Skip to content

tls: add CRLDP data to transport failure reason#43679

Open
guydc wants to merge 4 commits intoenvoyproxy:mainfrom
guydc:feat-tls-crldp-info-on-fail
Open

tls: add CRLDP data to transport failure reason#43679
guydc wants to merge 4 commits intoenvoyproxy:mainfrom
guydc:feat-tls-crldp-info-on-fail

Conversation

@guydc
Copy link
Contributor

@guydc guydc commented Feb 27, 2026
edited
Loading

Commit Message: tls: add CRLDP data to transport failure reason

Additional Description: For errors such as unable to get certificate CRL, the error message now includes the certificate's CRL distribution points and a clarification that the check is performed against user-defined CRLs (e.g., X509_verify_cert: certificate verification error at depth 0: certificate revocation check against provided CRLs failed: unable to get certificate CRL, certificate CRL distribution points: [http://crl.example.com/ca.crl, http://backup-crl.example.com/ca.crl])

Risk Level: Low
Testing: Added unit tests
Docs Changes: No
Release Notes: Added
Platform Specific Features: No
Fixes #43642

@guydc
tls: add CRLDP data to transport failure reason
ddcdcf7 
Signed-off-by: Guy Daich <guy.daich@sap.com>
@guydc guydc mentioned this pull request Feb 27, 2026
Open
@guydc
Copy link
Contributor Author

guydc commented Feb 27, 2026

/retest

@guydc
Merge branch 'main' into feat-tls-crldp-info-on-fail
1aa543a 
Signed-off-by: Guy Daich <guy.daich@sap.com>
@guydc
Copy link
Contributor Author

guydc commented Mar 1, 2026

/retest

ggreenway
ggreenway reviewed Mar 2, 2026
View reviewed changes
Copy link
Member

@ggreenway ggreenway left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like the idea of this, but I wonder if it would be better if instead of using the error text out of boringssl, you wrote text for each of the four specific errors

/wait-any

test/common/tls/utility_test.cc Outdated
Comment on lines +343 to +346
Utility::getX509VerificationErrorInfo(store_ctx.get()),
"X509_verify_cert: certificate verification error at depth 0: unable to get certificate CRL, "
"certificate CRL distribution points: [http://crl.example.com/ca.crl, "
"http://backup-crl.example.com/ca.crl]");
Copy link
Member

@ggreenway ggreenway Mar 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm worried that this error will be quite misleading. The text implies that envoy would be fetching the CRL from the distribution point, but the actual error is that the CRL isn't included in Envoy's configuration

Copy link
Contributor Author

@guydc guydc Mar 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @ggreenway, thanks for reviewing. Sure, I changed it to CRL for certificate was not provided instead. I think that other error CRL-related errors are sufficiently clear.

Copy link
Contributor Author

@guydc guydc Mar 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

actually, seems like ssl_socket_test expects to find the original BoringSSL error messages. I'll wrap them instead.

@ggreenway ggreenway self-assigned this Mar 2, 2026
@guydc
use better error message for missing CRLs
b703fc1 
Signed-off-by: Guy Daich <guy.daich@sap.com>
@guydc
wrap BorinSSL CRL error messages
8d8aa94 
Signed-off-by: Guy Daich <guy.daich@sap.com>
@guydc
Copy link
Contributor Author

guydc commented Mar 3, 2026

/retest

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ggreenway ggreenway ggreenway left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@ggreenway ggreenway

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

TLS: add CRL-related information to TRANSPORT_FAILURE_REASON

2 participants

@guydc @ggreenway