backport envoyproxy#32315

Change-Id: I5b5ec42d5b3138060505c74d313d759199083e8d Signed-off-by: Kuat Yessenov <[email protected]>
kyessenov · Feb 23, 2024 · 40a26bd · 40a26bd
1 parent 179acbb
commit 40a26bd
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 6 deletions.
diff --git a/changelogs/current.yaml b/changelogs/current.yaml
@@ -16,5 +16,10 @@ removed_config_or_runtime:
 # *Normally occurs at the end of the* :ref:`deprecation period <deprecated>`
 
 new_features:
+- area: google_grpc
+  change: |
+    Added an off-by-default runtime flag
+    ``envoy.reloadable_features.google_grpc_disable_tls_13`` to disable TLSv1.3
+    usage by gRPC SDK for ``google_grpc`` services.
 
 deprecated:
diff --git a/source/common/grpc/google_grpc_creds_impl.cc b/source/common/grpc/google_grpc_creds_impl.cc
@@ -18,12 +18,9 @@ std::shared_ptr<grpc::ChannelCredentials> CredsUtility::getChannelCredentials(
     case envoy::config::core::v3::GrpcService::GoogleGrpc::ChannelCredentials::
         CredentialSpecifierCase::kSslCredentials: {
       const auto& ssl_credentials = google_grpc.channel_credentials().ssl_credentials();
-      const auto root_certs = 
-          Config::DataSource::read(ssl_credentials.root_certs(), true, api);
-      const auto private_key =
-          Config::DataSource::read(ssl_credentials.private_key(), true, api);
-      const auto cert_chain =
-          Config::DataSource::read(ssl_credentials.cert_chain(), true, api);
+      const auto root_certs = Config::DataSource::read(ssl_credentials.root_certs(), true, api);
+      const auto private_key = Config::DataSource::read(ssl_credentials.private_key(), true, api);
+      const auto cert_chain = Config::DataSource::read(ssl_credentials.cert_chain(), true, api);
       grpc::experimental::TlsChannelCredentialsOptions options;
       if (!private_key.empty() || !cert_chain.empty()) {
         options.set_certificate_provider(