TLS docs do not mention that the subject alt name is not verified by default #7312
Comments
|
Agreed we can/should do better here. Doc PRs appreciated to add warnings, links, etc. |
mattklein123
added a commit
that referenced
this issue
Oct 19, 2019
Merged
mattklein123
added a commit
that referenced
this issue
Oct 21, 2019
mattklein123
pushed a commit
to envoyproxy/data-plane-api
that referenced
this issue
Oct 21, 2019
Fixes envoyproxy/envoy#8190 Fixes envoyproxy/envoy#7420 Fixes envoyproxy/envoy#7331 Fixes envoyproxy/envoy#7312 Fixes envoyproxy/envoy#7284 Signed-off-by: Matt Klein <mklein@lyft.com> Mirrored from https://github.com/envoyproxy/envoy @ 8e0b240b0e0abcda07b7b259178bdad60a699019
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Title: TLS docs do not mention that the subject alt name is not verified by default
Description:
https://www.envoyproxy.io/docs/envoy/v1.8.0/intro/arch_overview/ssl#enabling-certificate-verification
The documentation is a little confusing and leads people to believe that if they only enable trusted_ca, they'll actually be verifying the alternative name on the cert.
See:
"/etc/ssl/certs/ca-certificates.crt is the default path for the system CA bundle on Debian systems. This makes Envoy verify the server identity of 127.0.0.2:1234 in the same way as e.g. cURL does on standard Debian installations."
from https://www.envoyproxy.io/docs/envoy/v1.8.0/intro/arch_overview/ssl#enabling-certificate-verification
However, the default behavior for curl is to verify that the subject name matches the DNS name connected to, which this example does not. Instead, it's only verifying that the cert presented can be validated against the entire Debian CA bundle. I think the example should be updated to add verify_subject_alt_name and mention that otherwise anyone can present any publicly signed cert and Envoy will accept it.
The text was updated successfully, but these errors were encountered: