Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: the client verify flag might not be set #6906

Merged
merged 4 commits into from
Apr 22, 2022
Merged

fix: the client verify flag might not be set #6906

merged 4 commits into from
Apr 22, 2022

Conversation

spacewander
Copy link
Member

@spacewander spacewander commented Apr 22, 2022
edited
Loading

A more suitable way is to reject client TLS handshake directly, just
like what Go has done.

Signed-off-by: spacewander spacewanderlzx@gmail.com

Description

Fixes #6896

Checklist

  • I have explained the need for this PR and the problem it solves
  • I have explained the changes or the new features added to this PR
  • I have added tests corresponding to this change
  • I have updated the documentation to reflect this change
  • I have verified that this change is backward compatible (If not, please discuss on the APISIX mailing list first)

@spacewander
fix: the client verify flag might not be set
be966df 
A more suitable way is to reject client TLS handshake directly, just
like what Go has done.

Fix apache#6896
Signed-off-by: spacewander <spacewanderlzx@gmail.com>
@spacewander spacewander marked this pull request as ready for review April 22, 2022 02:51
@spacewander
the previous fix is incorrect
b372b7c 
Signed-off-by: spacewander <spacewanderlzx@gmail.com>
@spacewander
fix wrong param
13825e2 
Signed-off-by: spacewander <spacewanderlzx@gmail.com>
membphis
membphis reviewed Apr 22, 2022
View reviewed changes
apisix/init.lua Show resolved Hide resolved
apisix/init.lua Show resolved Hide resolved
membphis
membphis previously approved these changes Apr 22, 2022
View reviewed changes
Copy link
Member

@membphis membphis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

membphis
membphis reviewed Apr 22, 2022
View reviewed changes
apisix/init.lua Outdated
-- always fetch table from the table pool, we don't need a reused api_ctx
local api_ctx = core.tablepool.fetch("api_ctx", 0, 32)
ngx_ctx.api_ctx = api_ctx

if not verify_tls_client(ngx_ctx.api_ctx) then
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we can use api_ctx here

membphis
membphis reviewed Apr 22, 2022
View reviewed changes
apisix/init.lua Outdated
if not api_ctx then
api_ctx = core.tablepool.fetch("api_ctx", 0, 32)
ngx_ctx.api_ctx = api_ctx
end

if not verify_tls_client(ngx_ctx.api_ctx) then
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ditto

@spacewander
tweak
f27ba1b 
Signed-off-by: spacewander <spacewanderlzx@gmail.com>
@tokers
Copy link
Contributor

tokers commented Apr 22, 2022

Anyway to test the fix?

@spacewander
Copy link
Member Author

Anyway to test the fix?

Not so easy to do it.

@spacewander spacewander merged commit bf5585a into apache:master Apr 22, 2022
spacewander added a commit to spacewander/incubator-apisix that referenced this pull request May 18, 2022
@spacewander
fix: the client verify flag might not be set (apache#6906)
3748570 
A more suitable way is to reject the client TLS handshake directly, just
like what Go has done.

Fix apache#6896
Signed-off-by: spacewander <spacewanderlzx@gmail.com>
spacewander added a commit that referenced this pull request May 18, 2022
@spacewander
fix: the client verify flag might not be set (#6906)
80b6b2d 
A more suitable way is to reject the client TLS handshake directly, just
like what Go has done.

Fix #6896
Signed-off-by: spacewander <spacewanderlzx@gmail.com>
tzssangglass pushed a commit to tzssangglass/apisix that referenced this pull request May 19, 2022
@spacewander @tzssangglass
fix: the client verify flag might not be set (apache#6906)
83153d1 
A more suitable way is to reject the client TLS handshake directly, just
like what Go has done.

Fix apache#6896
Signed-off-by: spacewander <spacewanderlzx@gmail.com>
spacewander added a commit that referenced this pull request May 20, 2022
@spacewander
fix: the client verify flag might not be set (#6906)
c2eff65 
A more suitable way is to reject the client TLS handshake directly, just
like what Go has done.

Fix #6896
Signed-off-by: spacewander <spacewanderlzx@gmail.com>
Liu-Junlin pushed a commit to Liu-Junlin/apisix that referenced this pull request May 20, 2022
@spacewander @Liu-Junlin
fix: the client verify flag might not be set (apache#6906)
94f798e 
A more suitable way is to reject the client TLS handshake directly, just
like what Go has done.

Fix apache#6896
Signed-off-by: spacewander <spacewanderlzx@gmail.com>
spacewander added a commit to spacewander/incubator-apisix that referenced this pull request May 27, 2022
@spacewander
fix: the client verify flag might not be set (apache#6906)
2b0260f 
A more suitable way is to reject the client TLS handshake directly, just
like what Go has done.

Fix apache#6896
Signed-off-by: spacewander <spacewanderlzx@gmail.com>
@hahayyum hahayyum mentioned this pull request Jun 14, 2022
Closed
spacewander added a commit that referenced this pull request Jun 30, 2022
@spacewander
fix: the client verify flag might not be set (#6906)
819278a 
A more suitable way is to reject the client TLS handshake directly, just
like what Go has done.

Fix #6896
Signed-off-by: spacewander <spacewanderlzx@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tokers tokers tokers approved these changes

@membphis membphis membphis approved these changes

@bzp2010 bzp2010 Awaiting requested review from bzp2010

@leslie-tsang leslie-tsang Awaiting requested review from leslie-tsang

@tzssangglass tzssangglass Awaiting requested review from tzssangglass

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

bug: mtls does not take effect
3 participants
@spacewander @tokers @membphis