diff --git a/docs/root/intro/arch_overview/security/ssl.rst b/docs/root/intro/arch_overview/security/ssl.rst index 4a5d4f0ea2469..33ec114b9aae6 100644 --- a/docs/root/intro/arch_overview/security/ssl.rst +++ b/docs/root/intro/arch_overview/security/ssl.rst @@ -24,7 +24,7 @@ requirements (TLS1.2, SNI, etc.). Envoy supports the following TLS features: across hot restarts and between parallel Envoy instances (typically useful in a front proxy configuration). * **BoringSSL private key methods**: TLS private key operations (signing and decrypting) can be - performed asynchronously from an extension. This allows extending Envoy to support various key + performed asynchronously from :ref:`an extension `. This allows extending Envoy to support various key management schemes (such as TPM) and TLS acceleration. This mechanism uses `BoringSSL private key method interface `_. 
@@ -182,6 +182,30 @@ infrastructure. Client TLS authentication filter :ref:`configuration reference `. +.. _arch_overview_ssl_custom_handshaker: + +Custom handshaker extension +--------------------------- + +The :ref:`CommonTlsContext ` +has a ``custom_handshaker`` extension which can be used to override SSL handshake +behavior entirely. This is useful for implementing any TLS behavior which is +difficult to express with callbacks. It is not necessary to write a custom +handshaker to use private key methods, see the +:ref:`private key method interface ` described above. + +To avoid reimplementing all of the `Ssl::ConnectionInfo `_ interface, a custom +implementation might choose to extend +`Envoy::Extensions::TransportSockets::Tls::SslHandshakerImpl `_. + +Custom handshakers need to explicitly declare via `HandshakerCapabilities `_ +which TLS features they are responsible for. The default Envoy handshaker will +manage the remainder. + +A useful example handshaker, named ``SslHandshakerImplForTest``, lives in +`this test `_ +and demonstrates special-case ``SSL_ERROR`` handling and callbacks. + .. _arch_overview_ssl_trouble_shooting: Trouble shooting diff --git a/docs/root/version_history/current.rst b/docs/root/version_history/current.rst index 627d8ad9d0d11..1ee88c864254c 100644 --- a/docs/root/version_history/current.rst +++ b/docs/root/version_history/current.rst 
@@ -108,6 +108,7 @@ New Features * tap: added :ref:`generic body matcher` to scan http requests and responses for text or hex patterns. * tcp: switched the TCP connection pool to the new "shared" connection pool, sharing a common code base with HTTP and HTTP/2. Any unexpected behavioral changes can be temporarily reverted by setting `envoy.reloadable_features.new_tcp_connection_pool` to false. * tcp_proxy: allow earlier network filters to set metadataMatchCriteria on the connection StreamInfo to influence load balancing. +* tls: introduce new :ref:`extension point` for overriding :ref:`TLS handshaker ` behavior. * tls: switched from using socket BIOs to using custom BIOs that know how to interact with IoHandles. The feature can be disabled by setting runtime feature `envoy.reloadable_features.tls_use_io_handle_bio` to false. * tracing: added ability to set some :ref:`optional segment fields` in the AWS X-Ray tracer. * udp_proxy: added :ref:`hash_policies ` to support hash based routing.
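Review bot: in the first ssl.rst hunk (the ``BoringSSL private key methods`` bullet at ``@@ -24,7 +24,7``), the target of the new ``:ref:`an extension ``` role is not visible in the patch, so please confirm it resolves to the same anchor that the new custom handshaker section later calls "the private key method interface described above"; the two cross-references describe the same feature and should land on the same page. The wording change itself is fine.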
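Review bot: in the second ssl.rst hunk (``@@ -182,6 +182,30``), the ``HandshakerCapabilities`` paragraph states that custom handshakers declare which TLS features they are responsible for and that the default handshaker "will manage the remainder", but it does not say what happens when a declared capability is not actually implemented: once a feature is claimed, Envoy no longer performs it, so a handshaker that claims a verification or certificate-handling capability and then skips the work leaves connections unprotected without any error. Suggest adding a sentence along the lines of "Declaring a capability disables Envoy's own handling of that feature; a custom handshaker must implement every feature it declares or leave that capability unset", ideally with the list of capability fields, so the security contract is explicit. Also worth qualifying that ``SslHandshakerImplForTest`` is test code and not a supported reference implementation, since the last paragraph recommends it without that caveat.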
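Review bot: in the version_history/current.rst hunk, the new entry reads "tls: introduce new ... extension point" while the surrounding entries in this list are written in the past tense ("tap: added", "tcp: switched", "tls: switched", "tracing: added", "udp_proxy: added"); change it to "tls: added a new :ref:`extension point` for overriding :ref:`TLS handshaker ` behavior." for consistency. Its alphabetical placement before the existing "tls: switched ..." entry is correct.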