Yuchen Dai

Results 10 comments of Yuchen Dai

> Through TCP log labels? @bianpengyuan @douglas-reid Can you take over the rest? It's unclear to me how we'd like to export the metric. TBH I don't have the context...

I am curious what kind of cert is needed for the google/bing access. If the upstream is google/bing, envoy doesn't terminate TLS but initiates TLS. The straw man flow confuses...

Perhaps SDS should act as that counted cache. RDS/ECDS/EDS maintains the N:1 mapping (N subscription 1 config) and it's not surprising to introduce to SDS. @LuyaoZhong My understanding is...

> * downstream requires accessing some external websites like "https://www.google.com"

Reading the below, I think the domain name is captured by envoy via SNI? I want to add that the...

re: `connect upstream and get server certificate` Can this job be achieved as part of the cert provider bootstrap (or another extension)? If so, you only need to ref the new component in...

Sorry, I don't fully understand your intention. I sincerely think you need a "better" (in terms of reuse and consuming RDS) HTTP async client to fetch the cert. The HCM as...

> That should work as long as the connect timeout O(s) not O(ms). I'm a bit worried that relying on the wall clock adds uncertainty (if CPU is starved, we...

I am exploring the relationship among SNI, SAN in cert and Host in Http. I will share a document after

Currently, Envoy has two arguable behaviors: 1. HCM doesn't verify the requested server name (SNI) with :authority. Theoretically, the first HTTP stream within the connection can raise the issue. Should we...