
fix: the client verify flag might not be set #6906

Merged
merged 4 commits into from
Apr 22, 2022

Conversation

spacewander
Member

@spacewander spacewander commented Apr 22, 2022

A more suitable way is to reject client TLS handshake directly, just
like what Go has done.

Signed-off-by: spacewander <[email protected]>

Description

Fixes #6896

Checklist

  • I have explained the need for this PR and the problem it solves
  • I have explained the changes or the new features added to this PR
  • I have added tests corresponding to this change
  • I have updated the documentation to reflect this change
  • I have verified that this change is backward compatible (If not, please discuss on the APISIX mailing list first)
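The approach the description points at, rejecting the client at the TLS handshake the way Go's crypto/tls does, as an added Go example that is not code from this PR or from APISIX. It builds a throwaway in-memory PKI and runs four handshakes over net.Pipe: a server whose ClientAuth is RequireAndVerifyClientCert fails the handshake for a client that presents no certificate or one from an unrelated CA, and admits a certificate issued by its trusted CA; the same server set to RequestClientCert asks for a certificate but admits a client that sends none, which is the shape of the "mTLS does not take effect" gap this PR closes. The helper names (mustCert, handshake, RunScenarios), the scenario labels and the certificate subjects are assumptions made for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

var serial int64 // distinct serials are all a throwaway PKI needs

// mustCert issues a self-signed CA when parent is nil, otherwise a leaf signed by
// parent. Everything is generated in memory, so the example runs offline; local
// key and certificate generation are not expected to fail, hence the panics.
func mustCert(cn string, isCA bool, parent *tls.Certificate) *tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")}, // SAN the client checks the server against
	}
	signerCert, signerKey := tmpl, any(key) // self-signed unless a parent is given
	if parent != nil {
		signerCert, signerKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// handshake runs one TLS handshake over an in-memory pipe against a server that
// applies the given client-auth policy and returns the server's handshake error:
// nil means the server admitted the client, non-nil means it was rejected at the
// handshake. The verdict is the server's, because that is where mTLS is enforced.
func handshake(policy tls.ClientAuthType, pool *x509.CertPool, server, client []tls.Certificate) error {
	srvRaw, cliRaw := net.Pipe()
	deadline := time.Now().Add(5 * time.Second) // backstop so a misbehaving peer cannot hang the demo
	srvRaw.SetDeadline(deadline)
	cliRaw.SetDeadline(deadline)
	verdict := make(chan error, 1)
	go func() {
		defer srvRaw.Close()
		srv := tls.Server(srvRaw, &tls.Config{Certificates: server, ClientAuth: policy, ClientCAs: pool})
		verdict <- srv.Handshake()
	}()
	cli := tls.Client(cliRaw, &tls.Config{RootCAs: pool, ServerName: "127.0.0.1", Certificates: client})
	cli.Handshake()            // the client's view is not the verdict: a TLS 1.3 client finishes first
	cli.Read(make([]byte, 1)) // drain the alert the server sends after the client's Finished
	cli.Close()
	return <-verdict
}

// RunScenarios builds a throwaway PKI and returns the server's verdict per scenario.
func RunScenarios() map[string]error {
	ca := mustCert("demo-ca", true, nil)
	server := []tls.Certificate{*mustCert("127.0.0.1", false, ca)}
	good := []tls.Certificate{*mustCert("demo-client", false, ca)}
	rogue := []tls.Certificate{*mustCert("rogue-client", false, mustCert("rogue-ca", true, nil))}
	pool := x509.NewCertPool() // the only CA whose client certificates the server trusts
	pool.AddCert(ca.Leaf)
	return map[string]error{
		"require/no-cert":      handshake(tls.RequireAndVerifyClientCert, pool, server, nil),
		"require/valid-cert":   handshake(tls.RequireAndVerifyClientCert, pool, server, good),
		"require/rogue-cert":   handshake(tls.RequireAndVerifyClientCert, pool, server, rogue),
		"request-only/no-cert": handshake(tls.RequestClientCert, pool, server, nil), // asks, never enforces
	}
}

func main() {
	for name, err := range RunScenarios() {
		fmt.Printf("%-22s accepted=%v err=%v\n", name, err == nil, err)
	}
}
```

Running it prints one line per scenario; a nil error is an admitted client. The point of reading the verdict on the server side is a detail worth keeping in mind when checking whether mTLS is actually enforced on a listener: a TLS 1.3 client completes its own handshake before the server has judged the certificate, so the client's Handshake returning nil says nothing, and only the server's result, or an actual request getting through, shows whether verification was applied.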

A more suitable way is to reject client TLS handshake directly, just
like what Go has done.

Fix apache#6896
Signed-off-by: spacewander <[email protected]>
@spacewander spacewander marked this pull request as ready for review April 22, 2022 02:51
Signed-off-by: spacewander <[email protected]>
membphis
membphis previously approved these changes Apr 22, 2022
Member

@membphis membphis left a comment


LGTM

apisix/init.lua Outdated
-- always fetch table from the table pool, we don't need a reused api_ctx
local api_ctx = core.tablepool.fetch("api_ctx", 0, 32)
ngx_ctx.api_ctx = api_ctx

if not verify_tls_client(ngx_ctx.api_ctx) then
Member


we can use api_ctx here

apisix/init.lua Outdated
if not api_ctx then
    api_ctx = core.tablepool.fetch("api_ctx", 0, 32)
    ngx_ctx.api_ctx = api_ctx
end

if not verify_tls_client(ngx_ctx.api_ctx) then
Member


ditto

Signed-off-by: spacewander <[email protected]>
@tokers
Contributor

tokers commented Apr 22, 2022

Any way to test the fix?

@spacewander
Member Author

Any way to test the fix?

Not so easy to do it.

@spacewander spacewander merged commit bf5585a into apache:master Apr 22, 2022
spacewander added a commit to spacewander/incubator-apisix that referenced this pull request May 18, 2022
A more suitable way is to reject the client TLS handshake directly, just
like what Go has done.

Fix apache#6896
Signed-off-by: spacewander <[email protected]>
spacewander added a commit that referenced this pull request May 18, 2022
A more suitable way is to reject the client TLS handshake directly, just
like what Go has done.

Fix #6896
Signed-off-by: spacewander <[email protected]>
tzssangglass pushed a commit to tzssangglass/apisix that referenced this pull request May 19, 2022
A more suitable way is to reject the client TLS handshake directly, just
like what Go has done.

Fix apache#6896
Signed-off-by: spacewander <[email protected]>
spacewander added a commit that referenced this pull request May 20, 2022
A more suitable way is to reject the client TLS handshake directly, just
like what Go has done.

Fix #6896
Signed-off-by: spacewander <[email protected]>
Liu-Junlin pushed a commit to Liu-Junlin/apisix that referenced this pull request May 20, 2022
A more suitable way is to reject the client TLS handshake directly, just
like what Go has done.

Fix apache#6896
Signed-off-by: spacewander <[email protected]>
spacewander added a commit to spacewander/incubator-apisix that referenced this pull request May 27, 2022
A more suitable way is to reject the client TLS handshake directly, just
like what Go has done.

Fix apache#6896
Signed-off-by: spacewander <[email protected]>
spacewander added a commit that referenced this pull request Jun 30, 2022
A more suitable way is to reject the client TLS handshake directly, just
like what Go has done.

Fix #6896
Signed-off-by: spacewander <[email protected]>
Successfully merging this pull request may close these issues.

bug: mtls does not take effect
3 participants