From ed85e15770e9bbfdcf16d5705b017ae9faf28cce Mon Sep 17 00:00:00 2001
From: "data-plane-api(CircleCI)"
Date: Tue, 11 Jun 2019 00:08:47 +0000
Subject: [PATCH] http: add support for forwarding peer cert chains (#7026)
Description: This adds support for forwarding peer cert chains via the XFCC header.
Risk Level: Low
Testing: Updated existing tests
Docs Changes: Updated XFCC doc
Release Notes: Added a note about the feature
Fixes #6135 Also see #6230
Signed-off-by: Venil Noronha
Mirrored from https://github.com/envoyproxy/envoy @ 15abaec72b0374e29490e8e074751e6246980e87
---
 .../v2/http_connection_manager.proto | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto b/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto
index be0b3926..3a40fc31 100644
--- a/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto
+++ b/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto
@@ -317,6 +317,7 @@ message HttpConnectionManager {
 ForwardClientCertDetails forward_client_cert_details = 16 [(validate.rules).enum.defined_only = true];
+ // [#comment:next free field: 7]
 message SetCurrentClientCertDetails {
 // Whether to forward the subject of the client cert. Defaults to false.
 google.protobuf.BoolValue subject = 1;
@@ -328,6 +329,12 @@ message HttpConnectionManager {
 // Defaults to false.
 bool cert = 3;
+ // Whether to forward the entire client cert chain (including the leaf cert) in URL encoded PEM
+ // format. This will appear in the XFCC header comma separated from other values with the value
+ // Chain="PEM".
+ // Defaults to false.
+ bool chain = 6;
+
 // Whether to forward the DNS type Subject Alternative Names of the client cert.
 // Defaults to false.
 bool dns = 4;
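Review bot: The new comment on `bool chain = 6;` in the second hunk does not say how the field interacts with `cert = 3`, or how much it can grow the XFCC header. The chain is documented as including the leaf cert, so enabling both presumably sends the leaf twice, and a URL-encoded PEM chain can add several kilobytes to each request, which may exceed header size limits on upstream hosts. I would extend the comment with something like `// Includes the leaf cert, so setting both cert and chain repeats it; a full chain can add several KB to the XFCC header.` It would also help to note that upstreams should rely on `Chain` only when `forward_client_cert_details` is set so that an inbound client-supplied XFCC value is not passed through unchanged. The body of SetCurrentClientCertDetails continues outside the hunk.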