envoyproxy/envoy

RFC: Enable TLS external session cache

Open

#14,553 创建于 2021年1月3日

在 GitHub 查看
 (18 评论) (2 反应) (0 负责人)C++ (5,373 fork)batch import
area/tlshelp wanted

仓库指标

Star
 (27,997 star)
PR 合并指标
 (平均合并 8天) (30 天内合并 378 个 PR)

描述

Title: Enable TLS external session cache

Description:

TLS provide some session resumption policies to do a quick handshake. Envoy support "session ticket" and "session id" policies when TLS version is older than 1.3. For "session id", Envoy stores the session in the memory on server side(internal session cache). TLS also support external session cache which would be a enhancement for Envoy TLS session management. That means if the TLS session is not found in internal storage or lookups for the internal storage have been deactivated, the server will try the external storage if available. With external cache supported, Envoy could be stateless and still can leverage session resumption, and session could be reserved for longer time, and a session could be shared between multiple Envoy proxies.

I have a initial idea about design and implementation, the API in my mind is probably like this: extensions.transport_sockets.tls.v3.DownstreamTlsContext { "common_tls_context": "{...}", "require_client_certificate": "{...}", "session_ticket_keys": "{...}", "session_ticket_keys_sds_secret_config": "{...}", "disable_stateless_session_resumption": "...", "session_timeout": "{...}", "ocsp_staple_policy": "...", "external_session_cache": "" // introduce this new field extensions.transport_sockets.tls.v3.TlsExternalSessionCache } extensions.transport_sockets.tls.v3.TlsExternalSessionCache { "session_storage_type": "redis", // redis is one of the conventional choices for external cache "session_storage_cluster": "redis_cluster" }

[optional Relevant Links:]

Session Caching

贡献者指南