envoyproxy/envoy

Support Using Certificate Revocation Lists (CRLs) Stored Remotely

Open

#10 171 ouverte le 26 févr. 2020

Voir sur GitHub
 (10 commentaires) (5 réactions) (0 assignés)C++ (5 373 forks)batch import
area/securityenhancementhelp wanted

Métriques du dépôt

Stars
 (27 997 stars)
Métriques de merge PR
 (Merge moyen 8j) (378 PRs mergées en 30 j)

Description

Description: Currently CRLs cannot be retrieved from a remote location by Envoys and must be vended to Envoys as secret configuration in the form of inline bytes or a file location.

The proposal here is to allow Envoys to fetch and make use of CRLs stored in a remote location. From #7311, there has been support added for fetching data remotely in the form of a RemoteDataSource and this API appears to be something that can be leveraged here to handle fetching the CRL remotely. This removes the burden of storing CRLs from the Envoy control plane. Below is an example of the current API and the proposed API addition for remote CRLs.

Current API

name: "sds_file_secret"
validation_context:
   crl:
     filename: "secret_crl.pem"

New API with Remote CRL Option

name: "sds_file_secret"
validation_context:
   remote_crl:
     http_uri: "http://server.com/secret_crl.pem"
     sha256: "123456789"

With a large enough CRL, this approach would likely be unfavorable when compared to OCSP, #3178. However, this at least provides a middle ground in the case of using a remotely stored CRL without any OCSP support.

Guide contributeur