Support skipping certificate verification when establishing a Quic connection #17700
Comments
Worth pointing out that the Envoy config
It's worth discussing whether this match should be mandatory or configurable.
Thank you @danzh2010 for adding the context; I confirm that this is the verification in question.
I'm torn here - I like QUIC matching existing TLS behavior, but I also like verifying by default.
Wow! I feel very strongly that certificates should be verified by default. Having things insecure by default seems like a disaster waiting to happen. What would it take to change this behavior? (Maybe this is not practical in the short term, but I really think this needs some investigation.)
Generally, changing high-risk config defaults like this in Envoy involves an envoy-announce email and a runtime-guarded change if the config isn't present, so folks can flip the flag while they realize the envoy-announce email affected them. This is likely to break some deployments, but I agree that for security it's one of those breaking changes we really ought to do.
All things being equal, I agree we should verify by default; however, two gotchas:
I think it would be worth it to track ^ as a separate issue.
Ok, so what I'd suggest then is we leave QUIC verifying by default and add the knob to turn it off at Nighthawk's convenience: as it'll keep the prior default, there's no need to lock this in before alpha wraps up. What we should do before we leave alpha, @danzh2010, is document the inversion in both the QUIC and TLS docs so folks don't get surprised. The explanation can link to the issue tracking TLS switching defaults, which I've just filed as #17771.
I will update the document about the difference. Adding the knob to turn off verification is not a blocker for MVP, right?
Correct!
Envoy seems to skip certificate verification by default, as documented in the API.
However, the QUIC implementation of the createQuicNetworkConnection function currently doesn't take any configuration and always uses the EnvoyQuicProofVerifier.
This prevents establishing a QUIC connection in load-testing applications where we might be running with test/bogus certificates. This might also affect other use cases, so I'm hoping to start a discussion on whether this is something we want to improve by allowing a configuration that skips certificate verification.
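A small lint for the default described in this issue, added here as an example (it is not code from the issue or from Envoy): it walks the clusters of a parsed Envoy bootstrap and reports every TLS or QUIC upstream transport socket whose CommonTlsContext carries no explicit validation context. The cluster names, SNI and CA path in the sample bootstrap are constructed placeholders.

```python
"""Lint a parsed Envoy bootstrap for TLS/QUIC upstream clusters with no explicit
validation context. For plain TLS that means the upstream certificate is not verified
(the default this issue discusses); QUIC verifies anyway today, but an explicit context
is the setting that survives a change of defaults. Example code, not Envoy's."""
from typing import Dict, List, Optional

TLS = "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext"
QUIC = "type.googleapis.com/envoy.extensions.transport_sockets.quic.v3.QuicUpstreamTransport"
# Any one of these CommonTlsContext fields supplies a validation context.
VALIDATION_FIELDS = ("validation_context", "validation_context_sds_secret_config",
                     "combined_validation_context")


def upstream_tls_context(typed_config: Dict) -> Optional[Dict]:
    """Return the UpstreamTlsContext inside a transport socket config, or None for
    non-TLS sockets. QuicUpstreamTransport nests it under upstream_tls_context."""
    kind = typed_config.get("@type")
    if kind == TLS:
        return typed_config
    if kind == QUIC:
        return typed_config.get("upstream_tls_context", {})
    return None


def clusters_without_validation_context(bootstrap: Dict) -> List[str]:
    """Names of TLS/QUIC clusters that rely on the default instead of configuring
    how the upstream certificate is validated."""
    findings = []
    for cluster in bootstrap.get("static_resources", {}).get("clusters", []):
        typed = cluster.get("transport_socket", {}).get("typed_config", {})
        ctx = upstream_tls_context(typed)
        if ctx is None:
            continue  # plaintext or unrelated transport socket
        common = ctx.get("common_tls_context", {})
        if not any(field in common for field in VALIDATION_FIELDS):
            findings.append(cluster["name"])
    return findings


# Constructed sample: cluster names, SNI and CA path are placeholders, not from the issue.
SAMPLE_BOOTSTRAP = {"static_resources": {"clusters": [
    {"name": "tls_default", "transport_socket": {"name": "envoy.transport_sockets.tls",
        "typed_config": {"@type": TLS, "sni": "upstream.example"}}},
    {"name": "quic_default", "transport_socket": {"name": "envoy.transport_sockets.quic",
        "typed_config": {"@type": QUIC, "upstream_tls_context": {"sni": "upstream.example"}}}},
    {"name": "tls_verified", "transport_socket": {"name": "envoy.transport_sockets.tls",
        "typed_config": {"@type": TLS, "sni": "upstream.example", "common_tls_context": {
            "validation_context": {"trusted_ca": {"filename": "/etc/ssl/ca.pem"}}}}}},
    {"name": "plaintext"},
]}}

if __name__ == "__main__":
    print(clusters_without_validation_context(SAMPLE_BOOTSTRAP))  # ['tls_default', 'quic_default']
```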