-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
TCP Proxy: Fix TLS passthrough for fragmented ClientHello. #11843
base: main
Are you sure you want to change the base?
Conversation
This issue is currently awaiting triage. If Ingress contributors determines this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
Welcome @maxl99! |
Hi @maxl99. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
✅ Deploy Preview for kubernetes-ingress-nginx canceled.
|
a989d48
to
9a0ea21
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, tested this, works perfectly
Fixed nginx-ingress image to include this patch: - kubernetes/ingress-nginx#11843 Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
/ok-to-test I will run the test suite first. |
/kind bug If this is a bug, could you please also add some tests to prevent future regression? |
We need to read the entire length of the ClientHello packet in order to get the SNI field for proper tls passthrough.
9a0ea21
to
b7ed9ba
Compare
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: kvaps, maxl99 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
I tried to implement an e2e test that sends a ClientHello with 2 packets (similar to the behaviour we see in the packet capture). |
ssl-passthrough is targeted for deprecation. I understand this is disruptive. But there is demand for real-client-ip and now this fragmented client-helo. Its also very clear that 2 PRs are in queue for addressing this. But please consider that the requirement now is 2 folds. On one hand a developer of the project needs to evaluate not just the PRs here but also the impact of those changes on the design, security & stability of the controller.. Secondly the continued support/maintenance to sustain the TLS-Passthrough feature in its current go-proxy avatar, requires resources. The project hit CVEs and and other sustaining related problems and faced acute shortage of resources for a extended length of time. So to avoid future impact to the security/stability of the controller, a decision was made to focus on the core functionality of the project. We are even deprecating several functioning useful popular features. Implementing the Gateway-API is the other focus besides shipping a secure-by-default controller. Hence wait for other comments, but I would say not to expect much traction on this as the TLS-Passthrough feature itself may be deprecated sooner than later. I understand its the least desired scene but its the reality of changing times. Users do obviously have the option to fork the project and implement desired changes there. regards. |
What this PR does / why we need it:
We need to read the entire length of the ClientHello packet in order to get the SNI field for proper tls passthrough.
Types of changes
Which issue/s this PR fixes
fixes #11491
fixes #11424
How Has This Been Tested?
Tested with tldr_fail_test.py (modified to use tls1.2)
Without the patch:
With the patch, passthrough also works for a fragmented ClientHello.
Checklist: