envoyproxy/envoy

SPIFFE validator + "mtls_authenticated" do not support session resumption

Open

#42,668 创建于 2025年12月17日

在 GitHub 查看
 (4 评论) (0 反应) (0 负责人)C++ (5,373 fork)batch import
area/tlsbughelp wanted

仓库指标

Star
 (27,997 star)
PR 合并指标
 (平均合并 8天) (30 天内合并 378 个 PR)

描述

On a resumed session, "peer certificate validated" is set to false since that bit is cert by the validator flow per connection. That means any policy using mtls_authenticated evaluates to false, and can be dangerous if used as a DENY policy. The workaround is to disable session resumption in TLS.

贡献者指南