Skip to content

openssl compat: fix validated chain and CNSA2 test failures#46080

Merged
jwendell merged 1 commit into
envoyproxy:mainfrom
jwendell:fix-openssl-verified-chain-cnsa2
Jul 10, 2026
Merged

openssl compat: fix validated chain and CNSA2 test failures#46080
jwendell merged 1 commit into
envoyproxy:mainfrom
jwendell:fix-openssl-verified-chain-cnsa2

Conversation

@jwendell

Copy link
Copy Markdown
Member

PR #46061 introduced GetValidatedPeerCertChainWithIntermediate which expects the root CA in the verified chain. OpenSSL with X509_V_FLAG_PARTIAL_CHAIN stops at the first trusted cert, while BoringSSL always builds to the self-signed root. The X509_verify_cert wrapper now walks the chain upward through the trust store via X509_STORE_CTX_get1_issuer until a self-signed root is reached.

PR #45624 introduced CipherSuitesWithCNSA2Policy. CNSA2 compliance policy requires ML-KEM (post-quantum) which OpenSSL does not support, so the test is disabled under OpenSSL builds via BORINGSSL_TEST_P.

PR envoyproxy#46061 introduced GetValidatedPeerCertChainWithIntermediate which
expects the root CA in the verified chain. OpenSSL with
X509_V_FLAG_PARTIAL_CHAIN stops at the first trusted cert, while
BoringSSL always builds to the self-signed root. The X509_verify_cert
wrapper now walks the chain upward through the trust store via
X509_STORE_CTX_get1_issuer until a self-signed root is reached.

PR envoyproxy#45624 introduced CipherSuitesWithCNSA2Policy. CNSA2 compliance
policy requires ML-KEM (post-quantum) which OpenSSL does not support,
so the test is disabled under OpenSSL builds via BORINGSSL_TEST_P.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Jonh Wendell <jwendell@redhat.com>

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adjusts Envoy’s TLS/OpenSSL compatibility behavior and tests to align certificate-chain semantics and avoid OpenSSL-only test failures. Specifically, it makes the OpenSSL-backed X509_verify_cert path produce a verified chain that includes the self-signed root (matching BoringSSL behavior expected by GetValidatedPeerCertChainWithIntermediate), and disables a CNSA2 cipher-suite policy test under OpenSSL where required PQ primitives are unavailable.

Changes:

  • Extend OpenSSL’s verified chain after successful X509_verify_cert by walking issuers from the trust store until a self-signed root is reached (bounded).
  • Disable CipherSuitesWithCNSA2Policy under OpenSSL by switching it to BORINGSSL_TEST_P.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
compat/openssl/source/X509_verify_cert.c After successful verification, appends issuer certs from the trust store to ensure the verified chain reaches a self-signed root.
test/common/tls/ssl_socket_test.cc Marks the CNSA2 policy cipher-suite test as BoringSSL-only to avoid OpenSSL PQ capability mismatches.

@jwendell jwendell requested review from ggreenway and tedjpoole July 10, 2026 14:49
@jwendell

Copy link
Copy Markdown
Member Author

ping @envoyproxy/envoy-maintainers I guess Greg is out on Fridays

this fixes openssl builds

@jwendell jwendell enabled auto-merge (squash) July 10, 2026 15:18
@jwendell jwendell merged commit a5e00e9 into envoyproxy:main Jul 10, 2026
28 checks passed
@ggreenway ggreenway self-assigned this Jul 10, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants