TLS Client Certificate validation policy [THREESCALE-1671] #966
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![codeclimate[bot]](https://avatars.githubusercontent.com/in/9403?s=60&v=4){kind=small}
|
Hi @mikz. |
mikz
commented
Dec 13, 2018
mikz
commented
Dec 13, 2018
|
@y-tabata yes, this policy enables validation of TLS Client certificates used by clients when connecting to APIcast. |
mikz
added a commit
to mikz/apicast-tls-validation-policy
that referenced
this pull request
Jan 15, 2019
Extracted from 3scale/APIcast#966
mikz
force-pushed
the
tls-validation-poc
branch
6 times, most recently
from
52f7c1b to
777a66e
Compare
mikz
changed the title
mikz
added a commit
to mikz/apicast-tls-validation-policy
that referenced
this pull request
Jan 16, 2019
Extracted from 3scale/APIcast#966
davidor
reviewed
Jan 17, 2019
| proxy_ssl_certificate_key $TEST_NGINX_SERVER_ROOT/html/client.key; | ||
| proxy_pass https://$server_addr:$apicast_port/t; | ||
| proxy_set_header Host localhost; | ||
| log_by_lua_block { collectgarbage() } |
There was a problem hiding this comment.
To run the Test::Nginx memory leak test mode. I was worried that there are some memory leaks in the OpenSSL wrapper, so I was running the memory leak checker.
davidor
reviewed
Jan 17, 2019
|
|
||
| policy:access() | ||
|
|
||
| assert.stub(ngx.exit).was_called_with(400) |
There was a problem hiding this comment.
Would 403 be more appropriate?
There was a problem hiding this comment.
I think I got the 400 from testing normal nginx certificate veritifation.
davidor
approved these changes
Jan 17, 2019
mikz
added a commit
to mikz/apicast-tls-validation-policy
that referenced
this pull request
Jan 21, 2019
Extracted from 3scale/APIcast#966
mikz
added a commit
to mikz/apicast-tls-validation-policy
that referenced
this pull request
Jan 22, 2019
Extracted from 3scale/APIcast#966
mikz
added a commit
to mikz/apicast-tls-validation-policy
that referenced
this pull request
Jan 22, 2019
Extracted from 3scale/APIcast#966
BIO, EVP, X509, X509 Store and CTX to read, print and validate certificates.
Validate TLS Client Certiticate against a whitelist of individual certificates or CAs.
mikz
force-pushed
the
tls-validation-poc
branch
from
777a66e to
31e6c22
Compare
mikz
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Experiment with FFI and OpenSSL to validate client certificates.
rover exec bin/busted spec/resty/openssl --repeat=10000 --no-auto-insulatewithout memory leaksIn case of expired or not yet valid certificate nginx rejects the client certificate right away before applying any policies.