@ -34,7 +34,7 @@ message Certificate {
repeated CertificateDetails cert_chain = 2;
}

// [#next-free-field: 7]
// [#next-free-field: 8]
message CertificateDetails {
option (udpa.annotations.versioning).previous_message_type =
"envoy.admin.v2alpha.CertificateDetails";
Expand All @@ -56,6 +56,9 @@ message CertificateDetails {

// Indicates the time at which the certificate expires.
google.protobuf.Timestamp expiration_time = 6;

// Seconds until expiration of the certificate's OCSP response.
uint64 seconds_until_ocsp_response_expiration = 7;
}

message SubjectAlternateName {
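Review bot: the comment on `seconds_until_ocsp_response_expiration = 7` does not say what is reported for a certificate that has no OCSP response configured, or for one whose response has already expired; a `uint64` cannot carry a negative value, so both cases presumably collapse to 0 and a reader of the admin output cannot tell them apart. Document the sentinel, or expose the response's validity window as `google.protobuf.Timestamp` fields next to `expiration_time = 6` so the two certificate and OCSP expiry fields are reported in the same form and the expired case is unambiguous.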
5 changes: 4 additions & 1 deletion api/envoy/admin/v4alpha/certs.proto
11 changes: 6 additions & 5 deletions api/envoy/extensions/transport_sockets/tls/v3/common.proto
Expand Up @@ -151,7 +151,11 @@ message TlsCertificate {
// TLS private key is not password encrypted.
config.core.v3.DataSource password = 3 [(udpa.annotations.sensitive) = true];

// [#not-implemented-hide:]
// The OCSP response to be stapled with this certificate during the handshake.
// The response must be DER-encoded if provided as a ``filename`` or
// ``inline_bytes``, and PEM-encoded if provided through ``inline_string``.
// The response must be unexpired as of configuration time and pertain to
// only one certificate.
config.core.v3.DataSource ocsp_staple = 4;

// [#not-implemented-hide:]
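Review bot: the new doc comment on `ocsp_staple = 4` states the response "must be unexpired as of configuration time", but the stapling docs added in this PR introduce `envoy.reloadable_features.validate_ocsp_expiration_at_config_time`, which disables exactly that check; the field comment should say the config-time expiration check is subject to that runtime flag. It should also state the failure mode when a supplied response does not meet these requirements (the configuration is rejected, per the `OcspStaplePolicy` comments), so operators know what to expect before pushing a config.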
Expand Down Expand Up @@ -205,7 +209,7 @@ message CertificateValidationContext {
ACCEPT_UNTRUSTED = 1;
}

reserved 4;
reserved 4, 5;

reserved "verify_subject_alt_name";

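Review bot: `reserved 4, 5;` reserves the number of the removed `require_ocsp_staple = 5`, but the field name is not reserved; this message already reserves `"verify_subject_alt_name"` for the same reason, so add `"require_ocsp_staple"` to that `reserved` statement to keep a future field from reusing the name in JSON/YAML configs.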
Expand Down Expand Up @@ -312,9 +316,6 @@ message CertificateValidationContext {
// <envoy_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
repeated type.matcher.v3.StringMatcher match_subject_alt_names = 9;

// [#not-implemented-hide:] Must present a signed time-stamped OCSP response.
google.protobuf.BoolValue require_ocsp_staple = 5;

// [#not-implemented-hide:] Must present signed certificate time-stamp.
google.protobuf.BoolValue require_signed_certificate_timestamp = 6;

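Review bot: the removal of `require_ocsp_staple = 5` is not mentioned in the `docs/root/version_history/current.rst` entry added by this PR; the field was `[#not-implemented-hide:]`, so the risk is low, but a one-line note that it was removed and its number reserved helps anyone diffing the v3 API surface.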
27 changes: 26 additions & 1 deletion api/envoy/extensions/transport_sockets/tls/v3/tls.proto
Expand Up @@ -54,11 +54,31 @@ message UpstreamTlsContext {
google.protobuf.UInt32Value max_session_keys = 4;
}

// [#next-free-field: 8]
// [#next-free-field: 9]
message DownstreamTlsContext {
option (udpa.annotations.versioning).previous_message_type =
"envoy.api.v2.auth.DownstreamTlsContext";

enum OcspStaplePolicy {
// OCSP responses are optional. Invalid or expired OCSP
// responses are rejected at config time. If an OCSP
// response expires before a config update, it is no
// longer stapled.
SKIP_STAPLING_IF_EXPIRED = 0;

// OCSP responses are required on all certificates for a
// configuration to be deemed valid. If an OCSP response
// expires before a config update, subsequent TLS
// handshakes for that certificate are aborted.
STAPLING_REQUIRED = 1;

// OCSP responses are optional. Invalid or expired OCSP
// responses are rejected at config time. If an OCSP
// response expires before a config update, subsequent
// TLS handshakes for that certificate are aborted.
REJECT_CONNECTION_ON_EXPIRED = 2;
}

// Common TLS context settings.
CommonTlsContext common_tls_context = 1;

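Review bot: the `OcspStaplePolicy` comments leave two behaviours undocumented. First, `SKIP_STAPLING_IF_EXPIRED = 0` is the default and is the fail-open choice: a certificate keeps being served without a staple once its response expires, so the comment should say that operators who want fail-closed behaviour must select `STAPLING_REQUIRED` or `REJECT_CONNECTION_ON_EXPIRED`. Second, the `ssl.rst` text in this PR says must-staple certificates require a valid response "regardless of the OCSP staple policy", which is not visible from the enum; one sentence here noting that the policy never relaxes must-staple would prevent surprises.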
Expand Down Expand Up @@ -96,6 +116,11 @@ message DownstreamTlsContext {
lt {seconds: 4294967296}
gte {}
}];

// Config for whether to use certificates if they do not have
// an accompanying OCSP response or if the response expires at runtime.
// Defaults to SKIP_STAPLING_IF_EXPIRED
OcspStaplePolicy ocsp_staple_policy = 8 [(validate.rules).enum = {defined_only: true}];
}

// TLS context shared by both client and server TLS contexts.
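Review bot: the comment on `ocsp_staple_policy = 8` is missing its terminating period after `SKIP_STAPLING_IF_EXPIRED`, and "Config for whether to use certificates if they do not have an accompanying OCSP response or if the response expires at runtime" does not say that the no-response and expired cases are treated differently per enum value; suggest "Policy for certificates whose OCSP response is absent or expires at runtime; see `OcspStaplePolicy`. Defaults to `SKIP_STAPLING_IF_EXPIRED`."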
11 changes: 6 additions & 5 deletions api/envoy/extensions/transport_sockets/tls/v4alpha/common.proto
27 changes: 26 additions & 1 deletion api/envoy/extensions/transport_sockets/tls/v4alpha/tls.proto
4 changes: 4 additions & 0 deletions docs/root/configuration/listeners/stats.rst
Expand Up @@ -29,6 +29,10 @@ Every listener has a statistics tree rooted at *listener.<address>.* with the fo
ssl.fail_verify_error, Counter, Total TLS connections that failed CA verification
ssl.fail_verify_san, Counter, Total TLS connections that failed SAN verification
ssl.fail_verify_cert_hash, Counter, Total TLS connections that failed certificate pinning verification
ssl.ocsp_staple_failed, Counter, Total TLS connections that failed compliance with the OCSP policy
ssl.ocsp_staple_omitted, Counter, Total TLS connections that succeeded without stapling an OCSP response
ssl.ocsp_staple_responses, Counter, Total TLS connections where the server was capable of stapling an OCSP response
ssl.ocsp_staple_requests, Counter, Total TLS connections where the client requested an OCSP staple
ssl.ciphers.<cipher>, Counter, Total successful TLS connections that used cipher <cipher>
ssl.curves.<curve>, Counter, Total successful TLS connections that used ECDHE curve <curve>
ssl.sigalgs.<sigalg>, Counter, Total successful TLS connections that used signature algorithm <sigalg>
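Review bot: the description of `ssl.ocsp_staple_responses` ("Total TLS connections where the server was capable of stapling an OCSP response") is ambiguous next to `ssl.ocsp_staple_requests`: it is unclear whether it counts connections on which a staple was actually sent or only those where a valid response was available. State which, since the gap between `requests` and `responses` is what an operator would alert on; consider also ordering the four new rows as requests, responses, omitted, failed so they read in handshake order.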
1 change: 1 addition & 0 deletions docs/root/configuration/observability/statistics.rst
Expand Up @@ -25,6 +25,7 @@ Server related statistics are rooted at *server.* with following statistics:
total_connections, Gauge, Total connections of both new and old Envoy processes
version, Gauge, Integer represented version number based on SCM revision or :ref:`stats_server_version_override <envoy_v3_api_field_config.bootstrap.v3.Bootstrap.stats_server_version_override>` if set.
days_until_first_cert_expiring, Gauge, Number of days until the next certificate being managed will expire
seconds_until_first_ocsp_response_expiring, Gauge, Number of seconds until the next OCSP response being managed will expire
hot_restart_epoch, Gauge, Current hot restart epoch -- an integer passed via command line flag `--restart-epoch` usually indicating generation.
hot_restart_generation, Gauge, Current hot restart generation -- like hot_restart_epoch but computed automatically by incrementing from parent.
initialization_time_ms, Histogram, Total time taken for Envoy initialization in milliseconds. This is the time from server start-up until the worker threads are ready to accept new connections
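Review bot: `seconds_until_first_ocsp_response_expiring` sits beside `days_until_first_cert_expiring` with a different unit; seconds are a reasonable choice for short-lived OCSP responses, but the description should say what the gauge reports when no OCSP responses are configured or when the earliest one has already expired, otherwise a 0 on a dashboard cannot be told apart from "none configured".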
39 changes: 37 additions & 2 deletions docs/root/intro/arch_overview/security/ssl.rst
Expand Up @@ -110,6 +110,7 @@ Example configuration
tls_certificates:
certificate_chain: { "filename": "/cert.crt" }
private_key: { "filename": "/cert.key" }
ocsp_response: { "filename": "/ocsp_response.der" }
validation_context:
match_subject_alt_names:
exact: "foo"
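Review bot: the example configuration adds `ocsp_response: { "filename": "/ocsp_response.der" }`, but the field added to `TlsCertificate` in `common.proto` by this PR is `ocsp_staple`, so the snippet would be rejected as written; change the key to `ocsp_staple`.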
Expand Down Expand Up @@ -149,14 +150,17 @@ certificates. These may be a mix of RSA and P-256 ECDSA certificates. The follow

* Only one certificate of a particular type (RSA or ECDSA) may be specified.
* Non-P-256 server ECDSA certificates are rejected.
* If the client supports P-256 ECDSA, a P-256 ECDSA certificate will be selected if present in the
:ref:`DownstreamTlsContext <envoy_v3_api_msg_extensions.transport_sockets.tls.v3.DownstreamTlsContext>`.
* If the client supports P-256 ECDSA, a P-256 ECDSA certificate will be selected if one is present in the
:ref:`DownstreamTlsContext <envoy_v3_api_msg_extensions.transport_sockets.tls.v3.DownstreamTlsContext>`
that is in compliance with the OCSP policy.
* If the client only supports RSA certificates, a RSA certificate will be selected if present in the
:ref:`DownstreamTlsContext <envoy_v3_api_msg_extensions.transport_sockets.tls.v3.DownstreamTlsContext>`.
* Otherwise, the first certificate listed is used. This will result in a failed handshake if the
client only supports RSA certificates and the server only has ECDSA certificates.
* Static and SDS certificates may not be mixed in a given :ref:`DownstreamTlsContext
<envoy_v3_api_msg_extensions.transport_sockets.tls.v3.DownstreamTlsContext>`.
* The selected certificate must adhere to the OCSP policy. If no
such certificate is found, the connection is refused.

Only a single TLS certificate is supported today for :ref:`UpstreamTlsContexts
<envoy_v3_api_msg_extensions.transport_sockets.tls.v3.UpstreamTlsContext>`.
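Review bot: the ECDSA bullet now requires a certificate "that is in compliance with the OCSP policy", but the RSA bullet that follows ("If the client only supports RSA certificates, a RSA certificate will be selected if present") was not updated, which reads as if policy compliance only applies to ECDSA selection. Apply the same qualifier to the RSA bullet (and "a RSA" should be "an RSA") so the final bullet about refusing the connection follows from both cases.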
Expand All @@ -168,6 +172,37 @@ TLS certificates can be specified in the static resource or can be fetched remot
Certificate rotation is supported for static resources by sourcing :ref:`SDS configuration from the filesystem <xds_certificate_rotation>` or by pushing updates from the SDS server.
Please see :ref:`SDS <config_secret_discovery_service>` for details.

.. _arch_overview_ssl_ocsp_stapling:

OCSP Stapling
-------------

:ref:`DownstreamTlsContexts <envoy_v3_api_msg_extensions.transport_sockets.tls.v3.DownstreamTlsContext>` support
stapling an Online Certificate Status Protocol (OCSP) response to a TLS certificate during the handshake. The
``ocsp_staple`` field allows the operator to supply a pre-computed OCSP response per-certificate in the context.
A single response cannot pertain to multiple certificates. OCSP responses must be valid at configuration time,
but responses may not always be provided and may expire at runtime.
:ref:`DownstreamTlsContexts <envoy_v3_api_msg_extensions.transport_sockets.tls.v3.DownstreamTlsContext>`
support an ``ocsp_staple_policy`` field to determine whether envoy should stop using a certificate or
continue without stapling when its associated OCSP response expires.
Certificates marked as `must-staple <https://tools.ietf.org/html/rfc7633>`_ require a
valid OCSP response regardless of the OCSP staple policy. Envoy will not use a must-staple certificate for
new connections after its OCSP response expires.

The following runtime flags are provided to adjust the requirements of OCSP responses and override
the OCSP policy. These flags default to ``true``.

* ``envoy.reloadable_features.require_ocsp_response_for_must_staple_certs``: Disabling this allows the operator to omit an OCSP response for must-staple certs in the config.
* ``envoy.reloadable_features.validate_ocsp_expiration_at_config_time``: Disabling this allows OCSP responses to be expired at configuration time.
* ``envoy.reloadable_features.validate_ocsp_expiration_on_connection``: Disabling this will staple OCSP responses on new connections even if they are expired.

OCSP responses are ignored for :ref:`UpstreamTlsContexts
<envoy_v3_api_msg_extensions.transport_sockets.tls.v3.UpstreamTlsContext>`.

.. attention::

Envoy will reject a new connection if at the time no certificates comply with the OCSP staple policy.

.. _arch_overview_ssl_auth_filter:

Authentication filter
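Review bot: in the new OCSP Stapling section, "envoy should stop using a certificate" should use the capitalised "Envoy" as elsewhere on the page, and the attention block at the end repeats the bullet added in the previous hunk ("If no such certificate is found, the connection is refused"); keep one of the two. The runtime-flag list should also spell out the consequence of disabling `validate_ocsp_expiration_on_connection`: clients receive an expired response, so the flag is a rollback aid rather than a steady-state setting.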
1 change: 1 addition & 0 deletions docs/root/version_history/current.rst
Expand Up @@ -77,6 +77,7 @@ New Features
* stats: allow configuring histogram buckets for stats sinks and admin endpoints that support it.
* tap: added :ref:`generic body matcher<envoy_v3_api_msg_config.tap.v3.HttpGenericBodyMatch>` to scan http requests and responses for text or hex patterns.
* tcp: switched the TCP connection pool to the new "shared" connection pool, sharing a common code base with HTTP and HTTP/2. Any unexpected behavioral changes can be temporarily reverted by setting `envoy.reloadable_features.new_tcp_connection_pool` to false.
* tls: added OCSP stapling support through the :ref:`ocsp_staple <envoy_v3_api_msg_extensions.transport_sockets.tls.v3.TlsCertificate>` and :ref:`ocsp_staple_policy <envoy_v3_api_msg_extensions.transport_sockets.tls.v3.DownstreamTlsContext>` configuration options. See :ref:`OCSP Stapling <arch_overview_ssl_ocsp_stapling>` for usage and runtime flags.
* watchdog: support randomizing the watchdog's kill timeout to prevent synchronized kills via a maximium jitter parameter :ref:`max_kill_timeout_jitter<envoy_v3_api_field_config.bootstrap.v3.Watchdog.max_kill_timeout_jitter>`.
* watchdog: supports an extension point where actions can be registered to fire on watchdog events such as miss, megamiss, kill and multikill. See ref:`watchdog actions<envoy_v3_api_field_config.bootstrap.v3.Watchdog.actions>`.
* xds: added :ref:`extension config discovery<envoy_v3_api_msg_config.core.v3.ExtensionConfigSource>` support for HTTP filters.
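Review bot: the two `:ref:` targets in the tls entry point at message anchors (`envoy_v3_api_msg_extensions.transport_sockets.tls.v3.TlsCertificate` and `...DownstreamTlsContext`) while the link text names fields; the neighbouring watchdog entry uses a field anchor (`envoy_v3_api_field_config.bootstrap.v3.Watchdog.max_kill_timeout_jitter`), so use `envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.ocsp_staple` and `envoy_v3_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.ocsp_staple_policy` so the links land on the fields.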
5 changes: 4 additions & 1 deletion generated_api_shadow/envoy/admin/v3/certs.proto
5 changes: 4 additions & 1 deletion generated_api_shadow/envoy/admin/v4alpha/certs.proto