envoyproxy / envoy

Cloud-native high-performance edge/middle/service proxy
https://www.envoyproxy.io
Apache License 2.0

Fully support (Upstream|Downstream)TlsContext config in QUIC #25418

Open danzh2010 opened 1 year ago

danzh2010 commented 1 year ago

Currently not all config knobs in https://github.com/envoyproxy/envoy/blob/main/api/envoy/extensions/transport_sockets/tls/v3/tls.proto take effect in QUIC listener. Below are the ones which do not take effect and are not hidden behind #not-implemented-hide:

UpstreamTlsContext:
- allow_renegotiation: not supported by QUICHE.
- max_session_keys: needs plumbing. Envoy is hard-coded with the QUICHE default kDefaultMaxEntries (1024) in quic_client_session_cache.cc.

DownstreamTlsContext:
- require_client_certificate: needs plumbing. Explicitly disabled by https://github.com/envoyproxy/envoy/pull/24011.
- one of session_ticket_keys, session_ticket_keys_sds_secret_config, disable_stateless_session_resumption: needs plumbing. Session resumption is currently disabled by the default EnvoyQuicProofSource implementation.
- session_timeout: not applicable, the BoringSSL interface is only used for TLS 1.2 or earlier.
- ocsp_staple_policy: OCSP response is not supported by QUICHE.
- full_scan_certs_on_sni_mismatch: needs plumbing. Envoy always picks the first cert chain in the config.

CommonTlsContext:
- tls_(minimum|maximum)_protocol_version: not applicable as QUIC only supports TLS 1.3.
- ecdh_curves: needs plumbing. QUICHE supports the same default ones.
- alpn_protocols: not applicable as the QUIC version supported in Envoy only allows "h3".
- custom_handshaker: not applicable. Envoy can configure a similar feature via a custom QUIC crypto stream and proof source.
- key_log: BoringSSL keylog is not supported by QUICHE.
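
The practical consequence of the list above is that a field such as require_client_certificate, or a key_log an operator relies on for traffic decryption, can be set in a QUIC listener's or cluster's TLS context and simply not take effect. The following added example (not code from this issue or from Envoy) walks a bootstrap-shaped config and flags the fields named in the issue wherever they appear under a QuicDownstreamTransport or QuicUpstreamTransport typed config. The sample config, the function names and the message text are constructed for this example; the field lists are copied from the issue, and the type URLs are those of Envoy's QUIC transport socket protos.

```python
"""Config check for the QUIC/TLS-context gap described in envoy#25418.

Added example, not code from the issue or from Envoy. The sample config is
constructed here; the field lists are copied from the issue text, and the
type URLs are those of Envoy's QuicDownstreamTransport/QuicUpstreamTransport.
"""
import json

QUIC_DOWNSTREAM_TYPE = ("type.googleapis.com/envoy.extensions.transport_sockets."
                        "quic.v3.QuicDownstreamTransport")
QUIC_UPSTREAM_TYPE = ("type.googleapis.com/envoy.extensions.transport_sockets."
                      "quic.v3.QuicUpstreamTransport")

# Fields the issue lists as not taking effect under a QUIC transport socket.
IGNORED_UPSTREAM = {"allow_renegotiation", "max_session_keys"}
IGNORED_DOWNSTREAM = {
    "require_client_certificate", "session_ticket_keys",
    "session_ticket_keys_sds_secret_config",
    "disable_stateless_session_resumption", "session_timeout",
    "ocsp_staple_policy", "full_scan_certs_on_sni_mismatch",
}
IGNORED_COMMON = {"alpn_protocols", "custom_handshaker", "key_log"}
# Protocol versions and curves sit in CommonTlsContext.tls_params in tls.proto.
IGNORED_TLS_PARAMS = {"tls_minimum_protocol_version",
                      "tls_maximum_protocol_version", "ecdh_curves"}


def transport_socket_findings(transport_socket, where):
    """Return one message per ignored field set on a QUIC transport socket."""
    typed = transport_socket.get("typed_config") or {}
    type_url = typed.get("@type", "")
    if type_url == QUIC_DOWNSTREAM_TYPE:
        ctx, ignored = typed.get("downstream_tls_context") or {}, IGNORED_DOWNSTREAM
    elif type_url == QUIC_UPSTREAM_TYPE:
        ctx, ignored = typed.get("upstream_tls_context") or {}, IGNORED_UPSTREAM
    else:
        return []  # TLS-over-TCP sockets honour these fields; nothing to flag
    hits = [f for f in sorted(ignored) if f in ctx]
    common = ctx.get("common_tls_context") or {}
    hits += ["common_tls_context." + f for f in sorted(IGNORED_COMMON) if f in common]
    params = common.get("tls_params") or {}
    hits += ["common_tls_context.tls_params." + f
             for f in sorted(IGNORED_TLS_PARAMS) if f in params]
    return [f"{where}: {f} is set but does not take effect under QUIC" for f in hits]


def lint_config(config):
    """Walk the static listeners and clusters of a bootstrap-shaped dict."""
    findings = []
    static = config.get("static_resources") or {}
    for listener in static.get("listeners", []):
        for i, chain in enumerate(listener.get("filter_chains", [])):
            if chain.get("transport_socket"):
                findings += transport_socket_findings(
                    chain["transport_socket"],
                    f"listener {listener.get('name')} filter_chain[{i}]")
    for cluster in static.get("clusters", []):
        if cluster.get("transport_socket"):
            findings += transport_socket_findings(
                cluster["transport_socket"], f"cluster {cluster.get('name')}")
    return findings


# Constructed sample: an HTTP/3 listener that believes it enforces mTLS, a
# plain TLS listener that really does, and an HTTP/3 upstream with a key log.
SAMPLE_CONFIG = json.loads("""{"static_resources": {
  "listeners": [
    {"name": "h3_ingress", "filter_chains": [{"transport_socket": {
      "name": "envoy.transport_sockets.quic",
      "typed_config": {
        "@type": "%s",
        "downstream_tls_context": {
          "require_client_certificate": true,
          "common_tls_context": {
            "alpn_protocols": ["h3"],
            "tls_params": {"tls_minimum_protocol_version": "TLSv1_2"}}}}}}]},
    {"name": "h2_ingress", "filter_chains": [{"transport_socket": {
      "name": "envoy.transport_sockets.tls",
      "typed_config": {
        "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext",
        "require_client_certificate": true,
        "common_tls_context": {"alpn_protocols": ["h2"]}}}}]}],
  "clusters": [
    {"name": "h3_upstream", "transport_socket": {
      "name": "envoy.transport_sockets.quic",
      "typed_config": {
        "@type": "%s",
        "upstream_tls_context": {
          "max_session_keys": 1,
          "common_tls_context": {"key_log": {"path": "/tmp/h3-keys.log"}}}}}}]}}"""
                           % (QUIC_DOWNSTREAM_TYPE, QUIC_UPSTREAM_TYPE))

if __name__ == "__main__":
    for line in lint_config(SAMPLE_CONFIG):
        print(line)
```

On the constructed sample this reports the h3_ingress listener's require_client_certificate, alpn_protocols and tls_minimum_protocol_version, and the h3_upstream cluster's max_session_keys and key_log, while the h2_ingress listener (TLS over TCP) produces nothing. The security-relevant finding is the first one: with require_client_certificate disabled on the QUIC path, as the issue states, a client-certificate policy that holds for HTTP/1.1 and HTTP/2 clients is not applied to HTTP/3 clients on the same port pair. The check only walks static_resources; resources delivered over LDS/CDS would need the same walk applied to the xDS responses.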

github-actions[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.

danzh2010 commented 1 year ago

This needs a non-stale bot!

github-actions[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.