openssl compat: fix validated chain and CNSA2 test failures#46080
Merged
jwendell merged 1 commit intoJul 10, 2026
Conversation
PR envoyproxy#46061 introduced GetValidatedPeerCertChainWithIntermediate which expects the root CA in the verified chain. OpenSSL with X509_V_FLAG_PARTIAL_CHAIN stops at the first trusted cert, while BoringSSL always builds to the self-signed root. The X509_verify_cert wrapper now walks the chain upward through the trust store via X509_STORE_CTX_get1_issuer until a self-signed root is reached. PR envoyproxy#45624 introduced CipherSuitesWithCNSA2Policy. CNSA2 compliance policy requires ML-KEM (post-quantum) which OpenSSL does not support, so the test is disabled under OpenSSL builds via BORINGSSL_TEST_P. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Signed-off-by: Jonh Wendell <jwendell@redhat.com>
Contributor
There was a problem hiding this comment.
Pull request overview
This PR adjusts Envoy’s TLS/OpenSSL compatibility behavior and tests to align certificate-chain semantics and avoid OpenSSL-only test failures. Specifically, it makes the OpenSSL-backed X509_verify_cert path produce a verified chain that includes the self-signed root (matching BoringSSL behavior expected by GetValidatedPeerCertChainWithIntermediate), and disables a CNSA2 cipher-suite policy test under OpenSSL where required PQ primitives are unavailable.
Changes:
- Extend OpenSSL’s verified chain after successful
X509_verify_certby walking issuers from the trust store until a self-signed root is reached (bounded). - Disable
CipherSuitesWithCNSA2Policyunder OpenSSL by switching it toBORINGSSL_TEST_P.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
compat/openssl/source/X509_verify_cert.c |
After successful verification, appends issuer certs from the trust store to ensure the verified chain reaches a self-signed root. |
test/common/tls/ssl_socket_test.cc |
Marks the CNSA2 policy cipher-suite test as BoringSSL-only to avoid OpenSSL PQ capability mismatches. |
Member
Author
|
ping @envoyproxy/envoy-maintainers I guess Greg is out on Fridays this fixes openssl builds |
ggreenway
approved these changes
Jul 10, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
PR #46061 introduced
GetValidatedPeerCertChainWithIntermediatewhich expects the root CA in the verified chain. OpenSSL with X509_V_FLAG_PARTIAL_CHAIN stops at the first trusted cert, while BoringSSL always builds to the self-signed root. TheX509_verify_certwrapper now walks the chain upward through the trust store viaX509_STORE_CTX_get1_issueruntil a self-signed root is reached.PR #45624 introduced
CipherSuitesWithCNSA2Policy. CNSA2 compliance policy requires ML-KEM (post-quantum) which OpenSSL does not support, so the test is disabled under OpenSSL builds via BORINGSSL_TEST_P.