downstream_mtls.match_subject_alt_names does not work on "policy" enforcement. #4614
Comments
Hi @calderonth, the

Note that the example policy you provided does not have any such

Recall the policy action semantics: "a user will have access to a route if at least one allow rule matches and no deny rules match." Let's consider the example policy you provided:

```yaml
policy:
  - allow:
      or:
        - authenticated_user: true
        - client_certificate:
            fingerprint:
              - '3bdf2e5eee6e4a124664cee8c7b910ef20dc6d625075113017dfaa011950fe44'
              - '214407b8123eac731d2d06f3c17156b9189fd726c4cdd16892bb49268d7484ef'
```

This policy has one

To modify this policy so that it requires a trusted client certificate in all cases, you could add an explicit

```yaml
policy:
  - allow:
      or:
        - authenticated_user: true
        - client_certificate:
            fingerprint:
              - '3bdf2e5eee6e4a124664cee8c7b910ef20dc6d625075113017dfaa011950fe44'
              - '214407b8123eac731d2d06f3c17156b9189fd726c4cdd16892bb49268d7484ef'
  - deny:
      or:
        - invalid_client_certificate: true
```

With this policy, all requests must be accompanied by a trusted client certificate, which given the

Or, if you wish to apply the client certificate requirements to all routes, please use the default
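To make the allow/deny semantics in the comment above concrete, here is an added Python model of the evaluation (it is not Pomerium's code). It assumes that a client certificate which fails the configured SAN matching counts as invalid, that fingerprint pinning only applies to a certificate that validated, and that `invalid_client_certificate: true` matches whenever no valid certificate accompanies the request; the criterion names and fingerprints are the ones from the policy above, and the `Request` objects are constructed inputs.

```python
from typing import Optional

# Fingerprints taken from the policy in the comment above.
TRUSTED_FINGERPRINTS = [
    "3bdf2e5eee6e4a124664cee8c7b910ef20dc6d625075113017dfaa011950fe44",
    "214407b8123eac731d2d06f3c17156b9189fd726c4cdd16892bb49268d7484ef",
]
ALLOW_RULE = {"allow": {"or": [
    {"authenticated_user": True},
    {"client_certificate": {"fingerprint": TRUSTED_FINGERPRINTS}},
]}}
DENY_RULE = {"deny": {"or": [{"invalid_client_certificate": True}]}}
ORIGINAL_POLICY = [ALLOW_RULE]            # as posted in the issue
HARDENED_POLICY = [ALLOW_RULE, DENY_RULE]  # with the explicit deny rule added

class Request:
    """Constructed view of a request (assumed model, not Pomerium's internals)."""
    def __init__(self, authenticated: bool, fingerprint: Optional[str], cert_valid: bool):
        self.authenticated = authenticated
        self.fingerprint = fingerprint  # None when no client certificate was presented
        self.cert_valid = cert_valid    # assumed: passed both CA and SAN checks

def criterion_matches(name: str, value, req: Request) -> bool:
    if name == "authenticated_user":
        return req.authenticated == value
    if name == "client_certificate":
        # Assumed: a pinned fingerprint only counts for a certificate that validated.
        return req.cert_valid and req.fingerprint in value["fingerprint"]
    if name == "invalid_client_certificate":
        # Assumed: matches when no valid client certificate accompanies the request.
        return (not req.cert_valid) == value
    raise ValueError(f"unknown criterion {name}")

def rule_matches(body: dict, req: Request) -> bool:
    # A rule body is {"or": [...]} or {"and": [...]}; each item is one criterion.
    op, items = next(iter(body.items()))
    results = [criterion_matches(*next(iter(c.items())), req) for c in items]
    return any(results) if op == "or" else all(results)

def allowed(policy: list, req: Request) -> bool:
    # Access iff at least one allow rule matches and no deny rule matches.
    allow_hit = any(rule_matches(r["allow"], req) for r in policy if "allow" in r)
    deny_hit = any(rule_matches(r["deny"], req) for r in policy if "deny" in r)
    return allow_hit and not deny_hit

def decisions(req: Request) -> tuple:
    """(original policy decision, hardened policy decision) for one request."""
    return allowed(ORIGINAL_POLICY, req), allowed(HARDENED_POLICY, req)
```

The interesting case is a logged-in user presenting a certificate that chains to the CA but fails SAN matching: the original policy admits it through the `authenticated_user` branch, while the hardened policy's deny rule rejects it.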
What happened?
When configuring a Pomerium instance with mTLS enabled and setting the enforcement mode to "policy", the SAN matching does not happen and allows a valid certificate missing the required SANs to access a route.
What did you expect to happen?
This does not happen when setting the enforcement mode to `reject_connection`. The behavior should be consistent across enforcement modes for the SAN logic.