You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2022/02/21 02:47:32 UTC
[GitHub] [apisix] lijian-sw opened a new issue #6393: request help: Mutual TLS with client san validation
lijian-sw opened a new issue #6393:
URL: https://github.com/apache/apisix/issues/6393
### Issue description
Hi,
I have seen and tested Apisix can successfully do client authentication based on client SSL certificates.
But what I miss in this client certificate authentication is the SAN validation.
So in other words, how to ensure Apisix validates the client ip with the value specified in the client certificate (SAN or CN).
For what I have tested this validation does not take place, which results in a client certificate which still can be shared and used by multiple clients, are there any options within Apisix to ensure such validation can take place?
Am I overlooking something here?
### Environment
- apisix version (cmd: `apisix version`): 2.11.0
- OS (cmd: `uname -a`): Linux 3.10.0
- OpenResty / Nginx version (cmd: `nginx -V` or `openresty -V`): openresty/1.19.9.1
- etcd version, if have (cmd: run `curl http://127.0.0.1:9090/v1/server_info` to get the info from server-info API): 3.4.0
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] tokers commented on issue #6393: request help: Mutual TLS with client san validation
Posted by GitBox <gi...@apache.org>.
tokers commented on issue #6393:
URL: https://github.com/apache/apisix/issues/6393#issuecomment-1046747014
> AFAIK, we don't support san verification yet. But I have implemented a similar function, code like
>
> ```
> local ssl = require("ssl")
> local san = ssl.loadcertificate(raw_cert):extensions()
> ```
>
> by this way, we can get san, but it seems that this function is blocking.
The fetching result can be cached with the LRU.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] tzssangglass commented on issue #6393: request help: Mutual TLS with client san validation
Posted by GitBox <gi...@apache.org>.
tzssangglass commented on issue #6393:
URL: https://github.com/apache/apisix/issues/6393#issuecomment-1046461821
AFAIK, we don't support san verification yet. But I have implemented a similar function, code like
```
local ssl = require("ssl")
local san = ssl.loadcertificate(raw_cert):extensions()
```
by this way, we can get san, but it seems that this function is blocking.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org