
tls: enable enforce_rsa_key_usage by default #43433

Merged: tyxia merged 8 commits into envoyproxy:main from tyxia:rsa, Feb 12, 2026

tyxia (Member) commented Feb 11, 2026

Commit Message:
Additional Description:
Risk Level:
Testing:
Docs Changes:
Release Notes:
Platform Specific Features:
[Optional Runtime guard:]
[Optional Fixes #Issue]
[Optional Fixes commit #PR or SHA]
[Optional Deprecated:]
[Optional API Considerations:]

Signed-off-by: tyxia <tyxia@google.com>
@repokitteh-read-only

As a reminder, PRs marked as draft will not be automatically assigned reviewers,
or be handled by maintainer-oncall triage.

Please mark your PR as ready when you want it to be reviewed!

🐱

Caused by: #43433 was opened by tyxia.

see: more, trace.

Signed-off-by: tyxia <tyxia@google.com>
tyxia changed the title from "enable rsa_key" to "tls: enable enforce_rsa_key_usage by default" Feb 11, 2026
Signed-off-by: tyxia <tyxia@google.com>
tyxia (Member, Author) commented Feb 12, 2026

/retest

Signed-off-by: tyxia <tyxia@google.com>
tyxia marked this pull request as ready for review February 12, 2026 02:50

ggreenway (Member) left a comment

/wait

Signed-off-by: tyxia <tyxia@google.com>
ggreenway (Member) left a comment

/wait

Signed-off-by: tyxia <tyxia@google.com>
@repokitteh-read-only

CC @envoyproxy/api-shepherds: Your approval is needed for changes made to (api/envoy/|docs/root/api-docs/).
envoyproxy/api-shepherds assignee is @wbpcode
CC @envoyproxy/api-watchers: FYI only for changes made to (api/envoy/|docs/root/api-docs/).

🐱

Caused by: #43433 was synchronize by tyxia.

see: more, trace.

max_session_keys_(PROTOBUF_GET_WRAPPED_OR_DEFAULT(config, max_session_keys, 1)) {

if (!config.has_enforce_rsa_key_usage()) {
ENVOY_LOG(
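
Review bot: The `if (!config.has_enforce_rsa_key_usage())` branch keys the log on the field being absent rather than on the effective value, so it fires each time this constructor runs for a configuration that simply takes the default this PR enables. Consider resolving the value once with `PROTOBUF_GET_WRAPPED_OR_DEFAULT`, as the `max_session_keys_` initializer above does, and logging only when the resolved value is false.
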
Member

Maybe we shouldn't warn in this case, and just rely on the release note. With this warning, there's no way to launch envoy without some warning logged: either this message if it's unset, a log of using a deprecated feature if it is set and is true, and a log of using a deprecated feature and the below log message if it's set and false. If we remove this case and only warn for !enforce_rsa_key_usage_ then people who are using the new behavior don't get a warning, which seems fine.

Member Author

Makes sense. Thanks for the suggestions!

Signed-off-by: tyxia <tyxia@google.com>
tyxia marked this pull request as draft February 12, 2026 17:26
Signed-off-by: tyxia <tyxia@google.com>
ggreenway (Member) left a comment

LGTM

tyxia marked this pull request as ready for review February 12, 2026 18:07
tyxia enabled auto-merge (squash) February 12, 2026 18:09
tyxia merged commit 49be387 into envoyproxy:main Feb 12, 2026
26 of 28 checks passed

4 participants