-
Notifications
You must be signed in to change notification settings - Fork 2.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: support ssl key-encrypt-salt rotation #7925
Changes from all commits
0103018
2ba4f77
e6a8c57
d7632ee
02f838e
b3d6e38
8e31c0a
c096363
501f475
457bddc
4cc8097
1842e6d
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -112,9 +112,10 @@ apisix: | |
ssl_session_tickets: false # disable ssl_session_tickets by default for 'ssl_session_tickets' would make Perfect Forward Secrecy useless. | ||
# ref: https://github.com/mozilla/server-side-tls/issues/135 | ||
|
||
key_encrypt_salt: edd1c9f0985e76a2 # If not set, will save origin ssl key into etcd. | ||
# If set this, must be a string of length 16. And it will encrypt ssl key with AES-128-CBC | ||
# !!! So do not change it after saving your ssl, it can't decrypt the ssl keys have be saved if you change !! | ||
key_encrypt_salt: # If not set, will save origin ssl key into etcd. | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Is this a breaking change? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. it's backward compatible, we could use 2 ways at the same time There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I have test case about this case |
||
- edd1c9f0985e76a2 # If set this, the key_encrypt_salt should be an array whose elements are string, and the size is also 16, and it will encrypt ssl key with AES-128-CBC | ||
# !!! So do not change it after saving your ssl, it can't decrypt the ssl keys have be saved if you change !! | ||
# Only use the first key to encrypt, and decrypt in the order of the array. | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The comment is not accurate to describe the field, since the comment says it "must be a string of length 16". There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Done There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The comment is still wrong. The There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Should we only recommend using array? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I'm updating this to |
||
|
||
#fallback_sni: "my.default.domain" # If set this, when the client doesn't send SNI during handshake, the fallback SNI will be used instead | ||
enable_control: true | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I know
anyOf
can satisfy the schema check but it should beoneOf
in this scene?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
But this is the conventional way in APISIX, it's used everywhere, so i think i should follow this.