docs: clarify the new default client cipher list by desimone · Pull Request #16474 · envoyproxy/envoy

desimone · 2021-05-13T04:49:57Z

For an explanation of how to fill out the fields, please see the relevant section
in PULL_REQUESTS.md

Commit Message: docs: clarify the new default client cipher list
Additional Description: These changes clarify that as of v1.16 the default cipher suite is different for client and servers.
Risk Level: Low
Testing: N/A
Docs Changes: Yes
Release Notes: N/A
Platform Specific Features: N/A

Fixes #16469

repokitteh-read-only · 2021-05-13T04:49:59Z

Hi @desimone, welcome and thank you for your contribution.

We will try to review your Pull Request as quickly as possible.

In the meantime, please take a look at the contribution guidelines if you have not done so already.

🐱

Caused by: #16474 was opened by desimone.

see: more, trace.

PiotrSikora

You need to fix format (run ./ci/run_envoy_docker.sh './ci/do_ci.sh fix_format', ./ci/do_ci.sh fix_format or ./tools/proto_format/proto_format.sh fix), otherwise LGTM. Thanks!

antoniovicente · 2021-05-14T20:07:57Z

cc @htuch

These changes need to be applied to https://github.com/envoyproxy/envoy/blob/d26b16c328e594e80ea7fba6243e336d2d2be6aa/api/envoy/extensions/transport_sockets/tls/v3/common.proto

And the scripts that Piotr mentions in #16474 (review) need to be run to regenerate shadows from the canonical source mentioned above.

repokitteh-read-only · 2021-05-14T21:50:53Z

CC @envoyproxy/api-shepherds: Your approval is needed for changes made to api/envoy/.
envoyproxy/api-shepherds assignee is @htuch
CC @envoyproxy/api-watchers: FYI only for changes made to api/envoy/.

🐱

Caused by: #16474 was synchronize by desimone.

see: more, trace.

desimone · 2021-05-14T21:53:36Z

Reapplied the changes to the correct proto.

\cc @travisgroth can you help me with an assist on those scripts? They don't work with my M1 processor :/

htuch

Thanks, defer to @PiotrSikora to sign-off on the correctness of the cipher lists.

htuch · 2021-05-16T18:07:40Z

api/envoy/extensions/transport_sockets/tls/v3/common.proto

+  //   ECDHE-ECDSA-AES128-GCM-SHA256
+  //   ECDHE-RSA-AES128-GCM-SHA256
+  //   ECDHE-ECDSA-AES256-GCM-SHA384
+  //   ECDHE-RSA-AES256-GCM-SHA384


It would be nice if we could generate these from some canonical location that is shared with code. If we aren't going to change frequently this is fine though.

PiotrSikora · 2021-05-17T07:42:19Z

Thanks, defer to @PiotrSikora to sign-off on the correctness of the cipher lists.

I already did (#16474 (review)).

htuch

LGTM modulo nit. Please fix format as suggested to @PiotrSikora

api/envoy/extensions/transport_sockets/tls/v3/common.proto

travisgroth · 2021-05-18T14:38:22Z

@PiotrSikora I'm getting an error running the format commands:

% ./tools/proto_format/proto_format.sh fix
api/envoy/extensions/transport_sockets/tls/v3/common.proto
Starting local Bazel server and connecting to it...
INFO: SHA256 (https://golang.org/dl/?mode=json&include=all) = c71d9d3a5e2d4baaa5ae93319092dde1d43670c2ddf0ee38507695792febe51d
INFO: Analyzed target @envoy_api_canonical//versioning:active_protos (337 packages loaded, 2034 targets configured).
INFO: Found 1 target...
INFO: From CcCmakeMakeRule external/envoy/bazel/foreign_cc/zlib/include [for host]:

INFO: From CcCmakeMakeRule external/envoy/bazel/foreign_cc/zlib/include:

INFO: From ProtoCompile external/com_google_protobuf/python/google/protobuf/empty_pb2.py:
external/com_google_protobuf/python: warning: directory does not exist.
INFO: From ProtoCompile external/com_google_protobuf/python/google/protobuf/compiler/plugin_pb2.py:
external/com_google_protobuf/python: warning: directory does not exist.
INFO: From ProtoCompile external/com_google_googleapis/google/api/annotations_pb2.py:
external/com_google_protobuf/python: warning: directory does not exist.
INFO: From ProtoCompile external/com_google_protobuf/python/google/protobuf/wrappers_pb2.py:
external/com_google_protobuf/python: warning: directory does not exist.
INFO: From ProtoCompile tools/type_whisperer/types_pb2.py:
bazel-out/darwin-opt-exec-2B5CBBC6/bin/external/com_envoyproxy_protoc_gen_validate: warning: directory does not exist.
external/com_google_protobuf/python: warning: directory does not exist.
bazel-out/darwin-opt-exec-2B5CBBC6/bin/external/com_google_googleapis: warning: directory does not exist.
INFO: From ProtoCompile external/com_github_cncf_udpa/udpa/annotations/status_pb2.py:
bazel-out/darwin-opt-exec-2B5CBBC6/bin/external/com_envoyproxy_protoc_gen_validate: warning: directory does not exist.
external/com_google_protobuf/python: warning: directory does not exist.
bazel-out/darwin-opt-exec-2B5CBBC6/bin/external/com_google_googleapis: warning: directory does not exist.
INFO: From ProtoCompile external/com_google_protobuf/python/google/protobuf/struct_pb2.py:
external/com_google_protobuf/python: warning: directory does not exist.
INFO: From ProtoCompile external/envoy_api_canonical/envoy/annotations/deprecation_pb2.py:
bazel-out/darwin-opt-exec-2B5CBBC6/bin/external/com_envoyproxy_protoc_gen_validate: warning: directory does not exist.
external/com_google_protobuf/python: warning: directory does not exist.
bazel-out/darwin-opt-exec-2B5CBBC6/bin/external/com_google_googleapis: warning: directory does not exist.
INFO: From ProtoCompile external/com_google_protobuf/python/google/protobuf/duration_pb2.py:
external/com_google_protobuf/python: warning: directory does not exist.
INFO: From ProtoCompile external/com_google_googleapis/google/api/httpbody_pb2.py:
external/com_google_protobuf/python: warning: directory does not exist.
INFO: From ProtoCompile external/com_google_protobuf/python/google/protobuf/timestamp_pb2.py:
external/com_google_protobuf/python: warning: directory does not exist.
INFO: From ProtoCompile external/com_google_protobuf/python/google/protobuf/source_context_pb2.py:
external/com_google_protobuf/python: warning: directory does not exist.
INFO: From ProtoCompile external/com_github_cncf_udpa/udpa/annotations/security_pb2.py:
bazel-out/darwin-opt-exec-2B5CBBC6/bin/external/com_envoyproxy_protoc_gen_validate: warning: directory does not exist.
external/com_google_protobuf/python: warning: directory does not exist.
bazel-out/darwin-opt-exec-2B5CBBC6/bin/external/com_google_googleapis: warning: directory does not exist.
INFO: From ProtoCompile external/envoy_api_canonical/envoy/annotations/resource_pb2.py:
bazel-out/darwin-opt-exec-2B5CBBC6/bin/external/com_envoyproxy_protoc_gen_validate: warning: directory does not exist.
external/com_google_protobuf/python: warning: directory does not exist.
bazel-out/darwin-opt-exec-2B5CBBC6/bin/external/com_google_googleapis: warning: directory does not exist.
INFO: From ProtoCompile external/com_github_cncf_udpa/udpa/annotations/versioning_pb2.py:
bazel-out/darwin-opt-exec-2B5CBBC6/bin/external/com_envoyproxy_protoc_gen_validate: warning: directory does not exist.
external/com_google_protobuf/python: warning: directory does not exist.
bazel-out/darwin-opt-exec-2B5CBBC6/bin/external/com_google_googleapis: warning: directory does not exist.
INFO: From ProtoCompile external/com_google_googleapis/google/api/http_pb2.py:
external/com_google_protobuf/python: warning: directory does not exist.
INFO: From ProtoCompile external/com_github_cncf_udpa/udpa/annotations/sensitive_pb2.py:
bazel-out/darwin-opt-exec-2B5CBBC6/bin/external/com_envoyproxy_protoc_gen_validate: warning: directory does not exist.
external/com_google_protobuf/python: warning: directory does not exist.
bazel-out/darwin-opt-exec-2B5CBBC6/bin/external/com_google_googleapis: warning: directory does not exist.
INFO: From ProtoCompile tools/type_whisperer/api_type_db_pb2.py:
bazel-out/darwin-opt-exec-2B5CBBC6/bin/external/com_envoyproxy_protoc_gen_validate: warning: directory does not exist.
external/com_google_protobuf/python: warning: directory does not exist.
bazel-out/darwin-opt-exec-2B5CBBC6/bin/external/com_google_googleapis: warning: directory does not exist.
INFO: From ProtoCompile external/com_envoyproxy_protoc_gen_validate/validate/validate_pb2.py:
external/com_google_protobuf/python: warning: directory does not exist.
INFO: From ProtoCompile external/com_google_protobuf/python/google/protobuf/any_pb2.py:
external/com_google_protobuf/python: warning: directory does not exist.
INFO: From ProtoCompile external/com_google_protobuf/python/google/protobuf/type_pb2.py:
external/com_google_protobuf/python: warning: directory does not exist.
INFO: From ProtoCompile external/com_google_protobuf/python/google/protobuf/descriptor_pb2.py:
external/com_google_protobuf/python: warning: directory does not exist.
INFO: From ProtoCompile external/com_github_cncf_udpa/udpa/annotations/migrate_pb2.py:
bazel-out/darwin-opt-exec-2B5CBBC6/bin/external/com_envoyproxy_protoc_gen_validate: warning: directory does not exist.
external/com_google_protobuf/python: warning: directory does not exist.
bazel-out/darwin-opt-exec-2B5CBBC6/bin/external/com_google_googleapis: warning: directory does not exist.
INFO: From ProtoCompile external/com_google_protobuf/python/google/protobuf/api_pb2.py:
external/com_google_protobuf/python: warning: directory does not exist.
INFO: From ProtoCompile external/com_google_googleapis/google/rpc/status_pb2.py:
external/com_google_protobuf/python: warning: directory does not exist.
INFO: From ProtoCompile external/com_google_protobuf/python/google/protobuf/field_mask_pb2.py:
external/com_google_protobuf/python: warning: directory does not exist.
INFO: From TypeWhisperer external/com_google_protobuf/descriptor_proto/google/protobuf/descriptor.proto.types.pb_text:
./external/com_google_protobuf: warning: directory does not exist.
INFO: From TypeWhisperer external/com_google_protobuf/any_proto/google/protobuf/any.proto.types.pb_text:
./external/com_google_protobuf: warning: directory does not exist.
INFO: From TypeWhisperer external/com_google_protobuf/wrappers_proto/google/protobuf/wrappers.proto.types.pb_text:
./external/com_google_protobuf: warning: directory does not exist.
INFO: From TypeWhisperer external/com_google_protobuf/duration_proto/google/protobuf/duration.proto.types.pb_text:
./external/com_google_protobuf: warning: directory does not exist.
INFO: From TypeWhisperer external/com_google_protobuf/timestamp_proto/google/protobuf/timestamp.proto.types.pb_text:
./external/com_google_protobuf: warning: directory does not exist.
INFO: From TypeWhisperer external/com_google_protobuf/struct_proto/google/protobuf/struct.proto.types.pb_text:
./external/com_google_protobuf: warning: directory does not exist.
INFO: From TypeWhisperer external/com_google_protobuf/empty_proto/google/protobuf/empty.proto.types.pb_text:
./external/com_google_protobuf: warning: directory does not exist.
ERROR: /private/var/tmp/_bazel_tgroth/317f6559654b1ca2fa839199a5ffc255/external/com_google_protobuf/BUILD:356:15: protoxform external/com_google_protobuf/struct_proto/google/protobuf/struct.proto.active_or_frozen.proto failed (Exit 1): protoc failed: error executing command bazel-out/darwin-opt-exec-2B5CBBC6/bin/external/com_google_protobuf/protoc -I./external/com_google_protobuf ... (remaining 6 argument(s) skipped)

Use --sandbox_debug to see verbose messages from the sandbox protoc failed: error executing command bazel-out/darwin-opt-exec-2B5CBBC6/bin/external/com_google_protobuf/protoc -I./external/com_google_protobuf ... (remaining 6 argument(s) skipped)

Use --sandbox_debug to see verbose messages from the sandbox
./external/com_google_protobuf: warning: directory does not exist.
Traceback (most recent call last):
  File "/private/var/tmp/_bazel_tgroth/317f6559654b1ca2fa839199a5ffc255/sandbox/darwin-sandbox/672/execroot/envoy/bazel-out/darwin-opt-exec-2B5CBBC6/bin/tools/protoxform/protoxform.runfiles/envoy/tools/protoxform/protoxform.py", line 11, in <module>
    from tools.protoxform import migrate, utils
  File "/private/var/tmp/_bazel_tgroth/317f6559654b1ca2fa839199a5ffc255/sandbox/darwin-sandbox/672/execroot/envoy/bazel-out/darwin-opt-exec-2B5CBBC6/bin/tools/protoxform/protoxform.runfiles/envoy/tools/protoxform/migrate.py", line 14, in <module>
    from google.api import annotations_pb2
ModuleNotFoundError: No module named 'google.api'
--api_proto_plugin_out: protoc-gen-api_proto_plugin: Plugin failed with status code 1.
Aspect //tools/protoxform:protoxform.bzl%protoxform_aspect of @envoy_api_canonical//versioning:active_protos failed to build
Use --verbose_failures to see the command lines of failed build steps.
INFO: Elapsed time: 139.672s, Critical Path: 37.57s
INFO: 707 processes: 41 internal, 666 darwin-sandbox.
FAILED: Build did NOT complete successfully

Is there any setup needed to run that script? I tried via docker, which also failed, but it gave me no error output to triage.

PiotrSikora · 2021-05-18T21:00:04Z

Use --sandbox_debug to see verbose messages from the sandbox
./external/com_google_protobuf: warning: directory does not exist.
Traceback (most recent call last):
  File "/private/var/tmp/_bazel_tgroth/317f6559654b1ca2fa839199a5ffc255/sandbox/darwin-sandbox/672/execroot/envoy/bazel-out/darwin-opt-exec-2B5CBBC6/bin/tools/protoxform/protoxform.runfiles/envoy/tools/protoxform/protoxform.py", line 11, in <module>
    from tools.protoxform import migrate, utils
  File "/private/var/tmp/_bazel_tgroth/317f6559654b1ca2fa839199a5ffc255/sandbox/darwin-sandbox/672/execroot/envoy/bazel-out/darwin-opt-exec-2B5CBBC6/bin/tools/protoxform/protoxform.runfiles/envoy/tools/protoxform/migrate.py", line 14, in <module>
    from google.api import annotations_pb2
ModuleNotFoundError: No module named 'google.api'

Is there any setup needed to run that script? I tried via docker, which also failed, but it gave me no error output to triage.

It looks that you're missing google-api-python-client. I don't believe we have any setup script for that, unfortunately, but you can install it using pip install google-api-python-client.

It's weird that the Docker would fail, since it should be self-contained, and it works fine for me:

$ git checkout desimone/16469

$ ./ci/run_envoy_docker.sh './ci/do_ci.sh fix_format'
[...]

$ git diff --stat
 api/envoy/extensions/transport_sockets/tls/v4alpha/common.proto                  | 28 ++++++++++++++++++++++++----
 generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/common.proto      | 28 ++++++++++++++++++++++++----
 generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/common.proto | 28 ++++++++++++++++++++++++----
 3 files changed, 72 insertions(+), 12 deletions(-)

htuch · 2021-05-19T02:18:11Z

Maybe @travisgroth isn't running in Docker..

travisgroth · 2021-05-19T02:36:22Z

@htuch

% ./ci/run_envoy_docker.sh './ci/do_ci.sh fix_format'
No remote cache is set, skipping setup remote cache.
ENVOY_SRCDIR=/source
ENVOY_BUILD_TARGET=//source/exe:envoy-static
ENVOY_BUILD_ARCH=x86_64
$TEST_TMPDIR defined: output root default is '/build/tmp' and max_idle_secs default is '15'.
Starting local Bazel server and connecting to it...
Skip setting up Envoy Filter Example.
building using 4 CPUs
building for x86_64
clang toolchain with libc++ configured
fix_format...
api/envoy/extensions/transport_sockets/tls/v3/common.proto
protoxform_test...
$TEST_TMPDIR defined: output root default is '/build/tmp' and max_idle_secs default is '15'.
Starting local Bazel server and connecting to it...
Loading: 0 packages loaded
Loading: 0 packages loaded
Loading: 2 packages loaded
Loading: 2 packages loaded
$TEST_TMPDIR defined: output root default is '/build/tmp' and max_idle_secs default is '15'.
INFO: Analyzed target //tools/testdata/protoxform:fix_protos (65 packages loaded, 1241 targets configured).
INFO: Found 1 target...
INFO: From CcCmakeMakeRule external/envoy/bazel/foreign_cc/zlib/include [for host]:

ERROR: /build/tmp/_bazel_envoybuild/b570b5ccd0454dc9af9f65ab1833764d/external/envoy/bazel/foreign_cc/BUILD:349:21: TreeArtifact external/envoy/bazel/foreign_cc/zlib/include was not created
ERROR: /build/tmp/_bazel_envoybuild/b570b5ccd0454dc9af9f65ab1833764d/external/envoy/bazel/foreign_cc/BUILD:349:21: TreeArtifact external/envoy/bazel/foreign_cc/copy_zlib/zlib was not created
ERROR: /build/tmp/_bazel_envoybuild/b570b5ccd0454dc9af9f65ab1833764d/external/envoy/bazel/foreign_cc/BUILD:349:21: not all outputs were created or valid
Aspect //tools/protoxform:protoxform.bzl%protoxform_aspect of //tools/testdata/protoxform:fix_protos failed to build
Use --verbose_failures to see the command lines of failed build steps.
INFO: Elapsed time: 13.459s, Critical Path: 4.92s
INFO: 27 processes: 20 internal, 7 processwrapper-sandbox.
FAILED: Build did NOT complete successfully

travisgroth · 2021-05-19T02:46:22Z

@PiotrSikora thanks that did the trick.

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>

PiotrSikora

Thanks!

PiotrSikora · 2021-05-19T04:52:41Z

(main branch is broken, that's why the format check fails...)

desimone · 2021-05-20T04:43:34Z

LMK if you need anything additional on my end

htuch · 2021-05-21T03:24:13Z

Try mergre main and push again. Thanks.

desimone · 2021-05-21T03:55:55Z

git merge origin/main && git push ✅

htuch

LGTM, thanks!

htuch · 2021-05-23T12:51:26Z

/lgtm api

These changes clarify that as of v1.16 the default cipher suite is different for client and servers. Risk Level: Low Testing: N/A Docs Changes: Yes Release Notes: N/A Platform Specific Features: N/A Fixes envoyproxy#16469 Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>

desimone force-pushed the desimone/16469 branch from 80c9b59 to d26b16c Compare May 13, 2021 04:50

PiotrSikora previously approved these changes May 14, 2021

View reviewed changes

antoniovicente assigned PiotrSikora, htuch and antoniovicente May 14, 2021

desimone dismissed PiotrSikora’s stale review via 640ddbf May 14, 2021 21:50

desimone force-pushed the desimone/16469 branch from d26b16c to 640ddbf Compare May 14, 2021 21:50

repokitteh-read-only bot added the api label May 14, 2021

desimone force-pushed the desimone/16469 branch from ded8583 to 2a4cac7 Compare May 14, 2021 21:57

htuch reviewed May 16, 2021

View reviewed changes

antoniovicente removed their assignment May 17, 2021

htuch suggested changes May 18, 2021

View reviewed changes

api/envoy/extensions/transport_sockets/tls/v3/common.proto Outdated Show resolved Hide resolved

docs: clarify the new default client cipher list

91df41c

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>

desimone force-pushed the desimone/16469 branch from 7f39d17 to 91df41c Compare May 19, 2021 03:34

desimone requested review from PiotrSikora and htuch May 19, 2021 03:34

PiotrSikora approved these changes May 19, 2021

View reviewed changes

Merge remote-tracking branch 'origin/main' into desimone/16469

fdcb911

htuch reviewed May 23, 2021

View reviewed changes

repokitteh-read-only bot removed the api label May 23, 2021

htuch merged commit c94e646 into envoyproxy:main May 23, 2021

Conversation

desimone commented May 13, 2021

Uh oh!

repokitteh-read-only bot commented May 13, 2021

Uh oh!

PiotrSikora left a comment

Choose a reason for hiding this comment

Uh oh!

antoniovicente commented May 14, 2021

Uh oh!

repokitteh-read-only bot commented May 14, 2021

Uh oh!

desimone commented May 14, 2021

Uh oh!

htuch left a comment

Choose a reason for hiding this comment

Uh oh!

htuch May 16, 2021

Choose a reason for hiding this comment

Uh oh!

PiotrSikora commented May 17, 2021

Uh oh!

htuch left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

travisgroth commented May 18, 2021

Uh oh!

PiotrSikora commented May 18, 2021

Uh oh!

htuch commented May 19, 2021

Uh oh!

travisgroth commented May 19, 2021

Uh oh!

travisgroth commented May 19, 2021

Uh oh!

PiotrSikora left a comment

Choose a reason for hiding this comment

Uh oh!

PiotrSikora commented May 19, 2021

Uh oh!

desimone commented May 20, 2021

Uh oh!

htuch commented May 21, 2021

Uh oh!

desimone commented May 21, 2021

Uh oh!

htuch left a comment

Choose a reason for hiding this comment

Uh oh!

htuch commented May 23, 2021

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants