envoyproxy/envoy

Add verify_client_certificate.

Open

#5.501 aberto em 6 de jan. de 2019

Ver no GitHub
 (3 comments) (0 reactions) (0 assignees)C++ (5.373 forks)batch import
area/tlshelp wanted

Métricas do repositório

Stars
 (27.997 stars)
Métricas de merge de PR
 (Mesclagem média 8d) (378 fundiu PRs em 30d)

Description

From https://github.com/envoyproxy/envoy/pull/5207#issuecomment-447345279:

I think that we could simply add verify_client_certificate: true|check|false, where:

  • true would verify the client certificate and reject connection if the verification failed (what we have today),
  • check would verify the client certificate, but forward it and the verification status via x-forwarded-client-cert or another header (for easier matching), regardless of the verification status,
  • false would forward the client certificate to the backend via x-forwarded-client-cert without attempting to verify it (to avoid crypto operations, do access control at the backend, etc.).

Guia do colaborador