Closed howardjohn closed 3 days ago
@howardjohn can I understand that it will also benefit StartTLS handling?
I don't know much about StartTLS, but I think that is unrelated and already supported by Envoy.
This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.
This issue has been automatically closed because it has not had activity in the last 37 days. If this issue is still valid, please ping a maintainer and ask them to label it as "help wanted" or "no stalebot". Thank you for your contributions.
Can we reopen this?
Title: Passive TLS inspector
Description: Envoy currently provides a tls_inspector. This is handy for many use cases.
One use case it is not great for is proxying arbitrary traffic and logging TLS attributes (generally, the SNI). Use of the inspector causes blocking until enough data is read, which will never happen for server-first protocols like MySQL.
Instead, I would like a 'passive' inspector. Data will flow through as normal, but if it is found to be TLS, some state is stored. Eventually, I would expect to be able to log the SNI on connection termination using the standard access logger.
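
The behaviour requested above, as an added Python example (not Envoy code and not written by the issue author): client bytes are always forwarded immediately, while an observer classifies the stream as TLS or not as data arrives and records the SNI for logging at connection close. `PassiveInspector`, `peek_sni` and `build_client_hello` are hypothetical names, and the parser assumes the ClientHello fits in a single TLS record.

```python
NOT_TLS, NEED_MORE, TLS = "not_tls", "need_more", "tls"
u16 = lambda b: int.from_bytes(b, "big")

def peek_sni(buf):
    """Classify client bytes seen so far; returns NEED_MORE rather than blocking."""
    if buf[:2] != b"\x16\x03"[:len(buf)]:          # not a TLS handshake record
        return NOT_TLS, None
    if len(buf) < 5:
        return NEED_MORE, None
    rec_len = u16(buf[3:5])
    if rec_len > 16384:                            # plaintext record limit caps buffering
        return NOT_TLS, None
    if len(buf) < 5 + rec_len:
        return NEED_MORE, None
    body = buf[5:5 + rec_len]                      # assumes the hello fits in one record
    try:
        if body[0] != 0x01:                        # handshake type 1 = ClientHello
            return NOT_TLS, None
        p = 4 + 2 + 32                             # handshake header, version, random
        p += 1 + body[p]                           # session_id
        p += 2 + u16(body[p:p + 2])                # cipher_suites
        p += 1 + body[p]                           # compression_methods
        p, end = p + 2, min(p + 2 + u16(body[p:p + 2]), len(body))
        while p + 4 <= end:
            ext_type, ext_len = u16(body[p:p + 2]), u16(body[p + 2:p + 4])
            ext = body[p + 4:p + 4 + ext_len]
            if ext_type == 0:                      # server_name: list_len, type, name_len, name
                return TLS, ext[5:5 + u16(ext[3:5])].decode("ascii")
            p += 4 + ext_len
    except (IndexError, UnicodeDecodeError):
        return NOT_TLS, None                       # malformed: treat as opaque bytes
    return TLS, None                               # TLS, but no SNI offered

class PassiveInspector:
    """Sees client bytes as they are forwarded; the data path never waits on it."""
    def __init__(self):
        self.buf, self.state, self.sni = b"", NEED_MORE, None
    def observe(self, chunk):
        if self.state == NEED_MORE:
            self.buf += chunk
            self.state, self.sni = peek_sni(self.buf)
        return chunk                               # always forwarded unchanged

def build_client_hello(host):  # constructed sample input, not captured traffic
    name = host.encode()
    sni = (len(name) + 3).to_bytes(2, "big") + b"\x00" + len(name).to_bytes(2, "big") + name
    exts = b"\x00\x00" + len(sni).to_bytes(2, "big") + sni
    hello = b"\x03\x03" + bytes(32) + b"\x00\x00\x02\x13\x01\x01\x00" + len(exts).to_bytes(2, "big") + exts
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs
```

On a server-first connection the inspector simply stays in `need_more` until the client writes, at which point the first non-TLS bytes settle it as `not_tls`; the access logger reads `sni` when the connection ends.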