From 9bfcbdc9aba98c96e429b322a7e87f191e310176 Mon Sep 17 00:00:00 2001
From: "data-plane-api(Azure Pipelines)"
Date: Sat, 10 Dec 2022 01:48:28 +0000
Subject: [PATCH] Rollback #22036 due to crash (#24475)

Revert 22036.

Signed-off-by: Kevin Baichoo

Mirrored from https://github.com/envoyproxy/envoy @ 8011f48033dd1eebbff5d52ce82af9c9d0830c74
---
 .../extensions/transport_sockets/tls/v3/tls.proto | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)

diff --git a/envoy/extensions/transport_sockets/tls/v3/tls.proto b/envoy/extensions/transport_sockets/tls/v3/tls.proto
index 8b6087a9..6f976380 100644
--- a/envoy/extensions/transport_sockets/tls/v3/tls.proto
+++ b/envoy/extensions/transport_sockets/tls/v3/tls.proto
@@ -55,7 +55,7 @@ message UpstreamTlsContext {
 google.protobuf.UInt32Value max_session_keys = 4;
 }
 
-// [#next-free-field: 10]
+// [#next-free-field: 9]
 message DownstreamTlsContext {
 option (udpa.annotations.versioning).previous_message_type =
 "envoy.api.v2.auth.DownstreamTlsContext";
@@ -123,11 +123,6 @@ message DownstreamTlsContext {
 // an accompanying OCSP response or if the response expires at runtime.
 // Defaults to LENIENT_STAPLING
 OcspStaplePolicy ocsp_staple_policy = 8 [(validate.rules).enum = {defined_only: true}];
-
- // Multiple certificates are allowed in Downstream transport socket to serve different SNI.
- // If the client provides SNI but no such cert matched, it will decide to full scan certificates or not based on this config.
- // Defaults to false. See more details in :ref:`Multiple TLS certificates `.
- google.protobuf.BoolValue full_scan_certs_on_sni_mismatch = 9;
 }
 
 // TLS key log configuration.
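Review bot: The second hunk (`@@ -123,11 +123,6 @@`) deletes `full_scan_certs_on_sni_mismatch = 9` from `DownstreamTlsContext` without reserving the number or the name, and the first hunk winds `[#next-free-field: ...]` back to 9 so a future field will take that slot. Any config already serialized with field 9 set would then be silently reinterpreted under the new field's semantics, and the JSON/YAML key would be free for reuse as well. Unless the field provably never reached a tagged release, keep the marker at `// [#next-free-field: 10]` and add `reserved 9;` and `reserved "full_scan_certs_on_sni_mismatch";` inside the message in place of the removed block. If the project's API policy allows plain removal of unreleased fields, a one-line comment stating that is enough for the next reader.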
@@ -232,9 +227,12 @@ message CommonTlsContext {
 // TLS protocol versions, cipher suites etc.
 TlsParameters tls_params = 1;
 
- // Only a single TLS certificate is supported in client contexts. In server contexts,
 // :ref:`Multiple TLS certificates ` can be associated with the
- // same context to allow both RSA and ECDSA certificates and support SNI-based selection.
+ // same context to allow both RSA and ECDSA certificates.
+ //
+ // Only a single TLS certificate is supported in client contexts. In server contexts, the first
+ // RSA certificate is used for clients that only support RSA and the first ECDSA certificate is
+ // used for clients that support ECDSA.
 //
 // Only one of ``tls_certificates``, ``tls_certificate_sds_secret_configs``,
 // and ``tls_certificate_provider_instance`` may be used.