runtime: deprecating enable_intermediate_ca

Signed-off-by: Alyssa Wilk <alyssar@chromium.org>

changelogs/current.yaml

@@ -164,6 +164,9 @@ bug_fixes:
 
 removed_config_or_runtime:
 # *Normally occurs at the end of the* :ref:`deprecation period <deprecated>`
+- area: tls
+  change: |
+    Removed ``envoy.reloadable_features.enable_intermediate_ca`` runtime flag and lagacy code paths.
 - area: http
   change: |
     Removed ``envoy.reloadable_features.use_cluster_cache_for_alt_protocols_filter`` runtime flag and lagacy code paths.

source/common/runtime/runtime_features.cc

@@ -46,7 +46,6 @@ RUNTIME_GUARD(envoy_reloadable_features_edf_lb_locality_scheduler_init_fix);
 RUNTIME_GUARD(envoy_reloadable_features_enable_compression_bomb_protection);
 RUNTIME_GUARD(envoy_reloadable_features_enable_connect_udp_support);
 RUNTIME_GUARD(envoy_reloadable_features_enable_include_histograms);
-RUNTIME_GUARD(envoy_reloadable_features_enable_intermediate_ca);
 RUNTIME_GUARD(envoy_reloadable_features_enable_zone_routing_different_zone_counts);
 RUNTIME_GUARD(envoy_reloadable_features_exclude_host_in_eds_status_draining);
 RUNTIME_GUARD(envoy_reloadable_features_ext_authz_http_send_original_xff);

source/common/tls/cert_validator/default_validator.cc

@@ -85,9 +85,7 @@ absl::StatusOr<int> DefaultCertValidator::initializeSslContexts(std::vector<SSL_
 
     for (auto& ctx : contexts) {
       X509_STORE* store = SSL_CTX_get_cert_store(ctx);
-      if (Runtime::runtimeFeatureEnabled("envoy.reloadable_features.enable_intermediate_ca")) {
-        X509_STORE_set_flags(store, X509_V_FLAG_PARTIAL_CHAIN);
-      }
+      X509_STORE_set_flags(store, X509_V_FLAG_PARTIAL_CHAIN);
       bool has_crl = false;
       for (const X509_INFO* item : list.get()) {
         if (item->x509) {
@@ -136,9 +134,7 @@ absl::StatusOr<int> DefaultCertValidator::initializeSslContexts(std::vector<SSL_
 
     for (auto& ctx : contexts) {
       X509_STORE* store = SSL_CTX_get_cert_store(ctx);
-      if (Runtime::runtimeFeatureEnabled("envoy.reloadable_features.enable_intermediate_ca")) {
-        X509_STORE_set_flags(store, X509_V_FLAG_PARTIAL_CHAIN);
-      }
+      X509_STORE_set_flags(store, X509_V_FLAG_PARTIAL_CHAIN);
       for (const X509_INFO* item : list.get()) {
         if (item->crl) {
           X509_STORE_add_crl(store, item->crl);

test/common/tls/cert_validator/default_validator_integration_test.cc

@@ -147,26 +147,5 @@ TEST_P(SslCertValidatorIntegrationTest, CertValidationFailedDepthWithTrustRootOn
   ASSERT_TRUE(codec->waitForDisconnect());
 }
 
-// Test Config:
-//   peer certificate chain: leaf cert -> level-2 intermediate -> level-1 intermediate -> root
-//   trust ca certificate chain: level-2 intermediate -> level-1 intermediate
-// With verify-depth set, certificate validation is expected to fail since we disallow partial chain
-// by setting runtime flag.
-TEST_P(SslCertValidatorIntegrationTest,
-       CertValidationFailedWithVerifyDepthAndPaitialChainDisabled) {
-  TestScopedRuntime scoped_runtime;
-  scoped_runtime.mergeValues({{"envoy.reloadable_features.enable_intermediate_ca", "false"}});
-  config_helper_.addSslConfig(ConfigHelper::ServerSslOptions()
-                                  .setRsaCert(true)
-                                  .setTlsV13(true)
-                                  .setClientWithIntermediateCert(true)
-                                  .setVerifyDepth(1));
-  initialize();
-  auto conn = makeSslClientConnection({});
-  IntegrationCodecClientPtr codec = makeRawHttpConnection(std::move(conn), absl::nullopt);
-  test_server_->waitForCounterGe(listenerStatPrefix("ssl.fail_verify_error"), 1);
-  ASSERT_TRUE(codec->waitForDisconnect());
-}
-
 } // namespace Ssl
 } // namespace Envoy