tls: add support for CRLs in trusted CA. (#4825)

This was supposed to work already, but it wasn't due to a missing
call to X509_STORE_set_flags() and lack of test coverage.

*Risk Level*: Low
*Testing*: bazel test //test/...
*Docs Changes*: Added
*Release Notes*: Added

Signed-off-by: Piotr Sikora <piotrsikora@google.com>

Mirrored from https://github.com/envoyproxy/envoy @ 76278101ee854550cc29d8ba87db05e544b1f585
pull/620/head
data-plane-api(CircleCI) 6 years ago
parent c793b08755
commit cafa1d1695
  1. 3
      envoy/api/v2/auth/cert.proto

@ -125,6 +125,9 @@ message CertificateValidationContext {
// <envoy_api_field_auth.CertificateValidationContext.verify_subject_alt_name>`) is also
// specified.
//
// It can optionally contain certificate revocation lists, in which case Envoy will verify
// that the presented peer certificate has not been revoked by one of the included CRLs.
//
// See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
// system CA locations.
core.DataSource trusted_ca = 1;
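Review bot: The added comment paragraph on trusted_ca ("It can optionally contain certificate revocation lists ...") does not say how the CRLs are supplied or how far the check extends. It should state the expected encoding and that the CRLs go in the same data source as the CA certificates. It should also state whether revocation is checked only for "the presented peer certificate" or for intermediate certificates as well, and what happens when a CA in the chain has no CRL in the bundle or its CRL has expired. Those cases decide whether adding a single CRL can make otherwise valid handshakes fail. The phrase "revoked by one of the included CRLs" would also be more accurate as "listed as revoked in one of the included CRLs", since the issuer revokes a certificate and the CRL only records it.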
