envoyproxy · tyxia · Feb 12, 2026 · Feb 11, 2026 · Feb 11, 2026 · Feb 11, 2026
diff --git a/changelogs/current.yaml b/changelogs/current.yaml
@@ -22,6 +22,12 @@ behavior_changes:
     The previous flag for specifying FIPS builds (ie ``--define=boringssl=fips``) will no longer work and
     has been replaced by ``--config=boringssl-fips``. This change will allow us to better support custom
     SSL libraries, and will allow FIPS-compliant Envoy to be built with the imminent switch to Bazel bzlmod.
+- area: tls
+  change: |
+    Set
+    :ref:`enforce_rsa_key_usage <envoy_v3_api_field_extensions.transport_sockets.tls.v3.UpstreamTlsContext.enforce_rsa_key_usage>`
+    to true by default. The handshake will fail if the keyUsage extension is present and incompatible with the TLS usage. BoringSSL
+    will enforce this very soon, please update the certificates to be compliant.
 
 minor_behavior_changes:
 # *Changes that may cause incompatibilities for some users, but should not for most*

diff --git a/source/common/tls/client_context_impl.cc b/source/common/tls/client_context_impl.cc
@@ -66,6 +66,13 @@ ClientContextImpl::ClientContextImpl(
       allow_renegotiation_(config.allowRenegotiation()),
       enforce_rsa_key_usage_(config.enforceRsaKeyUsage()),
       max_session_keys_(config.maxSessionKeys()) {
+
+  if (enforce_rsa_key_usage_) {
+    ENVOY_LOG(warn, "The 'enforce_rsa_key_usage' option is enabled, the handshake will fail if the "
+                    "keyUsage extension is present and incompatible with the TLS usage. BoringSSL "
+                    "will enforce this very soon please update the certificates to be compliant.");
+  }
+
   if (!creation_status.ok()) {
     return;
   }

diff --git a/source/common/tls/context_config_impl.cc b/source/common/tls/context_config_impl.cc
@@ -414,7 +414,7 @@ ClientContextConfigImpl::ClientContextConfigImpl(
           FIPS_mode() ? DEFAULT_CURVES_FIPS : DEFAULT_CURVES, factory_context, creation_status),
       server_name_indication_(config.sni()), auto_host_sni_(config.auto_host_sni()),
       allow_renegotiation_(config.allow_renegotiation()),
-      enforce_rsa_key_usage_(PROTOBUF_GET_WRAPPED_OR_DEFAULT(config, enforce_rsa_key_usage, false)),
+      enforce_rsa_key_usage_(PROTOBUF_GET_WRAPPED_OR_DEFAULT(config, enforce_rsa_key_usage, true)),
       max_session_keys_(PROTOBUF_GET_WRAPPED_OR_DEFAULT(config, max_session_keys, 1)) {
   // BoringSSL treats this as a C string, so embedded NULL characters will not
   // be handled correctly.

diff --git a/test/common/tls/ssl_socket_test.cc b/test/common/tls/ssl_socket_test.cc
@@ -7906,8 +7906,6 @@ TEST_P(SslSocketTest, RsaKeyUsageVerificationEnforcementOn) {
 
   envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext client_tls_context;
 
-  // Enable the rsa_key_usage enforcement.
-  client_tls_context.mutable_enforce_rsa_key_usage()->set_value(true);
   TestUtilOptionsV2 test_options(listener, client_tls_context, /*expect_success=*/false, version_,
                                  /*skip_server_failure_reason_check=*/true);
   // Client connection is failed with key_usage_mismatch.