envoyproxy/envoy

TLS: Improve story with intermediate and/or multiple CAs

Open

#1 220 ouverte le 7 juil. 2017

Voir sur GitHub
 (19 commentaires) (0 réactions) (0 assignés)C++ (5 373 forks)batch import
area/tlsenhancementhelp wanted

Métriques du dépôt

Stars
 (27 997 stars)
Métriques de merge PR
 (Merge moyen 8j) (378 PRs mergées en 30 j)

Description

(forked from #615)

Currently, Envoy assumes that:

  • there is single CA in ca_cert_file (at least when it comes to client certificates, displaying CA information and calculating expiration dates),
  • there are no intermediates in cert_chain_file (at least for the purpose of calculating expiration dates).

@mattklein123 How useful is the expiration date tracking in practice? Are you using this in production?

@timperrett Could you verify that this fixes the issues you described in #615?

diff --git a/source/common/ssl/context_impl.cc b/source/common/ssl/context_impl.cc
index 1ca93c4b7..aa94ba32f 100644
--- a/source/common/ssl/context_impl.cc
+++ b/source/common/ssl/context_impl.cc
@@ -45,9 +45,12 @@ ContextImpl::ContextImpl(ContextManagerImpl& parent, Stats::Scope& scope, Contex
           fmt::format("Failed to load verify locations file {}", config.caCertFile()));
     }
 
-    // This will send an acceptable CA list to browsers which will prevent pop ups.
-    rc = SSL_CTX_add_client_CA(ctx_.get(), ca_cert_.get());
-    RELEASE_ASSERT(1 == rc);
+    bssl::UniquePtr<STACK_OF(X509_NAME)> list(SSL_load_client_CA_file(config.caCertFile().c_str()));
+    if (nullptr == list) {
+      throw EnvoyException(
+          fmt::format("Failed to load verify locations file {}", config.caCertFile()));
+    }
+    SSL_CTX_set_client_CA_list(ctx_.get(), list.release());
 
     verify_mode = SSL_VERIFY_PEER;
   }

Guide contributeur