Repository metrics
- Stars
- (27,997 stars)
- PR merge metrics
- (Avg merge 8d) (378 merged PRs in 30d)
Description
Title: Enable TLS external session cache
Description:
TLS provide some session resumption policies to do a quick handshake. Envoy support "session ticket" and "session id" policies when TLS version is older than 1.3. For "session id", Envoy stores the session in the memory on server side(internal session cache). TLS also support external session cache which would be a enhancement for Envoy TLS session management. That means if the TLS session is not found in internal storage or lookups for the internal storage have been deactivated, the server will try the external storage if available. With external cache supported, Envoy could be stateless and still can leverage session resumption, and session could be reserved for longer time, and a session could be shared between multiple Envoy proxies.
I have a initial idea about design and implementation, the API in my mind is probably like this: extensions.transport_sockets.tls.v3.DownstreamTlsContext { "common_tls_context": "{...}", "require_client_certificate": "{...}", "session_ticket_keys": "{...}", "session_ticket_keys_sds_secret_config": "{...}", "disable_stateless_session_resumption": "...", "session_timeout": "{...}", "ocsp_staple_policy": "...", "external_session_cache": "" // introduce this new field extensions.transport_sockets.tls.v3.TlsExternalSessionCache } extensions.transport_sockets.tls.v3.TlsExternalSessionCache { "session_storage_type": "redis", // redis is one of the conventional choices for external cache "session_storage_cluster": "redis_cluster" }
[optional Relevant Links:]