envoyproxy/envoy

SPIFFE validator + "mtls_authenticated" do not support session resumption

Open

#42,668 opened on 2025年12月17日

GitHub で見る
 (4 comments) (0 reactions) (0 assignees)C++ (5,373 forks)batch import
area/tlsbughelp wanted

Repository metrics

Stars
 (27,997 stars)
PR merge metrics
 (平均マージ 8d) (30d で 378 merged PRs)

説明

On a resumed session, "peer certificate validated" is set to false since that bit is cert by the validator flow per connection. That means any policy using mtls_authenticated evaluates to false, and can be dangerous if used as a DENY policy. The workaround is to disable session resumption in TLS.

コントリビューターガイド