-
Notifications
You must be signed in to change notification settings - Fork 4.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
RFC: Enable TLS external session cache #14553
Comments
I think it would be interesting to look at external session caches, but I would definitely want this to be pluggable from the start. |
Makes sense to me. +1 on making it pluggable. One option is just a simple gRPC service, and adapters to a backing store (redis, etc) are the responsibility of the user. |
@ggreenway @mattklein123 Thanks for your comments. Could you give me some guide or references? I am a newbie in Envoy project, it will be great if I can contribute this feature to community. Enabling external session cache needs setting some callback functions to SSL context, I'm thinking about it has to modify the main code in transport socket tls extension. So do you mean only making the external session storage as a gRPC service and it provides API to connect to concrete backing store? |
Sorry for the long delay in response.
Yes, exactly. I think if we develop a gRPC API that can be optionally called from the TLS code, this will allow arbitrary backend implementations. We have many examples of APIs at this point that are "side-calls" of this nature. Take a look at:
^ should hopefully be enough to get you started but feel free to ping back if you have any questions and we can help more. Also, for this feature I would recommend doing a small gdoc with a proposed design that we can discuss. Thank you! |
@mattklein123 Thank you for providing these references, I‘ll draft gdoc when I get time, it might take some time since I'll take a vacation about one or two weeks, I'll update when I'm back. Thanks. :) |
Sorry for long-time no updates due to some personal emergent work. @mattklein123 @ggreenway Do we have a template for design doc? |
We don't have a fixed template right now. I would just type up something in whatever format you want and we can go from there. I would just cover standard design doc stuff (problem statement, goals, non-goals, high level design, etc.) |
@mattklein123 Hi, I draft a minimal design doc, welcome to review. |
I think it would be good to discuss if/how this would be applicable to TLS 1.3, and how this compares to session tickets (ie when would you use a session cache instead of session tickets). |
@ggreenway @mattklein123 I add a background section to answer the questions from you.design doc If possible I would like to add more details into design doc such as interface definition, it might help me coding. :) |
Hi, @ggreenway @mattklein123 , I'd like to start with a PoC first and polish my design doc at the same time. I have almost done the API part. And currently I get stuck at generating pb.h files from my proto file(I need to implement a envoy built-in grpc client based on current design), is there any tool in envoy to help that? |
proto compilation is done by the build system. For an example, look at the ratelimit filter (source/extensions/filters/common/ratelimit). In the BUILD file, it specifies a dependency on the protos in the |
Thanks. |
@ggreenway I'm a little confusing about the Envoy built-in grpc client, e.g. ratelimit and ext_proc, they all implemented a async client, it seems that the request and response are seperated, but for tls external session, I need get the response immediatly after I send out the request since I need that session to do the quick handshake, am I supposed to implement a sync client? Do you have any suggestion? |
For it to work properly, you must be able to treat it as async. If you try to make it sync, an envoy worker will be blocked waiting on the response, and performance will be unacceptable. |
@LuyaoZhong what's the current status of this RFC? Thanks |
@l8huang I think @LuyaoZhong is already moving the interesting. If you are interesting on this, you can free to take it. |
I pick up the task. I submit a initial PR #35014 |
Title: Enable TLS external session cache
Description:
I have a initial idea about design and implementation, the API in my mind is probably like this:
extensions.transport_sockets.tls.v3.DownstreamTlsContext
{
"common_tls_context": "{...}",
"require_client_certificate": "{...}",
"session_ticket_keys": "{...}",
"session_ticket_keys_sds_secret_config": "{...}",
"disable_stateless_session_resumption": "...",
"session_timeout": "{...}",
"ocsp_staple_policy": "...",
"external_session_cache": "" // introduce this new field extensions.transport_sockets.tls.v3.TlsExternalSessionCache
}
extensions.transport_sockets.tls.v3.TlsExternalSessionCache
{
"session_storage_type": "redis", // redis is one of the conventional choices for external cache
"session_storage_cluster": "redis_cluster"
}
[optional Relevant Links:]
The text was updated successfully, but these errors were encountered: