From 26c8049a206fa1c7bb75497672bc16c1d297f0c3 Mon Sep 17 00:00:00 2001
From: Alyssa Wilk
Date: Mon, 10 Jun 2024 15:44:04 +0000
Subject: [PATCH] runtime: deprecating enable_intermediate_ca

Signed-off-by: Alyssa Wilk
---
 changelogs/current.yaml | 3 +++
 source/common/runtime/runtime_features.cc | 1 -
 .../tls/cert_validator/default_validator.cc | 8 ++-----
 .../default_validator_integration_test.cc | 21 -------------------
 4 files changed, 5 insertions(+), 28 deletions(-)

diff --git a/changelogs/current.yaml b/changelogs/current.yaml
index 3c3e6ba20947..44b93db80b3b 100644
--- a/changelogs/current.yaml
+++ b/changelogs/current.yaml
@@ -164,6 +164,9 @@ bug_fixes:
 removed_config_or_runtime:
 # *Normally occurs at the end of the* :ref:`deprecation period `
+- area: tls
+  change: |
+    Removed ``envoy.reloadable_features.enable_intermediate_ca`` runtime flag and lagacy code paths.
 - area: http
   change: |
     Removed ``envoy.reloadable_features.use_cluster_cache_for_alt_protocols_filter`` runtime flag and lagacy code paths.
diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc
index 50bc1655a634..55b458c5050d 100644
--- a/source/common/runtime/runtime_features.cc
+++ b/source/common/runtime/runtime_features.cc
@@ -46,7 +46,6 @@ RUNTIME_GUARD(envoy_reloadable_features_edf_lb_locality_scheduler_init_fix);
 RUNTIME_GUARD(envoy_reloadable_features_enable_compression_bomb_protection);
 RUNTIME_GUARD(envoy_reloadable_features_enable_connect_udp_support);
 RUNTIME_GUARD(envoy_reloadable_features_enable_include_histograms);
-RUNTIME_GUARD(envoy_reloadable_features_enable_intermediate_ca);
 RUNTIME_GUARD(envoy_reloadable_features_enable_zone_routing_different_zone_counts);
 RUNTIME_GUARD(envoy_reloadable_features_exclude_host_in_eds_status_draining);
 RUNTIME_GUARD(envoy_reloadable_features_ext_authz_http_send_original_xff);
diff --git a/source/common/tls/cert_validator/default_validator.cc b/source/common/tls/cert_validator/default_validator.cc
index 69b9be3b36a3..a1e0b203e957 100644
--- a/source/common/tls/cert_validator/default_validator.cc
+++ b/source/common/tls/cert_validator/default_validator.cc
@@ -85,9 +85,7 @@ absl::StatusOr DefaultCertValidator::initializeSslContexts(std::vectorx509) {
@@ -136,9 +134,7 @@ absl::StatusOr DefaultCertValidator::initializeSslContexts(std::vectorcrl) { X509_STORE_add_crl(store, item->crl);
diff --git a/test/common/tls/cert_validator/default_validator_integration_test.cc b/test/common/tls/cert_validator/default_validator_integration_test.cc
index ac5b3232863f..77b7bb2466e0 100644
--- a/test/common/tls/cert_validator/default_validator_integration_test.cc
+++ b/test/common/tls/cert_validator/default_validator_integration_test.cc
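Review bot: The now-unconditional partial-chain handling in initializeSslContexts carries no comment explaining the behaviour the removed `enable_intermediate_ca` guard used to switch, and this rendering has lost the hunk body (the text between `std::vector` and `->x509)` was stripped), so the change can only be read from the deleted integration test, which described the legacy path as rejecting the chain when verify depth was set and the trust bundle held only the two intermediates. Assuming the surviving lines now accept a partial chain unconditionally, a short why-comment at that point would spare the next reader that archaeology, e.g. `// An intermediate present in the trust bundle is accepted as a trust anchor; this is no longer gated by enable_intermediate_ca.` Both hunks sit inside initializeSslContexts, whose body begins and ends outside them.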
@@ -147,26 +147,5 @@ TEST_P(SslCertValidatorIntegrationTest, CertValidationFailedDepthWithTrustRootOn
   ASSERT_TRUE(codec->waitForDisconnect());
 }
 
-// Test Config:
-// peer certificate chain: leaf cert -> level-2 intermediate -> level-1 intermediate -> root
-// trust ca certificate chain: level-2 intermediate -> level-1 intermediate
-// With verify-depth set, certificate validation is expected to fail since we disallow partial chain
-// by setting runtime flag.
-TEST_P(SslCertValidatorIntegrationTest,
-       CertValidationFailedWithVerifyDepthAndPaitialChainDisabled) {
-  TestScopedRuntime scoped_runtime;
-  scoped_runtime.mergeValues({{"envoy.reloadable_features.enable_intermediate_ca", "false"}});
-  config_helper_.addSslConfig(ConfigHelper::ServerSslOptions()
-                                  .setRsaCert(true)
-                                  .setTlsV13(true)
-                                  .setClientWithIntermediateCert(true)
-                                  .setVerifyDepth(1));
-  initialize();
-  auto conn = makeSslClientConnection({});
-  IntegrationCodecClientPtr codec = makeRawHttpConnection(std::move(conn), absl::nullopt);
-  test_server_->waitForCounterGe(listenerStatPrefix("ssl.fail_verify_error"), 1);
-  ASSERT_TRUE(codec->waitForDisconnect());
-}
-
 } // namespace Ssl
 } // namespace Envoy