Posted to notifications@apisix.apache.org by "wangkpot (via GitHub)" <gi...@apache.org> on 2023/05/22 07:02:58 UTC

[GitHub] [apisix] wangkpot opened a new issue, #9525: bug: in mTLS, clients can establish connection with server by expired cert in session resumption.

wangkpot opened a new issue, #9525:
URL: https://github.com/apache/apisix/issues/9525

   ### Current Behavior
   
   In mTLS, clients can establish a connection with the server using an expired cert via session resumption.
   
   ### Expected Behavior
   
   In mTLS, clients can't establish a connection with the server using an expired cert via session resumption.
   
   ### Error Logs
   
   _No response_
   
   ### Steps to Reproduce
   
   1. A client with a valid cert sends a request and receives a response successfully in mTLS the first time;
   2. when the cert has expired, clients can still establish a connection with the server via session resumption.
   
   ### Environment
   
   - APISIX version (run `apisix version`): 2.13.1
   - Operating system (run `uname -a`): Centos7
   - OpenResty / Nginx version (run `openresty -V` or `nginx -V`): 1.21.4.1
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


Re: [I] bug: in mTLS, clients can establish connection with server by expired cert in session resumption. [apisix]

Posted by "wangkpot (via GitHub)" <gi...@apache.org>.
wangkpot commented on issue #9525:
URL: https://github.com/apache/apisix/issues/9525#issuecomment-1780256669

   fine.



[GitHub] [apisix] github-actions[bot] commented on issue #9525: bug: in mTLS, clients can establish connection with server by expired cert in session resumption.

Posted by "github-actions[bot] (via GitHub)" <gi...@apache.org>.
github-actions[bot] commented on issue #9525:
URL: https://github.com/apache/apisix/issues/9525#issuecomment-1678692448

   Due to lack of the reporter's response this issue has been labeled with "no response". It will be closed in 3 days if no further activity occurs. If this issue is still relevant, please simply write any comment. Even if closed, you can still revive the issue at any time or discuss it on the dev@apisix.apache.org list. Thank you for your contributions.



[GitHub] [apisix] wangkpot commented on issue #9525: bug: in mTLS, clients can establish connection with server by expired cert in session resumption.

Posted by "wangkpot (via GitHub)" <gi...@apache.org>.
wangkpot commented on issue #9525:
URL: https://github.com/apache/apisix/issues/9525#issuecomment-1608865167

   > I considered for a while; even if we don't change the Nginx core, we may need to tweak the way we set the session timeout, e.g., parsing the certificates (both the client and server), getting the certificate expiration time, and taking the shortest time (of course, also respecting the `ssl_session_timeout` directive) as the timeout.
   
   yep, that's what I thought.



[GitHub] [apisix] Sn0rt commented on issue #9525: bug: in mTLS, clients can establish connection with server by expired cert in session resumption.

Posted by "Sn0rt (via GitHub)" <gi...@apache.org>.
Sn0rt commented on issue #9525:
URL: https://github.com/apache/apisix/issues/9525#issuecomment-1633389430

   will reproduce in 2.13 @sn0rt



[GitHub] [apisix] Sn0rt commented on issue #9525: bug: in mTLS, clients can establish connection with server by expired cert in session resumption.

Posted by "Sn0rt (via GitHub)" <gi...@apache.org>.
Sn0rt commented on issue #9525:
URL: https://github.com/apache/apisix/issues/9525#issuecomment-1659869813

   @wangkpot 
   
   We are now using a fixed ssl_session_timeout:
   https://github.com/apache/apisix/blob/455d5bfac93ed1b16bc9d0209bb29143c22a5585/apisix/cli/ngx_tpl.lua#L626
   
   So it is indeed possible that the cert expires but the ssl session can still be reused.
   
   The solution is indeed as @tokers said before: a measure of cert expiration is needed to dynamically change ssl_session_timeout, which requires a certain amount of work:
   
   https://github.com/apache/apisix/issues/9525#issuecomment-1608851793
   
   Based on the above reasons, it is concluded that:
   
   APISIX will ignore this issue.
   
   In a production environment, certificates are generally replaced 30 days before expiration.
   
   



[GitHub] [apisix] Sn0rt commented on issue #9525: bug: in mTLS, clients can establish connection with server by expired cert in session resumption.

Posted by "Sn0rt (via GitHub)" <gi...@apache.org>.
Sn0rt commented on issue #9525:
URL: https://github.com/apache/apisix/issues/9525#issuecomment-1624639730

   14 July @Sn0rt
   
   



[GitHub] [apisix] github-actions[bot] commented on issue #9525: bug: in mTLS, clients can establish connection with server by expired cert in session resumption.

Posted by "github-actions[bot] (via GitHub)" <gi...@apache.org>.
github-actions[bot] commented on issue #9525:
URL: https://github.com/apache/apisix/issues/9525#issuecomment-1684909390

   This issue has been closed due to lack of activity. If you think that is incorrect, or the issue requires additional review, you can revive the issue at any time.



[GitHub] [apisix] tokers commented on issue #9525: bug: in mTLS, clients can establish connection with server by expired cert in session resumption.

Posted by "tokers (via GitHub)" <gi...@apache.org>.
tokers commented on issue #9525:
URL: https://github.com/apache/apisix/issues/9525#issuecomment-1558314750

   > By default, APISIX/Nginx won't verify the client strictly. If that is the case you desire, try enabling `ssl_verify_client`.
   
   PS: we may consider supporting a dynamic flag in the `client-control` plugin.



[GitHub] [apisix] tokers commented on issue #9525: bug: in mTLS, clients can establish connection with server by expired cert in session resumption.

Posted by "tokers (via GitHub)" <gi...@apache.org>.
tokers commented on issue #9525:
URL: https://github.com/apache/apisix/issues/9525#issuecomment-1608851793

   I considered for a while; even if we don't change the Nginx core, we may need to tweak the way we set the session timeout, e.g., parsing the certificates (both the client and server), getting the certificate expiration time, and taking the shortest time (of course, also respecting the `ssl_session_timeout` directive) as the timeout.
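The timeout rule proposed above (and restated later in the thread by @Sn0rt), written out as an added example that is not APISIX's or Nginx's own code: the session lifetime is the configured `ssl_session_timeout` capped by the remaining validity of every certificate in the verified peer chain, and a chain that is already expired yields zero, i.e. do not cache the session at all. The function names and the self-signed test certificates are constructed for the example; applying a per-connection value in practice still needs the Nginx-side change the thread discusses.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// sessionTimeout (hypothetical name) returns how long a TLS session may be
// cached for resumption. It starts from the configured ssl_session_timeout and
// shortens it so the session can never outlive any certificate in the chain.
// A zero result means the chain is already expired: do not cache the session.
func sessionTimeout(now time.Time, configured time.Duration, chain []*x509.Certificate) time.Duration {
	timeout := configured
	for _, c := range chain {
		remaining := c.NotAfter.Sub(now)
		if remaining <= 0 {
			return 0 // expired (or expiring this instant): force a full handshake next time
		}
		if remaining < timeout {
			timeout = remaining // cert expires before the configured timeout would
		}
	}
	return timeout
}

// selfSigned builds a throwaway self-signed certificate with the given validity
// window; this is constructed test data, not a real client or server cert.
func selfSigned(cn string, notBefore, notAfter time.Time) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func main() {
	now := time.Now().UTC().Truncate(time.Second)
	client := selfSigned("client.example", now.Add(-time.Hour), now.Add(5*time.Minute))
	server := selfSigned("gateway.example", now.Add(-time.Hour), now.Add(24*time.Hour))
	fmt.Println(sessionTimeout(now, 10*time.Minute, []*x509.Certificate{client, server}))
}
```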



[GitHub] [apisix] wangkpot commented on issue #9525: bug: in mTLS, clients can establish connection with server by expired cert in session resumption.

Posted by "wangkpot (via GitHub)" <gi...@apache.org>.
wangkpot commented on issue #9525:
URL: https://github.com/apache/apisix/issues/9525#issuecomment-1560532033

   > By default, APISIX/Nginx won't verify the client strictly. If that is the case you desire, try enabling `ssl_verify_client`.
   
   Even if `ssl_verify_client` is enabled, the above problem still occurs.



[GitHub] [apisix] An-DJ commented on issue #9525: bug: in mTLS, clients can establish connection with server by expired cert in session resumption.

Posted by "An-DJ (via GitHub)" <gi...@apache.org>.
An-DJ commented on issue #9525:
URL: https://github.com/apache/apisix/issues/9525#issuecomment-1564130822

   Hi @wangkpot, : )
   A new doc about how to configure mTLS between client and APISIX has been published here:
   https://docs.api7.ai/apisix/how-to-guide/traffic-management/tls-and-mtls/configure-mtls-between-client-and-apisix
   
   Could you refer to this doc and offer an example which can be easily reproduced? That may help diagnose whether it is a bug.



[GitHub] [apisix] github-actions[bot] closed issue #9525: bug: in mTLS, clients can establish connection with server by expired cert in session resumption.

Posted by "github-actions[bot] (via GitHub)" <gi...@apache.org>.
github-actions[bot] closed issue #9525: bug: in mTLS, clients can establish connection with server by expired cert in session resumption.
URL: https://github.com/apache/apisix/issues/9525



[GitHub] [apisix] tokers commented on issue #9525: bug: in mTLS, clients can establish connection with server by expired cert in session resumption.

Posted by "tokers (via GitHub)" <gi...@apache.org>.
tokers commented on issue #9525:
URL: https://github.com/apache/apisix/issues/9525#issuecomment-1558314498

   By default, APISIX/Nginx won't verify the client strictly. If that is the case you desire, try enabling `ssl_verify_client`.



[GitHub] [apisix] wangkpot commented on issue #9525: bug: in mTLS, clients can establish connection with server by expired cert in session resumption.

Posted by "wangkpot (via GitHub)" <gi...@apache.org>.
wangkpot commented on issue #9525:
URL: https://github.com/apache/apisix/issues/9525#issuecomment-1566706667

   > Hi @wangkpot, : ) A new doc about how to configure mTLS between client and APISIX has been published here: https://docs.api7.ai/apisix/how-to-guide/traffic-management/tls-and-mtls/configure-mtls-between-client-and-apisix
   > 
   > Could you refer to this doc and offer an example which can be easily reproduced? That may help diagnose whether it is a bug.
   
   OK. Here are the steps to reproduce:
   1. configure mTLS between client and APISIX correctly;
   2. the client sends a request with a client cert which expires in five minutes, and receives a response successfully;
   3. five minutes later, the client sends a request with the **expired** client cert and still receives a response successfully (TLS resumption happens here).



[GitHub] [apisix] tokers commented on issue #9525: bug: in mTLS, clients can establish connection with server by expired cert in session resumption.

Posted by "tokers (via GitHub)" <gi...@apache.org>.
tokers commented on issue #9525:
URL: https://github.com/apache/apisix/issues/9525#issuecomment-1608793924

   As per the RFC 5426:
   
   > Sessions cannot be resumed unless both the client and server agree.
   > If either party suspects that the session may have been compromised,
   > or that certificates may have expired or been revoked, it should
   > force a full handshake.
   
   It seems that APISIX should force a full handshake when the session is compromised. Currently, APISIX uses the built-in Nginx way to store and reuse TLS sessions. If we want to fix this behavior, we may need some effort to change the Nginx core.

