envoyproxy/envoy

Enable TLS 1.3 on the client-side by default

Open

#9.300 geöffnet am 10. Dez. 2019

Auf GitHub ansehen
 (14 Kommentare) (10 Reaktionen) (0 zugewiesene Personen)C++ (5.373 Forks)batch import
area/tlshelp wanted

Repository-Metriken

Stars
 (27.997 Stars)
PR-Merge-Metriken
 (Durchschn. Merge 8T) (378 gemergte PRs in 30 T)

Beschreibung

Currently, TLS 1.3 is NOT enabled by default on the client-side, because the handshake changed a bit in TLS 1.3, and is considered completed on the client-side as soon as the requested client certificate is sent, i.e. before server validates the presented client certificate. This means that the client-side transport socket reports connection as established, and the client starts sending data without knowing if the server is going to accept the client certificate, which makes handling failures a bit tricky with respect to retries and buffering, and makes enabling TLS 1.3 on client-side significantly more difficult than simply changing the maximum supported protocol version.

cc @mattklein123 @lizan @derekargueta

Contributor Guide