From 40a26bd7b59eab972afa5559b6e4767308694ffa Mon Sep 17 00:00:00 2001
From: Kuat Yessenov
Date: Fri, 23 Feb 2024 00:09:23 +0000
Subject: [PATCH] backport https://github.com/envoyproxy/envoy/pull/32315
Change-Id: I5b5ec42d5b3138060505c74d313d759199083e8d
Signed-off-by: Kuat Yessenov
---
 changelogs/current.yaml | 5 +++++
 source/common/grpc/google_grpc_creds_impl.cc | 9 +++------
 2 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/changelogs/current.yaml b/changelogs/current.yaml
index ab766f2e8138..61fc804b4e27 100644
--- a/changelogs/current.yaml
+++ b/changelogs/current.yaml
@@ -16,5 +16,10 @@ removed_config_or_runtime:
 # *Normally occurs at the end of the* :ref:`deprecation period `
 new_features:
+- area: google_grpc
+ change: |
+ Added an off-by-default runtime flag
+ ``envoy.reloadable_features.google_grpc_disable_tls_13`` to disable TLSv1.3
+ usage by gRPC SDK for ``google_grpc`` services.
 deprecated:
diff --git a/source/common/grpc/google_grpc_creds_impl.cc b/source/common/grpc/google_grpc_creds_impl.cc
index ba508bb18b7d..5aa2ea91fd8a 100644
--- a/source/common/grpc/google_grpc_creds_impl.cc
+++ b/source/common/grpc/google_grpc_creds_impl.cc
@@ -18,12 +18,9 @@ std::shared_ptr CredsUtility::getChannelCredentials(
 case envoy::config::core::v3::GrpcService::GoogleGrpc::ChannelCredentials::
 CredentialSpecifierCase::kSslCredentials: {
 const auto& ssl_credentials = google_grpc.channel_credentials().ssl_credentials();
- const auto root_certs =
- Config::DataSource::read(ssl_credentials.root_certs(), true, api);
- const auto private_key =
- Config::DataSource::read(ssl_credentials.private_key(), true, api);
- const auto cert_chain =
- Config::DataSource::read(ssl_credentials.cert_chain(), true, api);
+ const auto root_certs = Config::DataSource::read(ssl_credentials.root_certs(), true, api);
+ const auto private_key = Config::DataSource::read(ssl_credentials.private_key(), true, api);
+ const auto cert_chain = Config::DataSource::read(ssl_credentials.cert_chain(), true, api);
 grpc::experimental::TlsChannelCredentialsOptions options;
 if (!private_key.empty() || !cert_chain.empty()) {
 options.set_certificate_provider(
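Review bot: Nothing on the new side of this hunk reads `envoy.reloadable_features.google_grpc_disable_tls_13`, although the changelog entry in the same patch announces that flag. The three added lines only re-wrap the `Config::DataSource::read` calls, and the diffstat lists no other source file, so the flag registration and the TLS-version cap appear to have been dropped from the backport. An operator who sets the flag to work around a TLSv1.3 interop problem would then see no change in what the gRPC channel negotiates. Unless the check already exists further down in `getChannelCredentials()` (its body continues outside the hunk), add the guard right after `options` is declared, e.g. `if (Runtime::runtimeFeatureEnabled("envoy.reloadable_features.google_grpc_disable_tls_13")) { options.set_max_tls_version(grpc_tls_version::TLS1_2); }`, and register the flag as off by default. Otherwise remove the changelog entry so the documentation matches the behaviour.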