Skip to content

tls_inspector: Add missing TLS version check#44274

Open
yanavlasov wants to merge 6 commits intoenvoyproxy:mainfrom
yanavlasov:tls-inspector-version-check
Open

tls_inspector: Add missing TLS version check#44274
yanavlasov wants to merge 6 commits intoenvoyproxy:mainfrom
yanavlasov:tls-inspector-version-check

Conversation

@yanavlasov
Copy link
Copy Markdown
Contributor

@yanavlasov yanavlasov commented Apr 3, 2026

Commit Message:
tls_inspector defined but never implemented check for client's TLS version. This allowed connections with a too low version to be allowed.

Adding runtime guard in case someone depends on the broken functionality.

Risk Level: medium, flag protected.
Testing: unit tests
Docs Changes: n/a
Release Notes: yes
Platform Specific Features: n/a
Runtime guard: envoy.reloadable_features.tls_inspector_enforce_client_tls_version

@yanavlasov
tls_inspector: Add missing TLS version check
2691de2 
Signed-off-by: Yan Avlasov <yavlasov@google.com>
@repokitteh-read-only
Copy link
Copy Markdown

repokitteh-read-only Bot commented Apr 3, 2026

CC @envoyproxy/runtime-guard-changes: FYI only for changes made to (source/common/runtime/runtime_features.cc).

🐱

Caused by: #44274 was opened by yanavlasov.

see: more, trace.

@yanavlasov
Copy link
Copy Markdown
Contributor Author

yanavlasov commented Apr 3, 2026

/gemini review

gemini-code-assist[bot]
gemini-code-assist Bot reviewed Apr 3, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@gemini-code-assist gemini-code-assist Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces a check in the tls_inspector listener filter to enforce minimum (1.0) and maximum (1.3) client TLS versions, managed by a new runtime guard. The implementation captures the TLS version during the handshake and triggers a failure if it falls outside the supported range, updating statistics and metadata accordingly. The PR also includes new unit tests and a helper for constructing TLS ClientHello messages. Review feedback suggests adding the missing header for std::iota, fixing typos in the changelog, and using absl::string_view for string parameters in test helpers to avoid unnecessary copies.

Comment thread test/extensions/filters/listener/tls_inspector/tls_inspector_test.cc
Comment thread changelogs/current.yaml Outdated
Comment thread test/extensions/filters/listener/tls_inspector/tls_inspector_test.cc Outdated
@yanavlasov
Address comments
9117214 
Signed-off-by: Yan Avlasov <yavlasov@google.com>
@yanavlasov
Merge branch 'main' into tls-inspector-version-check
42dd324
@yanavlasov
Merge branch 'main' into tls-inspector-version-check
7ea068c
@yanavlasov
Format
c1f8a53 
Signed-off-by: Yan Avlasov <yavlasov@google.com>
@yanavlasov
Spelling
d6a8b88 
Signed-off-by: Yan Avlasov <yavlasov@google.com>
ggreenway
ggreenway requested changes Apr 7, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@ggreenway ggreenway left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/wait

Comment thread source/extensions/filters/listener/tls_inspector/tls_inspector.cc
}

const std::string& Filter::failureReasonClientHelloWrongTlsVersion() {
CONSTRUCT_ON_FIRST_USE(std::string, "ClientHelloWrongTlsVersion");
Copy link
Copy Markdown
Member

@ggreenway ggreenway Apr 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
CONSTRUCT_ON_FIRST_USE(std::string, "ClientHelloWrongTlsVersion");
CONSTRUCT_ON_FIRST_USE(std::string, "ClientHelloInvalidTlsVersion");

Comment thread test/extensions/filters/listener/tls_inspector/tls_inspector_test.cc
init();
const std::string servername("example.com");
// Generate ClientHello with SSL v3 version (0x0300)
std::vector<uint8_t> client_hello = CreateClientHello(servername, 0, true, 0x0300);
Copy link
Copy Markdown
Member

@ggreenway ggreenway Apr 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should there also be a test for version too high?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ggreenway ggreenway ggreenway requested changes

@KBaichoo KBaichoo Awaiting requested review from KBaichoo KBaichoo is a code owner

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Requested changes must be addressed to merge this pull request.

Assignees

@ggreenway ggreenway

Labels

waiting

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@yanavlasov @ggreenway