syntax = "proto3";

package envoy.api.v2.auth;

import "envoy/api/v2/auth/common.proto";
import "envoy/api/v2/auth/secret.proto";

import "google/protobuf/duration.proto";
import "google/protobuf/wrappers.proto";

import "udpa/annotations/migrate.proto";
import "udpa/annotations/status.proto";
import "validate/validate.proto";

option java_package = "io.envoyproxy.envoy.api.v2.auth";
option java_outer_classname = "TlsProto";
option java_multiple_files = true;
option go_package = "github.com/envoyproxy/go-control-plane/envoy/api/v2/auth";
// This file belongs to the frozen v2 API; its v3 successor lives in the package
// named below. New configuration should target v3 -- nothing here may change
// semantics or field numbers, since deployed configs depend on them.
option (udpa.annotations.file_migrate).move_to_package =
    "envoy.extensions.transport_sockets.tls.v3";
option (udpa.annotations.file_status).package_version_status = FROZEN;

// [#protodoc-title: TLS transport socket]
// [#extension: envoy.transport_sockets.tls]
// The TLS contexts below provide the transport socket configuration for upstream/downstream TLS.
//
// Reading guide for reviewers: ``UpstreamTlsContext`` configures Envoy as a TLS *client*
// (Envoy -> backend), ``DownstreamTlsContext`` configures Envoy as a TLS *server*
// (client -> Envoy), and both embed ``CommonTlsContext``, which carries the certificate,
// trust-anchor and protocol settings shared by the two roles.

// TLS client settings used when Envoy connects to an upstream host.
message UpstreamTlsContext {
  // Common TLS context settings.
  //
  // .. attention::
  //
  //   Server certificate verification is not enabled by default. Configure
  //   :ref:`trusted_ca<envoy_api_field_auth.CertificateValidationContext.trusted_ca>` to enable
  //   verification.
  //
  // Security note: with no trust anchors configured the connection is encrypted but the
  // upstream is not authenticated, so an on-path attacker holding any certificate can
  // terminate it. Treat a missing validation context on an upstream as a finding unless the
  // deployment has a documented reason for it.
  CommonTlsContext common_tls_context = 1;

  // SNI string to use when creating TLS backend connections.
  //
  // SNI is carried in the clear in the ClientHello; it is a routing hint for the server, not
  // an authentication check. Setting ``sni`` does not by itself cause the server certificate's
  // name to be matched -- name matching is configured in the validation context
  // (``CertificateValidationContext``, see common.proto). Limited to 255 bytes by validation.
  string sni = 2 [(validate.rules).string = {max_bytes: 255}];

  // If true, server-initiated TLS renegotiation will be allowed.
  //
  // .. attention::
  //
  //   TLS renegotiation is considered insecure and shouldn't be used unless absolutely necessary.
  //
  // Renegotiation has been the vector for known TLS attacks (the issue RFC 5746 was written to
  // address). Leave this unset (false, the proto3 default) unless a specific legacy upstream
  // demonstrably requires it, and document that exception.
  bool allow_renegotiation = 3;

  // Maximum number of session keys (Pre-Shared Keys for TLSv1.3+, Session IDs and Session Tickets
  // for TLSv1.2 and older) to store for the purpose of session resumption.
  //
  // Defaults to 1, setting this to 0 disables session resumption.
  //
  // Stored resumption state is secret material held in memory; this value bounds how much of it
  // is retained per context. Disabling resumption (0) trades handshake cost for not keeping any
  // resumable state around.
  google.protobuf.UInt32Value max_session_keys = 4;
}

// TLS server settings used when Envoy terminates TLS from downstream clients.
// [#next-free-field: 8]
message DownstreamTlsContext {
  // Common TLS context settings.
  //
  // In the server role the certificate presented to clients comes from
  // ``tls_certificates`` / ``tls_certificate_sds_secret_configs`` and client-certificate
  // verification (if any) from the ``validation_context_type`` oneof of the common context.
  CommonTlsContext common_tls_context = 1;

  // If specified, Envoy will reject connections without a valid client
  // certificate.
  //
  // When unset or false, a client that presents no certificate is still accepted, so mTLS
  // enforcement requires this to be explicitly true. NOTE(review): "valid" presumably means
  // the certificate verifies against the configured validation context; the behaviour when
  // this is true but no validation context is configured is not visible in this file --
  // confirm against the transport socket implementation before relying on it.
  google.protobuf.BoolValue require_client_certificate = 2;

  // If specified, Envoy will reject connections without a valid and matching SNI.
  //
  // Not implemented (see the hide annotation below): do not treat this field as an enforced
  // control; SNI-based restrictions must be achieved through listener filter chain matching.
  // [#not-implemented-hide:]
  google.protobuf.BoolValue require_sni = 3;

  oneof session_ticket_keys_type {
    // TLS session ticket key settings.
    //
    // Session tickets are encrypted under these keys, and (for TLSv1.2, RFC 5077) a ticket
    // carries the session's master secret. Whoever obtains a ticket key can therefore decrypt
    // the state of every session resumed with it. Protect and rotate these keys like a private
    // key; a static list in config is the weakest option, and rotation requires a config
    // update. Prefer ``session_ticket_keys_sds_secret_config`` where SDS is available.
    TlsSessionTicketKeys session_ticket_keys = 4;

    // Config for fetching TLS session ticket keys via SDS API.
    //
    // Same semantics as ``session_ticket_keys``, but the keys are delivered dynamically, which
    // keeps them out of static configuration and allows rotation without a config push.
    SdsSecretConfig session_ticket_keys_sds_secret_config = 5;

    // Config for controlling stateless TLS session resumption: setting this to true will cause the TLS
    // server to not issue TLS session tickets for the purposes of stateless TLS session resumption.
    // If set to false, the TLS server will issue TLS session tickets and encrypt/decrypt them using
    // the keys specified through either :ref:`session_ticket_keys <envoy_api_field_auth.DownstreamTlsContext.session_ticket_keys>`
    // or :ref:`session_ticket_keys_sds_secret_config <envoy_api_field_auth.DownstreamTlsContext.session_ticket_keys_sds_secret_config>`.
    // If this config is set to false and no keys are explicitly configured, the TLS server will issue
    // TLS session tickets and encrypt/decrypt them using an internally-generated and managed key, with the
    // implication that sessions cannot be resumed across hot restarts or on different hosts.
    //
    // Setting this to true is the conservative choice when no ticket-key management or rotation
    // process exists: it removes the long-lived secret entirely at the cost of full handshakes.
    bool disable_stateless_session_resumption = 7;
  }

  // If specified, ``session_timeout`` will change the maximum lifetime (in seconds) of the TLS session.
  // Currently this value is used as a hint for the `TLS session ticket lifetime (for TLSv1.2) <https://tools.ietf.org/html/rfc5077#section-5.6>`_.
  // Only seconds can be specified (fractional seconds are ignored).
  //
  // Validation bounds the value to ``0 <= session_timeout < 2^32`` seconds. A shorter lifetime
  // narrows the window in which an issued ticket remains usable for resumption; it is a hint to
  // the TLS library, not a hard guarantee enforced by this configuration alone.
  google.protobuf.Duration session_timeout = 6 [(validate.rules).duration = {
    lt {seconds: 4294967296}
    gte {}
  }];
}

// TLS context shared by both client and server TLS contexts.
// [#next-free-field: 9]
message CommonTlsContext {
  // A static default validation context paired with an SDS source for a dynamic one.
  // Both members are required by validation; how they are merged at runtime is described
  // on ``combined_validation_context`` below.
  message CombinedCertificateValidationContext {
    // How to validate peer certificates.
    CertificateValidationContext default_validation_context = 1
        [(validate.rules).message = {required: true}];

    // Config for fetching validation context via SDS API.
    SdsSecretConfig validation_context_sds_secret_config = 2
        [(validate.rules).message = {required: true}];
  }

  // Field number 5 was previously used and is permanently reserved so it can never be
  // reassigned to a field with a different meaning on this frozen wire contract.
  reserved 5;

  // TLS protocol versions, cipher suites etc.
  //
  // When unset, the defaults defined by ``TlsParameters`` (common.proto) apply; review that
  // message, not this file, to know which protocol versions and ciphers are enabled.
  TlsParameters tls_params = 1;

  // :ref:`Multiple TLS certificates <arch_overview_ssl_cert_select>` can be associated with the
  // same context to allow both RSA and ECDSA certificates.
  //
  // Only a single TLS certificate is supported in client contexts. In server contexts, the first
  // RSA certificate is used for clients that only support RSA and the first ECDSA certificate is
  // used for clients that support ECDSA.
  //
  // Certificates configured here are static and carry their private key material in the
  // configuration itself (via ``TlsCertificate``); prefer ``tls_certificate_sds_secret_configs``
  // so that private keys are delivered over SDS rather than stored in config.
  repeated TlsCertificate tls_certificates = 2;

  // Configs for fetching TLS certificates via SDS API.
  //
  // Limited to a single entry by validation.
  repeated SdsSecretConfig tls_certificate_sds_secret_configs = 6
      [(validate.rules).repeated = {max_items: 1}];

  // Exactly one source of peer-certificate validation settings. If no member is set there is
  // nothing to verify peer certificates against (see the attention note on
  // ``UpstreamTlsContext.common_tls_context``).
  oneof validation_context_type {
    // How to validate peer certificates.
    CertificateValidationContext validation_context = 3;

    // Config for fetching validation context via SDS API.
    SdsSecretConfig validation_context_sds_secret_config = 7;

    // Combined certificate validation context holds a default CertificateValidationContext
    // and SDS config. When SDS server returns dynamic CertificateValidationContext, both dynamic
    // and default CertificateValidationContext are merged into a new CertificateValidationContext
    // for validation. This merge is done by Message::MergeFrom(), so dynamic
    // CertificateValidationContext overwrites singular fields in default
    // CertificateValidationContext, and concatenates repeated fields to default
    // CertificateValidationContext, and logical OR is applied to boolean fields.
    //
    // Security note on the merge rules above: a boolean set to true in *either* context stays
    // true after the merge, so a check relaxed in the static default cannot be re-tightened by
    // the SDS-delivered context (and vice versa); repeated match lists become the union of both
    // sides. Review the effective merged context, not each half in isolation.
    CombinedCertificateValidationContext combined_validation_context = 8;
  }

  // Supplies the list of ALPN protocols that the listener should expose. In
  // practice this is likely to be set to one of two values (see the
  // :ref:`codec_type
  // <envoy_api_field_config.filter.network.http_connection_manager.v2.HttpConnectionManager.codec_type>`
  // parameter in the HTTP connection manager for more information):
  //
  // * "h2,http/1.1" If the listener is going to support both HTTP/2 and HTTP/1.1.
  // * "http/1.1" If the listener is only going to support HTTP/1.1.
  //
  // There is no default for this parameter. If empty, Envoy will not expose ALPN.
  //
  // Entries are free-form strings; no validation rule in this file constrains their format.
  repeated string alpn_protocols = 4;
}