From 333c95e5c0ff7fe925bc137b910bbdda292a0f8c Mon Sep 17 00:00:00 2001
From: "data-plane-api(CircleCI)"
Date: Tue, 27 Nov 2018 17:22:08 +0000
Subject: [PATCH] tls: plumbing for multiple TLS certificate ingestion. (#5095)

This PR starts to plumb multiple TLS certs from the proto level into the SSL context. We stop short of enabling multiple TLS certificates, but instead have sufficient mechanism and interface changes to propagate them to the SSL context. Future PRs will extend this with the SSL context implementation.
Risk Level: Low
Testing: bazel test //test/...
Part of #1319.
Signed-off-by: Harvey Tuch
Mirrored from https://github.com/envoyproxy/envoy @ 9d1d959c5e8fc8e02754ea28e6cba9f7b1e3d1fc
---
 envoy/api/v2/auth/cert.proto | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/envoy/api/v2/auth/cert.proto b/envoy/api/v2/auth/cert.proto
index cd1df6b3..c2815260 100644
--- a/envoy/api/v2/auth/cert.proto
+++ b/envoy/api/v2/auth/cert.proto
@@ -229,11 +229,10 @@ message CommonTlsContext {
 // Multiple TLS certificates can be associated with the same context.
 // E.g. to allow both RSA and ECDSA certificates, two TLS certificates can be configured.
 //
- // .. attention::
- //
- // Although this is a list, currently only a single certificate is supported. This will be
- // relaxed in the future.
- repeated TlsCertificate tls_certificates = 2 [(validate.rules).repeated .max_items = 1];
+ // Only a single TLS certificate is supported in client contexts. In server contexts, the first
+ // RSA certificate is used for clients that only support RSA and the first ECDSA certificate is
+ // used for clients that support ECDSA.
+ repeated TlsCertificate tls_certificates = 2;
 
 // Configs for fetching TLS certificates via SDS API.
 repeated SdsSecretConfig tls_certificate_sds_secret_configs = 6;
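Review bot: The new comment on `tls_certificates` describes RSA/ECDSA selection in server contexts, but the commit description says multiple certificates are not enabled yet, and dropping `[(validate.rules).repeated .max_items = 1]` means a two-certificate config now passes schema validation with no stated outcome. The single-certificate limit for client contexts is likewise stated only in prose; nothing in this hunk enforces it, so it presumably has to be checked where the context is built, which is not visible here. I would extend the field comment with something like `// Until multi-certificate selection is implemented, a list with more than one entry is rejected when the context is loaded.` (wording to be confirmed against the implementation), so operators do not assume an RSA/ECDSA pair is both being served. Failing closed on the extra entry is preferable to silently using the first one. The body of `CommonTlsContext` starts and ends outside the hunk.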