From cafa1d16958cfb92661bf96ed3086baa542fce31 Mon Sep 17 00:00:00 2001 From: "data-plane-api(CircleCI)" Date: Fri, 26 Oct 2018 02:17:25 +0000 Subject: [PATCH] tls: add support for CRLs in trusted CA. (#4825) This was supposed to work already, but it wasn't due to a missing call to X509_STORE_set_flags() and lack of test coverage. *Risk Level*: Low *Testing*: bazel test //test/... *Docs Changes*: Added *Release Notes*: Added Signed-off-by: Piotr Sikora Mirrored from https://github.com/envoyproxy/envoy @ 76278101ee854550cc29d8ba87db05e544b1f585 --- envoy/api/v2/auth/cert.proto | 3 +++ 1 file changed, 3 insertions(+) diff --git a/envoy/api/v2/auth/cert.proto b/envoy/api/v2/auth/cert.proto index 297d3bbe..4306ae3a 100644 --- a/envoy/api/v2/auth/cert.proto +++ b/envoy/api/v2/auth/cert.proto @@ -125,6 +125,9 @@ message CertificateValidationContext { // `) is also // specified. // + // It can optionally contain certificate revocation lists, in which case Envoy will verify + // that the presented peer certificate has not been revoked by one of the included CRLs. + // // See :ref:`the TLS overview ` for a list of common // system CA locations. core.DataSource trusted_ca = 1;
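Review bot: In the comment added above `core.DataSource trusted_ca = 1;`, the sentence "Envoy will verify that the presented peer certificate has not been revoked by one of the included CRLs" leaves the scope and the failure behaviour undocumented. It does not say whether intermediate certificates in the chain are checked as well as the peer certificate, or whether validation passes or fails when the bundle carries no CRL for the issuing CA or the CRL is past its next-update time. The commit message says this feature "was supposed to work already, but it wasn't", so an operator reading the field documentation needs to be able to tell whether a misconfigured bundle fails open or closed. Suggest adding one sentence on that, and one on how the CRLs are expected to be encoded alongside the CA certificates in the same data source.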