Skip to content

TLS: Allow specification of both typed and non-typed san matchers in config #20529

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
ggreenway merged 11 commits into from
Apr 25, 2022
Merged

TLS: Allow specification of both typed and non-typed san matchers in config #20529

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
85a2cea
Ignore non typed san matchers when both typed and non typed san matchers
pradeepcrao Mar 25, 2022
edbe61f
Merge remote-tracking branch 'upstream/main' into san_backwards
pradeepcrao Mar 25, 2022
c3300cc
Address feedback.
pradeepcrao Mar 28, 2022
326ad25
Merge remote-tracking branch 'upstream/main' into san_backwards
pradeepcrao Mar 28, 2022
9ef7193
Fix doc build failure.
pradeepcrao Mar 29, 2022
da2b461
Merge remote-tracking branch 'upstream/main' into san_backwards
pradeepcrao Mar 29, 2022
a47153f
Fix format.
pradeepcrao Mar 29, 2022
d32ac1f
Merge remote-tracking branch 'upstream/main' into san_backwards
pradeepcrao Apr 20, 2022
1e5c762
Fix format.
pradeepcrao Apr 20, 2022
508fc0c
Modify doc.
pradeepcrao Apr 21, 2022
c1177fe
Fix bad merge
pradeepcrao Apr 21, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 5 additions & 1 deletion api/envoy/extensions/transport_sockets/tls/v3/common.proto
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -448,8 +448,12 @@ message CertificateValidationContext {
// <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
repeated SubjectAltNameMatcher match_typed_subject_alt_names = 15;

// This field is deprecated in favor of ref:`match_typed_subject_alt_names
// This field is deprecated in favor of
// :ref:`match_typed_subject_alt_names
// <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`.
// Note that if both this field and :ref:`match_typed_subject_alt_names
// <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`
// are specified, the former (deprecated field) is ignored.
repeated type.matcher.v3.StringMatcher match_subject_alt_names = 9
[deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];

Expand Down
1 change: 1 addition & 0 deletions docs/root/version_history/current.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@ Minor Behavior Changes
----------------------
*Changes that may cause incompatibilities for some users, but should not for most*

* tls: if both :ref:`match_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_subject_alt_names>` and :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>` are specified, the former (deprecated) field is ignored. Previously, setting both fields would result in an error.
* tls: removed SHA-1 cipher suites from the server-side defaults.

Bug Fixes
Expand Down
19 changes: 14 additions & 5 deletions source/common/ssl/certificate_validation_context_config_impl.cc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,8 @@
#include "source/common/common/logger.h"
#include "source/common/config/datasource.h"

#include "spdlog/spdlog.h"

namespace Envoy {
namespace Ssl {

Expand Down Expand Up @@ -59,14 +61,21 @@ CertificateValidationContextConfigImpl::CertificateValidationContextConfigImpl(
std::vector<envoy::extensions::transport_sockets::tls::v3::SubjectAltNameMatcher>
CertificateValidationContextConfigImpl::getSubjectAltNameMatchers(
const envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext& config) {
if (!config.match_typed_subject_alt_names().empty() &&
!config.match_subject_alt_names().empty()) {
throw EnvoyException("SAN-based verification using both match_typed_subject_alt_names and "
Copy link
Copy Markdown
Member

@soulxu soulxu Mar 28, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should we keep a warning message for the user? since we ignore this quietly, the user won't know the match_subject_alt_names was ignored.

Copy link
Copy Markdown
Contributor Author

@pradeepcrao pradeepcrao Mar 28, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

"the deprecated match_subject_alt_names is not allowed");
}
std::vector<envoy::extensions::transport_sockets::tls::v3::SubjectAltNameMatcher>
subject_alt_name_matchers(config.match_typed_subject_alt_names().begin(),
config.match_typed_subject_alt_names().end());
// If typed subject alt name matchers are provided in the config, don't check
// for the deprecated non-typed field.
Copy link
Copy Markdown
Member

@soulxu soulxu Mar 28, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is minor behavior change we should add to release note I think?

Copy link
Copy Markdown
Member

@soulxu soulxu Mar 28, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also worth to update the API doc https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-certificatevalidationcontext

Copy link
Copy Markdown
Contributor Author

@pradeepcrao pradeepcrao Mar 28, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done. Could you please take a look?

if (!subject_alt_name_matchers.empty()) {
// Warn that we're ignoring the deprecated san matcher field, if both are
// specified.
if (!config.match_subject_alt_names().empty()) {
ENVOY_LOG_MISC(warn,
"Ignoring match_subject_alt_names as match_typed_subject_alt_names is also "
"specified, and the former is deprecated.");
}
return subject_alt_name_matchers;
}
// Handle deprecated string type san matchers without san type specified, by
// creating a matcher for each supported type.
for (const envoy::type::matcher::v3::StringMatcher& matcher : config.match_subject_alt_names()) {
Expand Down
36 changes: 28 additions & 8 deletions test/extensions/transport_sockets/tls/context_impl_test.cc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1932,8 +1932,8 @@ TEST_F(ServerContextConfigImplTest, PrivateKeyMethodLoadFailureBothKeyAndMethod)
"Certificate configuration can't have both private_key and private_key_provider");
}

// Test that we don't allow specification of both typed and untyped matchers for
// sans.
// Test that if both typed and untyped matchers for sans are specified, we
// ignore the untyped matchers.
TEST_F(ServerContextConfigImplTest, DeprecatedSanMatcher) {
envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context;
NiceMock<Ssl::MockContextManager> context_manager;
Expand All @@ -1943,22 +1943,42 @@ TEST_F(ServerContextConfigImplTest, DeprecatedSanMatcher) {
const std::string yaml =
R"EOF(
common_tls_context:
tls_certificates:
- certificate_chain:
filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_cert.pem"
private_key:
filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/selfsigned_key.pem"
validation_context:
trusted_ca: { filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" }
allow_expired_certificate: true
match_typed_subject_alt_names:
- san_type: DNS
matcher:
exact: "foo.example"
exact: "foo1.example"
match_subject_alt_names:
exact: "foo.example"
exact: "foo2.example"
)EOF";
TestUtility::loadFromYaml(TestEnvironment::substitute(yaml), tls_context);

EXPECT_THROW_WITH_MESSAGE(
ServerContextConfigImpl server_context_config(tls_context, factory_context_), EnvoyException,
"SAN-based verification using both match_typed_subject_alt_names and "
"the deprecated match_subject_alt_names is not allowed");
absl::optional<ServerContextConfigImpl> server_context_config;
EXPECT_LOG_CONTAINS("warning",
"Ignoring match_subject_alt_names as match_typed_subject_alt_names is also "
"specified, and the former is deprecated.",
server_context_config.emplace(tls_context, factory_context_));
EXPECT_EQ(
server_context_config.value().certificateValidationContext()->subjectAltNameMatchers().size(),
1);
EXPECT_EQ(server_context_config.value()
.certificateValidationContext()
->subjectAltNameMatchers()[0]
.san_type(),
envoy::extensions::transport_sockets::tls::v3::SubjectAltNameMatcher::DNS);
EXPECT_EQ(server_context_config.value()
.certificateValidationContext()
->subjectAltNameMatchers()[0]
.matcher()
.exact(),
"foo1.example");
}

TEST_F(ServerContextConfigImplTest, Pkcs12LoadFailureBothPkcs12AndMethod) {
Expand Down