From 9c3e2b34ed48832a53cb8b9465a97d68dd21eb54 Mon Sep 17 00:00:00 2001
From: "data-plane-api(CircleCI)"
Date: Tue, 12 Jun 2018 22:24:43 +0000
Subject: [PATCH] tls: optionally allow expired TLS client certs. (#3519)
Signed-off-by: Doug Hogan
Mirrored from https://github.com/envoyproxy/envoy @ 6d3d5d72986c2131a40268467c3ddcc57ef7bbc7
---
 envoy/api/v2/auth/cert.proto | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/envoy/api/v2/auth/cert.proto b/envoy/api/v2/auth/cert.proto
index aaaeff16..880453e7 100644
--- a/envoy/api/v2/auth/cert.proto
+++ b/envoy/api/v2/auth/cert.proto
@@ -213,6 +213,9 @@ message CertificateValidationContext {
 // certificate has not been revoked by this CRL. If this DataSource contains
 // multiple CRLs, all of them will be used.
 core.DataSource crl = 7;
+
+ // If specified, Envoy will not reject expired certificates.
+ bool allow_expired_certificate = 8;
 }
 // TLS context shared by both client and server TLS contexts.
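Review bot: The comment on `allow_expired_certificate` under-documents a setting that weakens peer verification. "If specified" is ambiguous for a proto3 bool, since only `true` can change behaviour, and the comment does not say whether not-yet-valid certificates are accepted too or that the other checks in this message (trusted CA, `crl`) still apply. The commit subject speaks of client certs, but the field sits in `CertificateValidationContext`, which may also be used to validate server certificates, so the scope should be stated. Because expiry is what bounds the lifetime of a leaked key when no CRL is configured, I would reword it along the lines of `// If true, Envoy will not reject a certificate solely because it has expired; all other validation still applies. Defaults to false.` (to be confirmed against the implementation), and add a sentence recommending it only as a temporary measure alongside a `crl`. The message body starts outside the hunk.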