envoyproxy/envoy
在 GitHub 查看SPIFFE validator + "mtls_authenticated" do not support session resumption
Open
#42,668 创建于 2025年12月17日
area/tlsbughelp wanted
仓库指标
- Star
- (27,997 star)
- PR 合并指标
- (平均合并 8天) (30 天内合并 378 个 PR)
描述
On a resumed session, "peer certificate validated" is set to false since that bit is cert by the validator flow per connection. That means any policy using mtls_authenticated evaluates to false, and can be dangerous if used as a DENY policy. The workaround is to disable session resumption in TLS.