envoyproxy/envoy

RFC: Enable TLS external session cache

Open

#14,553 opened on Jan 3, 2021

View on GitHub
 (18 comments) (2 reactions) (0 assignees)C++ (5,373 forks)batch import
area/tlshelp wanted

Repository metrics

Stars
 (27,997 stars)
PR merge metrics
 (Avg merge 8d) (378 merged PRs in 30d)

Description

Title: Enable TLS external session cache

Description:

TLS provide some session resumption policies to do a quick handshake. Envoy support "session ticket" and "session id" policies when TLS version is older than 1.3. For "session id", Envoy stores the session in the memory on server side(internal session cache). TLS also support external session cache which would be a enhancement for Envoy TLS session management. That means if the TLS session is not found in internal storage or lookups for the internal storage have been deactivated, the server will try the external storage if available. With external cache supported, Envoy could be stateless and still can leverage session resumption, and session could be reserved for longer time, and a session could be shared between multiple Envoy proxies.

I have a initial idea about design and implementation, the API in my mind is probably like this: extensions.transport_sockets.tls.v3.DownstreamTlsContext { "common_tls_context": "{...}", "require_client_certificate": "{...}", "session_ticket_keys": "{...}", "session_ticket_keys_sds_secret_config": "{...}", "disable_stateless_session_resumption": "...", "session_timeout": "{...}", "ocsp_staple_policy": "...", "external_session_cache": "" // introduce this new field extensions.transport_sockets.tls.v3.TlsExternalSessionCache } extensions.transport_sockets.tls.v3.TlsExternalSessionCache { "session_storage_type": "redis", // redis is one of the conventional choices for external cache "session_storage_cluster": "redis_cluster" }

[optional Relevant Links:]

Session Caching

Contributor guide