From 14e846741156536727205bfc49fad6ce9287cf13 Mon Sep 17 00:00:00 2001
From: Andrew Dunham
Date: Tue, 24 Oct 2017 20:20:31 -0700
Subject: [PATCH 1/4] Add "crl" field to CertificateValidationContext

Signed-off-by: Andrew Dunham
---
 api/sds.proto | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/api/sds.proto b/api/sds.proto
index 172e0ebac..65cb45890 100644
--- a/api/sds.proto
+++ b/api/sds.proto
@@ -172,6 +172,9 @@ message CertificateValidationContext {
 
   // [#not-implemented-hide:] Must present signed certificate time-stamp.
   google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
+
+  // If specified, Envoy will verify certificates against this CRL.
+  DataSource crl = 7;
 }
 
 // TLS context shared by both client and server TLS contexts.

From ff059f8ae595a262d85dceee09fab1f27738c944 Mon Sep 17 00:00:00 2001
From: Andrew Dunham
Date: Thu, 21 Dec 2017 18:44:44 -0500
Subject: [PATCH 2/4] Add 'crl_file' to documentation

Signed-off-by: Andrew Dunham
---
 docs/root/api-v1/listeners/listeners.rst | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/docs/root/api-v1/listeners/listeners.rst b/docs/root/api-v1/listeners/listeners.rst
index 8d9f654af..fcf416395 100644
--- a/docs/root/api-v1/listeners/listeners.rst
+++ b/docs/root/api-v1/listeners/listeners.rst
@@ -119,6 +119,7 @@ TLS :ref:`architecture overview `.
     "ca_cert_file": "...",
     "verify_certificate_hash": "...",
     "verify_subject_alt_name": [],
+    "crl_file": "...",
     "cipher_suites": "...",
     "ecdh_curves": "...",
     "session_ticket_key_paths": []
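Review bot: The comment on the new `DataSource crl = 7;` does not state the failure modes of the CRL check, which is what an operator needs in order to judge the option: whether revocation is checked for the leaf certificate only or for every certificate in the chain, what happens when the file contains no CRL for a given issuer, and whether a CRL past its nextUpdate is still honored. It also does not say whether the CRL must be signed by one of the trusted CAs configured on the same context, nor whether the DataSource is read once at startup, so it is unclear if a CRL updated on disk takes effect without a restart; the implementation is not on this page, so these may be settled elsewhere. The later hunks that rewrite this comment (patches 3/4) and the v1 `crl_file` documentation inherit the same gap. I would add one or two lines stating the chain-vs-leaf scope, the missing-CRL and expired-CRL behavior, and the reload behavior, once confirmed against the implementation. The CertificateValidationContext message starts outside the hunk.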
@@ -172,6 +173,14 @@ verify_subject_alt_name
   *(optional, array)* An optional list of subject alt names. If specified, Envoy will verify that the client certificate's subject alt name matches one of the specified values.
 
+.. _config_listener_ssl_context_crl_file:
+
+crl_file
+  *(optional, string)* An optional `certificate revocation list
+  `_ (in PEM format).
+  If specified, Envoy will verify that the presented client certificate has not been revoked by
+  this CRL. If this file contains multiple CRLs, all of them will be used.
+
 cipher_suites
   *(optional, string)* If specified, the TLS listener will only support the specified `cipher list `_.

From 43ef409ecfd68e134cd27b20c9e7f8cc607be623 Mon Sep 17 00:00:00 2001
From: Andrew Dunham
Date: Thu, 21 Dec 2017 21:28:17 -0500
Subject: [PATCH 3/4] Review feedback: copy detailed documentation to v2 proto comment

Signed-off-by: Andrew Dunham
---
 api/sds.proto | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/api/sds.proto b/api/sds.proto
index 65cb45890..2c1ee7635 100644
--- a/api/sds.proto
+++ b/api/sds.proto
@@ -173,7 +173,11 @@ message CertificateValidationContext {
   // [#not-implemented-hide:] Must present signed certificate time-stamp.
   google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
 
-  // If specified, Envoy will verify certificates against this CRL.
+  // An optional `certificate revocation list
+  // `_
+  // (in PEM format). If specified, Envoy will verify that the presented client
+  // certificate has not been revoked by this CRL. If this file contains
+  // multiple CRLs, all of them will be used.
   DataSource crl = 7;
 }
 

From d82d917142de3409b97f6650d1393da5e45343cf Mon Sep 17 00:00:00 2001
From: Andrew Dunham
Date: Fri, 22 Dec 2017 22:28:20 -0500
Subject: [PATCH 4/4] Review feedback: change 'client certificate' to 'peer certificate'

Signed-off-by: Andrew Dunham
---
 api/sds.proto                            | 2 +-
 docs/root/api-v1/listeners/listeners.rst | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/api/sds.proto b/api/sds.proto
index 2c1ee7635..f86994d07 100644
--- a/api/sds.proto
+++ b/api/sds.proto
@@ -175,7 +175,7 @@ message CertificateValidationContext {
 
   // An optional `certificate revocation list
   // `_
-  // (in PEM format). If specified, Envoy will verify that the presented client
+  // (in PEM format). If specified, Envoy will verify that the presented peer
   // certificate has not been revoked by this CRL. If this file contains
   // multiple CRLs, all of them will be used.
   DataSource crl = 7;
diff --git a/docs/root/api-v1/listeners/listeners.rst b/docs/root/api-v1/listeners/listeners.rst
index fcf416395..5d799b540 100644
--- a/docs/root/api-v1/listeners/listeners.rst
+++ b/docs/root/api-v1/listeners/listeners.rst
@@ -178,7 +178,7 @@ verify_subject_alt_name
 crl_file
   *(optional, string)* An optional `certificate revocation list
   `_ (in PEM format).
-  If specified, Envoy will verify that the presented client certificate has not been revoked by
+  If specified, Envoy will verify that the presented peer certificate has not been revoked by
   this CRL. If this file contains multiple CRLs, all of them will be used.
 
 cipher_suites