Re: TLS verification using OS default bundle


Ofer Inbar

Feb 21, 2025, 1:28:29 PM
to envoy...@googlegroups.com
Please ignore the envoy.yaml I accidentally attached to the previous
email, it was from a question I asked here months ago, and isn't
relevant to this one.
-- Cos


Ofer Inbar

Feb 21, 2025, 1:28:29 PM
to envoy...@googlegroups.com
I asked this on the Envoy Slack earlier this week, but no response
there so I'll try here.

According to
https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#arch-overview-ssl-enabling-verification

If you want to validate the other side's certificate, using
validation_context.trusted_ca, and you want Envoy to use the system's
default CA bundle, you have to explicitly put that path as a
filename string inside your validation_context.trusted_ca, yes?

Is there no way to tell Envoy "please validate using the system's
default bundle", without giving it the hardcoded path?

-- Cos
envoy.yaml

Greg Greenway

Feb 21, 2025, 1:53:15 PM
to Ofer Inbar, envoy...@googlegroups.com
Correct; you must specify the path to the trust bundle. 

There was some work done to support using the system bundle for grpc in https://github.com/envoyproxy/envoy/pull/34235. If someone wanted to add Envoy support for the config field added there, it would be a welcome change.

You received this message because you are subscribed to the Google Groups "envoy-users" group.
To view this discussion visit https://groups.google.com/d/msgid/envoy-users/20250220221519.GM15089%40miplet.aaaaa.org.

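An added illustration of the answer above (example configuration written for this page, not the poster's envoy.yaml and not from the Envoy project): two upstream clusters, one with no validation_context and one with trusted_ca pointing at the OS bundle. It assumes a Debian/Ubuntu-style bundle path (/etc/ssl/certs/ca-certificates.crt; RHEL/Fedora images use /etc/pki/tls/certs/ca-bundle.crt instead) and a placeholder upstream host api.example.com. Since Envoy will not locate the bundle for you, that path is the part to template in at deploy time for the distro the proxy actually runs on.

```yaml
# Added example, not from the thread or the Envoy project.
# Assumptions: Debian/Ubuntu bundle path, placeholder host api.example.com.
static_resources:
  clusters:

  # WEAK: no validation_context. Envoy still negotiates TLS, but it does not
  # verify the upstream certificate at all, so a self-signed, expired, or
  # wrong-name certificate is accepted. Do not ship this.
  - name: upstream_unverified
    type: STRICT_DNS
    connect_timeout: 5s
    load_assignment:
      cluster_name: upstream_unverified
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: {address: api.example.com, port_value: 443}
    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
        sni: api.example.com

  # CORRECTED: trusted_ca spelled out as the OS bundle path (Envoy has no
  # "use the system default" setting), plus a SAN match so the chain must
  # end at a certificate issued for the host we think we are talking to.
  # trusted_ca alone validates the chain but does not check the hostname.
  - name: upstream_verified
    type: STRICT_DNS
    connect_timeout: 5s
    load_assignment:
      cluster_name: upstream_verified
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: {address: api.example.com, port_value: 443}
    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
        sni: api.example.com
        common_tls_context:
          validation_context:
            trusted_ca:
              # Distro-specific; on RHEL/Fedora use /etc/pki/tls/certs/ca-bundle.crt
              filename: /etc/ssl/certs/ca-certificates.crt
            match_typed_subject_alt_names:
            - san_type: DNS
              matcher:
                exact: api.example.com
```

Before rolling this out, confirm the bundle path exists inside the image Envoy runs in and check the file with `envoy --mode validate -c envoy.yaml`; a wrong filename fails at startup rather than silently skipping verification, which is the behaviour you want.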