envoyproxy/envoy

TLS: Improve story with intermediate and/or multiple CAs

Open

#1,220 opened on 2017年7月7日

GitHub で見る
 (19 comments) (0 reactions) (0 assignees)C++ (5,373 forks)batch import
area/tlsenhancementhelp wanted

Repository metrics

Stars
 (27,997 stars)
PR merge metrics
 (平均マージ 8d) (30d で 378 merged PRs)

説明

(forked from #615)

Currently, Envoy assumes that:

  • there is single CA in ca_cert_file (at least when it comes to client certificates, displaying CA information and calculating expiration dates),
  • there are no intermediates in cert_chain_file (at least for the purpose of calculating expiration dates).

@mattklein123 How useful is the expiration date tracking in practice? Are you using this in production?

@timperrett Could you verify that this fixes the issues you described in #615?

diff --git a/source/common/ssl/context_impl.cc b/source/common/ssl/context_impl.cc
index 1ca93c4b7..aa94ba32f 100644
--- a/source/common/ssl/context_impl.cc
+++ b/source/common/ssl/context_impl.cc
@@ -45,9 +45,12 @@ ContextImpl::ContextImpl(ContextManagerImpl& parent, Stats::Scope& scope, Contex
           fmt::format("Failed to load verify locations file {}", config.caCertFile()));
     }
 
-    // This will send an acceptable CA list to browsers which will prevent pop ups.
-    rc = SSL_CTX_add_client_CA(ctx_.get(), ca_cert_.get());
-    RELEASE_ASSERT(1 == rc);
+    bssl::UniquePtr<STACK_OF(X509_NAME)> list(SSL_load_client_CA_file(config.caCertFile().c_str()));
+    if (nullptr == list) {
+      throw EnvoyException(
+          fmt::format("Failed to load verify locations file {}", config.caCertFile()));
+    }
+    SSL_CTX_set_client_CA_list(ctx_.get(), list.release());
 
     verify_mode = SSL_VERIFY_PEER;
   }

コントリビューターガイド