envoyproxy/envoy

Enable TLS 1.3 on the client-side by default

Open

#9.300 aberto em 10 de dez. de 2019

Ver no GitHub
 (14 comments) (10 reactions) (0 assignees)C++ (5.373 forks)batch import
area/tlshelp wanted

Métricas do repositório

Stars
 (27.997 stars)
Métricas de merge de PR
 (Mesclagem média 8d) (378 fundiu PRs em 30d)

Description

Currently, TLS 1.3 is NOT enabled by default on the client-side, because the handshake changed a bit in TLS 1.3, and is considered completed on the client-side as soon as the requested client certificate is sent, i.e. before server validates the presented client certificate. This means that the client-side transport socket reports connection as established, and the client starts sending data without knowing if the server is going to accept the client certificate, which makes handling failures a bit tricky with respect to retries and buffering, and makes enabling TLS 1.3 on client-side significantly more difficult than simply changing the maximum supported protocol version.

cc @mattklein123 @lizan @derekargueta

Guia do colaborador