> taken here about the TLS SNI extension, the Session reuse and the SSL verification.

I think we don't need to support SSL session reuse. Using TLS tickets is enough, which is supported by the client automatically.

> an explicit item like “verify”

I think we should also support a customized trusted CA, like what `lua_ssl_trusted_certificate` does. It is useful for self-signed certificates.

Zhang Chao <[email protected]> wrote on Saturday, October 24, 2020 at 11:04 AM:

> Hello Community!
>
> Recently I observed some issues and discussion in the QQ group about the
> support of HTTPS for the ETCD cluster.
>
> I think it might be a necessary feature. Although, because of the limitations of
> Cosocket, we cannot support mutual TLS authentication, we can still support the
> simple TLS mode: only authenticating the etcd cluster.
>
> So there are two things we need to do to support this.
>
> 1) lua-resty-etcd
>
> We should enhance lua-resty-etcd to support an optional SSL handshake
> after connecting to one of the ETCD endpoints; care must be taken here about the
> TLS SNI extension, the Session reuse and the SSL verification.
>
> 2) APISIX
>
> We should also add some new items to the configuration, and use these new
> items when creating the etcd client objects.
>
> etcd:
>   ......
>
>   tls:
>     mode: simple # TLS mode for communicating with the ETCD
>                  # cluster, optional values can be:
>                  #   disable: do not set up a TLS connection
>                  #            to ETCD endpoints.
>                  #   simple: originate a TLS connection to the
>                  #           ETCD endpoint
>                  # The default mode is disable.
>
> Something I cannot decide is how we configure the SNI. I don't think
> exposing a configuration item like “sni” is a good way; I'm inclined to use
> existing items to deduce the SNI (like hosts?). On the other hand, I
> haven't decided yet about the SSL verification. Maybe we can add more
> options for the mode like “weak” or “strict”, or an explicit item like
> “verify” is also OK. What's your idea?
>
>
> Chao Zhang
> [email protected]
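The following is an added illustration of the design discussed in this thread, not code from lua-resty-etcd or APISIX: an OpenResty cosocket connect to one etcd endpoint, followed by an optional TLS handshake in which the SNI is deduced from the endpoint host, verification is an explicit boolean checked against the CA bundle configured via the nginx `lua_ssl_trusted_certificate` directive, and session reuse is skipped. The `connect(endpoint, tls)` signature, the `tls.mode` / `tls.verify` / `tls.timeout` fields, the `parse_endpoint` helper, the default port 2379 and the verify-by-default choice are all assumptions made for this example; only the `ngx.socket.tcp()` methods (`settimeout`, `connect`, `sslhandshake`, `close`) are real API. It must run inside OpenResty, since it depends on the `ngx` global.

```lua
-- Added example (not lua-resty-etcd or APISIX code): optional TLS on top of a
-- cosocket connection to an etcd endpoint, following the "disable"/"simple"
-- mode split proposed in the thread.
--
-- Assumptions (hypothetical, for illustration): the tls table carries
-- { mode = "disable"|"simple", verify = true|false, timeout = ms }, the
-- default port is 2379, and verification defaults to on.

local ngx_socket_tcp = ngx.socket.tcp

local _M = {}

-- Split "https://etcd-1.example.com:2379" into scheme, host and port.
-- Hypothetical helper written for this example.
local function parse_endpoint(endpoint)
    local scheme, host, port = endpoint:match("^(https?)://([^:/]+):?(%d*)")
    if not scheme then
        return nil, "bad endpoint: " .. tostring(endpoint)
    end
    return scheme, host, tonumber(port) or 2379
end

-- Connect to one etcd endpoint and, when tls.mode == "simple", originate a
-- TLS handshake on the same socket. Returns the socket or nil, err.
function _M.connect(endpoint, tls)
    local scheme, host_or_err, port = parse_endpoint(endpoint)
    if not scheme then
        return nil, host_or_err
    end
    local host = host_or_err

    local sock = ngx_socket_tcp()
    sock:settimeout(tls and tls.timeout or 3000)

    local ok, err = sock:connect(host, port)
    if not ok then
        return nil, "connect to " .. host .. ":" .. port .. " failed: " .. err
    end

    local mode = tls and tls.mode or "disable"
    if mode == "disable" then
        -- Plain TCP, the current behaviour.
        return sock
    end

    if mode ~= "simple" then
        sock:close()
        return nil, "unsupported tls.mode: " .. tostring(mode)
    end

    -- sslhandshake(reused_session, server_name, ssl_verify):
    --   false  : skip SSL session reuse, no session userdata is kept.
    --   host   : the SNI server_name, deduced from the endpoint rather than
    --            taken from a separate "sni" setting.
    --   verify : when true, the server chain is validated against the CA
    --            bundle set by lua_ssl_trusted_certificate (and bounded by
    --            lua_ssl_verify_depth); a self-signed etcd CA goes there.
    local verify = tls.verify ~= false  -- assumption: verify unless disabled
    local ok, err = sock:sslhandshake(false, host, verify)
    if not ok then
        sock:close()
        return nil, "TLS handshake with " .. host .. " failed: " .. err
    end

    return sock
end

-- Usage (hypothetical endpoint and settings):
--   local sock, err = _M.connect("https://etcd-1.example.com:2379",
--                                { mode = "simple", verify = true })
--   if not sock then ngx.log(ngx.ERR, err) end

return _M
```

Keeping `verify` as an explicit boolean rather than folding it into a "weak"/"strict" mode means a failed chain check is a hard error by default, and an operator who wants a self-signed etcd CA accepted points `lua_ssl_trusted_certificate` at that CA instead of turning verification off.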
