tls: enable enforce_rsa_key_usage by default

changelogs/current.yaml

@@ -22,6 +22,12 @@ behavior_changes:
     The previous flag for specifying FIPS builds (ie ``--define=boringssl=fips``) will no longer work and
     has been replaced by ``--config=boringssl-fips``. This change will allow us to better support custom
     SSL libraries, and will allow FIPS-compliant Envoy to be built with the imminent switch to Bazel bzlmod.
+- area: tls
+  change: |
+    Set
+    :ref:`enforce_rsa_key_usage <envoy_v3_api_field_extensions.transport_sockets.tls.v3.UpstreamTlsContext.enforce_rsa_key_usage>`
+    to true by default. The handshake will fail if the keyUsage extension is present and incompatible with the TLS usage. In
+    the next version of Envoy, this option will be removed and the enforcing behavior will always be used.
 
 minor_behavior_changes:
 # *Changes that may cause incompatibilities for some users, but should not for most*

source/common/tls/context_config_impl.cc

@@ -414,8 +414,27 @@ ClientContextConfigImpl::ClientContextConfigImpl(
           FIPS_mode() ? DEFAULT_CURVES_FIPS : DEFAULT_CURVES, factory_context, creation_status),
       server_name_indication_(config.sni()), auto_host_sni_(config.auto_host_sni()),
       allow_renegotiation_(config.allow_renegotiation()),
-      enforce_rsa_key_usage_(PROTOBUF_GET_WRAPPED_OR_DEFAULT(config, enforce_rsa_key_usage, false)),
+      enforce_rsa_key_usage_(PROTOBUF_GET_WRAPPED_OR_DEFAULT(config, enforce_rsa_key_usage, true)),
       max_session_keys_(PROTOBUF_GET_WRAPPED_OR_DEFAULT(config, max_session_keys, 1)) {
+
+  if (!config.has_enforce_rsa_key_usage()) {
+    ENVOY_LOG(
+        warn,
+        "The 'enforce_rsa_key_usage' option is not configured, its default value is changed to "
+        "true, and the config option will be deprecated in the next version. The handshake will "
+        "fail "
+        "if the keyUsage extension is present and incompatible with the "
+        "TLS usage. Please update the certificates to be compliant.");
+  } else if (!enforce_rsa_key_usage_) {
+    ENVOY_LOG(
+        warn,
+        "The 'enforce_rsa_key_usage' option is set to false, which disables the enforcement of RSA "
+        "key usage. This option will be deprecated in the next version. The handshake will fail "
+        "if the keyUsage extension is present and incompatible with the "
+        "TLS usage. Please update the certificates to be compliant.");
+    factory_context.serverFactoryContext().runtime().countDeprecatedFeatureUse();
+  }
+
   // BoringSSL treats this as a C string, so embedded NULL characters will not
   // be handled correctly.
   if (server_name_indication_.find('\0') != std::string::npos) {

source/common/tls/context_config_impl.h

@@ -30,7 +30,8 @@ struct CertificateValidationContextConfigProviderSharedPtrWithName {
   Secret::CertificateValidationContextConfigProviderSharedPtr provider_;
 };
 
-class ContextConfigImpl : public virtual Ssl::ContextConfig {
+class ContextConfigImpl : public virtual Ssl::ContextConfig,
+                          public Logger::Loggable<Logger::Id::misc> {
 public:
   // Ssl::ContextConfig
   const std::string& alpnProtocols() const override { return alpn_protocols_; }

test/common/tls/ssl_socket_test.cc

@@ -7906,8 +7906,6 @@ TEST_P(SslSocketTest, RsaKeyUsageVerificationEnforcementOn) {
 
   envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client_tls_context;
 
-  // Enable the rsa_key_usage enforcement.
-  client_tls_context.mutable_enforce_rsa_key_usage()->set_value(true);
   TestUtilOptionsV2 test_options(listener, client_tls_context, /*expect_success=*/false, version_,
                                  /*skip_server_failure_reason_check=*/true);
   // Client connection is failed with key_usage_mismatch.