TLS

    • Configurable ciphers: Each TLS listener and client can specify the ciphers that it supports.
    • Certificate verification and pinning: Certificate verification options include basic chain verification, subject name verification, and hash pinning.
    • Certificate revocation: Envoy can check peer certificates against a certificate revocation list (CRL) if one is provided in the validation context.
    • ALPN: TLS listeners support ALPN. The HTTP connection manager uses this information (in addition to protocol inference) to determine whether a client is speaking HTTP/1.1 or HTTP/2.
    • SNI: SNI is supported for both server (listener) and client (upstream) connections.
    • Session resumption: Server connections support resuming previous sessions via TLS session tickets (see RFC 5077). Resumption can be performed across hot restarts and between parallel Envoy instances (typically useful in a front proxy configuration), provided every instance is configured with the same session ticket keys; an instance that cannot decrypt a ticket simply falls back to a full handshake.

    Currently Envoy is written to use as the TLS provider.

    /etc/ssl/certs/ca-certificates.crt is the default path for the system CA bundle on Debian systems. Using it as the trusted CA makes Envoy verify the server identity of 127.0.0.2:1234 in the same way as, for example, cURL does on a standard Debian installation: any certificate chaining to a publicly trusted CA is accepted, so for internal services a private CA, subject name matching, or hash pinning is the tighter choice. Common paths for system CA bundles on Linux and BSD are

    • /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem (CentOS/RHEL 7)
    • /etc/pki/tls/certs/ca-bundle.crt (Fedora/RHEL 6)
    • /etc/ssl/ca-bundle.pem (OpenSUSE)
    • /usr/local/etc/ssl/cert.pem (FreeBSD)
    • /etc/ssl/cert.pem (OpenBSD)
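The following Envoy bootstrap config is an added example, not taken from the Envoy documentation or code base, and exercises each feature listed above on one TLS listener and one TLS upstream: a restricted cipher list, CA-based chain verification with a CRL, a subject alternative name match, a pinned certificate hash, ALPN advertisement, a shared session ticket key, and SNI plus system-CA verification on the upstream. All file paths, the hostnames backend.internal and client.example.com, port numbers and the pinned hash value are placeholders chosen for this example.

```yaml
# Added example configuration (not Envoy's own docs); paths and names are placeholders.
static_resources:
  listeners:
  - name: https_listener
    address:
      socket_address: { address: 0.0.0.0, port_value: 8443 }
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_https
          # AUTO lets the HCM combine the ALPN result with protocol inference
          # to decide between HTTP/1.1 and HTTP/2 per connection.
          codec_type: AUTO
          route_config:
            name: local_route
            virtual_hosts:
            - name: backend
              domains: ["*"]
              routes:
              - match: { prefix: "/" }
                route: { cluster: backend_tls }
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
      transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          # Reject any client that does not present a certificate at all.
          require_client_certificate: true
          common_tls_context:
            tls_params:
              tls_minimum_protocol_version: TLSv1_2
              # Configurable ciphers: AEAD suites only; "[a|b]" is an
              # equal-preference group, the client's order decides inside it.
              cipher_suites:
              - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]"
              - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]"
            # ALPN: offer h2 first, fall back to HTTP/1.1.
            alpn_protocols: ["h2", "http/1.1"]
            tls_certificates:
            - certificate_chain: { filename: /etc/envoy/certs/server.crt }   # placeholder path
              private_key: { filename: /etc/envoy/certs/server.key }         # placeholder path
            validation_context:
              # Basic chain verification against a private client CA ...
              trusted_ca: { filename: /etc/envoy/certs/client-ca.crt }       # placeholder path
              # ... with revocation checking against that CA's CRL.
              crl: { filename: /etc/envoy/certs/client-ca.crl }              # placeholder path
              # Subject name verification: the client leaf must carry this DNS SAN.
              match_typed_subject_alt_names:
              - san_type: DNS
                matcher: { exact: "client.example.com" }
              # Hash pinning: hex SHA-256 of the client leaf certificate in DER form.
              # The value below is a placeholder, not a real fingerprint.
              verify_certificate_hash:
              - "0000000000000000000000000000000000000000000000000000000000000000"
          # Session resumption: an 80-byte key file. Distribute the same file
          # to every parallel instance so tickets resume across all of them.
          session_ticket_keys:
            keys:
            - filename: /etc/envoy/keys/ticket_key.bin                       # placeholder path
  clusters:
  - name: backend_tls
    type: STRICT_DNS
    connect_timeout: 1s
    load_assignment:
      cluster_name: backend_tls
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: backend.internal, port_value: 443 }  # placeholder host
    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
        # SNI on the client side: send the name the upstream's certificate is issued for.
        sni: backend.internal
        common_tls_context:
          validation_context:
            # Verify the upstream against the Debian system CA bundle and
            # additionally require its certificate to name the host we dialed.
            trusted_ca: { filename: /etc/ssl/certs/ca-certificates.crt }
            match_typed_subject_alt_names:
            - san_type: DNS
              matcher: { exact: backend.internal }
```

Run it with `envoy -c envoy.yaml` after replacing the placeholder paths and the pinned hash. The fingerprint to pin can be produced with `openssl x509 -in client.crt -outform DER | sha256sum`; note that hash pinning alone already fixes the peer certificate exactly, so the SAN match and CA verification in the listener are defence in depth rather than a requirement, while on the upstream, where the system bundle trusts every public CA, the SAN match is what stops a certificate issued to some other host from being accepted.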

    Envoy provides a network filter that performs TLS client authentication via principals fetched from a REST VPN service. This filter matches the hash of the presented client certificate against the fetched principal list to determine whether the connection should be allowed. An optional IP allow list can also be configured, so that connections from listed source addresses bypass the certificate check. This functionality can be used to build edge proxy VPN support for web infrastructure.
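The listener below is an added example, not code from the Envoy project, showing how that client certificate authentication filter sits in front of a TCP proxy. The TLS transport socket still performs chain verification against a client CA; the filter then adds the principal check against the list fetched from the `vpn_auth_api` cluster. The cluster names, hostname auth.internal, paths and the 10.0.0.0/8 allow list are placeholders chosen for this example, and the shape of the REST response the filter consumes is stated as an assumption in the note that follows.

```yaml
# Added example configuration (not Envoy's own docs); names and paths are placeholders.
static_resources:
  listeners:
  - name: vpn_edge
    address:
      socket_address: { address: 0.0.0.0, port_value: 8443 }
    filter_chains:
    - transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          # The client must present a certificate that chains to client-ca.crt;
          # the filter below then decides whether that particular cert is a known principal.
          require_client_certificate: true
          common_tls_context:
            tls_certificates:
            - certificate_chain: { filename: /etc/envoy/certs/server.crt }   # placeholder path
              private_key: { filename: /etc/envoy/certs/server.key }         # placeholder path
            validation_context:
              trusted_ca: { filename: /etc/envoy/certs/client-ca.crt }       # placeholder path
      filters:
      # Order matters: the auth filter must run before the proxy filter
      # so an unknown principal is closed before any bytes are forwarded.
      - name: envoy.filters.network.client_ssl_auth
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.client_ssl_auth.v3.ClientSSLAuth
          # Cluster that hosts the REST VPN service holding the principal list.
          auth_api_cluster: vpn_auth_api
          stat_prefix: vpn_client_auth
          # How often the principal list is re-fetched; revoked principals
          # stay accepted for up to this long, so keep it short.
          refresh_delay: 60s
          # Optional IP allow list: sources inside this range skip the
          # certificate hash check entirely, so scope it as narrowly as possible.
          ip_white_list:
          - address_prefix: 10.0.0.0
            prefix_len: 8
      - name: envoy.filters.network.tcp_proxy
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
          stat_prefix: vpn_tcp
          cluster: internal_backend
  clusters:
  - name: vpn_auth_api
    type: STRICT_DNS
    connect_timeout: 1s
    load_assignment:
      cluster_name: vpn_auth_api
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: auth.internal, port_value: 8080 }   # placeholder host
  - name: internal_backend
    type: STRICT_DNS
    connect_timeout: 1s
    load_assignment:
      cluster_name: internal_backend
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: backend.internal, port_value: 80 }  # placeholder host
```

The filter polls the auth cluster for a JSON document listing approved certificates by SHA-256 fingerprint; in this example it is assumed to be served at `GET /v1/certs/list/approved` as `{"certificates": [{"fingerprint_sha256": "<hex>"}]}`, which is the format the Envoy filter documentation describes, and the service behind `vpn_auth_api` must return exactly that. Two points to check in a deployment: the auth cluster should itself be reached over TLS (add an `UpstreamTlsContext` to it as in the previous example) so the principal list cannot be tampered with in transit, and the `ip_white_list` entries bypass the certificate check, so any range listed there should be one where source addresses cannot be spoofed at the edge.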