tls: enable multiple SSL certificate support. (#5317)

This PR wraps up #1319. The patch enables multiple TLS certificate
ingest for downstream TLS contexts, adds related unit and integration
tests, docs and release notes.

Risk Level: Low
Testing: Additional unit and integration tests. To avoid combinatorial
explosion, we validate mixed TLS v1.2/1.3 behavior in
ssl_integration_test only, and have more targeted certificate
selection tests in ssl_socket_Test.
Docs Changes: Added to architectural overview of TLS support.

Fixes #1319.

Signed-off-by: Harvey Tuch <htuch@google.com>
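An added example, not part of this PR or the Envoy repository, of the configuration the change enables: a v2 listener filter chain whose CommonTlsContext lists one RSA and one ECDSA certificate in `tls_certificates`, so that RSA-only clients receive the first RSA entry and ECDSA-capable clients the first ECDSA entry, as the field comment in cert.proto describes. The surrounding shape (static bootstrap, `tls_context` on a filter chain, a TCP proxy filter, the cluster name) and the certificate file paths are assumptions for illustration.

```yaml
# Added example configuration; not from the Envoy repository or this PR.
# Assumed: v2 static bootstrap, envoy.tcp_proxy filter, placeholder cert paths.
static_resources:
  listeners:
  - name: tls_listener
    address:
      socket_address: { address: 0.0.0.0, port_value: 443 }
    filter_chains:
    - tls_context:
        common_tls_context:
          tls_params:
            tls_minimum_protocol_version: TLSv1_2
          # Several certificates in one downstream context. Per the cert.proto
          # comment, the first RSA entry is used for clients that only support
          # RSA; the first ECDSA entry is used for clients that support ECDSA
          # (the pairing of ECDSA-capable clients with the ECDSA entry is the
          # reading of that comment assumed here).
          tls_certificates:
          - certificate_chain: { filename: /etc/envoy/certs/rsa-chain.pem }
            private_key: { filename: /etc/envoy/certs/rsa-key.pem }
          - certificate_chain: { filename: /etc/envoy/certs/ecdsa-chain.pem }
            private_key: { filename: /etc/envoy/certs/ecdsa-key.pem }
      filters:
      - name: envoy.tcp_proxy
        config:
          stat_prefix: tls_ingress
          cluster: backend
  clusters:
  - name: backend
    connect_timeout: 1s
    type: STATIC
    lb_policy: ROUND_ROBIN
    hosts:
    - socket_address: { address: 127.0.0.1, port_value: 8080 }
```

To confirm which certificate a running instance serves, connect once with `openssl s_client -tls1_2 -cipher ECDHE-RSA-AES128-GCM-SHA256 -connect host:443` and once with `-cipher ECDHE-ECDSA-AES128-GCM-SHA256`, and compare the subject and public key algorithm printed for the server certificate: restricting the TLS 1.2 cipher list is what makes the client look RSA-only or ECDSA-only to the selection logic.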

Mirrored from https://github.com/envoyproxy/envoy @ fdb08806dc3d42bd3e3f9d467e526359689996af
pull/620/head
data-plane-api(CircleCI) 6 years ago
parent dc8b16323e
commit 6dac25f849
envoy/api/v2/auth/cert.proto

@ -227,8 +227,8 @@ message CommonTlsContext {
// TLS protocol versions, cipher suites etc.
TlsParameters tls_params = 1;
// Multiple TLS certificates can be associated with the same context.
// E.g. to allow both RSA and ECDSA certificates, two TLS certificates can be configured.
// :ref:`Multiple TLS certificates <arch_overview_ssl_cert_select>` can be associated with the
// same context to allow both RSA and ECDSA certificates.
//
// Only a single TLS certificate is supported in client contexts. In server contexts, the first
// RSA certificate is used for clients that only support RSA and the first ECDSA certificate is
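Review bot: the new comment on `tls_certificates` ("Only a single TLS certificate is supported in client contexts. In server contexts, the first RSA certificate is used ...") states which entry is picked for RSA-only and ECDSA-capable clients, but not what happens when more than one certificate of the same type is listed, nor whether a client context with several entries is rejected at load time or silently uses the first. Because these restrictions appear only in the comment and not as a `validate.rules` constraint on the field, please spell out the behavior, e.g. "Additional certificates of the same type are ignored" or "A client context with more than one certificate is a configuration error", so operators can tell a misconfiguration from intended behavior.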
@ -236,7 +236,8 @@ message CommonTlsContext {
repeated TlsCertificate tls_certificates = 2;
// Configs for fetching TLS certificates via SDS API.
repeated SdsSecretConfig tls_certificate_sds_secret_configs = 6;
repeated SdsSecretConfig tls_certificate_sds_secret_configs = 6
[(validate.rules).repeated .max_items = 1];
message CombinedCertificateValidationContext {
// How to validate peer certificates.
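Review bot: `[(validate.rules).repeated .max_items = 1]` caps `tls_certificate_sds_secret_configs` at a single entry while the static `tls_certificates` field in the preceding hunk now accepts several, but the field comment ("Configs for fetching TLS certificates via SDS API.") is left unchanged; it should say that only one certificate can be delivered via SDS and that the RSA/ECDSA selection described above does not apply to that path, and document whether both fields may be set together. This is also a validation tightening that will reject any existing configuration carrying more than one SDS config, which the release note mentioned in the description should call out explicitly.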
