envoyproxy/envoy

TLS: Improve story with intermediate and/or multiple CAs

Open

#1.220 geöffnet am 7. Juli 2017

Auf GitHub ansehen
 (19 Kommentare) (0 Reaktionen) (0 zugewiesene Personen)C++ (5.373 Forks)batch import
area/tlsenhancementhelp wanted

Repository-Metriken

Stars
 (27.997 Stars)
PR-Merge-Metriken
 (Durchschn. Merge 8T) (378 gemergte PRs in 30 T)

Beschreibung

(forked from #615)

Currently, Envoy assumes that:

  • there is single CA in ca_cert_file (at least when it comes to client certificates, displaying CA information and calculating expiration dates),
  • there are no intermediates in cert_chain_file (at least for the purpose of calculating expiration dates).

@mattklein123 How useful is the expiration date tracking in practice? Are you using this in production?

@timperrett Could you verify that this fixes the issues you described in #615?

diff --git a/source/common/ssl/context_impl.cc b/source/common/ssl/context_impl.cc
index 1ca93c4b7..aa94ba32f 100644
--- a/source/common/ssl/context_impl.cc
+++ b/source/common/ssl/context_impl.cc
@@ -45,9 +45,12 @@ ContextImpl::ContextImpl(ContextManagerImpl& parent, Stats::Scope& scope, Contex
           fmt::format("Failed to load verify locations file {}", config.caCertFile()));
     }
 
-    // This will send an acceptable CA list to browsers which will prevent pop ups.
-    rc = SSL_CTX_add_client_CA(ctx_.get(), ca_cert_.get());
-    RELEASE_ASSERT(1 == rc);
+    bssl::UniquePtr<STACK_OF(X509_NAME)> list(SSL_load_client_CA_file(config.caCertFile().c_str()));
+    if (nullptr == list) {
+      throw EnvoyException(
+          fmt::format("Failed to load verify locations file {}", config.caCertFile()));
+    }
+    SSL_CTX_set_client_CA_list(ctx_.get(), list.release());
 
     verify_mode = SSL_VERIFY_PEER;
   }

Contributor Guide