From a7c4335f48b63576ac319b4073e568eaf23b991a Mon Sep 17 00:00:00 2001
From: "update-envoy[bot]" <135279899+update-envoy[bot]@users.noreply.github.com>
Date: Thu, 12 Oct 2023 17:19:05 +0000
Subject: [PATCH] Mirrored from envoyproxy/envoy @ cd92acff8ed6b8f6a513c11b20a8ddb8b16ea14f
Signed-off-by: update-envoy[bot] <135279899+update-envoy[bot]@users.noreply.github.com>
---
 envoy/COMMIT | 2 +-
 envoy/config/route/v3/route_components.pb.go | 12 +++++++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/envoy/COMMIT b/envoy/COMMIT
index aa3124b3d7..b6a5e060d0 100644
--- a/envoy/COMMIT
+++ b/envoy/COMMIT
@@ -1 +1 @@
-a97acb12869def95c771bc4554852bf30f8b476d
+cd92acff8ed6b8f6a513c11b20a8ddb8b16ea14f
diff --git a/envoy/config/route/v3/route_components.pb.go b/envoy/config/route/v3/route_components.pb.go
index c5a9904b54..ad0fa21278 100755
--- a/envoy/config/route/v3/route_components.pb.go
+++ b/envoy/config/route/v3/route_components.pb.go
@@ -1284,7 +1284,7 @@ type RouteMatch struct { // match. The router will check the query string from the ``path`` header // against all the specified query parameters. If the number of specified // query parameters is nonzero, they all must match the ``path`` header's - // query string for a match to occur. In the event query parameters are + // query string for a match to occur. In the event query parameters are // repeated, only the first value for each key will be considered. // // .. note:: 
@@ -4149,6 +4149,16 @@ type RouteMatch_TlsContextMatchOptions struct { Presented *wrappers.BoolValue `protobuf:"bytes,1,opt,name=presented,proto3" json:"presented,omitempty"` // If specified, the route will match against whether or not a certificate is validated. // If not specified, certificate validation status (true or false) will not be considered when route matching. + // + // .. warning:: + // + // Client certificate validation is not currently performed upon TLS session resumption. For + // a resumed TLS session the route will match only when ``validated`` is false, regardless of + // whether the client TLS certificate is valid. + // + // The only known workaround for this issue is to disable TLS session resumption entirely, by + // setting both :ref:`disable_stateless_session_resumption ` + // and :ref:`disable_stateful_session_resumption ` on the DownstreamTlsContext. Validated *wrappers.BoolValue `protobuf:"bytes,2,opt,name=validated,proto3" json:"validated,omitempty"` }