Redis TLS Origination through the sidecar
Author: Sam Stoelinga | Twitter: samosx | GitHub: samos123. Based on the blog post https://samos-it.com/posts/securing-redis-istio-tls-origination-termination.html
What are we solving? An app with multiple microservices; an external Redis that accepts TLS only; each microservice talks to Redis. Istio TLS origination: the app talks unencrypted TCP
9 pages | 457.76 KB | 1 year ago
Golang to the rescue: Saving DevOps from TLS turmoil
GopherCon 2017 Lightning Talk. Chris Short, Manager of DevOps at Bankrate.
Introduction: Chris Short, Manager of DevOps at Bankrate (http://www ... derived from an opensource.com article I wrote in April 2017: Golang to the rescue: Saving DevOps from TLS turmoil (https://opensource.com/article/17/4/testing-certificate-chains-34-line-go-program). But most ...
SSL Server Test > chrisshort.net > 104.31.68.191: SSL Report: chrisshort.net (104.31.68.191), Summary, Overall Rating
20 pages | 6.28 MB | 2 years ago
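The article linked above describes a short Go program that tests a certificate chain. The following is an added example written for this page, not the talk's or the article's own code: it performs the same kind of chain check with crypto/x509. To run offline it constructs its own root CA and a leaf certificate in memory (an assumption; a real check would feed in the chain a server presents), and the hostname example.test is likewise made up. It shows a passing verification, a hostname mismatch, and a leaf whose issuer is not in the trusted pool.

```go
// Added example, not code from the talk or the article: a minimal certificate-chain
// check on crypto/x509, with a constructed CA and leaf so it runs offline.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// NewTestPKI returns PEM for a server leaf valid for hostname and for the
// self-signed P-256 root that issued it. Both are constructed test data.
func NewTestPKI(hostname string) ([]byte, []byte, error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test Root"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: hostname},
		DNSNames:     []string{hostname}, // the SAN is what name verification matches
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leafPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafDER})
	rootPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})
	return leafPEM, rootPEM, nil
}

// VerifyChain parses a PEM leaf, builds a chain to one of the PEM roots and
// checks hostname, validity period and server-auth usage. It returns the
// length of the first chain found (leaf ... root) or the verification error.
func VerifyChain(leafPEM, rootsPEM []byte, hostname string) (int, error) {
	block, _ := pem.Decode(leafPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return 0, errors.New("leaf: no CERTIFICATE PEM block")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return 0, err
	}
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(rootsPEM) {
		return 0, errors.New("roots: no usable certificates")
	}
	chains, err := leaf.Verify(x509.VerifyOptions{
		DNSName:   hostname,
		Roots:     roots, // explicit pool rather than the system store, so the result is reproducible
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}

func main() {
	leaf, root, err := NewTestPKI("example.test")
	if err != nil {
		panic(err)
	}
	for _, host := range []string{"example.test", "other.test"} {
		n, err := VerifyChain(leaf, root, host)
		fmt.Printf("%s: chain length %d, err=%v\n", host, n, err)
	}
}
```

Passing an explicit root pool instead of nil (the system store) is the point of the check: it answers "does this leaf chain to the CA I expect" rather than "does my laptop happen to trust it", which is the question a deployment pipeline needs answered.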
Introduction on Rust and SM TLS (简谈 Rust 与国密 TLS)
Wang Jiangtong (王江桐), wangjiangtong@huawei.com, Huawei, Common Development Department, Embedded Software Capability Center
Introduction to Shangmi Algorithms and Protocols: an overview of the Shangmi cipher-suite algorithms, and an introduction to Shangmi TLS.
List of Shangmi Cryptography (table header only in this excerpt):
| Algorithm | Standard | Function | Type | Security strength (bits) | Counterpart algorithm | Public? | Application |
|---|---|---|---|---|---|---|---|
Introduction of SM2: SM2 is an elliptic-curve (ECC) public-key algorithm, i.e. asymmetric, providing encryption and decryption, digital signatures, certificate generation and key exchange. Because of these uses it is also common in blockchain and in network security protocols such as SSL/TLS and VPNs, where it provides confidentiality, authenticity and integrity of data. SM2 and RSA are both public-key algorithms; SM2 is the more modern of the two, with performance and security superior to RSA, and in China's commercial cryptography system it is used to replace
44 pages | 3.70 MB | 2 years ago
Slides Dev Web, 11. HTTPS
HTTP over SSL/TLS, by default on port 443. Secure Sockets Layer → Transport Layer Security. Designed by Netscape (v2.0 in 1994, v3.0 in 1996); taken over and standardized by the IETF as TLS: v1.0 in 1999 (effectively SSL 3.1), v1.3 in 2018. Layering: it sits between the transport and application layers, so the TCP/IP stack needs no modification, and other protocols can be secured the same way: ... the server's certificate and private key. Configure httpd; for Apache: a virtual host (port 443), ssl.conf, (ports.conf). Create the secured document tree. Start the server. OR use
6 pages | 109.17 KB | 2 years ago
websockets Documentation, Release 2.7
... keyword arguments are passed to create_server(). For example, you can set the ssl keyword argument to an SSLContext to enable TLS. ws_handler is the WebSocket handler. It must be a coroutine accepting two arguments ... are passed to create_connection(). For example, you can set the ssl keyword argument to an SSLContext to enforce some TLS settings. When connecting to a wss:// URI, if this argument isn't provided
28 pages | 157.50 KB | 2 years ago
Proxying to Tomcat with httpd
... protocols (WebSocket etc.). Configuration: mod_jk, mod_proxy; HTTP/1.1 basic, h2c, h2; HTTPS/TLS proxying. Demo. Questions?
Who I am: Jean-Frederic Clere, Red Hat. Years writing Java code ... between the application server and the internet. Load balancer; failover; protocol termination (TLS/SSL, HTTP/2 and soon HTTP/3); understands a protocol and its possible upgrades.
Why a proxy? Control; dynamic configuration (mod_balancer/mod_cluster...); protocol translations. AJP: when to use it; easy TLS/SSL forwarding. Limitations: no upgrade, header size, no encryption, limited "authentication".
26 pages | 242.80 KB | 1 year ago
httpd 2.4.28 Chinese documentation
Binding to addresses and ports; configuration files; configuration sections; caching guide; content negotiation; dynamic shared objects (DSO); environment variables; log files; mapping URLs to the filesystem; performance tuning; security tips; server-wide configuration; SSL/TLS encryption; switching user before running CGI (suEXEC); URL rewriting with mod_rewrite; virtual hosts. Guides and tutorials: authentication, authorization and access control; access control; CGI and dynamic content; .htaccess
... setting. The previous setting can be restored by configuring the proxy-scgi-pathinfo variable. mod_ssl: CRL-based revocation checking now needs to be explicitly configured through SSLCARevocationCheck. ... were previously ignored. mod_ssl: the default format of the *_DN variables has changed. The old format can still be used with the new LegacyDNStringFormat argument to SSLOptions. The SSLv2 protocol is
2659 pages | 3.10 MB | 1 year ago
Automate mTLS communication with GoPay partners with Istio
Agenda: GoPay & Istio; before mutual TLS; implementing mutual TLS (centralized certificate management, ingress mutual TLS, egress mutual TLS); challenges & future work.
GoPay & Istio: ... EnvoyFilters into Istio. Istio has abstraction concepts that make things easier to manage.
Before mutual TLS? HTTPS + allowlisting: our previous setup used HTTPS with allowlisting, so that only specific services could communicate with us (or the NAT IP shared by all services).
Implementing mutual TLS: centralized certificate management ...
随手记 / 卡牛 / 随管家
Outline: common concurrency patterns; how Context is implemented; TLS (thread-local storage) vs Context; typical use cases. Channel:
    func add(a, b int) <-chan int {
        sum := make(chan int)
        go func() { sum <- a + b }()
        return sum
    }
32 pages | 4.62 MB | 2 years ago
Production-grade security practice of Service Mesh at Ant Financial
Contents: a sidecar certificate-management scheme based on Secret Discovery Service; building a delivery channel for sensitive data on top of a trusted identity service; production-grade rollout of TLS in the Service Mesh sidecar.
Sidecar certificate management based on Secret Discovery Service. Kubernetes Secret certificate management flow: in the Kubernetes scenario, certificates are ...
Production-grade rollout of TLS in the Service Mesh sidecar. Difficulties of TLS in practice. Switch-over: in the RPC communication scenario, to guarantee a smooth, lossless switch to TLS, the TLS behaviour of the server (provider) and the client (consumer) must be controlled separately. On the server side, Istio's Policy ... On the client side, ideally this would be controlled through Istio's DestinationRule and VirtualService, but since the prerequisites are not yet in place, client TLS capability is controlled through the existing service registry.
Production-grade rollout of TLS in the Service Mesh sidecar: Server Control