area/tlsenhancementhelp wanted
倉庫指標
- Star
- (27,997 star)
- PR 合併指標
- (平均合併 8天) (30 天內合併 378 個 PR)
描述
(forked from #615)
Currently, Envoy assumes that:
- there is single CA in
ca_cert_file(at least when it comes to client certificates, displaying CA information and calculating expiration dates), - there are no intermediates in
cert_chain_file(at least for the purpose of calculating expiration dates).
@mattklein123 How useful is the expiration date tracking in practice? Are you using this in production?
@timperrett Could you verify that this fixes the issues you described in #615?
diff --git a/source/common/ssl/context_impl.cc b/source/common/ssl/context_impl.cc
index 1ca93c4b7..aa94ba32f 100644
--- a/source/common/ssl/context_impl.cc
+++ b/source/common/ssl/context_impl.cc
@@ -45,9 +45,12 @@ ContextImpl::ContextImpl(ContextManagerImpl& parent, Stats::Scope& scope, Contex
fmt::format("Failed to load verify locations file {}", config.caCertFile()));
}
- // This will send an acceptable CA list to browsers which will prevent pop ups.
- rc = SSL_CTX_add_client_CA(ctx_.get(), ca_cert_.get());
- RELEASE_ASSERT(1 == rc);
+ bssl::UniquePtr<STACK_OF(X509_NAME)> list(SSL_load_client_CA_file(config.caCertFile().c_str()));
+ if (nullptr == list) {
+ throw EnvoyException(
+ fmt::format("Failed to load verify locations file {}", config.caCertFile()));
+ }
+ SSL_CTX_set_client_CA_list(ctx_.get(), list.release());
verify_mode = SSL_VERIFY_PEER;
}