From 1a748ed0cf19ca58d3822bca389cf4922f7eb301 Mon Sep 17 00:00:00 2001 From: Andrew Dunham Date: Fri, 26 Jan 2018 12:53:31 -0800 Subject: [PATCH 1/2] Add CRL docs to architecture overview Signed-off-by: Andrew Dunham --- docs/root/intro/arch_overview/ssl.rst | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/root/intro/arch_overview/ssl.rst b/docs/root/intro/arch_overview/ssl.rst index 234ccd4cf..e8ad64834 100644 --- a/docs/root/intro/arch_overview/ssl.rst +++ b/docs/root/intro/arch_overview/ssl.rst @@ -14,6 +14,8 @@ requirements (TLS1.2, SNI, etc.). Envoy supports the following TLS features: to server certificate verification. * **Certificate verification and pinning**: Certificate verification options include basic chain verification, subject name verification, and hash pinning. +* **Certificate revocation**: Envoy can check peer certificates against a certificate revocation list + (CRL) if one is :ref:`provided `. * **ALPN**: TLS listeners support ALPN. The HTTP connection manager uses this information (in addition to protocol inference) to determine whether a client is speaking HTTP/1.1 or HTTP/2. * **SNI**: SNI is currently supported for client connections. Listener support is likely to be added From 2dacee883b2b2f9d69ebb5d6d4ab7e158007b3b4 Mon Sep 17 00:00:00 2001 From: Andrew Dunham Date: Fri, 26 Jan 2018 12:53:48 -0800 Subject: [PATCH 2/2] Change 'file' to 'DataSource' in CRL field documentation Signed-off-by: Andrew Dunham --- envoy/api/v2/auth/cert.proto | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/envoy/api/v2/auth/cert.proto b/envoy/api/v2/auth/cert.proto index 989107c07..304e19a96 100644 --- a/envoy/api/v2/auth/cert.proto +++ b/envoy/api/v2/auth/cert.proto 
@@ -152,7 +152,7 @@ message CertificateValidationContext { // An optional `certificate revocation list // `_ // (in PEM format). If specified, Envoy will verify that the presented peer - // certificate has not been revoked by this CRL. If this file contains + // certificate has not been revoked by this CRL. If this DataSource contains // multiple CRLs, all of them will be used. DataSource crl = 7; }
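Review bot: in the first hunk (ssl.rst), the cross-reference `:ref:`provided `` has no visible target label, so Sphinx will look for a label literally named "provided" and the build will emit an unresolved-reference warning; please confirm the link carries the anchor for the `crl` field of `CertificateValidationContext` (the field touched by the second patch) before merging. It would also help operators if the bullet said explicitly that revocation is not checked at all when no CRL is configured, since the sentence only states the positive case ("if one is provided").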
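Review bot: in the second hunk (cert.proto), the `file` to `DataSource` wording now matches the declared type `DataSource crl = 7;`, but the comment still leaves open which certificates the CRL check applies to: "the presented peer certificate has not been revoked" reads as leaf-only, while operators who bundle multiple CRLs in one DataSource (explicitly allowed by the next sentence) will want to know whether intermediates in the chain are checked as well. Suggest stating the scope in one sentence, e.g. whether the check covers only the end-entity certificate or every certificate in the verified chain.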