SPIFFE validator + "mtls_authenticated" do not support session resumption · envoyproxy/envoy#42668

(4 评论) (0 反应) (0 负责人)C++ (27,997 star) (5,373 fork)batch import

area/tlsbughelp wanted

描述

On a resumed session, "peer certificate validated" is set to false since that bit is cert by the validator flow per connection. That means any policy using mtls_authenticated evaluates to false, and can be dangerous if used as a DENY policy. The workaround is to disable session resumption in TLS.

贡献者指南

技术栈: cpp
领域: securitybackend
议题类型: bug
难度: 4
预计时间: 1-2 days
活动状态: fresh
清晰度: clear
前置要求: Understanding of TLS session resumptionFamiliarity with Envoy proxyC++ development experienceKnowledge of SPIFFE validator
新手友好度: 35
研究方向: Investigate the SPIFFE validator implementation to understand why peer certificate validation is not triggered on session resumption. Focus on the authentication filter and TLS handshake handling in the Envoy source code. Check the relevant test files for session resumption behavior. Consider whether the fix should update the validation state on resumption or ensure the validator callback is invoked.