envoyproxy/envoy

SPIFFE validator + "mtls_authenticated" do not support session resumption

Open

#42.668 aperta il 17 dic 2025

Vedi su GitHub
 (4 commenti) (0 reazioni) (0 assegnatari)C++ (5373 fork)batch import
area/tlsbughelp wanted

Metriche repository

Star
 (27.997 star)
Metriche merge PR
 (Merge medio 8g) (378 PR mergiate in 30 g)

Descrizione

On a resumed session, "peer certificate validated" is set to false since that bit is cert by the validator flow per connection. That means any policy using mtls_authenticated evaluates to false, and can be dangerous if used as a DENY policy. The workaround is to disable session resumption in TLS.

Guida contributor