envoyproxy/envoy

SPIFFE validator + "mtls_authenticated" do not support session resumption

Open

#42668 opened on Dec 17, 2025

View on GitHub
 (4 comments) (0 reactions) (0 assignees)C++ (27,997 stars) (5,373 forks)batch import
area/tlsbughelp wanted

Description

On a resumed session, "peer certificate validated" is set to false since that bit is cert by the validator flow per connection. That means any policy using mtls_authenticated evaluates to false, and can be dangerous if used as a DENY policy. The workaround is to disable session resumption in TLS.

Contributor guide

Tech stack
cpp
Domain
securitybackend
Issue type
bug
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
4
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
1-2 days
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
fresh
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
clear
Prerequisites
Understanding of TLS session resumptionFamiliarity with Envoy proxyC++ development experienceKnowledge of SPIFFE validator
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
35
Research direction
Investigate the SPIFFE validator implementation to understand why peer certificate validation is not triggered on session resumption. Focus on the authentication filter and TLS handshake handling in the Envoy source code. Check the relevant test files for session resumption behavior. Consider whether the fix should update the validation state on resumption or ensure the validator callback is invoked.