whioue opened a new issue #6418:
URL: https://github.com/apache/apisix/issues/6418


   ### Issue description
   
   I configured an ssl resource with both client.ca and client.depth set, configured a client certificate and key on the upstream, and ran a backend server with mutual TLS enabled. Analysing a packet capture, I found that the client and apisix perform a complete and normal mutual authentication, but when apisix acts as the client in the mutual authentication with the backend server, apisix does not check the validity of the server certificate: when the server is configured with an invalid certificate and key, apisix does not terminate the request but directly returns the server's response.
   
   ### Environment
   
   - apisix version (cmd: `apisix version`): v2.8
   - OS (cmd: `uname -a`): linux centos
   - OpenResty / Nginx version (cmd: `nginx -V` or `openresty -V`):
   - etcd version, if any (cmd: run `curl http://127.0.0.1:9090/v1/server_info` to get the info from server-info API):
   - apisix-dashboard version, if any:
   - the plugin runner version, if the issue is about a plugin runner (cmd: depends on the kind of runner):
   - luarocks version, if the issue is about installation (cmd: `luarocks --version`):
   
   
   ### Steps to reproduce
   
   ```json
   {
       "uris": ["/*"],
       "hosts": ["www.testCa.com"],
       "methods": ["PUT", "GET"],
       "upstream": {
           "type": "roundrobin",
           "nodes": {
               "192.168.32.2:8089": 1
           },
           "scheme": "https",
           "tls": {
               "client_cert": "-----BEGIN CERTIFICATE-----\nMIIC3........DCCA==\n-----END CERTIFICATE-----",
               "client_key": "-----BEGIN RSA PRIVATE KEY-----\nHrMHU.......vE9EsvnO==\n-----END RSA PRIVATE KEY-----"
           },
           "hash_on": "vars",
           "pass_host": "pass"
       }
   }
   ```
   
   ssl:
   
   ```json
   {
       "snis": ["www.testCa.com"],
       "cert": "-----BEGIN CERTIFICATE-----\nMIIC+jCCA........pMg==\n-----END CERTIFICATE-----",
       "client": {
           "ca": "-----BEGIN CERTIFICATE-----\nMIIC......Ot7Tl89Pz\nYic=\n-----END CERTIFICATE-----",
           "depth": 1
       },
       "key": "-----BEGIN RSA PRIVATE KEY-----\nHrMHU.......vRFEWCGnO==\n-----END RSA PRIVATE KEY-----",
       "status": 1
   }
   ```
   
   
   ### Actual result
   
   With the correct client certificate and key configured in the upstream, and the backend server configured with the correct CA certificate but an invalid/mismatched server certificate and key, apisix did not terminate the request after the access but returned the backend's response.
   
   ### Error log
   
   None
   
   ### Expected result
   
   I would like apisix to verify the validity of the server certificate, so that the mutual authentication process is complete.
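
To make the reported gap concrete, here is an added Go example (editor's code, not APISIX code and not from the reporter) that reproduces the two sides of the scenario offline: an mTLS upstream on loopback that demands a client certificate, and a client that dials it either without verifying the server certificate (the observed behaviour) or while requiring a chain to a trusted CA (the expected behaviour). It also goes one step beyond the report: the rogue upstream certificate carries the genuine hostname and is signed by an unrelated CA, so the only thing standing between the client and a spoofed backend is the chain check. Everything here is constructed for the example: the in-process CAs and certificates, the hostname `upstream.example`, and the helper names `issue`, `Fixture`, `NewFixture` and `Connect`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate for cn: a self-signed CA when parent is nil, otherwise a
// leaf signed by parent that is valid for server and client auth. Fixture code: panics on error.
func issue(cn string, parent *tls.Certificate, serial int64) *tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	signer, signKey := tmpl, interface{}(key) // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn} // SAN, which Go's hostname check requires
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
		signer, signKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // DER we just produced; cannot fail
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// Fixture is the constructed PKI: one CA trusted by both sides, plus a rogue upstream
// certificate that carries the genuine hostname but is signed by an unrelated CA.
type Fixture struct{ CA, Server, Client, RogueServer *tls.Certificate }

func NewFixture() *Fixture {
	ca, rogueCA := issue("Test CA", nil, 1), issue("Rogue CA", nil, 2)
	return &Fixture{
		CA:          ca,
		Server:      issue("upstream.example", ca, 3),
		Client:      issue("apisix-client", ca, 4),
		RogueServer: issue("upstream.example", rogueCA, 5),
	}
}

// Connect starts a one-shot mTLS upstream on loopback that, like the reporter's backend,
// demands a client certificate from the trusted CA, then dials it as the gateway would.
// verify=false accepts any server certificate (the reported behaviour); verify=true requires
// a chain to the trusted CA (the expected behaviour). Returns the client-side handshake error.
func (f *Fixture) Connect(serverCert *tls.Certificate, verify bool) error {
	trusted := x509.NewCertPool()
	trusted.AddCert(f.CA.Leaf)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{*serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    trusted,
	})
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() { // drive the server side of one handshake; its verdict is not needed here
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	cfg := &tls.Config{
		Certificates:       []tls.Certificate{*f.Client},
		ServerName:         "upstream.example",
		InsecureSkipVerify: !verify, // true is the gap described in the issue
	}
	if verify {
		cfg.RootCAs = trusted // the CA bundle the gateway should trust for upstreams
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err != nil {
		return err
	}
	return conn.Close()
}

func main() {
	f := NewFixture()
	fmt.Println("genuine upstream, verify on :", f.Connect(f.Server, true))
	fmt.Println("rogue upstream,   verify off:", f.Connect(f.RogueServer, false))
	fmt.Println("rogue upstream,   verify on :", f.Connect(f.RogueServer, true))
}
```

The second line of output is the reported behaviour: a client certificate is presented and the backend accepts it, so the capture looks like a healthy mutual handshake, yet the client never checked who it was talking to. The third line is what a complete mutual authentication looks like from the client side: the handshake aborts with an x509 "unknown authority" error before any request is sent. Against a real backend the same check can be made by hand with `openssl s_client -connect host:port -CAfile ca.pem` (plus `-cert`/`-key` for the client certificate) and reading the "Verify return code" line.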


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
