envoyproxy/envoy

Dynamic Per-Connection Certificates for QUIC in Envoy

Open

#42063, opened on 17 November 2025

Labels: enhancement, help wanted

1 comment, 0 reactions, 0 assignees. Repository language: C++ (27,997 stars, 5,373 forks).

Description

Hi all,

I'm exploring a setup where Envoy should present different TLS certificates on a per-QUIC-connection basis, depending on the SNI. Because some clients use ECH, the inner SNI may be encrypted, so I'd like instead to infer the intended SNI from dynamic metadata we set at the listener filter.

A couple of questions:

Is there a recommended approach for selecting certificates dynamically for QUIC based on per-connection metadata (rather than the SNI visible to Envoy)?

Is there any experimental support or planned API to give the QUIC handshake access to FilterState, dynamic metadata, or similar Conn-level information during certificate selection?

Any guidance, design pointers, or examples would be greatly appreciated. Thanks!
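For context on what the question is asking to go beyond, the following is an added illustration (not part of the issue, and not code from the Envoy repository) of the static way to present a different certificate per QUIC connection today: one filter chain per server name, each carrying its own QUIC transport socket and certificate. Hostnames, file paths and the stat prefix are placeholders. The caveat that motivates the issue is visible here: `server_names` is matched against the SNI Envoy can see in the ClientHello, which under ECH is the outer (public) name, so the inner, encrypted SNI cannot drive this match; there is no field in this match that consults dynamic metadata or filter state.

```yaml
# Added example, not from the issue or the Envoy project.
# Two QUIC filter chains selected by the visible SNI, each with its own certificate.
# Hostnames and certificate paths are placeholders.
static_resources:
  listeners:
  - name: quic_listener
    address:
      socket_address:
        protocol: UDP
        address: 0.0.0.0
        port_value: 443
    udp_listener_config:
      quic_options: {}
    filter_chains:
    # Chain for a.example.com: picked when the (outer) SNI is a.example.com.
    - filter_chain_match:
        server_names: ["a.example.com"]
      transport_socket:
        name: envoy.transport_sockets.quic
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.quic.v3.QuicDownstreamTransport
          downstream_tls_context:
            common_tls_context:
              tls_certificates:
              - certificate_chain: { filename: "/etc/envoy/certs/a.example.com.crt" }
                private_key: { filename: "/etc/envoy/certs/a.example.com.key" }
      filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: quic_a
          codec_type: HTTP3
          http3_protocol_options: {}
          route_config:
            virtual_hosts:
            - name: a
              domains: ["a.example.com"]
              routes:
              - match: { prefix: "/" }
                route: { cluster: backend_a }
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
    # Chain for b.example.com: same shape, different certificate.
    - filter_chain_match:
        server_names: ["b.example.com"]
      transport_socket:
        name: envoy.transport_sockets.quic
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.quic.v3.QuicDownstreamTransport
          downstream_tls_context:
            common_tls_context:
              tls_certificates:
              - certificate_chain: { filename: "/etc/envoy/certs/b.example.com.crt" }
                private_key: { filename: "/etc/envoy/certs/b.example.com.key" }
      filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: quic_b
          codec_type: HTTP3
          http3_protocol_options: {}
          route_config:
            virtual_hosts:
            - name: b
              domains: ["b.example.com"]
              routes:
              - match: { prefix: "/" }
                route: { cluster: backend_b }
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
  - name: backend_a
    type: STATIC
    load_assignment:
      cluster_name: backend_a
      endpoints:
      - lb_endpoints:
        - endpoint: { address: { socket_address: { address: 127.0.0.1, port_value: 8081 } } }
  - name: backend_b
    type: STATIC
    load_assignment:
      cluster_name: backend_b
      endpoints:
      - lb_endpoints:
        - endpoint: { address: { socket_address: { address: 127.0.0.1, port_value: 8082 } } }
```

With ECH clients, both connections would arrive carrying the same public outer name and land in whichever chain matches it (or the default chain), which is why the issue asks for a selection hook that can consult per-connection metadata instead of the visible SNI.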


Dynamic Per-Connection Certificates for QUIC in Envoy · envoyproxy/envoy#42063 | Good First Issue