From db82348cf38e4c9e057a012b31e57e68ae011af7 Mon Sep 17 00:00:00 2001
From: Andrew Dunham
Date: Wed, 27 Dec 2017 00:47:53 -0500
Subject: [PATCH] Add "crl" field to CertificateValidationContext (#358)

Signed-off-by: Andrew Dunham
---
 api/sds.proto | 7 +++++++
 docs/root/api-v1/listeners/listeners.rst | 9 +++++++++
 2 files changed, 16 insertions(+)

diff --git a/api/sds.proto b/api/sds.proto
index bca34619..e4b1bae4 100644
--- a/api/sds.proto
+++ b/api/sds.proto
@@ -172,6 +172,13 @@ message CertificateValidationContext {
 
 // [#not-implemented-hide:] Must present signed certificate time-stamp.
 google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
+
+ // An optional `certificate revocation list
+ // `_
+ // (in PEM format). If specified, Envoy will verify that the presented peer
+ // certificate has not been revoked by this CRL. If this file contains
+ // multiple CRLs, all of them will be used.
+ DataSource crl = 7;
 }
 
 // TLS context shared by both client and server TLS contexts.
diff --git a/docs/root/api-v1/listeners/listeners.rst b/docs/root/api-v1/listeners/listeners.rst
index 8d9f654a..5d799b54 100644
--- a/docs/root/api-v1/listeners/listeners.rst
+++ b/docs/root/api-v1/listeners/listeners.rst
@@ -119,6 +119,7 @@ TLS :ref:`architecture overview `.
 "ca_cert_file": "...",
 "verify_certificate_hash": "...",
 "verify_subject_alt_name": [],
+ "crl_file": "...",
 "cipher_suites": "...",
 "ecdh_curves": "...",
 "session_ticket_key_paths": []
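Review bot: The comment on the new `DataSource crl = 7;` field does not say which certificates are checked against the CRL — only the presented leaf, or every issuer in the chain — nor what happens when the CRL is past its next-update time or when the file contains no CRL for one of the issuers, and a reader needs that to judge how strict the revocation check is; the hunk alone does not show the implementation's choice, so this is a documentation gap rather than a confirmed defect. It also does not state that the CRL is only meaningful together with the trusted CA this context verifies against. Suggest extending the comment with `// NOTE(review): document whether only the leaf or the whole chain is checked against this CRL, whether an expired CRL or a missing CRL for an issuer fails verification, and that trusted_ca must be configured for it to take effect.` — replaced with the actual behaviour once confirmed. The same wording is mirrored in the `crl_file` description in listeners.rst (second and third hunks) and should be updated alongside. The enclosing `message CertificateValidationContext` begins outside this hunk.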
@@ -172,6 +173,14 @@ verify_subject_alt_name
 *(optional, array)* An optional list of subject alt names. If specified, Envoy will verify that the
 client certificate's subject alt name matches one of the specified values.
 
+.. _config_listener_ssl_context_crl_file:
+
+crl_file
+ *(optional, string)* An optional `certificate revocation list
+ `_ (in PEM format).
+ If specified, Envoy will verify that the presented peer certificate has not been revoked by
+ this CRL. If this file contains multiple CRLs, all of them will be used.
+
 cipher_suites
 *(optional, string)* If specified, the TLS listener will only support the specified `cipher list
 `_.