Skip to content

Add ECDSA P-521 support for XDS interface #6996

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Apr 25, 2025
Merged

Add ECDSA P-521 support for XDS interface #6996

merged 1 commit into from
Apr 25, 2025

Conversation

tsaarni
Copy link
Member

@tsaarni tsaarni commented Apr 15, 2025
edited
Loading

When Envoy connects to Contour over the xDS gRPC interface, it doesn't include secp521r1 in the TLS signature_algorithms extension because of BoringSSL’s default settings. As a result, the TLS handshake fails when using EC certificates with 521-bit private keys for the xDS interface.

This PR updates the Envoy bootstrap configuration to explicitly specify the list of supported signature algorithms, including secp521r1, enabling compatibility with these certificates.

Fixes #6997

@tsaarni tsaarni added the release-note/small A small change that needs one line of explanation in the release notes. label Apr 15, 2025
@tsaarni tsaarni requested a review from a team as a code owner April 15, 2025 16:14
@tsaarni tsaarni requested review from skriss and sunjayBhatia and removed request for a team April 15, 2025 16:14
@sunjayBhatia sunjayBhatia requested review from a team, izturn and clayton-gonsalves and removed request for a team April 15, 2025 16:14
@tsaarni tsaarni force-pushed the xds-with-ecdsa-secp521 branch 2 times, most recently from da0afdf to e494f71 Compare April 15, 2025 16:19
@codecov Codecov
Copy link

codecov bot commented Apr 15, 2025
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 80.74%. Comparing base (284fce7) to head (e64b4cf).
Report is 1 commits behind head on main.

Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff             @@
##             main    #6996      +/-   ##
==========================================
+ Coverage   80.72%   80.74%   +0.01%     
==========================================
  Files         131      131              
  Lines       19868    19884      +16     
==========================================
+ Hits        16039    16055      +16     
  Misses       3537     3537              
  Partials      292      292
Files with missing lines Coverage Δ
internal/envoy/v3/bootstrap.go 92.62% <100.00%> (+0.33%) ⬆️
🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@tsaarni tsaarni force-pushed the xds-with-ecdsa-secp521 branch from e494f71 to e64b4cf Compare April 23, 2025 07:41
@tsaarni tsaarni merged commit f140c71 into projectcontour:main Apr 25, 2025
26 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sunjayBhatia sunjayBhatia sunjayBhatia approved these changes

@skriss skriss Awaiting requested review from skriss skriss is a code owner automatically assigned from projectcontour/maintainers

@izturn izturn Awaiting requested review from izturn izturn was automatically assigned from projectcontour/contour-reviewers

@clayton-gonsalves clayton-gonsalves Awaiting requested review from clayton-gonsalves clayton-gonsalves was automatically assigned from projectcontour/contour-reviewers

Assignees
No one assigned
Labels
release-note/small A small change that needs one line of explanation in the release notes.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Support SECP521R1 Curve for xDS TLS Communication Between Envoy and Contour
2 participants
@tsaarni @sunjayBhatia