envoyproxy/envoy

RFC: Enable TLS external session cache

Open

#14.553 aperta il 3 gen 2021

Vedi su GitHub
 (18 commenti) (2 reazioni) (0 assegnatari)C++ (5373 fork)batch import
area/tlshelp wanted

Metriche repository

Star
 (27.997 star)
Metriche merge PR
 (Merge medio 8g) (378 PR mergiate in 30 g)

Descrizione

Title: Enable TLS external session cache

Description:

TLS provide some session resumption policies to do a quick handshake. Envoy support "session ticket" and "session id" policies when TLS version is older than 1.3. For "session id", Envoy stores the session in the memory on server side(internal session cache). TLS also support external session cache which would be a enhancement for Envoy TLS session management. That means if the TLS session is not found in internal storage or lookups for the internal storage have been deactivated, the server will try the external storage if available. With external cache supported, Envoy could be stateless and still can leverage session resumption, and session could be reserved for longer time, and a session could be shared between multiple Envoy proxies.

I have a initial idea about design and implementation, the API in my mind is probably like this: extensions.transport_sockets.tls.v3.DownstreamTlsContext { "common_tls_context": "{...}", "require_client_certificate": "{...}", "session_ticket_keys": "{...}", "session_ticket_keys_sds_secret_config": "{...}", "disable_stateless_session_resumption": "...", "session_timeout": "{...}", "ocsp_staple_policy": "...", "external_session_cache": "" // introduce this new field extensions.transport_sockets.tls.v3.TlsExternalSessionCache } extensions.transport_sockets.tls.v3.TlsExternalSessionCache { "session_storage_type": "redis", // redis is one of the conventional choices for external cache "session_storage_cluster": "redis_cluster" }

[optional Relevant Links:]

Session Caching

Guida contributor