
Custom handshaker extension: can it be used to implement dynamic tls termination #20708

Closed
vorishirne opened this issue Apr 7, 2022 · 7 comments
Labels: area/tls; help wanted (Needs help!); question (Questions that are neither investigations, bugs, nor enhancements)

Comments

@vorishirne

vorishirne commented Apr 7, 2022

Description: I want to implement a client-side forward proxy, for which I may need to generate certificates at runtime for each domain that the user has requested. I need help if the Custom handshaker extension is not what I am looking for. If yes, what are your suggestions to make my requirement possible with Envoy?

@vorishirne vorishirne added the triage Issue requires triage label Apr 7, 2022
@zuercher zuercher added question Questions that are neither investigations, bugs, nor enhancements help wanted Needs help! area/tls and removed triage Issue requires triage labels Apr 11, 2022
@vorishirne
Author

@htuch please help if that would help, or please refer the right person to ask this.

@htuch
Member

htuch commented Apr 22, 2022

@ggreenway

@ggreenway
Contributor

I think this is asking for the same thing as #18928. @vorishirne does that sound correct?

@vorishirne
Author

Oh, that's an exact match. He has that as part of a listener filter.
Is that also possible via overriding this entire function?

```cpp
// Envoy's accessor for the subject of the certificate this side presented.
// The result is computed once and cached; SSL_get_certificate() only returns
// the certificate already configured on the SSL object, so there is nothing
// here that influences which certificate gets selected.
const std::string& ConnectionInfoImplBase::subjectLocalCertificate() const {
  if (!cached_subject_local_certificate_.empty()) {
    return cached_subject_local_certificate_;
  }
  X509* cert = SSL_get_certificate(ssl());
  if (!cert) {
    // No local certificate on this connection: return the (empty) cached value.
    ASSERT(cached_subject_local_certificate_.empty());
    return cached_subject_local_certificate_;
  }
  cached_subject_local_certificate_ = Utility::getSubjectFromCertificate(*cert);
  return cached_subject_local_certificate_;
}
```

@lambdai
Contributor

lambdai commented Apr 22, 2022

cached_subject_local_certificate_ = Utility::getSubjectFromCertificate(*cert);

Interesting. This subjectLocalCertificate is supposed to be called after the handshake is done. To drive the handshake, you need a certificate.

I am not sure how you'd like to move forward with a new subjectLocalCertificate() impl.
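
An added illustration of the point made in the comment above (example code written for this page, not Envoy's code and not any commenter's): a TLS server has to pick its certificate while the handshake is in progress, after the ClientHello carrying the SNI has arrived and before the server's Certificate message goes out, so a post-handshake accessor like subjectLocalCertificate() cannot be the place to plug in per-domain certificates. Go's crypto/tls exposes exactly that hook as Config.GetCertificate, and the program below uses it to mint a short-lived leaf for whatever server name the client asked for, signed by an in-memory proxy CA constructed for the example, then verifies the served chain the way a client that trusts that CA would. Go is used rather than Envoy's C++/BoringSSL so the block runs stand-alone; the type and function names (CertMinter, issue, CertFor, HandshakeCertFor), the CA name "hypothetical-forward-proxy-ca" and the host example.test are all assumptions for the example, and where the equivalent hook lives in Envoy is the subject of the issue linked earlier in this thread.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CertMinter holds the in-memory private CA (constructed for this example) that signs per-host leaves.
type CertMinter struct {
	CA    *x509.Certificate
	caKey *ecdsa.PrivateKey
}

// issue signs tmpl with a fresh P-256 key under parent/parentKey, or self-signs when parent is nil.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCertMinter creates the proxy CA that clients must be configured to trust (hypothetical name).
func NewCertMinter() (*CertMinter, error) {
	ca, key, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "hypothetical-forward-proxy-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	if err != nil {
		return nil, err
	}
	return &CertMinter{CA: ca, caKey: key}, nil
}

// CertFor mints a short-lived leaf for host with a random 128-bit serial; the chain handed to TLS is [leaf, CA].
func (m *CertMinter) CertFor(host string) (*tls.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	leaf, key, err := issue(&x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, m.CA, m.caKey)
	if err != nil {
		return nil, err
	}
	return &tls.Certificate{Certificate: [][]byte{leaf.Raw, m.CA.Raw}, PrivateKey: key, Leaf: leaf}, nil
}

// ServerConfig hooks the minter into the handshake itself: GetCertificate runs after the
// ClientHello (which carries the SNI) and before the server's Certificate message.
func (m *CertMinter) ServerConfig() *tls.Config {
	return &tls.Config{
		GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
			if hello.ServerName == "" {
				return nil, fmt.Errorf("client sent no SNI; refusing to guess a certificate")
			}
			return m.CertFor(hello.ServerName)
		},
	}
}

// HandshakeCertFor runs the GetCertificate hook as crypto/tls would for a ClientHello with sni,
// then verifies the served chain as a client trusting the proxy CA would; it returns the served CN.
func (m *CertMinter) HandshakeCertFor(sni string) (string, error) {
	c, err := m.ServerConfig().GetCertificate(&tls.ClientHelloInfo{ServerName: sni})
	if err != nil {
		return "", err
	}
	roots := x509.NewCertPool()
	roots.AddCert(m.CA)
	if _, err := c.Leaf.Verify(x509.VerifyOptions{DNSName: sni, Roots: roots}); err != nil {
		return "", err
	}
	return c.Leaf.Subject.CommonName, nil
}

func main() {
	m, err := NewCertMinter()
	if err != nil {
		panic(err)
	}
	fmt.Println(m.HandshakeCertFor("example.test"))
}
```

Running it with `go run` prints the common name of the certificate that would have been served for SNI `example.test`. A real forward proxy would additionally cache the minted certificate per host and serialize minting (this example mints on every call), keep the CA key off the data path, and refuse, as the hook here does, to serve anything when the client sends no SNI rather than falling back to a default certificate.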

@vorishirne
Author

Any function that would ask for the certificate to send to the client. I want to tweak that.

@vorishirne
Author

But now I think the dedicated changes from the above-mentioned issue are already the suitable ones. Will try those.


5 participants