1syntax = "proto3"; 2 3package envoy.extensions.transport_sockets.tls.v3; 4 5import "envoy/config/core/v3/base.proto"; 6import "envoy/config/core/v3/extension.proto"; 7import "envoy/type/matcher/v3/string.proto"; 8 9import "google/protobuf/any.proto"; 10import "google/protobuf/wrappers.proto"; 11 12import "envoy/annotations/deprecation.proto"; 13import "udpa/annotations/migrate.proto"; 14import "udpa/annotations/sensitive.proto"; 15import "udpa/annotations/status.proto"; 16import "udpa/annotations/versioning.proto"; 17import "validate/validate.proto"; 18 19option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.tls.v3"; 20option java_outer_classname = "CommonProto"; 21option java_multiple_files = true; 22option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3;tlsv3"; 23option (udpa.annotations.file_status).package_version_status = ACTIVE; 24 25// [#protodoc-title: Common TLS configuration] 26 27// [#next-free-field: 6] 28message TlsParameters { 29 option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.TlsParameters"; 30 31 enum TlsProtocol { 32 // Envoy will choose the optimal TLS version. 33 TLS_AUTO = 0; 34 35 // TLS 1.0 36 TLSv1_0 = 1; 37 38 // TLS 1.1 39 TLSv1_1 = 2; 40 41 // TLS 1.2 42 TLSv1_2 = 3; 43 44 // TLS 1.3 45 TLSv1_3 = 4; 46 } 47 48 // Minimum TLS protocol version. By default, it's ``TLSv1_2`` for both clients and servers. 49 // 50 // TLS protocol versions below TLSv1_2 require setting compatible ciphers with the 51 // ``cipher_suites`` setting as the default ciphers no longer include compatible ciphers. 52 // 53 // .. attention:: 54 // 55 // Using TLS protocol versions below TLSv1_2 has serious security considerations and risks. 56 TlsProtocol tls_minimum_protocol_version = 1 [(validate.rules).enum = {defined_only: true}]; 57 58 // Maximum TLS protocol version. By default, it's ``TLSv1_2`` for clients and ``TLSv1_3`` for 59 // servers. 60 TlsProtocol tls_maximum_protocol_version = 2 [(validate.rules).enum = {defined_only: true}]; 61 62 // If specified, the TLS listener will only support the specified `cipher list 63 // <https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#Cipher-suite-configuration>`_ 64 // when negotiating TLS 1.0-1.2 (this setting has no effect when negotiating TLS 1.3). 65 // 66 // If not specified, a default list will be used. Defaults are different for server (downstream) and 67 // client (upstream) TLS configurations. 68 // Defaults will change over time in response to security considerations; If you care, configure 69 // it instead of using the default. 70 // 71 // In non-FIPS builds, the default server cipher list is: 72 // 73 // .. code-block:: none 74 // 75 // [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305] 76 // [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305] 77 // ECDHE-ECDSA-AES256-GCM-SHA384 78 // ECDHE-RSA-AES256-GCM-SHA384 79 // 80 // In builds using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`, the default server cipher list is: 81 // 82 // .. code-block:: none 83 // 84 // ECDHE-ECDSA-AES128-GCM-SHA256 85 // ECDHE-RSA-AES128-GCM-SHA256 86 // ECDHE-ECDSA-AES256-GCM-SHA384 87 // ECDHE-RSA-AES256-GCM-SHA384 88 // 89 // In non-FIPS builds, the default client cipher list is: 90 // 91 // .. code-block:: none 92 // 93 // [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305] 94 // [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305] 95 // ECDHE-ECDSA-AES256-GCM-SHA384 96 // ECDHE-RSA-AES256-GCM-SHA384 97 // 98 // In builds using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`, the default client cipher list is: 99 // 100 // .. code-block:: none 101 // 102 // ECDHE-ECDSA-AES128-GCM-SHA256 103 // ECDHE-RSA-AES128-GCM-SHA256 104 // ECDHE-ECDSA-AES256-GCM-SHA384 105 // ECDHE-RSA-AES256-GCM-SHA384 106 repeated string cipher_suites = 3; 107 108 // If specified, the TLS connection will only support the specified ECDH 109 // curves. If not specified, the default curves will be used. 110 // 111 // In non-FIPS builds, the default curves are: 112 // 113 // .. code-block:: none 114 // 115 // X25519 116 // P-256 117 // 118 // In builds using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`, the default curve is: 119 // 120 // .. code-block:: none 121 // 122 // P-256 123 repeated string ecdh_curves = 4; 124 125 // If specified, the TLS connection will only support the specified signature algorithms. 126 // The list is ordered by preference. 127 // If not specified, the default signature algorithms defined by BoringSSL will be used. 128 // 129 // Default signature algorithms selected by BoringSSL (may be out of date): 130 // 131 // .. code-block:: none 132 // 133 // ecdsa_secp256r1_sha256 134 // rsa_pss_rsae_sha256 135 // rsa_pkcs1_sha256 136 // ecdsa_secp384r1_sha384 137 // rsa_pss_rsae_sha384 138 // rsa_pkcs1_sha384 139 // rsa_pss_rsae_sha512 140 // rsa_pkcs1_sha512 141 // rsa_pkcs1_sha1 142 // 143 // Signature algorithms supported by BoringSSL (may be out of date): 144 // 145 // .. code-block:: none 146 // 147 // rsa_pkcs1_sha256 148 // rsa_pkcs1_sha384 149 // rsa_pkcs1_sha512 150 // ecdsa_secp256r1_sha256 151 // ecdsa_secp384r1_sha384 152 // ecdsa_secp521r1_sha512 153 // rsa_pss_rsae_sha256 154 // rsa_pss_rsae_sha384 155 // rsa_pss_rsae_sha512 156 // ed25519 157 // rsa_pkcs1_sha1 158 // ecdsa_sha1 159 repeated string signature_algorithms = 5; 160} 161 162// BoringSSL private key method configuration. The private key methods are used for external 163// (potentially asynchronous) signing and decryption operations. Some use cases for private key 164// methods would be TPM support and TLS acceleration. 165message PrivateKeyProvider { 166 option (udpa.annotations.versioning).previous_message_type = 167 "envoy.api.v2.auth.PrivateKeyProvider"; 168 169 reserved 2; 170 171 reserved "config"; 172 173 // Private key method provider name. The name must match a 174 // supported private key method provider type. 175 string provider_name = 1 [(validate.rules).string = {min_len: 1}]; 176 177 // Private key method provider specific configuration. 178 oneof config_type { 179 google.protobuf.Any typed_config = 3 [(udpa.annotations.sensitive) = true]; 180 } 181} 182 183// [#next-free-field: 9] 184message TlsCertificate { 185 option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.TlsCertificate"; 186 187 // The TLS certificate chain. 188 // 189 // If ``certificate_chain`` is a filesystem path, a watch will be added to the 190 // parent directory for any file moves to support rotation. This currently 191 // only applies to dynamic secrets, when the ``TlsCertificate`` is delivered via 192 // SDS. 193 config.core.v3.DataSource certificate_chain = 1; 194 195 // The TLS private key. 196 // 197 // If ``private_key`` is a filesystem path, a watch will be added to the parent 198 // directory for any file moves to support rotation. This currently only 199 // applies to dynamic secrets, when the ``TlsCertificate`` is delivered via SDS. 200 config.core.v3.DataSource private_key = 2 [(udpa.annotations.sensitive) = true]; 201 202 // ``Pkcs12`` data containing TLS certificate, chain, and private key. 203 // 204 // If ``pkcs12`` is a filesystem path, the file will be read, but no watch will 205 // be added to the parent directory, since ``pkcs12`` isn't used by SDS. 206 // This field is mutually exclusive with ``certificate_chain``, ``private_key`` and ``private_key_provider``. 207 // This can't be marked as ``oneof`` due to API compatibility reasons. Setting 208 // both :ref:`private_key <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.private_key>`, 209 // :ref:`certificate_chain <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.certificate_chain>`, 210 // or :ref:`private_key_provider <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.private_key_provider>` 211 // and :ref:`pkcs12 <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.pkcs12>` 212 // fields will result in an error. Use :ref:`password 213 // <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.password>` 214 // to specify the password to unprotect the ``PKCS12`` data, if necessary. 215 config.core.v3.DataSource pkcs12 = 8 [(udpa.annotations.sensitive) = true]; 216 217 // If specified, updates of file-based ``certificate_chain`` and ``private_key`` 218 // sources will be triggered by this watch. The certificate/key pair will be 219 // read together and validated for atomic read consistency (i.e. no 220 // intervening modification occurred between cert/key read, verified by file 221 // hash comparisons). This allows explicit control over the path watched, by 222 // default the parent directories of the filesystem paths in 223 // ``certificate_chain`` and ``private_key`` are watched if this field is not 224 // specified. This only applies when a ``TlsCertificate`` is delivered by SDS 225 // with references to filesystem paths. See the :ref:`SDS key rotation 226 // <sds_key_rotation>` documentation for further details. 227 config.core.v3.WatchedDirectory watched_directory = 7; 228 229 // BoringSSL private key method provider. This is an alternative to :ref:`private_key 230 // <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.private_key>` field. This can't be 231 // marked as ``oneof`` due to API compatibility reasons. Setting both :ref:`private_key 232 // <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.private_key>` and 233 // :ref:`private_key_provider 234 // <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.private_key_provider>` fields will result in an 235 // error. 236 PrivateKeyProvider private_key_provider = 6; 237 238 // The password to decrypt the TLS private key. If this field is not set, it is assumed that the 239 // TLS private key is not password encrypted. 240 config.core.v3.DataSource password = 3 [(udpa.annotations.sensitive) = true]; 241 242 // The OCSP response to be stapled with this certificate during the handshake. 243 // The response must be DER-encoded and may only be provided via ``filename`` or 244 // ``inline_bytes``. The response may pertain to only one certificate. 245 config.core.v3.DataSource ocsp_staple = 4; 246 247 // [#not-implemented-hide:] 248 repeated config.core.v3.DataSource signed_certificate_timestamp = 5; 249} 250 251message TlsSessionTicketKeys { 252 option (udpa.annotations.versioning).previous_message_type = 253 "envoy.api.v2.auth.TlsSessionTicketKeys"; 254 255 // Keys for encrypting and decrypting TLS session tickets. The 256 // first key in the array contains the key to encrypt all new sessions created by this context. 257 // All keys are candidates for decrypting received tickets. This allows for easy rotation of keys 258 // by, for example, putting the new key first, and the previous key second. 259 // 260 // If :ref:`session_ticket_keys <envoy_v3_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.session_ticket_keys>` 261 // is not specified, the TLS library will still support resuming sessions via tickets, but it will 262 // use an internally-generated and managed key, so sessions cannot be resumed across hot restarts 263 // or on different hosts. 264 // 265 // Each key must contain exactly 80 bytes of cryptographically-secure random data. For 266 // example, the output of ``openssl rand 80``. 267 // 268 // .. attention:: 269 // 270 // Using this feature has serious security considerations and risks. Improper handling of keys 271 // may result in loss of secrecy in connections, even if ciphers supporting perfect forward 272 // secrecy are used. See https://www.imperialviolet.org/2013/06/27/botchingpfs.html for some 273 // discussion. To minimize the risk, you must: 274 // 275 // * Keep the session ticket keys at least as secure as your TLS certificate private keys 276 // * Rotate session ticket keys at least daily, and preferably hourly 277 // * Always generate keys using a cryptographically-secure random data source 278 repeated config.core.v3.DataSource keys = 1 279 [(validate.rules).repeated = {min_items: 1}, (udpa.annotations.sensitive) = true]; 280} 281 282// Indicates a certificate to be obtained from a named CertificateProvider plugin instance. 283// The plugin instances are defined in the client's bootstrap file. 284// The plugin allows certificates to be fetched/refreshed over the network asynchronously with 285// respect to the TLS handshake. 286// [#not-implemented-hide:] 287message CertificateProviderPluginInstance { 288 // Provider instance name. If not present, defaults to "default". 289 // 290 // Instance names should generally be defined not in terms of the underlying provider 291 // implementation (e.g., "file_watcher") but rather in terms of the function of the 292 // certificates (e.g., "foo_deployment_identity"). 293 string instance_name = 1; 294 295 // Opaque name used to specify certificate instances or types. For example, "ROOTCA" to specify 296 // a root-certificate (validation context) or "example.com" to specify a certificate for a 297 // particular domain. Not all provider instances will actually use this field, so the value 298 // defaults to the empty string. 299 string certificate_name = 2; 300} 301 302// Matcher for subject alternative names, to match both type and value of the SAN. 303message SubjectAltNameMatcher { 304 // Indicates the choice of GeneralName as defined in section 4.2.1.5 of RFC 5280 to match 305 // against. 306 enum SanType { 307 SAN_TYPE_UNSPECIFIED = 0; 308 EMAIL = 1; 309 DNS = 2; 310 URI = 3; 311 IP_ADDRESS = 4; 312 } 313 314 // Specification of type of SAN. Note that the default enum value is an invalid choice. 315 SanType san_type = 1 [(validate.rules).enum = {defined_only: true not_in: 0}]; 316 317 // Matcher for SAN value. 318 type.matcher.v3.StringMatcher matcher = 2 [(validate.rules).message = {required: true}]; 319} 320 321// [#next-free-field: 17] 322message CertificateValidationContext { 323 option (udpa.annotations.versioning).previous_message_type = 324 "envoy.api.v2.auth.CertificateValidationContext"; 325 326 // Peer certificate verification mode. 327 enum TrustChainVerification { 328 // Perform default certificate verification (e.g., against CA / verification lists) 329 VERIFY_TRUST_CHAIN = 0; 330 331 // Connections where the certificate fails verification will be permitted. 332 // For HTTP connections, the result of certificate verification can be used in route matching. ( 333 // see :ref:`validated <envoy_v3_api_field_config.route.v3.RouteMatch.TlsContextMatchOptions.validated>` ). 334 ACCEPT_UNTRUSTED = 1; 335 } 336 337 reserved 4, 5; 338 339 reserved "verify_subject_alt_name"; 340 341 // TLS certificate data containing certificate authority certificates to use in verifying 342 // a presented peer certificate (e.g. server certificate for clusters or client certificate 343 // for listeners). If not specified and a peer certificate is presented it will not be 344 // verified. By default, a client certificate is optional, unless one of the additional 345 // options (:ref:`require_client_certificate 346 // <envoy_v3_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.require_client_certificate>`, 347 // :ref:`verify_certificate_spki 348 // <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>`, 349 // :ref:`verify_certificate_hash 350 // <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, or 351 // :ref:`match_typed_subject_alt_names 352 // <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`) is also 353 // specified. 354 // 355 // It can optionally contain certificate revocation lists, in which case Envoy will verify 356 // that the presented peer certificate has not been revoked by one of the included CRLs. Note 357 // that if a CRL is provided for any certificate authority in a trust chain, a CRL must be 358 // provided for all certificate authorities in that chain. Failure to do so will result in 359 // verification failure for both revoked and unrevoked certificates from that chain. 360 // The behavior of requiring all certificates to contain CRLs can be altered by 361 // setting :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>` 362 // true. If set to true, only the final certificate in the chain undergoes CRL verification. 363 // 364 // See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common 365 // system CA locations. 366 // 367 // If ``trusted_ca`` is a filesystem path, a watch will be added to the parent 368 // directory for any file moves to support rotation. This currently only 369 // applies to dynamic secrets, when the ``CertificateValidationContext`` is 370 // delivered via SDS. 371 // 372 // X509_V_FLAG_PARTIAL_CHAIN is set by default, so non-root/intermediate ca certificate in ``trusted_ca`` 373 // can be treated as trust anchor as well. It allows verification with building valid partial chain instead 374 // of a full chain. 375 // 376 // Only one of ``trusted_ca`` and ``ca_certificate_provider_instance`` may be specified. 377 // 378 // [#next-major-version: This field and watched_directory below should ideally be moved into a 379 // separate sub-message, since there's no point in specifying the latter field without this one.] 380 config.core.v3.DataSource trusted_ca = 1 381 [(udpa.annotations.field_migrate).oneof_promotion = "ca_cert_source"]; 382 383 // Certificate provider instance for fetching TLS certificates. 384 // 385 // Only one of ``trusted_ca`` and ``ca_certificate_provider_instance`` may be specified. 386 // [#not-implemented-hide:] 387 CertificateProviderPluginInstance ca_certificate_provider_instance = 13 388 [(udpa.annotations.field_migrate).oneof_promotion = "ca_cert_source"]; 389 390 // If specified, updates of a file-based ``trusted_ca`` source will be triggered 391 // by this watch. This allows explicit control over the path watched, by 392 // default the parent directory of the filesystem path in ``trusted_ca`` is 393 // watched if this field is not specified. This only applies when a 394 // ``CertificateValidationContext`` is delivered by SDS with references to 395 // filesystem paths. See the :ref:`SDS key rotation <sds_key_rotation>` 396 // documentation for further details. 397 config.core.v3.WatchedDirectory watched_directory = 11; 398 399 // An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the 400 // SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate 401 // matches one of the specified values. 402 // 403 // A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate 404 // can be generated with the following command: 405 // 406 // .. code-block:: bash 407 // 408 // $ openssl x509 -in path/to/client.crt -noout -pubkey 409 // | openssl pkey -pubin -outform DER 410 // | openssl dgst -sha256 -binary 411 // | openssl enc -base64 412 // NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A= 413 // 414 // This is the format used in HTTP Public Key Pinning. 415 // 416 // When both: 417 // :ref:`verify_certificate_hash 418 // <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and 419 // :ref:`verify_certificate_spki 420 // <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified, 421 // a hash matching value from either of the lists will result in the certificate being accepted. 422 // 423 // .. attention:: 424 // 425 // This option is preferred over :ref:`verify_certificate_hash 426 // <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, 427 // because SPKI is tied to a private key, so it doesn't change when the certificate 428 // is renewed using the same private key. 429 repeated string verify_certificate_spki = 3 430 [(validate.rules).repeated = {items {string {min_len: 44 max_bytes: 44}}}]; 431 432 // An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that 433 // the SHA-256 of the DER-encoded presented certificate matches one of the specified values. 434 // 435 // A hex-encoded SHA-256 of the certificate can be generated with the following command: 436 // 437 // .. code-block:: bash 438 // 439 // $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2 440 // df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a 441 // 442 // A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate 443 // can be generated with the following command: 444 // 445 // .. code-block:: bash 446 // 447 // $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2 448 // DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A 449 // 450 // Both of those formats are acceptable. 451 // 452 // When both: 453 // :ref:`verify_certificate_hash 454 // <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and 455 // :ref:`verify_certificate_spki 456 // <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified, 457 // a hash matching value from either of the lists will result in the certificate being accepted. 458 repeated string verify_certificate_hash = 2 459 [(validate.rules).repeated = {items {string {min_len: 64 max_bytes: 95}}}]; 460 461 // An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the 462 // Subject Alternative Name of the presented certificate matches one of the specified matchers. 463 // The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is 464 // matched. 465 // 466 // When a certificate has wildcard DNS SAN entries, to match a specific client, it should be 467 // configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`. 468 // For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com", 469 // it should be configured as shown below. 470 // 471 // .. code-block:: yaml 472 // 473 // match_typed_subject_alt_names: 474 // - san_type: DNS 475 // matcher: 476 // exact: "api.example.com" 477 // 478 // .. attention:: 479 // 480 // Subject Alternative Names are easily spoofable and verifying only them is insecure, 481 // therefore this option must be used together with :ref:`trusted_ca 482 // <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`. 483 repeated SubjectAltNameMatcher match_typed_subject_alt_names = 15; 484 485 // This field is deprecated in favor of 486 // :ref:`match_typed_subject_alt_names 487 // <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`. 488 // Note that if both this field and :ref:`match_typed_subject_alt_names 489 // <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>` 490 // are specified, the former (deprecated field) is ignored. 491 repeated type.matcher.v3.StringMatcher match_subject_alt_names = 9 492 [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; 493 494 // [#not-implemented-hide:] Must present signed certificate time-stamp. 495 google.protobuf.BoolValue require_signed_certificate_timestamp = 6; 496 497 // An optional `certificate revocation list 498 // <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_ 499 // (in PEM format). If specified, Envoy will verify that the presented peer 500 // certificate has not been revoked by this CRL. If this DataSource contains 501 // multiple CRLs, all of them will be used. Note that if a CRL is provided 502 // for any certificate authority in a trust chain, a CRL must be provided 503 // for all certificate authorities in that chain. Failure to do so will 504 // result in verification failure for both revoked and unrevoked certificates 505 // from that chain. This default behavior can be altered by setting 506 // :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>` to 507 // true. 508 config.core.v3.DataSource crl = 7; 509 510 // If specified, Envoy will not reject expired certificates. 511 bool allow_expired_certificate = 8; 512 513 // Certificate trust chain verification mode. 514 TrustChainVerification trust_chain_verification = 10 515 [(validate.rules).enum = {defined_only: true}]; 516 517 // The configuration of an extension specific certificate validator. 518 // If specified, all validation is done by the specified validator, 519 // and the behavior of all other validation settings is defined by the specified validator (and may be entirely ignored, unused, and unvalidated). 520 // Refer to the documentation for the specified validator. If you do not want a custom validation algorithm, do not set this field. 521 // [#extension-category: envoy.tls.cert_validator] 522 config.core.v3.TypedExtensionConfig custom_validator_config = 12; 523 524 // If this option is set to true, only the certificate at the end of the 525 // certificate chain will be subject to validation by :ref:`CRL <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.crl>`. 526 bool only_verify_leaf_cert_crl = 14; 527 528 // Defines maximum depth of a certificate chain accepted in verification, the default limit is 100, though this can be system-dependent. 529 // This number does not include the leaf, so a depth of 1 allows the leaf and one CA certificate. If a trusted issuer appears in the chain, 530 // but in a depth larger than configured, the certificate validation will fail. 531 // See `BoringSSL SSL_CTX_set_verify_depth <https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#SSL_CTX_set_verify_depth>` 532 // If you use OpenSSL, its behavior is different from BoringSSL, this will define a limit on the number of certificates between the end-entity and trust-anchor certificates. 533 // Neither the end-entity nor the trust-anchor certificates count against depth. 534 // See `OpenSSL SSL set_verify_depth <https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_verify_depth.html>`_. 535 // Trusted issues are specified by setting :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>` 536 google.protobuf.UInt32Value max_verify_depth = 16 [(validate.rules).uint32 = {lte: 100}]; 537} 538