Skip to content

Make max acceptable client hello size configurable via TlsInspector proto #42278

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 6 commits into
base: main
Choose a base branch
from
Open

Make max acceptable client hello size configurable via TlsInspector proto #42278

wants to merge 6 commits into from

Conversation

@eziskind
Copy link
Contributor

@eziskind eziskind commented Nov 26, 2025

This change allows configuring the maximum size of the ClientHello that the TLS inspector will process via the TlsInspector proto configuration. The default value is 16KiB. The initial_read_buffer_size now defaults to this configurable maximum size. No change to current behavior if the field is unset.

Risk Level: low
Testing: unit tests

@repokitteh-read-only
Copy link

repokitteh-read-only bot commented Nov 26, 2025

CC @envoyproxy/api-shepherds: Your approval is needed for changes made to (api/envoy/|docs/root/api-docs/).
envoyproxy/api-shepherds assignee is @markdroth
CC @envoyproxy/api-watchers: FYI only for changes made to (api/envoy/|docs/root/api-docs/).

🐱

Caused by: #42278 was opened by eziskind.

see: more, trace.

botengyao
botengyao reviewed Nov 26, 2025
View reviewed changes
Copy link
Member

@botengyao botengyao left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just catches this from my another PR, thanks for adding this support!

/wait

@eziskind
address feedback: lt -> lte
49b6807 
Signed-off-by: Elisha Ziskind <[email protected]>
@eziskind
fix format
b3b424a 
Signed-off-by: Elisha Ziskind <[email protected]>
@agrawroh
Copy link
Member

agrawroh commented Nov 26, 2025

I am curious what's the motivation behind making this configurable. The current value is per the RFC specs. In what cases do we wanna change this?

@eziskind
Copy link
Contributor Author

eziskind commented Nov 26, 2025

I am curious what's the motivation behind making this configurable. The current value is per the RFC specs. In what cases do we wanna change this?

We want to be able to use a lower default value to limit abuse (eg. from DoS attacks) and only allow higher values (up to the RFC spec of 16K) when valid use-cases arise.

@eziskind
fix format-api
e83dc35 
Signed-off-by: Elisha Ziskind <[email protected]>
@agrawroh
Copy link
Member

agrawroh commented Nov 26, 2025

I am curious what's the motivation behind making this configurable. The current value is per the RFC specs. In what cases do we wanna change this?

We want to be able to use a lower default value to limit abuse (eg. from DoS attacks) and only allow higher values (up to the RFC spec of 16K) when valid use-cases arise.

Make sense. Thanks for sharing.

KBaichoo
KBaichoo previously approved these changes Nov 27, 2025
View reviewed changes
Copy link
Contributor

@KBaichoo KBaichoo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Thank you!

@eziskind
add mention in changelog
79f0621 
Signed-off-by: Elisha Ziskind <[email protected]>
@agrawroh
Copy link
Member

agrawroh commented Nov 27, 2025

This still needs an API LGTM.
cc @abeyad @ggreenway

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@botengyao botengyao botengyao left review comments

@agrawroh agrawroh agrawroh approved these changes

@KBaichoo KBaichoo KBaichoo left review comments

@ggreenway ggreenway Awaiting requested review from ggreenway ggreenway is a code owner

Assignees

@markdroth markdroth

Labels

api

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@eziskind @agrawroh @KBaichoo @botengyao @markdroth