
Commit 40bf1ce

committed
Enable TLS Fingerprinting
This commit modifies the TLS Inspector instantiation to support an optional parameter for enabling JA3/JA4 fingerprinting. The following changes were made: - Updated the TLS Inspector instantiation across multiple test files to use the new parameter, defaulting to false. - Introduced a new field `EnableTLSFingerprinting` in the ListenerConfig struct to manage this feature. - Adjusted the secureProxyProtocol function to accept the new parameter and pass it to the TLS Inspector. - Updated documentation to reflect the new `enableFingerprinting` option in the API reference. Signed-off-by: Giacomo Triggiano <giacomotriggiano@gmail.com>
1 parent 84e88d9 commit 40bf1ce

32 files changed

+468
-119
lines changed

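--- a/apis/projectcontour/v1alpha1/contourconfig.go
+++ b/apis/projectcontour/v1alpha1/contourconfig.go
@@ -508,6 +508,14 @@ type EnvoyTLS struct {
 // Note: This list is a superset of what is valid for stock Envoy builds and those using BoringSSL FIPS.
 // +optional
 CipherSuites []string `json:"cipherSuites,omitempty"`
+
+// EnableFingerprinting enables JA3 and JA4 TLS fingerprinting in the
+// TLS Inspector listener filter. When enabled, Envoy will extract JA3/JA4
+// fingerprints from TLS client hellos.
+//
+// Contour's default is false.
+// +optional
+EnableFingerprinting *bool `json:"enableFingerprinting,omitempty"`
 }
 
 // EnvoyListener defines parameters for an Envoy Listener.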
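Review bot: The doc comment on `EnableFingerprinting` says fingerprints are extracted but not where they surface or what they are good for, and the CRD description is generated from this text, so an operator reading it has nothing to act on. It should state that the fingerprint is computed from the ClientHello the Envoy listener actually receives — behind a TLS-terminating load balancer it identifies the balancer, not the client, and PROXY protocol does not change that — and that a JA3/JA4 value is a client-controlled heuristic suited to logging and anomaly detection, never to authorization. It would also help to name the access-log operator or filter-state key through which Envoy exposes the values, whichever this commit's documentation settles on, since enabling the flag is otherwise unobservable. I would add after the existing sentence: `// Fingerprints reflect the ClientHello as seen by Envoy (a TLS-terminating` / `// proxy in front of it is what gets fingerprinted) and are spoofable; use` / `// them for observability, not for access control.`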

apis/projectcontour/v1alpha1/zz_generated.deepcopy.go

Lines changed: 5 additions & 0 deletions

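--- a/cmd/contour/serve.go
+++ b/cmd/contour/serve.go
@@ -138,6 +138,8 @@ func registerServe(app *kingpin.Application) (*kingpin.CmdClause, *serveContext)
 serve.Flag("disable-feature", "Do not start an informer for the specified resources.").PlaceHolder("<extensionservices,tlsroutes,grpcroutes,tcproutes,backendtlspolicies>").EnumsVar(&ctx.disabledFeatures, "extensionservices", "tlsroutes", "grpcroutes", "tcproutes", "backendtlspolicies")
 serve.Flag("disable-leader-election", "Disable leader election mechanism.").BoolVar(&ctx.LeaderElection.Disable)
 
+serve.Flag("enable-tls-fingerprinting", "Enable JA3/JA4 TLS fingerprinting in the TLS Inspector filter.").BoolVar(&ctx.enableTLSFingerprinting)
+
 serve.Flag("envoy-http-access-log", "Envoy HTTP access log.").PlaceHolder("/path/to/file").StringVar(&ctx.httpAccessLog)
 serve.Flag("envoy-https-access-log", "Envoy HTTPS access log.").PlaceHolder("/path/to/file").StringVar(&ctx.httpsAccessLog)
 serve.Flag("envoy-service-http-address", "Kubernetes Service address for HTTP requests.").PlaceHolder("<ipaddr>").StringVar(&ctx.httpAddr)
@@ -444,6 +446,7 @@ func (s *Server) doServe() error {
 listenerConfig := xdscache_v3.ListenerConfig{
 Compression: contourConfiguration.Envoy.Listener.Compression,
 UseProxyProto: *contourConfiguration.Envoy.Listener.UseProxyProto,
+EnableTLSFingerprinting: *contourConfiguration.Envoy.Listener.TLS.EnableFingerprinting,
 HTTPAccessLog: contourConfiguration.Envoy.HTTPListener.AccessLog,
 HTTPSAccessLog: contourConfiguration.Envoy.HTTPSListener.AccessLog,
 AccessLogType: contourConfiguration.Envoy.Logging.AccessLogFormat,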
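Review bot: `EnableTLSFingerprinting: *contourConfiguration.Envoy.Listener.TLS.EnableFingerprinting` in the doServe hunk dereferences an `+optional` `*bool` unconditionally, so a ContourConfiguration resource that omits `enableFingerprinting` produces a nil-pointer panic at startup unless the ContourConfiguration defaulting code (not among the sections rendered here) fills the new field in. The sibling `UseProxyProto` dereference presumably relies on exactly that defaulting, and a newly added field is where it is easiest to forget. A form that is safe either way and records the intended default is `EnableTLSFingerprinting: ptr.Deref(contourConfiguration.Envoy.Listener.TLS.EnableFingerprinting, false),` (`k8s.io/utils/ptr` is already used by servecontext_test.go); if `Listener.TLS` itself can be nil, it needs the same guard. doServe's body continues outside the hunk.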

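--- a/cmd/contour/servecontext.go
+++ b/cmd/contour/servecontext.go
@@ -75,7 +75,8 @@ type serveContext struct {
 statsPort int
 
 // envoy's listener parameters
-useProxyProto bool
+useProxyProto bool
+enableTLSFingerprinting bool
 
 // envoy's http listener parameters
 httpAddr string
@@ -561,6 +562,7 @@ func (ctx *serveContext) convertToContourConfigurationSpec() contour_v1alpha1.Co
 MinimumProtocolVersion: ctx.Config.TLS.MinimumProtocolVersion,
 MaximumProtocolVersion: ctx.Config.TLS.MaximumProtocolVersion,
 CipherSuites: cipherSuites,
+EnableFingerprinting: &ctx.enableTLSFingerprinting,
 },
 SocketOptions: &contour_v1alpha1.SocketOptions{
 TOS: ctx.Config.Listener.SocketOptions.TOS,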
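Review bot: In the convertToContourConfigurationSpec hunk the sibling TLS settings come from the config file (`ctx.Config.TLS.MinimumProtocolVersion` and so on) while `EnableFingerprinting` is taken only from the `--enable-tls-fingerprinting` flag, so operators who configure Contour through the config file cannot turn the feature on unless another file in this commit adds a config-file field. Either add a TLS config-file field and combine the two sources (`ctx.enableTLSFingerprinting || ctx.Config.TLS.EnableFingerprinting`), or state in the flag help that the option is CLI-only. The new `enableTLSFingerprinting bool` field in the first hunk also lacks a comment; `// enableTLSFingerprinting turns on JA3/JA4 extraction in the TLS Inspector filter.` would match the neighbouring style. Both enclosing definitions extend beyond the hunks.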

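--- a/cmd/contour/servecontext_test.go
+++ b/cmd/contour/servecontext_test.go
@@ -413,6 +413,7 @@ func defaultContourConfiguration() contour_v1alpha1.ContourConfigurationSpec {
 TLS: &contour_v1alpha1.EnvoyTLS{
 MinimumProtocolVersion: "",
 MaximumProtocolVersion: "",
+EnableFingerprinting: ptr.To(false),
 },
 SocketOptions: &contour_v1alpha1.SocketOptions{
 TOS: 0,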
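Review bot: This change only pins the default (`EnableFingerprinting: ptr.To(false)`) in defaultContourConfiguration; nothing rendered here asserts that `enableTLSFingerprinting: true` on the serveContext converts to `EnableFingerprinting: ptr.To(true)`, so a regression that dropped the field from convertToContourConfigurationSpec would still pass, unless one of the files not shown adds that case. A table entry that sets `ctx.enableTLSFingerprinting = true` and expects `ptr.To(true)` would close the gap. defaultContourConfiguration continues outside the hunk.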

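--- a/examples/contour/01-crds.yaml
+++ b/examples/contour/01-crds.yaml
@@ -200,6 +200,13 @@ spec:
 items:
 type: string
 type: array
+enableFingerprinting:
+description: |-
+EnableFingerprinting enables JA3 and JA4 TLS fingerprinting in the
+TLS Inspector listener filter. When enabled, Envoy will extract JA3/JA4
+fingerprints from TLS client hellos.
+Contour's default is false.
+type: boolean
 maximumProtocolVersion:
 description: |-
 MaximumProtocolVersion is the maximum TLS version this vhost should
@@ -438,6 +445,13 @@ spec:
 items:
 type: string
 type: array
+enableFingerprinting:
+description: |-
+EnableFingerprinting enables JA3 and JA4 TLS fingerprinting in the
+TLS Inspector listener filter. When enabled, Envoy will extract JA3/JA4
+fingerprints from TLS client hellos.
+Contour's default is false.
+type: boolean
 maximumProtocolVersion:
 description: |-
 MaximumProtocolVersion is the maximum TLS version this vhost should
@@ -4147,6 +4161,13 @@ spec:
 items:
 type: string
 type: array
+enableFingerprinting:
+description: |-
+EnableFingerprinting enables JA3 and JA4 TLS fingerprinting in the
+TLS Inspector listener filter. When enabled, Envoy will extract JA3/JA4
+fingerprints from TLS client hellos.
+Contour's default is false.
+type: boolean
 maximumProtocolVersion:
 description: |-
 MaximumProtocolVersion is the maximum TLS version this vhost should
@@ -4385,6 +4406,13 @@ spec:
 items:
 type: string
 type: array
+enableFingerprinting:
+description: |-
+EnableFingerprinting enables JA3 and JA4 TLS fingerprinting in the
+TLS Inspector listener filter. When enabled, Envoy will extract JA3/JA4
+fingerprints from TLS client hellos.
+Contour's default is false.
+type: boolean
 maximumProtocolVersion:
 description: |-
 MaximumProtocolVersion is the maximum TLS version this vhost should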

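--- a/examples/render/contour-deployment.yaml
+++ b/examples/render/contour-deployment.yaml
@@ -419,6 +419,13 @@ spec:
 items:
 type: string
 type: array
+enableFingerprinting:
+description: |-
+EnableFingerprinting enables JA3 and JA4 TLS fingerprinting in the
+TLS Inspector listener filter. When enabled, Envoy will extract JA3/JA4
+fingerprints from TLS client hellos.
+Contour's default is false.
+type: boolean
 maximumProtocolVersion:
 description: |-
 MaximumProtocolVersion is the maximum TLS version this vhost should
@@ -657,6 +664,13 @@ spec:
 items:
 type: string
 type: array
+enableFingerprinting:
+description: |-
+EnableFingerprinting enables JA3 and JA4 TLS fingerprinting in the
+TLS Inspector listener filter. When enabled, Envoy will extract JA3/JA4
+fingerprints from TLS client hellos.
+Contour's default is false.
+type: boolean
 maximumProtocolVersion:
 description: |-
 MaximumProtocolVersion is the maximum TLS version this vhost should
@@ -4366,6 +4380,13 @@ spec:
 items:
 type: string
 type: array
+enableFingerprinting:
+description: |-
+EnableFingerprinting enables JA3 and JA4 TLS fingerprinting in the
+TLS Inspector listener filter. When enabled, Envoy will extract JA3/JA4
+fingerprints from TLS client hellos.
+Contour's default is false.
+type: boolean
 maximumProtocolVersion:
 description: |-
 MaximumProtocolVersion is the maximum TLS version this vhost should
@@ -4604,6 +4625,13 @@ spec:
 items:
 type: string
 type: array
+enableFingerprinting:
+description: |-
+EnableFingerprinting enables JA3 and JA4 TLS fingerprinting in the
+TLS Inspector listener filter. When enabled, Envoy will extract JA3/JA4
+fingerprints from TLS client hellos.
+Contour's default is false.
+type: boolean
 maximumProtocolVersion:
 description: |-
 MaximumProtocolVersion is the maximum TLS version this vhost should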

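--- a/examples/render/contour-gateway-provisioner.yaml
+++ b/examples/render/contour-gateway-provisioner.yaml
@@ -211,6 +211,13 @@ spec:
 items:
 type: string
 type: array
+enableFingerprinting:
+description: |-
+EnableFingerprinting enables JA3 and JA4 TLS fingerprinting in the
+TLS Inspector listener filter. When enabled, Envoy will extract JA3/JA4
+fingerprints from TLS client hellos.
+Contour's default is false.
+type: boolean
 maximumProtocolVersion:
 description: |-
 MaximumProtocolVersion is the maximum TLS version this vhost should
@@ -449,6 +456,13 @@ spec:
 items:
 type: string
 type: array
+enableFingerprinting:
+description: |-
+EnableFingerprinting enables JA3 and JA4 TLS fingerprinting in the
+TLS Inspector listener filter. When enabled, Envoy will extract JA3/JA4
+fingerprints from TLS client hellos.
+Contour's default is false.
+type: boolean
 maximumProtocolVersion:
 description: |-
 MaximumProtocolVersion is the maximum TLS version this vhost should
@@ -4158,6 +4172,13 @@ spec:
 items:
 type: string
 type: array
+enableFingerprinting:
+description: |-
+EnableFingerprinting enables JA3 and JA4 TLS fingerprinting in the
+TLS Inspector listener filter. When enabled, Envoy will extract JA3/JA4
+fingerprints from TLS client hellos.
+Contour's default is false.
+type: boolean
 maximumProtocolVersion:
 description: |-
 MaximumProtocolVersion is the maximum TLS version this vhost should
@@ -4396,6 +4417,13 @@ spec:
 items:
 type: string
 type: array
+enableFingerprinting:
+description: |-
+EnableFingerprinting enables JA3 and JA4 TLS fingerprinting in the
+TLS Inspector listener filter. When enabled, Envoy will extract JA3/JA4
+fingerprints from TLS client hellos.
+Contour's default is false.
+type: boolean
 maximumProtocolVersion:
 description: |-
 MaximumProtocolVersion is the maximum TLS version this vhost should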

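--- a/examples/render/contour-gateway.yaml
+++ b/examples/render/contour-gateway.yaml
@@ -236,6 +236,13 @@ spec:
 items:
 type: string
 type: array
+enableFingerprinting:
+description: |-
+EnableFingerprinting enables JA3 and JA4 TLS fingerprinting in the
+TLS Inspector listener filter. When enabled, Envoy will extract JA3/JA4
+fingerprints from TLS client hellos.
+Contour's default is false.
+type: boolean
 maximumProtocolVersion:
 description: |-
 MaximumProtocolVersion is the maximum TLS version this vhost should
@@ -474,6 +481,13 @@ spec:
 items:
 type: string
 type: array
+enableFingerprinting:
+description: |-
+EnableFingerprinting enables JA3 and JA4 TLS fingerprinting in the
+TLS Inspector listener filter. When enabled, Envoy will extract JA3/JA4
+fingerprints from TLS client hellos.
+Contour's default is false.
+type: boolean
 maximumProtocolVersion:
 description: |-
 MaximumProtocolVersion is the maximum TLS version this vhost should
@@ -4183,6 +4197,13 @@ spec:
 items:
 type: string
 type: array
+enableFingerprinting:
+description: |-
+EnableFingerprinting enables JA3 and JA4 TLS fingerprinting in the
+TLS Inspector listener filter. When enabled, Envoy will extract JA3/JA4
+fingerprints from TLS client hellos.
+Contour's default is false.
+type: boolean
 maximumProtocolVersion:
 description: |-
 MaximumProtocolVersion is the maximum TLS version this vhost should
@@ -4421,6 +4442,13 @@ spec:
 items:
 type: string
 type: array
+enableFingerprinting:
+description: |-
+EnableFingerprinting enables JA3 and JA4 TLS fingerprinting in the
+TLS Inspector listener filter. When enabled, Envoy will extract JA3/JA4
+fingerprints from TLS client hellos.
+Contour's default is false.
+type: boolean
 maximumProtocolVersion:
 description: |-
 MaximumProtocolVersion is the maximum TLS version this vhost should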

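--- a/examples/render/contour.yaml
+++ b/examples/render/contour.yaml
@@ -419,6 +419,13 @@ spec:
 items:
 type: string
 type: array
+enableFingerprinting:
+description: |-
+EnableFingerprinting enables JA3 and JA4 TLS fingerprinting in the
+TLS Inspector listener filter. When enabled, Envoy will extract JA3/JA4
+fingerprints from TLS client hellos.
+Contour's default is false.
+type: boolean
 maximumProtocolVersion:
 description: |-
 MaximumProtocolVersion is the maximum TLS version this vhost should
@@ -657,6 +664,13 @@ spec:
 items:
 type: string
 type: array
+enableFingerprinting:
+description: |-
+EnableFingerprinting enables JA3 and JA4 TLS fingerprinting in the
+TLS Inspector listener filter. When enabled, Envoy will extract JA3/JA4
+fingerprints from TLS client hellos.
+Contour's default is false.
+type: boolean
 maximumProtocolVersion:
 description: |-
 MaximumProtocolVersion is the maximum TLS version this vhost should
@@ -4366,6 +4380,13 @@ spec:
 items:
 type: string
 type: array
+enableFingerprinting:
+description: |-
+EnableFingerprinting enables JA3 and JA4 TLS fingerprinting in the
+TLS Inspector listener filter. When enabled, Envoy will extract JA3/JA4
+fingerprints from TLS client hellos.
+Contour's default is false.
+type: boolean
 maximumProtocolVersion:
 description: |-
 MaximumProtocolVersion is the maximum TLS version this vhost should
@@ -4604,6 +4625,13 @@ spec:
 items:
 type: string
 type: array
+enableFingerprinting:
+description: |-
+EnableFingerprinting enables JA3 and JA4 TLS fingerprinting in the
+TLS Inspector listener filter. When enabled, Envoy will extract JA3/JA4
+fingerprints from TLS client hellos.
+Contour's default is false.
+type: boolean
 maximumProtocolVersion:
 description: |-
 MaximumProtocolVersion is the maximum TLS version this vhost should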
