
Add option for TLS renegotiation to http.send config #4917

Open
@philipaconrad

Description


What is the underlying problem you're trying to solve?

TLS renegotiation is disabled by default in OPA, and this can cause http.send to fail sometimes when interacting with servers using older TLS versions (like TLS 1.2). It'd be nice if we had an option on http.send that would allow selectively enabling that feature.

Example error:

"error": {
  "code": "eval_http_send_network_error",
  "message": "Get \"https://mydomain.example.com/path\": local error: tls: no renegotiation"
},
"status_code": 0

Describe the ideal solution

Add an option like tls_renegotiation, with options "never" (default), "once", and "freely", which would correspond to the underlying Golang TLS client config options.

Note: When using TLS 1.3, this option will be a no-op, due to lack of support for renegotiation requests from the server.

Describe a "Good Enough" solution

Same as above, but just a boolean toggle between never and once behavior.
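As an added illustration (not OPA's code) of how the proposed option could map onto crypto/tls, the Go snippet below parses a hypothetical tls_renegotiation key from the http.send request object, accepting both the string form from the ideal solution and the boolean form from the "good enough" solution, and builds a client with the resulting setting:

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
)

// parseRenegotiation maps the proposed "tls_renegotiation" value to the crypto/tls
// client setting: strings "never"/"once"/"freely", or the boolean form from the
// "good enough" solution (false -> never, true -> once). A missing key keeps the
// current default, never; unknown values are rejected rather than silently downgraded.
func parseRenegotiation(cfg map[string]interface{}) (tls.RenegotiationSupport, error) {
	raw, present := cfg["tls_renegotiation"]
	if !present {
		return tls.RenegotiateNever, nil
	}
	switch v := raw.(type) {
	case bool:
		if v {
			return tls.RenegotiateOnceAsClient, nil
		}
		return tls.RenegotiateNever, nil
	case string:
		switch v {
		case "never":
			return tls.RenegotiateNever, nil
		case "once":
			return tls.RenegotiateOnceAsClient, nil
		case "freely":
			return tls.RenegotiateFreelyAsClient, nil
		}
		return tls.RenegotiateNever, fmt.Errorf("tls_renegotiation: unknown value %q", v)
	default:
		return tls.RenegotiateNever, fmt.Errorf("tls_renegotiation: expected string or bool, got %T", raw)
	}
}

// newClient builds an http.Client whose TLS config carries the parsed setting.
// Renegotiation only exists up to TLS 1.2; if the server negotiates TLS 1.3 the
// setting is a no-op, as the issue notes.
func newClient(cfg map[string]interface{}) (*http.Client, error) {
	reneg, err := parseRenegotiation(cfg)
	if err != nil {
		return nil, err
	}
	tlsCfg := &tls.Config{MinVersion: tls.VersionTLS12, Renegotiation: reneg}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: tlsCfg}}, nil
}
```

Keeping the default at never and widening only to once for the specific endpoints that need it limits exposure, since freely lets a server trigger renegotiation repeatedly on one connection.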
