tls: SAN verification changed in Envoy #630
Comments
Description: this PR updates Envoy Mobile's Envoy ref past the point where Envoy internally uses v3 config. I took the chance to update Envoy Mobile's config and delete deprecated fields. Note that SAN verification changes, and thus it was removed here. I opened an issue tracking this: #630. Further note that this ref update significantly increased the binary size. It is a priority for the team to investigate and trim the binary ahead of the v0.3 release (noted in #447).
Risk Level: med, boost to v3 config and deleted deprecated fields.
Testing: passing liveliness in CI and locally.
Signed-off-by: Jose Nino <[email protected]>
I believe this is relevant, and would allow us to do SAN based on authority. Need to read more carefully, but want to put it here before I forget: envoyproxy/envoy#9863
Wildcard matching is getting fixed in Envoy in envoyproxy/envoy#10005
envoyproxy/envoy#9863 made it so that the dynamic forward proxy automatically does SAN validation via the verifySubjectAltName path, based on the host/authority header. Therefore, after #663 Envoy Mobile has been verifying SAN. envoyproxy/envoy#10005 was not needed, as the auto SAN path does not use the matcher code; in fact envoyproxy/envoy#10005 moves exact matches in static SAN config to use the same code as the dynamic SAN verification uses.
SAN verification changed in Envoy in envoyproxy/envoy#9264. Therefore, for v3 config it is not as easy as putting the configured domain as a SAN to verify, as there is no wildcard matching as there was before, i.e. foo.company.com in the config will no longer match *.company.com in the presented certificate. #626 deleted SAN verification until a better option is exposed in Envoy Mobile.
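The difference the issue describes, shown as an added example (this is not Envoy's or Envoy Mobile's code and does not reproduce Envoy's matcher): an exact-match SAN check rejects a `*.company.com` certificate for the configured host `foo.company.com`, while a wildcard-aware check accepts it. The wildcard rules assumed here follow RFC 6125 section 6.4.3 (a single `*` only as the whole leftmost label, matching exactly one label, with at least two labels to its right); the helper names, the `:authority`-to-host step and the sample SANs are all constructed for the illustration.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// DNS names are case-insensitive, so compare lower-cased ASCII copies.
static std::string lower(std::string s) {
  std::transform(s.begin(), s.end(), s.begin(),
                 [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
  return s;
}

// Take the host part of an HTTP :authority / Host header value, dropping an
// optional ":port" (a bracketed IPv6 literal is returned without brackets).
std::string authorityToHost(const std::string& authority) {
  if (!authority.empty() && authority[0] == '[') {
    auto close = authority.find(']');
    return close == std::string::npos ? authority : authority.substr(1, close - 1);
  }
  auto colon = authority.rfind(':');
  return colon == std::string::npos ? authority : authority.substr(0, colon);
}

// Exact-match SAN check: a presented DNS SAN matches only if it equals the
// expected host name. A wildcard SAN therefore never matches a concrete host.
bool sanExactMatch(const std::string& san, const std::string& host) {
  return lower(san) == lower(host);
}

// Wildcard-aware DNS SAN check (assumed RFC 6125 style, not Envoy's code):
// '*' is allowed only as the entire leftmost label, matches exactly one label,
// and at least two labels must follow it so "*.com" cannot match every .com host.
// A SAN without '*' falls back to exact matching.
bool sanWildcardMatch(const std::string& san, const std::string& host) {
  std::string p = lower(san), h = lower(host);
  if (p.find('*') == std::string::npos) return p == h;
  if (p.size() < 2 || p[0] != '*' || p[1] != '.') return false;    // only "*.rest"
  if (p.find('*', 1) != std::string::npos) return false;            // only one wildcard
  std::string rest = p.substr(1);                                  // ".company.com"
  if (std::count(rest.begin(), rest.end(), '.') < 2) return false;  // >= 2 labels after '*'
  if (h.size() <= rest.size()) return false;
  if (h.compare(h.size() - rest.size(), rest.size(), rest) != 0) return false;
  std::string label = h.substr(0, h.size() - rest.size());
  return !label.empty() && label.find('.') == std::string::npos;    // exactly one label
}

// Verify the host derived from :authority against every DNS SAN in the
// certificate, with either the exact or the wildcard-aware matcher.
bool verifyAuthority(const std::string& authority,
                     const std::vector<std::string>& dnsSans, bool allowWildcard) {
  std::string host = authorityToHost(authority);
  for (const auto& san : dnsSans) {
    if (allowWildcard ? sanWildcardMatch(san, host) : sanExactMatch(san, host)) return true;
  }
  return false;
}

int main() {
  // Constructed sample: the configured domain and a certificate carrying only a
  // wildcard SAN, the situation described in the issue.
  const std::vector<std::string> certSans = {"*.company.com"};
  const std::string authority = "foo.company.com:443";
  std::cout << "exact match:    " << verifyAuthority(authority, certSans, false) << "\n";  // 0
  std::cout << "wildcard match: " << verifyAuthority(authority, certSans, true) << "\n";   // 1
  return 0;
}
```

`verifyAuthority` with `allowWildcard=false` is the behaviour the issue complains about: a deployment whose certificate only carries `*.company.com` fails verification for `foo.company.com` unless the check understands wildcards, which is why a static exact-match SAN entry is not a drop-in replacement for the earlier behaviour.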