test

Signed-off-by: Jonh Wendell <[email protected]>

Author: jwendell

source/common/tls/cert_validator/default_validator.cc

@@ -88,10 +88,12 @@ absl::StatusOr<int> DefaultCertValidator::initializeSslContexts(std::vector<SSL_
 
     for (auto& ctx : contexts) {
       X509_STORE* store = SSL_CTX_get_cert_store(ctx);
-      // RH - Restore reloadable feature check to avoid failure of RevokedIntermediateCertificate test
-      if (Runtime::runtimeFeatureEnabled("envoy.reloadable_features.enable_intermediate_ca")) {
-        X509_STORE_set_flags(store, X509_V_FLAG_PARTIAL_CHAIN);
-      }
+
+#ifndef ENVOY_SSL_OPENSSL
+      // This doesn't work on OpenSSL: https://github.com/openssl/openssl/issues/5081
+      X509_STORE_set_flags(store, X509_V_FLAG_PARTIAL_CHAIN);
+#endif
+
       bool has_crl = false;
       for (const X509_INFO* item : list.get()) {
         if (item->x509) {
@@ -146,10 +148,12 @@ absl::StatusOr<int> DefaultCertValidator::initializeSslContexts(std::vector<SSL_
 
     for (auto& ctx : contexts) {
       X509_STORE* store = SSL_CTX_get_cert_store(ctx);
-      // RH - Restore reloadable feature check to avoid failure of RevokedIntermediateCertificate test
-      if (Runtime::runtimeFeatureEnabled("envoy.reloadable_features.enable_intermediate_ca")) {
-        X509_STORE_set_flags(store, X509_V_FLAG_PARTIAL_CHAIN);
-      }
+
+#ifndef ENVOY_SSL_OPENSSL
+      // This doesn't work on OpenSSL: https://github.com/openssl/openssl/issues/5081
+      X509_STORE_set_flags(store, X509_V_FLAG_PARTIAL_CHAIN);
+#endif
+
       for (const X509_INFO* item : list.get()) {
         if (item->crl) {
           X509_STORE_add_crl(store, item->crl);

test/common/tls/ssl_socket_test.cc

@@ -6141,13 +6141,6 @@ TEST_P(SslSocketTest, RevokedIntermediateCertificate) {
   testUtil(complete_revoked_test_options.setExpectedServerStats("ssl.fail_verify_error")
                .setExpectedVerifyErrorCode(X509_V_ERR_CERT_REVOKED));
 
-  // On OpenSSL, the following check fails due to https://github.com/openssl/openssl/issues/5081.
-  // To make it pass, we have to temporarily set the enable_intermediate_ca feature flag to false.
-  // This ensures that the X509_V_FLAG_PARTIAL_CHAIN option doesn't get applied to the trust store,
-  // which ensures that full cert chain & CRL processing occurs, which allows this check to pass.
-  TestScopedRuntime scoped_runtime;
-  scoped_runtime.mergeValues({{"envoy.reloadable_features.enable_intermediate_ca", "false"}});
-
   // Ensure that complete crl chains succeed with unrevoked certificates.
   TestUtilOptions complete_unrevoked_test_options(unrevoked_client_ctx_yaml,
                                                   complete_server_ctx_yaml, true, version_);
@@ -6234,13 +6227,6 @@ TEST_P(SslSocketTest, RevokedIntermediateCertificateCRLInTrustedCA) {
   testUtil(complete_revoked_test_options.setExpectedServerStats("ssl.fail_verify_error")
                .setExpectedVerifyErrorCode(X509_V_ERR_CERT_REVOKED));
 
-  // On OpenSSL, the following check fails due to https://github.com/openssl/openssl/issues/5081.
-  // To make it pass, we have to temporarily set the enable_intermediate_ca feature flag to false.
-  // This ensures that the X509_V_FLAG_PARTIAL_CHAIN option doesn't get applied to the trust store,
-  // which ensures that full cert chain & CRL processing occurs, which allows this check to pass.
-  TestScopedRuntime scoped_runtime;
-  scoped_runtime.mergeValues({{"envoy.reloadable_features.enable_intermediate_ca", "false"}});
-
   // Ensure that complete crl chains succeed with unrevoked certificates.
   TestUtilOptions complete_unrevoked_test_options(unrevoked_client_ctx_yaml,
                                                   complete_server_ctx_yaml, true, version_);