envoyproxy/envoy

SPIFFE validator + "mtls_authenticated" do not support session resumption

Open

#42,668 建立於 2025年12月17日

在 GitHub 查看
 (4 留言) (0 反應) (0 負責人)C++ (5,373 fork)batch import
area/tlsbughelp wanted

倉庫指標

Star
 (27,997 star)
PR 合併指標
 (平均合併 8天) (30 天內合併 378 個 PR)

描述

On a resumed session, "peer certificate validated" is set to false since that bit is cert by the validator flow per connection. That means any policy using mtls_authenticated evaluates to false, and can be dangerous if used as a DENY policy. The workaround is to disable session resumption in TLS.

貢獻者指南