envoyproxy/envoy

Support Using Certificate Revocation Lists (CRLs) Stored Remotely

Open

#10,171 创建于 2020年2月26日

在 GitHub 查看
 (10 评论) (5 反应) (0 负责人)C++ (5,373 fork)batch import
area/securityenhancementhelp wanted

仓库指标

Star
 (27,997 star)
PR 合并指标
 (平均合并 8天) (30 天内合并 378 个 PR)

描述

Description: Currently CRLs cannot be retrieved from a remote location by Envoys and must be vended to Envoys as secret configuration in the form of inline bytes or a file location.

The proposal here is to allow Envoys to fetch and make use of CRLs stored in a remote location. From #7311, there has been support added for fetching data remotely in the form of a RemoteDataSource and this API appears to be something that can be leveraged here to handle fetching the CRL remotely. This removes the burden of storing CRLs from the Envoy control plane. Below is an example of the current API and the proposed API addition for remote CRLs.

Current API

name: "sds_file_secret"
validation_context:
   crl:
     filename: "secret_crl.pem"

New API with Remote CRL Option

name: "sds_file_secret"
validation_context:
   remote_crl:
     http_uri: "http://server.com/secret_crl.pem"
     sha256: "123456789"

With a large enough CRL, this approach would likely be unfavorable when compared to OCSP, #3178. However, this at least provides a middle ground in the case of using a remotely stored CRL without any OCSP support.

贡献者指南