envoyproxy/envoy
Voir sur GitHubTLS: Improve story with intermediate and/or multiple CAs
Open
#1 220 ouverte le 7 juil. 2017
area/tlsenhancementhelp wanted
Métriques du dépôt
- Stars
- (27 997 stars)
- Métriques de merge PR
- (Merge moyen 8j) (378 PRs mergées en 30 j)
Description
(forked from #615)
Currently, Envoy assumes that:
- there is single CA in
ca_cert_file(at least when it comes to client certificates, displaying CA information and calculating expiration dates), - there are no intermediates in
cert_chain_file(at least for the purpose of calculating expiration dates).
@mattklein123 How useful is the expiration date tracking in practice? Are you using this in production?
@timperrett Could you verify that this fixes the issues you described in #615?
diff --git a/source/common/ssl/context_impl.cc b/source/common/ssl/context_impl.cc
index 1ca93c4b7..aa94ba32f 100644
--- a/source/common/ssl/context_impl.cc
+++ b/source/common/ssl/context_impl.cc
@@ -45,9 +45,12 @@ ContextImpl::ContextImpl(ContextManagerImpl& parent, Stats::Scope& scope, Contex
fmt::format("Failed to load verify locations file {}", config.caCertFile()));
}
- // This will send an acceptable CA list to browsers which will prevent pop ups.
- rc = SSL_CTX_add_client_CA(ctx_.get(), ca_cert_.get());
- RELEASE_ASSERT(1 == rc);
+ bssl::UniquePtr<STACK_OF(X509_NAME)> list(SSL_load_client_CA_file(config.caCertFile().c_str()));
+ if (nullptr == list) {
+ throw EnvoyException(
+ fmt::format("Failed to load verify locations file {}", config.caCertFile()));
+ }
+ SSL_CTX_set_client_CA_list(ctx_.get(), list.release());
verify_mode = SSL_VERIFY_PEER;
}