Cronet TLS options from GreatFire Envoy #6
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
patch from Matthew Bogner
stevenmcdonald
commented
Jul 10, 2025
| @@ -9,6 +9,11 @@ namespace net { | |||
| SSLConfigServiceDefaults::SSLConfigServiceDefaults() = default; | |||
| SSLConfigServiceDefaults::~SSLConfigServiceDefaults() = default; | |||
|
|
|||
| SSLConfigServiceDefaults::SSLConfigServiceDefaults(SSLContextConfig default_config): default_config_(default_config) { | |||
| // TODO: This is how Envoy implemented it, but it seems like not the ideal solution. Should we make a new SSLConfigService subclass? | |||
There was a problem hiding this comment.
Matt had a question here in the comments
There was a problem hiding this comment.
Adding a reply here in part to remind myself of the situation: the commented out code below seems redundant since the config (with the cipher suites) is assigned above. With that out of the way, I think the question is whether it's important that this class remains a non-configurable class that provides only the default SSL configuration parameters.
stevenmcdonald
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Who and why?
See the notes on: #5
TLS options
This patch allows the caller to specify TLS options, similar to the
--ssl-version-min--ssl-vesion-maxand--cipher-suite-blacklistcommand line flags for the browser.We haven't been using this in Envoy, maybe we should? I don't know if this is still a useful feature in 2025. I remember a time when it was important to be able to exclude some of the TLS 1.2 suites, but as far as I know, those aren't used anywhere anymore. I can see some utility to this for testing, even if it's no longer needed for security.
Similar questions/comments to (#5)
SSLConfigServiceDefaultsto apply the changes, which seems "not ideal" as a colleague put it. He wondered if a new subclass was a more appropriate way to apply the settings