tls: allow cert validation by only leaf trusted CA's CRL #18289
Signed-off-by: Shikugawa <rei@tetrate.io>
CC @envoyproxy/api-shepherds: Your approval is needed for changes made to
Thanks. Flushing out some comments. cc @ggreenway to provide a quick sanity check of the feature.
/wait
Thanks for the quick change! @Shikugawa
Signed-off-by: Shikugawa <rei@tetrate.io>
Flushing some more API comments. I will defer to @lizan and others for the testing review to make sure we have good coverage, thanks.
/wait
@lizan Could you take a look?
LGTM
API LGTM thanks. I will defer to @lizan for the TLS/test review. Thank you!
Needs a main merge. Ping @lizan PTAL. /wait
One more about naming, and please resolve conflicts.
Needs a main merge. /wait
CC @envoyproxy/api-shepherds: Your approval is needed for changes made to
Signed-off-by: Shikugawa <rei@tetrate.io>
/retest
Retrying Azure Pipelines:
/retest
Retrying Azure Pipelines:
Signed-off-by: Shikugawa <rei@tetrate.io>
/retest
Retrying Azure Pipelines:
/retest
Retrying Azure Pipelines:
This looks good to me. Thanks @Shikugawa for the change, and @mattklein123 for the headsup
Signed-off-by: Shikugawa <rei@tetrate.io>
Commit Message: Allow cert validation by only leaf trusted CAs CRL
Additional Description: Closes #18268. In the previous implementation, we did not have the ability to validate certs when not all trusted CAs had their own CRLs, if any trusted CA had one. This feature allows validation even if not all trusted CAs have CRLs.
Risk Level: Low
Testing: Unit
Docs Changes: Required
Release Notes: Required
cc @incfly
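To make the behaviour change in the description concrete, here is an added Python model of the two CRL-checking policies; it is illustration code written for this page, not Envoy's implementation, and it simplifies the chain walk (a self-signed root is not itself checked). The CA names, serial numbers and CRL contents are constructed sample data.

```python
# Added illustration, not Envoy code: a minimal model of the two CRL policies
# discussed in this PR. A chain is [leaf, intermediate..., root]; each
# certificate is (subject, issuer, serial). CRLs are keyed by issuing CA name
# and hold the serials that CA has revoked. All names/serials are constructed.

FULL_CHAIN = "full_chain"   # every issuing CA in the chain needs a CRL (previous behaviour)
LEAF_ONLY = "leaf_only"     # only the leaf's issuer needs a CRL (new option)


def validate_chain(chain, crls, policy):
    """Return 'ok', 'revoked:<subject>' or 'missing_crl:<issuer>'.

    chain: list of (subject, issuer, serial), leaf first, self-signed root last.
    crls:  dict mapping CA subject -> set of revoked serials.
    """
    if not crls:
        return "ok"  # no CRLs configured at all: revocation checking is off
    # Under FULL_CHAIN every non-self-signed cert is checked against its
    # issuer's CRL, so a single missing CRL fails the whole chain.
    # Under LEAF_ONLY only the leaf is checked.
    to_check = chain[:1] if policy == LEAF_ONLY else [c for c in chain if c[0] != c[1]]
    for subject, issuer, serial in to_check:
        if issuer not in crls:
            return f"missing_crl:{issuer}"
        if serial in crls[issuer]:
            return f"revoked:{subject}"
    return "ok"


# Constructed sample: Root CA -> Intermediate CA -> server leaf.
CHAIN = [
    ("server.example.test", "Intermediate CA", 0x1001),
    ("Intermediate CA", "Root CA", 0x0A),
    ("Root CA", "Root CA", 0x01),
]
# Case from the PR: only the leaf's issuer publishes a CRL, the root does not.
CRLS_LEAF_ISSUER_ONLY = {"Intermediate CA": {0x2002}}
CRLS_BOTH = {"Intermediate CA": {0x2002}, "Root CA": set()}


def demo():
    return {
        "full_chain_partial_crls": validate_chain(CHAIN, CRLS_LEAF_ISSUER_ONLY, FULL_CHAIN),
        "leaf_only_partial_crls": validate_chain(CHAIN, CRLS_LEAF_ISSUER_ONLY, LEAF_ONLY),
        "full_chain_all_crls": validate_chain(CHAIN, CRLS_BOTH, FULL_CHAIN),
        "leaf_only_revoked": validate_chain(CHAIN, {"Intermediate CA": {0x1001}}, LEAF_ONLY),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With only the intermediate's CRL configured, the full-chain policy rejects the chain for the missing root CRL, while the leaf-only policy validates it and still catches a revoked leaf.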