runtime: removed no_full_scan_certs_on_sni_mismatch

Signed-off-by: Alyssa Wilk <alyssar@chromium.org>
alyssawilk · Jun 10, 2024 · 3be301a · 3be301a
1 parent b3b2c1a
commit 3be301a
Show file tree

Hide file tree

Showing 4 changed files with 5 additions and 50 deletions.
diff --git a/changelogs/current.yaml b/changelogs/current.yaml
@@ -176,6 +176,9 @@ removed_config_or_runtime:
 - area: tcp
   change: |
     Removed ``envoy.reloadable_features.detect_and_raise_rst_tcp_connection`` runtime flag and legacy code paths.
+- area: tls
+  change: |
+    Removed ``envoy.reloadable_features.no_full_scan_certs_on_sni_mismatch`` runtime flag and lagacy code paths.
 - area: http
   change: |
     Removed ``envoy.reloadable_features.lowercase_scheme`` runtime flag and lagacy code paths.

diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc
@@ -72,7 +72,6 @@ RUNTIME_GUARD(envoy_reloadable_features_immediate_response_use_filter_mutation_r
 RUNTIME_GUARD(envoy_reloadable_features_locality_routing_use_new_routing_logic);
 RUNTIME_GUARD(envoy_reloadable_features_no_downgrade_to_canonical_name);
 RUNTIME_GUARD(envoy_reloadable_features_no_extension_lookup_by_name);
-RUNTIME_GUARD(envoy_reloadable_features_no_full_scan_certs_on_sni_mismatch);
 RUNTIME_GUARD(envoy_reloadable_features_normalize_host_for_preresolve_dfp_dns);
 RUNTIME_GUARD(envoy_reloadable_features_oauth_make_token_cookie_httponly);
 RUNTIME_GUARD(envoy_reloadable_features_oauth_use_standard_max_age_value);

diff --git a/source/common/tls/context_config_impl.cc b/source/common/tls/context_config_impl.cc
@@ -414,10 +414,8 @@ ServerContextConfigImpl::ServerContextConfigImpl(
       session_ticket_keys_provider_(getTlsSessionTicketKeysConfigProvider(factory_context, config)),
       disable_stateless_session_resumption_(getStatelessSessionResumptionDisabled(config)),
       disable_stateful_session_resumption_(config.disable_stateful_session_resumption()),
-      full_scan_certs_on_sni_mismatch_(PROTOBUF_GET_WRAPPED_OR_DEFAULT(
-          config, full_scan_certs_on_sni_mismatch,
-          !Runtime::runtimeFeatureEnabled(
-              "envoy.reloadable_features.no_full_scan_certs_on_sni_mismatch"))) {
+      full_scan_certs_on_sni_mismatch_(
+          PROTOBUF_GET_WRAPPED_OR_DEFAULT(config, full_scan_certs_on_sni_mismatch, false)) {
 
   if (session_ticket_keys_provider_ != nullptr) {
     // Validate tls session ticket keys early to reject bad sds updates.

diff --git a/test/common/tls/ssl_socket_test.cc b/test/common/tls/ssl_socket_test.cc
@@ -1660,10 +1660,6 @@ TEST_P(SslSocketTest, MultiCertPickRSAOnSniMatch) {
 
 // On SNI mismatch, if full scan is disabled, validate that the first cert is used.
 TEST_P(SslSocketTest, MultiCertWithFullScanDisabledOnSniMismatch) {
-  // This test is specific for no full scan case, i.e., below flag is true case.
-  TestScopedRuntime scoped_runtime;
-  scoped_runtime.mergeValues(
-      {{"envoy.reloadable_features.no_full_scan_certs_on_sni_mismatch", "true"}});
   const std::string client_ctx_yaml = absl::StrCat(R"EOF(
     sni: "nomatch.example.com"
     common_tls_context:
@@ -1699,47 +1695,6 @@ TEST_P(SslSocketTest, MultiCertWithFullScanDisabledOnSniMismatch) {
   testUtil(test_options.setExpectedSni("nomatch.example.com"));
 }
 
-// On SNI mismatch, full scan will be executed if it is enabled, validate that ECDSA cert is
-// preferred over RSA cert.
-TEST_P(SslSocketTest, MultiCertPreferEcdsaWithFullScanEnabledOnSniMismatch) {
-  TestScopedRuntime scoped_runtime;
-  scoped_runtime.mergeValues(
-      {{"envoy.reloadable_features.no_full_scan_certs_on_sni_mismatch", "false"}});
-  const std::string client_ctx_yaml = absl::StrCat(R"EOF(
-    sni: "nomatch.example.com"
-    common_tls_context:
-      tls_params:
-        tls_minimum_protocol_version: TLSv1_2
-        tls_maximum_protocol_version: TLSv1_2
-        cipher_suites:
-        - ECDHE-ECDSA-AES128-GCM-SHA256
-        - ECDHE-RSA-AES128-GCM-SHA256
-      validation_context:
-        verify_certificate_hash: )EOF",
-                                                   TEST_SAN_DNS_ECDSA_1_CERT_256_HASH);
-  const std::string server_ctx_yaml = R"EOF(
-  common_tls_context:
-    tls_certificates:
-    - certificate_chain:
-        filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_cert.pem"
-      private_key:
-        filename: "{{ test_rundir }}/test/common/tls/test_data/no_san_key.pem"
-    - certificate_chain:
-        filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_rsa_1_cert.pem"
-      private_key:
-        filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_rsa_1_key.pem"
-    - certificate_chain:
-        filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_ecdsa_1_cert.pem"
-      private_key:
-        filename: "{{ test_rundir }}/test/common/tls/test_data/san_dns_ecdsa_1_key.pem"
-)EOF";
-
-  TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, version_);
-  // The validation succeeds with the certificate that does not match to SNI, because Envoy does not
-  // define the criteria that how to validate cert SAN based on SNI .
-  testUtil(test_options.setExpectedSni("nomatch.example.com"));
-}
-
 // EC cert is selected for a no-EC-capable client.
 TEST_P(SslSocketTest, CertWithNotECCapable) {
   const std::string client_ctx_yaml = absl::StrCat(R"EOF(