1.31 backport: Relax recent SNI restrictions (#36950) #36997
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
See istio/istio#53426. Istio has used underscores in their SNI since the beginning and it is critical to its functionality. Usage of underscores in SNI is a bit of a grey area in the RFCs, which are extremely under-specified wrt to what exactly is the allowed formats. However, the de-facto standard is to allow them, as virtually every TLS library does so (including, but not limited to, Golang, rustls, openssl, boringssl). This PR loosens the restriction to additionally allow underscores. Note the intent of the SNI restrictions was not RFC compliance, etc -- but rather to fix [log injection](GHSA-p222-xhp9-39rc) attacks (putting ANSI escapes, HTML, etc) into logs. This change does not loosen the security properties we hoped to gain with the initial patch. Signed-off-by: John Howard <[email protected]> (cherry picked from commit 79ee342)
tyxia
previously approved these changes
Nov 5, 2024
|
@phlax Could you take a look? |
auto-merge was automatically disabled
November 5, 2024 21:19
Head branch was pushed to by a user without write access
Adds a release note for envoyproxy#36950 (comment) Signed-off-by: John Howard <[email protected]> (cherry picked from commit db63605)
ggreenway
approved these changes
Nov 6, 2024
phlax
approved these changes
Nov 7, 2024
|
/retest flakey ext_authz example |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This change is being backported as it is a bug-fix for a regression for a fix that was also applied to this branch. Merging this fixes the regression.
See istio/istio#53426. Istio has used underscores in their SNI since the beginning and it is critical to its functionality. Usage of underscores in SNI is a bit of a grey area in the RFCs, which are extremely under-specified wrt to what exactly is the allowed formats. However, the de-facto standard is to allow them, as virtually every TLS library does so (including, but not limited to, Golang, rustls, openssl, boringssl).
This PR loosens the restriction to additionally allow underscores.
Note the intent of the SNI restrictions was not RFC compliance, etc -- but rather to fix log
injection attacks (putting ANSI escapes, HTML, etc) into logs. This change does not loosen the security properties we hoped to gain with the initial patch.
Signed-off-by: John Howard [email protected]
(cherry picked from commit 79ee342)