repo: Assorted CVE fixes (IMPORTANT!)

changelogs/current.yaml

@@ -48,6 +48,29 @@ bug_fixes:
 - area: tracing
   change: |
     Prevent Envoy from crashing at start up when the OpenTelemetry environment resource detector cannot detect any attributes.
+- area: proxy protocol
+  change: |
+    Fixed a crash when Envoy is configured for PROXY protocol on both a listener and cluster, and the listener receives
+    a PROXY protocol header with address type LOCAL (typically used for health checks).
+- area: url matching
+  change: |
+    Fixed excessive CPU utilization when using regex URL template matcher.
+- area: http
+  change: |
+    Fixed crash when HTTP request idle and per try timeouts occurs within backoff interval.
+- area: proxy_protocol
+  change: |
+    Fix crash due to uncaught exception when the operating system does not support an address type (such as IPv6) that is
+    received in a proxy protocol header. Connections will instead be dropped/reset.
+- area: proxy_protocol
+  change: |
+    Fixed a bug where TLVs with non utf8 characters were inserted as protobuf values into filter metadata circumventing
+    ext_authz checks when ``failure_mode_allow`` is set to ``true``.
+- area: tls
+  change: |
+    Fix crash due to uncaught exception when the operating system does not support an address type (such as IPv6) that is
+    received in an mTLS client cert IP SAN. These SANs will be ignored. This applies only when using formatter
+    ``%DOWNSTREAM_PEER_IP_SAN%``.
 
 removed_config_or_runtime:
 # *Normally occurs at the end of the* :ref:`deprecation period <deprecated>`

source/common/network/BUILD

@@ -20,6 +20,7 @@ envoy_cc_library(
         ":socket_interface_lib",
         "//envoy/network:address_interface",
         "//source/common/common:assert_lib",
+        "//source/common/common:cleanup_lib",
         "//source/common/common:safe_memcpy_lib",
         "//source/common/common:statusor_lib",
         "//source/common/common:thread_lib",

source/common/network/address_impl.cc

@@ -212,9 +212,19 @@ std::string Ipv4Instance::sockaddrToString(const sockaddr_in& addr) {
   return {start, end};
 }
 
+namespace {
+bool force_ipv4_unsupported_for_test = false;
+}
+
+Cleanup Ipv4Instance::forceProtocolUnsupportedForTest(bool new_val) {
+  bool old_val = force_ipv4_unsupported_for_test;
+  force_ipv4_unsupported_for_test = new_val;
+  return Cleanup([old_val]() { force_ipv4_unsupported_for_test = old_val; });
+}
+
 absl::Status Ipv4Instance::validateProtocolSupported() {
   static const bool supported = SocketInterfaceSingleton::get().ipFamilySupported(AF_INET);
-  if (supported) {
+  if (supported && !force_ipv4_unsupported_for_test) {
     return absl::OkStatus();
   }
   return absl::FailedPreconditionError("IPv4 addresses are not supported on this machine");
@@ -324,9 +334,19 @@ Ipv6Instance::Ipv6Instance(absl::Status& status, const sockaddr_in6& address, bo
   initHelper(address, v6only);
 }
 
+namespace {
+bool force_ipv6_unsupported_for_test = false;
+}
+
+Cleanup Ipv6Instance::forceProtocolUnsupportedForTest(bool new_val) {
+  bool old_val = force_ipv6_unsupported_for_test;
+  force_ipv6_unsupported_for_test = new_val;
+  return Cleanup([old_val]() { force_ipv6_unsupported_for_test = old_val; });
+}
+
 absl::Status Ipv6Instance::validateProtocolSupported() {
   static const bool supported = SocketInterfaceSingleton::get().ipFamilySupported(AF_INET6);
-  if (supported) {
+  if (supported && !force_ipv6_unsupported_for_test) {
     return absl::OkStatus();
   }
   return absl::FailedPreconditionError("IPv6 addresses are not supported on this machine");

source/common/network/address_impl.h

@@ -11,12 +11,16 @@
 #include "envoy/network/socket.h"
 
 #include "source/common/common/assert.h"
+#include "source/common/common/cleanup.h"
 #include "source/common/common/statusor.h"
 
 namespace Envoy {
 namespace Network {
 namespace Address {
 
+// Add an address-specific version for easier searching.
+#define TRY_NEEDS_AUDIT_ADDRESS TRY_NEEDS_AUDIT
+
 /**
  * Check whether we are a) on Android or an Apple platform and b) configured via runtime to always
  * use v6 sockets.
@@ -144,6 +148,12 @@ class Ipv4Instance : public InstanceBase {
   // given address if not.
   static absl::Status validateProtocolSupported();
 
+  /**
+   * For use in tests only.
+   * Force validateProtocolSupported() to return false for IPv4.
+   */
+  static Envoy::Cleanup forceProtocolUnsupportedForTest(bool new_val);
+
 private:
   /**
    * Construct from an existing unix IPv4 socket address (IP v4 address and port).
@@ -226,6 +236,12 @@ class Ipv6Instance : public InstanceBase {
   // Validate that IPv6 is supported on this platform
   static absl::Status validateProtocolSupported();
 
+  /**
+   * For use in tests only.
+   * Force validateProtocolSupported() to return false for IPv6.
+   */
+  static Envoy::Cleanup forceProtocolUnsupportedForTest(bool new_val);
+
 private:
   /**
    * Construct from an existing unix IPv6 socket address (IP v6 address and port).

source/common/router/router.cc

@@ -1115,6 +1115,7 @@ void Filter::onResponseTimeout() {
 // Called when the per try timeout is hit but we didn't reset the request
 // (hedge_on_per_try_timeout enabled).
 void Filter::onSoftPerTryTimeout(UpstreamRequest& upstream_request) {
+  ASSERT(!upstream_request.retried());
   // Track this as a timeout for outlier detection purposes even though we didn't
   // cancel the request yet and might get a 2xx later.
   updateOutlierDetection(Upstream::Outlier::Result::LocalOriginTimeout, upstream_request,

source/common/router/upstream_request.cc

@@ -510,11 +510,20 @@ void UpstreamRequest::setupPerTryTimeout() {
 
 void UpstreamRequest::onPerTryIdleTimeout() {
   ENVOY_STREAM_LOG(debug, "upstream per try idle timeout", *parent_.callbacks());
+  if (per_try_timeout_) {
+    // Disable the per try idle timer, so it does not trigger further retries
+    per_try_timeout_->disableTimer();
+  }
   stream_info_.setResponseFlag(StreamInfo::CoreResponseFlag::StreamIdleTimeout);
   parent_.onPerTryIdleTimeout(*this);
 }
 
 void UpstreamRequest::onPerTryTimeout() {
+  if (per_try_idle_timeout_) {
+    // Delete the per try idle timer, so it does not trigger further retries.
+    // The timer has to be deleted to prevent data flow from re-arming it.
+    per_try_idle_timeout_.reset();
+  }
   // If we've sent anything downstream, ignore the per try timeout and let the response continue
   // up to the global timeout
   if (!parent_.downstreamResponseStarted()) {

source/extensions/common/proxy_protocol/proxy_protocol_header.cc

@@ -127,6 +127,15 @@ bool generateV2Header(const Network::ProxyProtocolData& proxy_proto_data, Buffer
   }
 
   ASSERT(extension_length <= std::numeric_limits<uint16_t>::max());
+  if (proxy_proto_data.src_addr_ == nullptr || proxy_proto_data.src_addr_->ip() == nullptr) {
+    IS_ENVOY_BUG("Missing or incorrect source IP in proxy_proto_data_");
+    return false;
+  }
+  if (proxy_proto_data.dst_addr_ == nullptr || proxy_proto_data.dst_addr_->ip() == nullptr) {
+    IS_ENVOY_BUG("Missing or incorrect dest IP in proxy_proto_data_");
+    return false;
+  }
+
   const auto& src = *proxy_proto_data.src_addr_->ip();
   const auto& dst = *proxy_proto_data.dst_addr_->ip();
   generateV2Header(src.addressAsString(), dst.addressAsString(), src.port(), dst.port(),

source/extensions/filters/listener/proxy_protocol/proxy_protocol.cc

@@ -24,6 +24,7 @@
 #include "source/common/network/address_impl.h"
 #include "source/common/network/proxy_protocol_filter_state.h"
 #include "source/common/network/utility.h"
+#include "source/common/protobuf/utility.h"
 #include "source/extensions/common/proxy_protocol/proxy_protocol_header.h"
 
 using envoy::config::core::v3::ProxyProtocolPassThroughTLVs;
@@ -144,24 +145,37 @@ ReadOrParseState Filter::parseBuffer(Network::ListenerFilterBuffer& buffer) {
   if (proxy_protocol_header_.has_value() &&
       !cb_->filterState().hasData<Network::ProxyProtocolFilterState>(
           Network::ProxyProtocolFilterState::key())) {
-    if (!proxy_protocol_header_.value().local_command_) {
-      auto buf = reinterpret_cast<const uint8_t*>(buffer.rawSlice().mem_);
+    auto buf = reinterpret_cast<const uint8_t*>(buffer.rawSlice().mem_);
+    if (proxy_protocol_header_.value().local_command_) {
+      ENVOY_LOG(trace, "Parsed proxy protocol header, cmd: LOCAL, length: {}, buffer: {}",
+                proxy_protocol_header_.value().wholeHeaderLength(),
+                Envoy::Hex::encode(buf, proxy_protocol_header_.value().wholeHeaderLength()));
+
+      cb_->filterState().setData(
+          Network::ProxyProtocolFilterState::key(),
+          std::make_unique<Network::ProxyProtocolFilterState>(Network::ProxyProtocolData{
+              socket.connectionInfoProvider().remoteAddress(),
+              socket.connectionInfoProvider().localAddress(), parsed_tlvs_}),
+          StreamInfo::FilterState::StateType::Mutable,
+          StreamInfo::FilterState::LifeSpan::Connection);
+    } else {
       ENVOY_LOG(
           trace,
-          "Parsed proxy protocol header, length: {}, buffer: {}, TLV length: {}, TLV buffer: {}",
+          "Parsed proxy protocol header, cmd: PROXY, length: {}, buffer: {}, TLV length: {}, TLV "
+          "buffer: {}",
           proxy_protocol_header_.value().wholeHeaderLength(),
           Envoy::Hex::encode(buf, proxy_protocol_header_.value().wholeHeaderLength()),
           proxy_protocol_header_.value().extensions_length_,
           Envoy::Hex::encode(buf + proxy_protocol_header_.value().headerLengthWithoutExtension(),
                              proxy_protocol_header_.value().extensions_length_));
+      cb_->filterState().setData(
+          Network::ProxyProtocolFilterState::key(),
+          std::make_unique<Network::ProxyProtocolFilterState>(Network::ProxyProtocolData{
+              proxy_protocol_header_.value().remote_address_,
+              proxy_protocol_header_.value().local_address_, parsed_tlvs_}),
+          StreamInfo::FilterState::StateType::Mutable,
+          StreamInfo::FilterState::LifeSpan::Connection);
     }
-
-    cb_->filterState().setData(
-        Network::ProxyProtocolFilterState::key(),
-        std::make_unique<Network::ProxyProtocolFilterState>(Network::ProxyProtocolData{
-            proxy_protocol_header_.value().remote_address_,
-            proxy_protocol_header_.value().local_address_, parsed_tlvs_}),
-        StreamInfo::FilterState::StateType::Mutable, StreamInfo::FilterState::LifeSpan::Connection);
   }
 
   if (proxy_protocol_header_.has_value() && !proxy_protocol_header_.value().local_command_) {
@@ -263,11 +277,21 @@ bool Filter::parseV2Header(const char* buf) {
         la4.sin_family = AF_INET;
         la4.sin_port = v4->dst_port;
         la4.sin_addr.s_addr = v4->dst_addr;
-        proxy_protocol_header_.emplace(
-            WireHeader{PROXY_PROTO_V2_HEADER_LEN, hdr_addr_len, PROXY_PROTO_V2_ADDR_LEN_INET,
-                       hdr_addr_len - PROXY_PROTO_V2_ADDR_LEN_INET, Network::Address::IpVersion::v4,
-                       std::make_shared<Network::Address::Ipv4Instance>(&ra4),
-                       std::make_shared<Network::Address::Ipv4Instance>(&la4)});
+
+        TRY_NEEDS_AUDIT_ADDRESS {
+          // TODO(ggreenway): make this work without requiring operating system support for an
+          // address family.
+          proxy_protocol_header_.emplace(WireHeader{
+              PROXY_PROTO_V2_HEADER_LEN, hdr_addr_len, PROXY_PROTO_V2_ADDR_LEN_INET,
+              hdr_addr_len - PROXY_PROTO_V2_ADDR_LEN_INET, Network::Address::IpVersion::v4,
+              std::make_shared<Network::Address::Ipv4Instance>(&ra4),
+              std::make_shared<Network::Address::Ipv4Instance>(&la4)});
+        }
+        END_TRY CATCH(const EnvoyException& e, {
+          ENVOY_LOG(debug, "Proxy protocol failure: {}", e.what());
+          return false;
+        });
+
         return true;
       } else if (((proto_family & 0xf0) >> 4) == PROXY_PROTO_V2_AF_INET6) {
         PACKED_STRUCT(struct pp_ipv6_addr {
@@ -289,11 +313,19 @@ bool Filter::parseV2Header(const char* buf) {
         la6.sin6_port = v6->dst_port;
         safeMemcpy(&(la6.sin6_addr.s6_addr), &(v6->dst_addr));
 
-        proxy_protocol_header_.emplace(WireHeader{
-            PROXY_PROTO_V2_HEADER_LEN, hdr_addr_len, PROXY_PROTO_V2_ADDR_LEN_INET6,
-            hdr_addr_len - PROXY_PROTO_V2_ADDR_LEN_INET6, Network::Address::IpVersion::v6,
-            std::make_shared<Network::Address::Ipv6Instance>(ra6),
-            std::make_shared<Network::Address::Ipv6Instance>(la6)});
+        TRY_NEEDS_AUDIT_ADDRESS {
+          proxy_protocol_header_.emplace(WireHeader{
+              PROXY_PROTO_V2_HEADER_LEN, hdr_addr_len, PROXY_PROTO_V2_ADDR_LEN_INET6,
+              hdr_addr_len - PROXY_PROTO_V2_ADDR_LEN_INET6, Network::Address::IpVersion::v6,
+              std::make_shared<Network::Address::Ipv6Instance>(ra6),
+              std::make_shared<Network::Address::Ipv6Instance>(la6)});
+        }
+        END_TRY CATCH(const EnvoyException& e, {
+          // TODO(ggreenway): make this work without requiring operating system support for an
+          // address family.
+          ENVOY_LOG(debug, "Proxy protocol failure: {}", e.what());
+          return false;
+        });
         return true;
       }
     }
@@ -409,7 +441,9 @@ bool Filter::parseTlvs(const uint8_t* buf, size_t len) {
     auto key_value_pair = config_->isTlvTypeNeeded(tlv_type);
     if (nullptr != key_value_pair) {
       ProtobufWkt::Value metadata_value;
-      metadata_value.set_string_value(tlv_value.data(), tlv_value.size());
+      // Sanitize any non utf8 characters.
+      auto sanitised_tlv_value = MessageUtil::sanitizeUtf8String(tlv_value);
+      metadata_value.set_string_value(sanitised_tlv_value.data(), sanitised_tlv_value.size());
 
       std::string metadata_key = key_value_pair->metadata_namespace().empty()
                                      ? "envoy.filters.listener.proxy_protocol"

source/extensions/transport_sockets/tls/connection_info_impl_base.cc

@@ -185,7 +185,7 @@ absl::Span<const std::string> ConnectionInfoImplBase::ipSansPeerCertificate() co
     ASSERT(cached_ip_san_peer_certificate_.empty());
     return cached_ip_san_peer_certificate_;
   }
-  cached_ip_san_peer_certificate_ = Utility::getSubjectAltNames(*cert, GEN_IPADD);
+  cached_ip_san_peer_certificate_ = Utility::getSubjectAltNames(*cert, GEN_IPADD, true);
   return cached_ip_san_peer_certificate_;
 }
 

source/extensions/transport_sockets/tls/utility.cc

@@ -167,7 +167,7 @@ std::string Utility::getSerialNumberFromCertificate(X509& cert) {
   return "";
 }
 
-std::vector<std::string> Utility::getSubjectAltNames(X509& cert, int type) {
+std::vector<std::string> Utility::getSubjectAltNames(X509& cert, int type, bool skip_unsupported) {
   std::vector<std::string> subject_alt_names;
   bssl::UniquePtr<GENERAL_NAMES> san_names(
       static_cast<GENERAL_NAMES*>(X509_get_ext_d2i(&cert, NID_subject_alt_name, nullptr, nullptr)));
@@ -176,7 +176,15 @@ std::vector<std::string> Utility::getSubjectAltNames(X509& cert, int type) {
   }
   for (const GENERAL_NAME* san : san_names.get()) {
     if (san->type == type) {
-      subject_alt_names.push_back(generalNameAsString(san));
+      if (skip_unsupported) {
+        // An IP SAN for an unsupported IP version will throw an exception.
+        // TODO(ggreenway): remove this when IP address construction no longer throws.
+        TRY_NEEDS_AUDIT_ADDRESS { subject_alt_names.push_back(generalNameAsString(san)); }
+        END_TRY CATCH(const EnvoyException& e,
+                      { ENVOY_LOG_MISC(debug, "Error reading SAN, value skipped: {}", e.what()); });
+      } else {
+        subject_alt_names.push_back(generalNameAsString(san));
+      }
     }
   }
   return subject_alt_names;

source/extensions/transport_sockets/tls/utility.h

@@ -52,9 +52,11 @@ std::string getSerialNumberFromCertificate(X509& cert);
  * Retrieves the subject alternate names of a certificate.
  * @param cert the certificate
  * @param type type of subject alternate name
+ * @param skip_unsupported If true and a name is for an unsupported (on this host) IP version,
+ *   omit that name from the return value. If false, an exception will be thrown in this situation.
  * @return std::vector returns the list of subject alternate names.
  */
-std::vector<std::string> getSubjectAltNames(X509& cert, int type);
+std::vector<std::string> getSubjectAltNames(X509& cert, int type, bool skip_unsupported = false);
 
 /**
  * Converts the Subject Alternate Name to string.

test/config/integration/certs/clientcert.cfg

@@ -39,3 +39,5 @@ URI.1 = spiffe://lyft.com/frontend-team
 URI.2 = http://frontend.lyft.com
 DNS.1 = lyft.com
 DNS.2 = www.lyft.com
+IP.1 = 1.2.3.4
+IP.2 = 0:1:2:3::4

test/config/integration/certs/clientcert.pem

@@ -1,27 +1,27 @@
 -----BEGIN CERTIFICATE-----
-MIIEiTCCA3GgAwIBAgIUT9Wze0Fvw/pMvqAmPJjlD7HNjZAwDQYJKoZIhvcNAQEL
+MIIEoTCCA4mgAwIBAgIUfOq/vQ8mjLRgSYL45lUeRsi92lQwDQYJKoZIhvcNAQEL
 BQAwdjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM
 DVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQgRW5n
-aW5lZXJpbmcxEDAOBgNVBAMMB1Rlc3QgQ0EwHhcNMjIwNDA3MTY0NjM1WhcNMjQw
-NDA2MTY0NjM1WjCBqDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWEx
+aW5lZXJpbmcxEDAOBgNVBAMMB1Rlc3QgQ0EwHhcNMjMxMTE0MjMxODQwWhcNMjUx
+MTEzMjMxODQwWjCBqDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWEx
 FjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsM
 EEx5ZnQgRW5naW5lZXJpbmcxGzAZBgNVBAMMElRlc3QgRnJvbnRlbmQgVGVhbTEl
 MCMGCSqGSIb3DQEJARYWZnJvbnRlbmQtdGVhbUBseWZ0LmNvbTCCASIwDQYJKoZI
-hvcNAQEBBQADggEPADCCAQoCggEBAOwOQ96U2nYcA+lV5eFmHqwkUVH/b5wn/FXg
-ALBfT2qSn2pzMmqj3RHebqN4I7uiRGPmk7eVHxktW/ytFDdk+AwbGEOP8vWl9zR7
-3pveKchHVSdSNJ4RkXpgDLZYDDDj/JQxNzDwPD43eIUw9SKj+Mw9nTRv0hm39hhh
-hjBmvOfbdWjQPMsuSDqEAPGE06PpirTdwZNSsuBjfvo6zdnJxTgzd/Cf1KINda4P
-xklw9M9CuKQMeLwVfwMDNeI2uJ7kn1dpsOhSDBU7LEleSWGGAlcycDzLuy/5/rKc
-dON9MKUK+82rJ+cME6I+DYqS1Nz+wY9t8farXLuGK41n0G4qr1MCAwEAAaOB2zCB
-2DAMBgNVHRMBAf8EAjAAMAsGA1UdDwQEAwIF4DAdBgNVHSUEFjAUBggrBgEFBQcD
-AgYIKwYBBQUHAwEwXAYDVR0RBFUwU4Yfc3BpZmZlOi8vbHlmdC5jb20vZnJvbnRl
+hvcNAQEBBQADggEPADCCAQoCggEBAL0rleTUkmUs7g/PA9skuWZoa6RoK/NfwwfC
+WniKgiX+yRZcBy9//6HlOD3jLezD6tp+smh1UzIu3r69/r0eDjA+PsxQKDFH69LJ
+74CaFtx9rjapY3VNwuE3jNclcKzDnjNVHrvND+YAIkLhRbXyBqg3n7T1C2wtVIs5
+zOy79iu97vVuX744IDsIuWUWPpFImfgdELeAByRq8IN333jljTf3pN3GfjDf9aKL
+M6jTGRitNVPY2mOe6LpkUntHs42weUBCZ2B39c8olXWeEoCJL35ENuJ/JlxpamP+
+OlK/eShorsFE+UH8tYRMeNkb8ZEdFHohYQGO8WJ5VBw4d47loRsCAwEAAaOB8zCB
+8DAMBgNVHRMBAf8EAjAAMAsGA1UdDwQEAwIF4DAdBgNVHSUEFjAUBggrBgEFBQcD
+AgYIKwYBBQUHAwEwdAYDVR0RBG0wa4Yfc3BpZmZlOi8vbHlmdC5jb20vZnJvbnRl
 bmQtdGVhbYYYaHR0cDovL2Zyb250ZW5kLmx5ZnQuY29tgghseWZ0LmNvbYIMd3d3
-Lmx5ZnQuY29tMB0GA1UdDgQWBBROWpBWXFbgQUweTJcDDdEtGxJ6wzAfBgNVHSME
-GDAWgBQdDTmYdOz7TqwMpoOli3Dmj78ygjANBgkqhkiG9w0BAQsFAAOCAQEALyDC
-CJ2V30VRqf/vHnv4hocaNvkbg2XqSczsNsXQB9Oh15y2nrTu8nIlktJeMCwgYKB3
-tyuIYADw2c0HKmFshOiNM3P1taM+Gljx/OeyhMq/dgKTF0rX7w3vOoWrvW7o0cDJ
-gBzDAmPJegrIlAqfb97MOcLtBlk9vjh7ukh8BSRI+5Hdj5Gb8Y6tQvmiqzm5yx5L
-Swz7im1BIGwk4Hq82JO20egDYCn9zhmuDIEJGtRbl0ymcfdaC4oKqiqU/CrynaAo
-SkNXfca8Sqk1tvbfDzNkOAnLN572vkbhUnLfcqcfouRXlUl2DYmG+dCoYuWw4/co
-ahwsslCKM3xGY4ax9Q==
+Lmx5ZnQuY29thwQBAgMEhxAAAAABAAIAAwAAAAAAAAAEMB0GA1UdDgQWBBTl8J5P
+CF97S4cY6TytejTb3sngmTAfBgNVHSMEGDAWgBQdDTmYdOz7TqwMpoOli3Dmj78y
+gjANBgkqhkiG9w0BAQsFAAOCAQEAsMuSPKvSx/uDRIHWNQhUWSHfa4nfonyGBmnV
+VvC7Xatq3kZ1MCedzxHbqOOdlO4cSVq+eOHlVzWJUsJSj1J8hcVh3vZp6GFoRZgU
+F93g2dlgkmEEqEFB4qI71PwjC6amEV+xY21v/QPEouI1VumUnMnAV81G5uJDzPtn
+gmNyM6hnvKGufpaovZFeXsB0ZUnYPz+4QdKwHTErsV8uUdeJUhFHg1NjCmrqQAmm
+PG0G9JOi/dY/X5/LfGomAb7E+wuJFKHFP7gE6JvWi5M1Y1IlW1tCgN3dSCdCaUZm
+JPKWR3x+gYOFHfKNpdG/zRwOrClgISmDzZiXXFSHCn95tFocXA==
 -----END CERTIFICATE-----

test/config/integration/certs/clientcert_hash.h

@@ -1,5 +1,5 @@
 #pragma once
 
 // NOLINT(namespace-envoy)
-constexpr char TEST_CLIENT_CERT_HASH[] = "4A:FD:3A:AE:4B:36:08:A6:CB:41:4F:20:8A:86:1F:3B:43:6F:2F:"
-                                         "12:49:82:8D:9F:F6:FA:53:4D:23:26:FB:43";
+constexpr char TEST_CLIENT_CERT_HASH[] = "F6:31:41:AA:8E:E3:D7:AC:AE:A8:AF:AD:C9:11:CD:0A:83:72:03:"
+                                         "6D:4B:B3:72:4F:6F:71:E1:ED:18:5B:92:AA";