envoyproxy/envoy

Support Using Certificate Revocation Lists (CRLs) Stored Remotely

Open

#10.171 aberto em 26 de fev. de 2020

Ver no GitHub
 (10 comments) (5 reactions) (0 assignees)C++ (5.373 forks)batch import
area/securityenhancementhelp wanted

Métricas do repositório

Stars
 (27.997 stars)
Métricas de merge de PR
 (Mesclagem média 8d) (378 fundiu PRs em 30d)

Description

Description: Currently CRLs cannot be retrieved from a remote location by Envoys and must be vended to Envoys as secret configuration in the form of inline bytes or a file location.

The proposal here is to allow Envoys to fetch and make use of CRLs stored in a remote location. From #7311, there has been support added for fetching data remotely in the form of a RemoteDataSource and this API appears to be something that can be leveraged here to handle fetching the CRL remotely. This removes the burden of storing CRLs from the Envoy control plane. Below is an example of the current API and the proposed API addition for remote CRLs.

Current API

name: "sds_file_secret"
validation_context:
   crl:
     filename: "secret_crl.pem"

New API with Remote CRL Option

name: "sds_file_secret"
validation_context:
   remote_crl:
     http_uri: "http://server.com/secret_crl.pem"
     sha256: "123456789"

With a large enough CRL, this approach would likely be unfavorable when compared to OCSP, #3178. However, this at least provides a middle ground in the case of using a remotely stored CRL without any OCSP support.

Guia do colaborador