Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Full TLS proxying #769

Open
krizhanovsky opened this issue Jul 19, 2017 · 1 comment
Open

Full TLS proxying #769

krizhanovsky opened this issue Jul 19, 2017 · 1 comment
Labels
crucial enhancement TLS Tempesta TLS module and related issues
Milestone
0.9 - LA

Comments

@krizhanovsky
Copy link
Contributor

krizhanovsky commented Jul 19, 2017
edited
Loading

Protocol

Currently Tempesta can only terminate TLS traffic acting as a TLS accelerator/terminator. However, CDNs and filtering networks do require full TLS, i.e. establish encrypted channel between Tempesta and origin servers. Thousands upstream servers are possible in application delivery network (ADN) scenarios, so connect() over TLS must be fast enough.

Only TLS 1.3 #1031 should be supported.

Following features must be supported:

  1. Hostname name validation (see the OpenSSL wiki). We don't want to make DNS queries from the kernel, so the server (upstream) address must also specify the common name of the server (i.e. result of inet_pton()). Alternatively we can use linux/net/dns_resolver.
  2. abbreviated handshakes

Cryptography

TLS client side involves ECDSA signature verification, i.e. calculation of m * G + n * Q, which is done by ttls_ecp_muladd() in simplest way. The Shamir's trick and/or multi-exponentiation (Bodo Möller, "Algorithms for multi-exponentiation") should be used. See OpenSSL's ec_wNAF_mul() as the reference.
@krizhanovsky krizhanovsky added this to the 1.0 WebOS milestone Jul 19, 2017
@krizhanovsky krizhanovsky mentioned this issue Sep 1, 2017
Closed
@krizhanovsky krizhanovsky modified the milestones: backlog, 0.6 KTLS Feb 4, 2018
@krizhanovsky krizhanovsky self-assigned this Mar 22, 2018
@krizhanovsky krizhanovsky modified the milestones: 0.6 KTLS, backlog May 29, 2018
@krizhanovsky krizhanovsky mentioned this issue May 29, 2018
Open
@krizhanovsky
Copy link
Contributor Author

krizhanovsky commented Aug 14, 2018
edited
Loading

It seems 50% of CDN clients require TLS encrypted traffic. Since backends are client-manageable, TLS 1.3 only is enough for client side. Backends are also trusted, so it seems we don't need to do full certificates chain validation and/or can use pre-shared keys. Thus, it seems we don't need neither OCSP stapling #831 nor clients certificates validation #830 for this task,

@krizhanovsky krizhanovsky modified the milestones: backlog, 1.1 QUIC Aug 14, 2018
@krizhanovsky krizhanovsky mentioned this issue Nov 6, 2018
Closed
@krizhanovsky krizhanovsky removed their assignment Nov 17, 2018
@krizhanovsky krizhanovsky mentioned this issue Nov 19, 2018
Closed
@krizhanovsky krizhanovsky modified the milestones: 1.1 QUIC, 1.2 TDB v0.2 Nov 19, 2018
@krizhanovsky krizhanovsky added the TLS Tempesta TLS module and related issues label Apr 28, 2020
@krizhanovsky krizhanovsky mentioned this issue Dec 26, 2021
Closed
@krizhanovsky krizhanovsky modified the milestones: 0.8 - TBD, 1.1 - TLS 1.3 Jan 3, 2022
@krizhanovsky krizhanovsky mentioned this issue Feb 21, 2022
Closed
7 tasks
@krizhanovsky krizhanovsky mentioned this issue Apr 19, 2023
Open
@krizhanovsky krizhanovsky modified the milestones: 1.x: TBD, 1.0 - GA, 1.1: TBD Oct 31, 2023
@krizhanovsky krizhanovsky modified the milestones: 1.1: TBD, 0.9 - LA Sep 27, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
crucial enhancement TLS Tempesta TLS module and related issues
Projects
None yet
Milestone
0.9 - LA
Development

No branches or pull requests
1 participant
@krizhanovsky