-
Notifications
You must be signed in to change notification settings - Fork 2.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: the client verify flag might not be set #6906
Conversation
A more suitable way is to reject client TLS handshake directly, just like what Go has done. Fix apache#6896 Signed-off-by: spacewander <[email protected]>
Signed-off-by: spacewander <[email protected]>
Signed-off-by: spacewander <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
apisix/init.lua
Outdated
-- always fetch table from the table pool, we don't need a reused api_ctx | ||
local api_ctx = core.tablepool.fetch("api_ctx", 0, 32) | ||
ngx_ctx.api_ctx = api_ctx | ||
|
||
if not verify_tls_client(ngx_ctx.api_ctx) then |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we can use api_ctx
here
apisix/init.lua
Outdated
if not api_ctx then | ||
api_ctx = core.tablepool.fetch("api_ctx", 0, 32) | ||
ngx_ctx.api_ctx = api_ctx | ||
end | ||
|
||
if not verify_tls_client(ngx_ctx.api_ctx) then |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ditto
Signed-off-by: spacewander <[email protected]>
Anyway to test the fix? |
Not so easy to do it. |
A more suitable way is to reject the client TLS handshake directly, just like what Go has done. Fix apache#6896 Signed-off-by: spacewander <[email protected]>
A more suitable way is to reject the client TLS handshake directly, just like what Go has done. Fix #6896 Signed-off-by: spacewander <[email protected]>
A more suitable way is to reject the client TLS handshake directly, just like what Go has done. Fix apache#6896 Signed-off-by: spacewander <[email protected]>
A more suitable way is to reject the client TLS handshake directly, just like what Go has done. Fix #6896 Signed-off-by: spacewander <[email protected]>
A more suitable way is to reject the client TLS handshake directly, just like what Go has done. Fix apache#6896 Signed-off-by: spacewander <[email protected]>
A more suitable way is to reject the client TLS handshake directly, just like what Go has done. Fix apache#6896 Signed-off-by: spacewander <[email protected]>
A more suitable way is to reject the client TLS handshake directly, just like what Go has done. Fix #6896 Signed-off-by: spacewander <[email protected]>
A more suitable way is to reject client TLS handshake directly, just
like what Go has done.
Signed-off-by: spacewander [email protected]
Description
Fixes #6896
Checklist