envoyproxy/envoy
Vedi su GitHubSPIFFE validator + "mtls_authenticated" do not support session resumption
Open
#42.668 aperta il 17 dic 2025
area/tlsbughelp wanted
Metriche repository
- Star
- (27.997 star)
- Metriche merge PR
- (Merge medio 8g) (378 PR mergiate in 30 g)
Descrizione
On a resumed session, "peer certificate validated" is set to false since that bit is cert by the validator flow per connection. That means any policy using mtls_authenticated evaluates to false, and can be dangerous if used as a DENY policy. The workaround is to disable session resumption in TLS.