Envoy's peerCertificateValidated() appears to behave inconsistently #4396
Comments
I think this may be related to TLS session resumption. I'm unable to reproduce this issue when connecting to Pomerium via
However, if I add the option
There's an open upstream issue for this problem (only with a route match based on the client certificate validation status, rather than a Lua filter): envoyproxy/envoy#21235. Disabling ticket-based session resumption by setting
Some options:
I've begun to discuss an upstream fix on envoyproxy/envoy#21235, but I'll plan to proceed with option (1) for now.
@desimone and I discussed another option today, which I previously hadn't given much consideration:
My understanding is that this should completely disable TLS session resumption (and so avoid the Envoy issue). The downside is that Pomerium would no longer support TLS 1.2 whenever downstream mTLS is enabled. It's unclear to me whether any Pomerium users have a hard requirement on TLS 1.2 support. I've prototyped this approach here: defe0fd. Initial testing appears promising: I haven't observed a spurious 495 error page so far, and I've been unable to resume a session with
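The two comments above both hinge on the same question: does the server still let a client-certificate-authenticated session be resumed, and what does the application return on the resumed connection? The script below is an added example (not Pomerium's code and not the command the commenter used); it assumes `openssl` 1.1.1 or newer is on PATH and that the host, port, client certificate and key are supplied as arguments. The first connection does a full handshake with the client certificate and saves the session; the second offers only the saved session and no certificate, so if it reports `reused` the server accepted resumption, and the HTTP status of that second response shows whether the application treated it as authenticated (for the bug described in this issue, a 495 on a reused session reproduces the problem; a `new` on the second connection is what the TLS 1.3-only prototype is expected to produce).

```shell
#!/bin/sh
# Added example, not part of the Pomerium project or this issue's comments.
# Assumes: `openssl` (1.1.1+) on PATH; arguments host port client.crt client.key.

# Classify one `openssl s_client` transcript read on stdin as "new", "reused"
# or "unknown", using the "New, TLSv1.3, Cipher is ..." / "Reused, ..." line
# that s_client prints after the handshake.
session_status() {
  awk '
    /^Reused, / { print "reused"; found = 1; exit }
    /^New, /    { print "new";    found = 1; exit }
    END         { if (!found) print "unknown" }
  '
}

# Extract the HTTP status code from the server response echoed by s_client.
# Prints "none" if no status line is present.
http_status() {
  awk '
    /^HTTP\/[0-9.]+ [0-9][0-9][0-9]/ { print $2; found = 1; exit }
    END                              { if (!found) print "none" }
  '
}

# Connection 1: full handshake with the client certificate, session saved.
# Connection 2: same server, saved session offered, no client certificate.
# Prints: first=<status> second=<status> second_http=<code>
probe_resumption() {
  host=$1; port=$2; cert=$3; key=$4
  sess=$(mktemp) || return 1
  req='GET / HTTP/1.0\r\nHost: '"$host"'\r\n\r\n'

  first=$(printf "$req" |
    openssl s_client -connect "$host:$port" -servername "$host" \
      -cert "$cert" -key "$key" -sess_out "$sess" 2>/dev/null |
    session_status)

  out2=$(printf "$req" |
    openssl s_client -connect "$host:$port" -servername "$host" \
      -sess_in "$sess" 2>/dev/null)
  second=$(printf '%s\n' "$out2" | session_status)
  code=$(printf '%s\n' "$out2" | http_status)

  rm -f "$sess"
  printf 'first=%s second=%s second_http=%s\n' "$first" "$second" "$code"
}

# Usage: sh probe.sh pomerium.example.com 443 client.crt client.key
if [ "$#" -eq 4 ]; then
  probe_resumption "$1" "$2" "$3" "$4"
fi
```

Run it a few times: with TLS 1.3 the session ticket arrives after the handshake, so if the first connection is torn down before the ticket is read the second connection will also report `new`, which does not prove resumption is disabled. A `reused` second connection combined with a 495 is the condition this issue describes.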
Envoy has accepted a new configuration option Together with the existing Once this new version of Envoy is released, I propose we:
(Note that fully removing these checks requires that we also complete the removal of the deprecated
What happened?
For #4352, I thought I had configured Envoy to perform client certificate validation (as a prerequisite to #4353). I believed we could rely on the result of Envoy's peerCertificateValidated() Lua method in order to determine whether a request was made over a connection with a trusted client certificate. However, the behavior of this method appears to be inconsistent. For initial requests with a valid client certificate, this method returns true, but for some subsequent requests, this method may return false. Consequently Pomerium may return a 495 error page even for requests with a valid client certificate.
What did you expect to happen?
Pomerium should not return a 495 error page for requests with a valid client certificate.
How'd it happen?
tls_downstream_client_ca setting, to enable client certificate validation for that particular route.
What's your environment like?
pomerium --version:
pomerium: v0.20.0-430-g6c1416fc+6c1416fc
envoy: 1.25.5+ecf50a958e5c053e5016b994943d8e77710b8c7ddeef5bc6ca32b8ca09e7bcbc
What's your config.yaml?
What did you see in the logs?
Additional context
n/a