tls: support for ECDSA P-384 and P-521 certificates (#10855) #36369
Mobile/CC (success)
Check has finished
Details
Check run finished (success ✔️)
The check run can be viewed here:
Mobile/CC (pr/36369/main@d1821b2)
Check started by
Request (pr/36369/main@d1821b2)
d1821b2 
#36369 merge main@e3ed5a7
tls: support for ECDSA P-384 and P-521 certificates (#10855)
Commit Message: tls: support for ECDSA P-384 and P-521 certificates (#10855)
Additional Description: Commercial National Security Algorithm Suite (CNSA) requires ECDSA keys be specified with P-384 curves. The assertion that there are no security benefits to curves higher than P-256 is no longer true. This change is intended to limit the adoptable curves to P-384 and P-521.
Risk Level: Medium - removal of limitation of curves to be used for ECDSA certificates, with [potential misconfiguration and DoS risks[(https://github.com//issues/10855#issuecomment-618023133) mentioned in previous discourse on the issue.
Testing: Testing using unit and integration tests
Docs Changes: Changes made to reference that P-384 and P-521 certificates now are useable.
Environment
Request variables
| Key | Value |
|---|---|
| ref | edeba3d |
| sha | d1821b2 |
| pr | 36369 |
| base-sha | e3ed5a7 |
| actor | @anitabyte |
| message | tls: support for ECDSA P-384 and P-521 certificates (#10855)... |
| started | 1727477818.362402 |
| target-branch | main |
| trusted | false |
Build image
Container image/s (as used in this CI run)
| Key | Value |
|---|---|
| default | envoyproxy/envoy-build-ubuntu:f94a38f62220a2b017878b790b6ea98a0f6c5f9c |
| mobile | envoyproxy/envoy-build-ubuntu:mobile-f94a38f62220a2b017878b790b6ea98a0f6c5f9c |
Version
Envoy version (as used in this CI run)
| Key | Value |
|---|---|
| major | 1 |
| minor | 32 |
| patch | 0 |
| dev | true |