envoyproxy/envoy

Support Using Certificate Revocation Lists (CRLs) Stored Remotely

Open

#10,171 opened on Feb 26, 2020

View on GitHub
 (10 comments) (5 reactions) (0 assignees)C++ (5,373 forks)batch import
area/securityenhancementhelp wanted

Repository metrics

Stars
 (27,997 stars)
PR merge metrics
 (Avg merge 8d) (378 merged PRs in 30d)

Description

Description: Currently CRLs cannot be retrieved from a remote location by Envoys and must be vended to Envoys as secret configuration in the form of inline bytes or a file location.

The proposal here is to allow Envoys to fetch and make use of CRLs stored in a remote location. From #7311, there has been support added for fetching data remotely in the form of a RemoteDataSource and this API appears to be something that can be leveraged here to handle fetching the CRL remotely. This removes the burden of storing CRLs from the Envoy control plane. Below is an example of the current API and the proposed API addition for remote CRLs.

Current API

name: "sds_file_secret"
validation_context:
   crl:
     filename: "secret_crl.pem"

New API with Remote CRL Option

name: "sds_file_secret"
validation_context:
   remote_crl:
     http_uri: "http://server.com/secret_crl.pem"
     sha256: "123456789"

With a large enough CRL, this approach would likely be unfavorable when compared to OCSP, #3178. However, this at least provides a middle ground in the case of using a remotely stored CRL without any OCSP support.

Contributor guide