Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2022/02/22 07:49:24 UTC

[GitHub] [apisix] whioue opened a new issue #6418: bug: apisix failed to verify the validity of the server certificate

whioue opened a new issue #6418:
URL: https://github.com/apache/apisix/issues/6418


   ### Issue description
   
   I configured an ssl resource with the client.ca and client.depth parameters, configured a client certificate and key in the upstream, and ran a backend server with mutual TLS enabled. Analysing a packet capture, I found that the client and APISIX perform a complete and normal mutual authentication, but when APISIX acts as the client and performs mutual authentication with the server, APISIX does not verify the validity of the server certificate: when the server is configured with an invalid certificate and key, APISIX does not terminate the request but returns the server's response directly.
   
   ### Environment
   
   - apisix version (cmd: `apisix version`): v2.8
   - OS (cmd: `uname -a`): linux centos
   - OpenResty / Nginx version (cmd: `nginx -V` or `openresty -V`):
   - etcd version, if any (cmd: run `curl http://127.0.0.1:9090/v1/server_info` to get the info from server-info API):
   - apisix-dashboard version, if any:
   - the plugin runner version, if the issue is about a plugin runner (cmd: depends on the kind of runner):
   - luarocks version, if the issue is about installation (cmd: `luarocks --version`):
   
   
   ### Steps to reproduce
   
   {
       "uris": ["/*"],
       "hosts": ["www.testCa.com"],
       "methods": ["PUT", "GET"],
       "upstream": {
           "type": "roundrobin",
           "nodes": {
               "192.168.32.2:8089": 1
           },
           "scheme": "https",
           "tls": {
               "client_cert": "-----BEGIN CERTIFICATE-----\nMIIC3........DCCA==\n-----END CERTIFICATE-----",
               "client_key": "-----BEGIN RSA PRIVATE KEY-----\nHrMHU.......vE9EsvnO==\n-----END RSA PRIVATE KEY-----"
           },
           "hash_on": "vars",
           "pass_host": "pass"
       }
   }
   
   ssl:
   {
       "snis": ["www.testCa.com"],
       "cert": "-----BEGIN CERTIFICATE-----\nMIIC+jCCA........pMg==\n-----END CERTIFICATE-----",
       "client": {
           "ca": "-----BEGIN CERTIFICATE-----\nMIIC......Ot7Tl89Pz\nYic=\n-----END CERTIFICATE-----",
           "depth": 1
       },
       "key": "-----BEGIN RSA PRIVATE KEY-----\nHrMHU.......vRFEWCGnO==\n-----END RSA PRIVATE KEY-----",
       "status": 1
   }
   
   
   ### Actual result
   
   With the correct client certificate and key configured in the upstream, and the server configured with the correct CA certificate but an invalid/mismatched server certificate and key, APISIX does not terminate the request but returns the backend response.
   
   ### Error log
   
   None
   
   ### Expected result
   
   I would like APISIX to verify the validity of the server certificate, so that the mutual authentication process is complete.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [apisix] whioue commented on issue #6418: bug: apisix failed to verify the validity of the server certificate

Posted by GitBox <gi...@apache.org>.
whioue commented on issue #6418:
URL: https://github.com/apache/apisix/issues/6418#issuecomment-1048403905


   > @whioue APISIX doesn't enable the `proxy_ssl_verify` directive, one of the solutions is enabling the `proxy_ssl_verify` by yourself, through the https://github.com/apache/apisix/blob/master/conf/config-default.yaml#L193.
   
   Only client_cert and client_key are configured in the upstream; there is no client_ca field. As I understand it, this means the connection from APISIX to the business host is not a complete mutual authentication, which does not fully match what is described in https://github.com/apache/apisix/blob/master/docs/zh/latest/mtls.md. Is there any plan to introduce a client_ca setting in the upstream for verifying the server certificate?
   ![image](https://user-images.githubusercontent.com/47098518/155254044-60c67b30-ed34-41ba-8ec1-78e452df2280.png)
   





[GitHub] [apisix] tokers commented on issue #6418: bug: apisix failed to verify the validity of the server certificate

Posted by GitBox <gi...@apache.org>.
tokers commented on issue #6418:
URL: https://github.com/apache/apisix/issues/6418#issuecomment-1048369958


   @whioue APISIX doesn't enable the `proxy_ssl_verify` directive, one of the solutions is enabling the `proxy_ssl_verify` by yourself, through the https://github.com/apache/apisix/blob/master/conf/config-default.yaml#L193.


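A defender-side check prompted by the comment above, added here as an example and not part of the issue or of APISIX's own code: it audits route/upstream objects in the shape shown in the issue and flags HTTPS upstreams whose server certificate is never verified. The per-upstream `tls.verify` flag and `client_cert_id` field are assumptions (later APISIX releases expose them); the v2.8 workaround named in the comment, the gateway-wide nginx `proxy_ssl_verify` directive, is modelled as a parameter.

```python
import json

def upstream_of(obj):
    """Inline upstream of a route, or the object itself when it already is an upstream.
    A route that only references an upstream_id has no inline TLS settings and is skipped."""
    return obj.get("upstream", obj)

def node_names(up):
    """Upstream nodes as 'host:port' strings (both the dict and the list forms)."""
    nodes = up.get("nodes", {})
    if isinstance(nodes, dict):
        return sorted(nodes)
    return [f"{n.get('host')}:{n.get('port')}" for n in nodes]

def audit_upstream_tls(obj, proxy_ssl_verify=False):
    """Findings for one route/upstream; proxy_ssl_verify mirrors the nginx directive."""
    up = upstream_of(obj)
    if up.get("scheme") != "https":
        return []                      # plain http or non-HTTP upstream: nothing to verify
    tls = up.get("tls", {})
    if proxy_ssl_verify or tls.get("verify") is True:   # tls.verify is assumed (see lead-in)
        return []
    where = ", ".join(node_names(up)) or "?"
    if "client_cert" in tls or "client_cert_id" in tls:  # client_cert_id is assumed
        # The situation from the issue: the gateway authenticates itself to the
        # backend but never checks who the backend is.
        return [f"one-way mTLS to {where}: client cert is sent but the server "
                "certificate is never verified"]
    return [f"https to {where} without server certificate verification"]

def audit(objects, proxy_ssl_verify=False):
    """Map id (or list index) -> findings for every object that fails the check."""
    report = {}
    for i, obj in enumerate(objects):
        findings = audit_upstream_tls(obj, proxy_ssl_verify)
        if findings:
            report[str(obj.get("id", i))] = findings
    return report

# Constructed sample in the shape of the route from the issue (certificate bodies elided).
SAMPLE_ROUTE = json.loads("""{
  "id": "testCa", "uris": ["/*"], "hosts": ["www.testCa.com"],
  "upstream": {"type": "roundrobin", "nodes": {"192.168.32.2:8089": 1}, "scheme": "https",
               "tls": {"client_cert": "-----BEGIN CERTIFICATE-----...",
                       "client_key": "-----BEGIN RSA PRIVATE KEY-----..."}}
}""")

if __name__ == "__main__":
    print(json.dumps(audit([SAMPLE_ROUTE]), indent=2))
```

Feed it the objects returned by the Admin API's route and upstream listings; a finding means the backend's identity is trusted on faith, exactly the gap the reporter observed.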



[GitHub] [apisix] whioue edited a comment on issue #6418: bug: apisix failed to verify the validity of the server certificate

Posted by GitBox <gi...@apache.org>.
whioue edited a comment on issue #6418:
URL: https://github.com/apache/apisix/issues/6418#issuecomment-1047723879


   > @whioue What exactly does "when the server is configured with an invalid certificate and key" mean? Have you tried accessing your backend with curl?
   
   When starting the backend service, it loads a CA certificate, a server certificate and a server key, but the server certificate and private key were not issued by that CA. Normally, when APISIX accesses this service as a client, the server sends this certificate and key to APISIX during mutual authentication, and APISIX should detect that the certificate and key are invalid and terminate the request; instead it continues the request and obtains the service response. When accessing this backend service with curl, it reports a certificate verification failure and cannot get a response.





[GitHub] [apisix] whioue edited a comment on issue #6418: bug: apisix failed to verify the validity of the server certificate

Posted by GitBox <gi...@apache.org>.
whioue edited a comment on issue #6418:
URL: https://github.com/apache/apisix/issues/6418#issuecomment-1047723879


   > @whioue What exactly does "when the server is configured with an invalid certificate and key" mean? Have you tried accessing your backend with curl?
   
   When starting the backend service, it loads a CA certificate, a server certificate and a server key, but the server certificate and private key were not issued by that CA. Normally, when APISIX accesses this service as a client, the server sends this certificate and key to APISIX during mutual authentication, and APISIX should detect that the certificate and key are invalid and terminate the request; instead it continues the request and obtains the service response. When accessing this service with curl, it reports a certificate verification failure and the request cannot be completed normally.





[GitHub] [apisix] tokers commented on issue #6418: bug: apisix failed to verify the validity of the server certificate

Posted by GitBox <gi...@apache.org>.
tokers commented on issue #6418:
URL: https://github.com/apache/apisix/issues/6418#issuecomment-1047695160


   @whioue What's the specific meaning of "when the server is configured with an invalid certificate and key"? Have you ever tried to access your backend by curl?





[GitHub] [apisix] whioue commented on issue #6418: bug: apisix failed to verify the validity of the server certificate

Posted by GitBox <gi...@apache.org>.
whioue commented on issue #6418:
URL: https://github.com/apache/apisix/issues/6418#issuecomment-1047723879


   > @whioue What exactly does "when the server is configured with an invalid certificate and key" mean? Have you tried accessing your backend with curl?
   
   When starting the backend service, it loads a CA certificate, a server certificate and a server key, but the server certificate and private key were not issued by that CA. Normally, when APISIX accesses this service as a client, the server sends this certificate and key to APISIX during mutual authentication, but APISIX does not detect that the certificate and key are invalid and simply obtains the response. When accessing this service with curl, it reports a certificate verification failure and the request cannot be completed normally.

