From 7aa2362f9ccbe96dbbf5558f9ecc2a4ddcc1fa8c Mon Sep 17 00:00:00 2001 From: An Tran Date: Tue, 27 Aug 2024 23:53:01 +1000 Subject: [PATCH 1/8] [conf] Add new environment variable to toggle verification of client certificates --- doc/parameters.md | 9 ++++ gateway/http.d/apicast.conf.liquid | 2 +- t/mutual-ssl.t | 80 ++++++++++++++++++++++++++++-- 3 files changed, 86 insertions(+), 5 deletions(-) diff --git a/doc/parameters.md b/doc/parameters.md index 083fa4df3..34abc7f2b 100644 --- a/doc/parameters.md +++ b/doc/parameters.md @@ -402,6 +402,15 @@ Path to a file with the X.509 certificate secret key in the PEM format. Defines the maximum length of the client certificate chain. If this parameter has `1` as its value, it is possible to include an additional certificate in the client certificate chain. For example, root certificate authority. +### `APICAST_HTTPS_VERIFY_CLIENT` + +**Default:** `optional_no_ca` +**Values:** +- `off`: Don't request client certificates and don't do client certificate verification. +- `optional_no_ca`: Requests the client certificate, but does not fail the request when the client certificate is not signed by a trusted CA certificate. + +Enables verification of client certificates. The client certificates can be verified with TLS Client Certificate Validation policy + ### `all_proxy`, `ALL_PROXY` **Default:** no value diff --git a/gateway/http.d/apicast.conf.liquid b/gateway/http.d/apicast.conf.liquid index 93d607757..3a76f9c09 100644 --- a/gateway/http.d/apicast.conf.liquid +++ b/gateway/http.d/apicast.conf.liquid @@ -110,7 +110,7 @@ server { {{ "conf/server.key" | filesystem | first }} {%- endif %}; - ssl_verify_client optional_no_ca; + ssl_verify_client {{ env.APICAST_HTTPS_VERIFY_CLIENT | default: "optional_no_ca" }}; ssl_certificate_by_lua_block { require('apicast.executor'):ssl_certificate() } ssl_verify_depth {{ env.APICAST_HTTPS_VERIFY_DEPTH | default: 1 }}; {%- endif %} 
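Review bot: `ssl_verify_client {{ env.APICAST_HTTPS_VERIFY_CLIENT | default: "optional_no_ca" }};` passes the environment value through verbatim, so a typo or an undocumented value only surfaces when nginx refuses to load the generated configuration, and `on`/`optional` (which nginx also accepts and which, as far as I recall, require `ssl_client_certificate` to be configured) are neither documented nor rejected. Either document that only `off` and `optional_no_ca` are supported and anything else fails at startup, or normalise the value in the template before it reaches the directive. A comment next to the directive would also help future readers, e.g. `# with "off" no client certificate is requested at the handshake; policies that need one (tls_validation) must request it from ssl_certificate_by_lua_block below`, since that is the contract the rest of this series depends on. The enclosing `server {` block starts and ends outside the hunk.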
diff --git a/t/mutual-ssl.t b/t/mutual-ssl.t index caec8cab2..d12bb214e 100644 --- a/t/mutual-ssl.t +++ b/t/mutual-ssl.t @@ -4,8 +4,7 @@ use Test::APIcast::Blackbox 'no_plan'; env_to_apicast( 'APICAST_PROXY_HTTPS_CERTIFICATE' => "$Test::Nginx::Util::ServRoot/html/client.crt", 'APICAST_PROXY_HTTPS_CERTIFICATE_KEY' => "$Test::Nginx::Util::ServRoot/html/client.key", - 'APICAST_PROXY_HTTPS_PASSWORD_FILE' => "$Test::Nginx::Util::ServRoot/html/passwords.file", - 'APICAST_PROXY_HTTPS_SESSION_REUSE' => 'on', + 'APICAST_PROXY_HTTPS_SESSION_REUSE' => 'on' ); run_tests(); @@ -13,8 +12,11 @@ run_tests(); __DATA__ === TEST 1: Mutual SSL with password file ---- ssl random_port ---- configuration +--- env eval +( + 'APICAST_PROXY_HTTPS_PASSWORD_FILE' => "$Test::Nginx::Util::ServRoot/html/passwords.file" +) +--- configuration random_port env { "services": [ { 
@@ -59,3 +61,73 @@ ssl_client_i_dn: CN=localhost,OU=APIcast,O=3scale --- no_error_log [error] --- user_files fixture=mutual_ssl.pl eval + + + +=== TEST 2: Do not request client certificate when APICAST_HTTPS_VERIFY_CLIENT=off +--- env eval +( + 'APICAST_HTTPS_PORT' => "$Test::Nginx::Util::ServerPortForClient", + 'APICAST_HTTPS_CERTIFICATE' => "$Test::Nginx::Util::ServRoot/html/server.crt", + 'APICAST_HTTPS_CERTIFICATE_KEY' => "$Test::Nginx::Util::ServRoot/html/server.key", + 'APICAST_HTTPS_VERIFY_CLIENT' => "off", + 'BACKEND_ENDPOINT_OVERRIDE' => '' # disable override by Test::APIcast::Blackbox +) +--- backend random_port env + listen $TEST_NGINX_RANDOM_PORT; + location /transactions/oauth_authrep.xml { + content_by_lua_block { + ngx.exit(200) + } + } + + location /t { + content_by_lua_block { + print('client certificate subject: ', ngx.var.ssl_client_s_dn) + print('client certificate: ', ngx.var.ssl_client_raw_cert) + ngx.say(ngx.var.ssl_client_verify) + } + } +--- configuration random_port env +{ + "services": [ + { + "id": 42, + "backend_version": 1, + "backend_authentication_type": "service_token", + "backend_authentication_value": "token-value", + "proxy": { + "hosts": ["test"], + "api_backend": "http://test_backend:$TEST_NGINX_RANDOM_PORT/", + "backend": { + "endpoint": "http://test_backend:$TEST_NGINX_RANDOM_PORT/", + "host": "localhost" + }, + "proxy_rules": [ + { "pattern": "/", "http_method": "GET", "metric_system_name": "hits", "delta": 1 } + ], + "policy_chain": [ + { "name": "apicast.policy.apicast" } + ] + } + } + ] +} +--- test env +proxy_ssl_verify on; +proxy_ssl_trusted_certificate $TEST_NGINX_SERVER_ROOT/html/ca.crt; +proxy_ssl_certificate $TEST_NGINX_SERVER_ROOT/html/client.crt; +proxy_ssl_certificate_key $TEST_NGINX_SERVER_ROOT/html/client.key; +proxy_pass https://$server_addr:$apicast_port/t?user_key=; +proxy_set_header Host test; +log_by_lua_block { collectgarbage() } +--- response_body +nil +--- error_log +client certificate subject: nil 
+client certificate: nil +--- no_error_log +[error] +[alert] +[crit] +--- user_files fixture=CA/files.pl eval From 219c79f23bbe310e45db8c4cd2c4e580fd8d1220 Mon Sep 17 00:00:00 2001 From: An Tran Date: Wed, 28 Aug 2024 11:49:26 +1000 Subject: [PATCH 2/8] [tls_validation] Request client certificate if the policy is in the chain Adding support to request client certificate in `ssl_certificate` phase when `APICAST_HTTPS_VERIFY_CLIENT` is set to `off` --- .../apicast/policy/tls_validation/README.md | 23 +++++++++++ .../policy/tls_validation/tls_validation.lua | 14 +++++++ t/apicast-policy-tls_validation.t | 40 +++++++++++++++++++ 3 files changed, 77 insertions(+) diff --git a/gateway/src/apicast/policy/tls_validation/README.md b/gateway/src/apicast/policy/tls_validation/README.md index aee61667e..ec302a4e9 100644 --- a/gateway/src/apicast/policy/tls_validation/README.md +++ b/gateway/src/apicast/policy/tls_validation/README.md 
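Review bot: TEST 2's expectations do not show that the gateway stopped requesting a client certificate: the `/t` location that prints `ssl_client_s_dn`, `ssl_client_raw_cert` and `ssl_client_verify` lives in the `--- backend` block, which does `listen $TEST_NGINX_RANDOM_PORT;` without `ssl` and is reached from APIcast over `http://test_backend:...`, so those variables are `nil` there regardless of `APICAST_HTTPS_VERIFY_CLIENT`. The `--- response_body nil` and `--- error_log` lines would therefore also pass with the default `optional_no_ca`. To make the case meaningful, observe the variables on the APIcast side of the TLS handshake — for example expose `ngx.var.ssl_client_raw_cert` through a policy in the chain or a gateway log line — and add a companion case with `optional_no_ca` that shows the subject being populated. If the backend block is TLS-terminating through something outside this hunk, disregard, but the `listen` line shown carries no `ssl` parameter.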
@@ -5,3 +5,26 @@ This policy can validate TLS Client Certificate against a whitelist. Whitelist expects PEM formatted CA or Client certificates. It is not necessary to have the full certificate chain, just partial matches are allowed. For example you can add to the whitelist just leaf client certificates without the whole bundle with a CA certificate. + +## Configuration + +For this policy to work, APIcast need to be setup to listen for TLS connection. + +By default, client certificates are requested during the TLS handshake, however, APIcast will not verify the certificate or terminate the request unless a TLS Validation Policy is in the chain. In most cases, the client not presenting a client certificate will not affect a service that does not have TLS Validation policy configured. The only exception is when the service is used by a browser or front-end application, which will cause the browser to always prompt the end user to select a client certificate to send if they have ANY client certificates configured when browsing the service. + +To work around this, the environment variable `APICAST_HTTPS_VERIFY_CLIENT` can be set to `off` to instruct APIcast to request a client certificate ONLY when the policy is in the chain. + +NOTE: This policy is not compatible with `APICAST_PATH_ROUTING` or `APICAST_PATH_ROUTING_ONLY` when `APICAST_HTTPS_VERIFY_CLIENT` is set to `off`. + +## Example + +``` +{ + "name": "apicast.policy.tls_validation", + "configuration": { + "whitelist": [ + { "pem_certificate": ""-----BEGIN CERTIFICATE----- XXXXXX -----END CERTIFICATE-----"} + ] + } +} +``` diff --git a/gateway/src/apicast/policy/tls_validation/tls_validation.lua b/gateway/src/apicast/policy/tls_validation/tls_validation.lua index d9daff062..fb6338472 100644 --- a/gateway/src/apicast/policy/tls_validation/tls_validation.lua +++ b/gateway/src/apicast/policy/tls_validation/tls_validation.lua 
@@ -4,6 +4,7 @@ local policy = require('apicast.policy')
 local _M = policy.new('tls_validation')
 local X509_STORE = require('resty.openssl.x509.store')
 local X509 = require('resty.openssl.x509')
+local ngx_ssl = require "ngx.ssl"
 local ipairs = ipairs
 local tostring = tostring
@@ -45,6 +46,19 @@ function _M.new(config)
 return self
 end
+function _M:ssl_certificate()
+ -- Request client certificate
+ --
+ -- We don't validate the certificate during the handshake, thus set `depth` to 0 (default is 1)
+ -- value here in order to save CPU cycles
+ --
+ -- TODO:
+ -- provide ca_certs: See https://github.com/openresty/lua-resty-core/blob/master/lib/ngx/ssl.md#verify_client
+ -- handle verify_depth
+ --
+ return ngx_ssl.verify_client()
+end
+
 function _M:access()
 local cert = X509.parse_pem_cert(ngx.var.ssl_client_raw_cert)
 local store = self.x509_store
diff --git a/t/apicast-policy-tls_validation.t b/t/apicast-policy-tls_validation.t
index 4bb95b727..dd1bc0b65 100644
--- a/t/apicast-policy-tls_validation.t
+++ b/t/apicast-policy-tls_validation.t
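Review bot: The comment in the new `_M:ssl_certificate` says `depth` is set to 0 to save CPU cycles, but `ngx_ssl.verify_client()` is called with no arguments, so the module's own default applies (per the linked `ngx.ssl` documentation an omitted depth falls back to the `ssl_verify_depth` directive, which this series defaults to 1 — worth confirming against the installed lua-resty-core). Either pass it explicitly, `return ngx_ssl.verify_client(nil, 0)`, or rewrite the comment to match the call. The comment should also state plainly that with no CA bundle supplied the handshake never rejects a client on its own and the trust decision is the whitelist check in `_M:access()`, so this hook exists only to make `ngx.var.ssl_client_raw_cert` available when the gateway runs with `APICAST_HTTPS_VERIFY_CLIENT=off`. `verify_client` returns an `(ok, err)` pair; the hunk does not show how the executor treats a false `ok` from a policy's `ssl_certificate`, so confirm a failure here is logged rather than silently ignored.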
@@ -201,3 +201,43 @@ GET /t HTTP/1.0 --- no_error_log [error] --- user_files fixture=CA/files.pl eval + + + +=== TEST 6: TLS Client Certificate request client certificate when "APICAST_HTTPS_VERIFY_CLIENT: off" +and the policy is in the chain +--- configuration eval +use JSON qw(to_json); +use File::Slurp qw(read_file); + +to_json({ + services => [{ + proxy => { + hosts => ['test'], + policy_chain => [ + { name => 'apicast.policy.tls_validation', + configuration => { + whitelist => [ + { pem_certificate => CORE::join('', read_file('t/fixtures/CA/intermediate-ca.crt')) } + ] + } + }, + { name => 'apicast.policy.echo' }, + ] + } + }] +}); +--- test env +proxy_ssl_verify on; +proxy_ssl_trusted_certificate $TEST_NGINX_SERVER_ROOT/html/ca.crt; +proxy_ssl_certificate $TEST_NGINX_SERVER_ROOT/html/client.crt; +proxy_ssl_certificate_key $TEST_NGINX_SERVER_ROOT/html/client.key; +proxy_pass https://$server_addr:$apicast_port/t; +proxy_set_header Host test; +log_by_lua_block { collectgarbage() } +--- response_body +GET /t HTTP/1.0 +--- error_code: 200 +--- no_error_log +[error] +--- user_files fixture=CA/files.pl eval From 68a45ce954abddcdf93f39ba2ce8abd7fdfbf7ee Mon Sep 17 00:00:00 2001 From: An Tran Date: Wed, 28 Aug 2024 11:52:41 +1000 Subject: [PATCH 3/8] [resty.openssl] Free X509_STORE object Initially the X509_STORE object was free in _gc metamethod. However the previously patch remove this and potentially cause memory leak. --- gateway/src/resty/openssl/x509/store.lua | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/gateway/src/resty/openssl/x509/store.lua b/gateway/src/resty/openssl/x509/store.lua index 4ebc6176f..6d14eb090 100644 --- a/gateway/src/resty/openssl/x509/store.lua +++ b/gateway/src/resty/openssl/x509/store.lua 
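Review bot: TEST 6 is titled as exercising `APICAST_HTTPS_VERIFY_CLIENT: off` with the policy in the chain, but the test block has no `--- env eval` section, so unless the file-level `env_to_apicast` call (outside this hunk) sets that variable the gateway runs with the default `optional_no_ca` and the test passes without ever going through the new `ssl_certificate` path. Add `--- env eval ( 'APICAST_HTTPS_VERIFY_CLIENT' => 'off' )` after the title, as TEST 8 later in this series does. A negative counterpart in which the client presents no certificate under `off` would also pin the fail-closed behaviour, since that is the case the feature makes reachable.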
@@ -1,6 +1,7 @@
 local base = require('resty.openssl.base')
 local X509_STORE_CTX = require('resty.openssl.x509.store.ctx')
 local ffi = require('ffi')
+local ffi_gc = ffi.gc
 ffi.cdef([[
 // https://www.openssl.org/docs/man1.1.0/crypto/X509_STORE_new.html
@@ -45,7 +46,7 @@ local function X509_VERIFY_PARAM(flags)
 -- https://www.openssl.org/docs/man1.1.0/crypto/X509_VERIFY_PARAM_get_depth.html#example
 ffi_assert(C.X509_VERIFY_PARAM_set_flags(verify_param, flags))
- return ffi.gc(verify_param, C.X509_VERIFY_PARAM_free)
+ return ffi_gc(verify_param, C.X509_VERIFY_PARAM_free)
 end
 local _M = {}
@@ -73,9 +74,8 @@ end
 function _M.new()
 local store = ffi_assert(C.X509_STORE_new())
+ ffi_gc(store, C.X509_STORE_free)
- -- @TODO cleanup here
- -- ffi_gc(store, C.X509_STORE_free)
 -- enabling partial chains allows us to trust leaf certificates
 local verify_param = X509_VERIFY_PARAM(X509_V_FLAG_PARTIAL_CHAIN)
From 6cd73e76d305b1ebe51d1059880480bc459d1327 Mon Sep 17 00:00:00 2001
From: An Tran
Date: Wed, 28 Aug 2024 12:01:07 +1000
Subject: [PATCH 4/8] [tls_validation] Return early if no client certificate is presented
---
 .../src/apicast/policy/tls_validation/tls_validation.lua | 6 ++++++
 t/apicast-policy-tls_validation.t | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/gateway/src/apicast/policy/tls_validation/tls_validation.lua b/gateway/src/apicast/policy/tls_validation/tls_validation.lua
index fb6338472..16d0289d5 100644
--- a/gateway/src/apicast/policy/tls_validation/tls_validation.lua
+++ b/gateway/src/apicast/policy/tls_validation/tls_validation.lua
@@ -61,6 +61,12 @@ end
 function _M:access()
 local cert = X509.parse_pem_cert(ngx.var.ssl_client_raw_cert)
+ if not cert then
+ ngx.status = self.error_status
+ ngx.say("No required TLS certificate was sent")
+ return ngx.exit(ngx.status)
+ end
+
 local store = self.x509_store
 local ok, err = store:validate_cert(cert)
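Review bot: `ffi_gc(store, C.X509_STORE_free)` is registered immediately after `X509_STORE_new()` and before the `X509_VERIFY_PARAM` call (and, presumably, before certificates are added further down in `_M.new`, which continues outside the hunk), which is the right order: if a later `ffi_assert` raises, the finalizer still releases the store. A one-line comment would make that intent explicit, e.g. `-- register the finalizer first so the store is freed even if a later ffi_assert raises`. Since the commit message says the store used to be freed from a `_gc` metamethod, please confirm no explicit `X509_STORE_free` path remains elsewhere in the module; with the finalizer back, a second free would be a double free in FFI code. Discarding `ffi_gc`'s return value is fine here, as the finalizer is attached to the same cdata object.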
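Review bot: The new guard in `_M:access()` reports "No required TLS certificate was sent" for every `nil` from `X509.parse_pem_cert`, but the same branch is reached when a certificate was presented and merely fails to parse, and any parse error the helper may return is discarded, so a malformed certificate leaves no trace in the error log. Distinguish the two cases before parsing (`ngx.var.ssl_client_raw_cert` may be an empty string rather than `nil` when nothing was presented, so check both), log the parse error, and answer the parse failure with a generic validation error rather than the missing-certificate message. Whether `parse_pem_cert` returns an error as its second value is not visible in this hunk — confirm against `resty.openssl.x509`. `_M:access()` continues past the hunk.
```lua
function _M:access()
  local raw_cert = ngx.var.ssl_client_raw_cert
  -- no certificate at all: nginx leaves the variable unset or empty
  if not raw_cert or raw_cert == "" then
    ngx.status = self.error_status
    ngx.say("No required TLS certificate was sent")
    return ngx.exit(ngx.status)
  end

  -- a certificate was presented but is not a valid PEM X.509: log the reason,
  -- keep the client-facing body generic
  local cert, err = X509.parse_pem_cert(raw_cert)
  if not cert then
    ngx.log(ngx.ERR, "failed to parse client certificate: ", err)
    ngx.status = self.error_status
    ngx.say("TLS certificate validation failed")
    return ngx.exit(ngx.status)
  end

  -- … unchanged: whitelist check via self.x509_store …
```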
diff --git a/t/apicast-policy-tls_validation.t b/t/apicast-policy-tls_validation.t index dd1bc0b65..032227b28 100644 --- a/t/apicast-policy-tls_validation.t +++ b/t/apicast-policy-tls_validation.t @@ -154,7 +154,7 @@ proxy_pass https://$server_addr:$apicast_port/t; proxy_set_header Host test; log_by_lua_block { collectgarbage() } --- response_body -Invalid certificate verification context +No required TLS certificate was sent --- error_code: 400 --- no_error_log [error] From cc090de5b71c125925ff9bf3777329a77adb3fd1 Mon Sep 17 00:00:00 2001 From: An Tran Date: Wed, 28 Aug 2024 12:06:25 +1000 Subject: [PATCH 5/8] [tls_validation] Return generic error For security reason, omit internal SSL verification error and return a generic error instead. The details are shown in the log --- .../src/apicast/policy/tls_validation/tls_validation.lua | 8 +++++--- spec/policy/tls_validation/tls_validation_spec.lua | 8 +++++--- t/apicast-policy-tls_validation.t | 2 +- 3 files changed, 11 insertions(+), 7 deletions(-) diff --git a/gateway/src/apicast/policy/tls_validation/tls_validation.lua b/gateway/src/apicast/policy/tls_validation/tls_validation.lua index 16d0289d5..07a6c619d 100644 --- a/gateway/src/apicast/policy/tls_validation/tls_validation.lua +++ b/gateway/src/apicast/policy/tls_validation/tls_validation.lua @@ -69,15 +69,17 @@ function _M:access() local store = self.x509_store - local ok, err = store:validate_cert(cert) + -- err is printed inside validate_cert method + -- so no need capture the err here + local ok, _ = store:validate_cert(cert) if not ok then ngx.status = self.error_status - ngx.say(err) + ngx.say("TLS certificate validation failed") return ngx.exit(ngx.status) end - return ok, err + return ok, nil end return _M diff --git a/spec/policy/tls_validation/tls_validation_spec.lua b/spec/policy/tls_validation/tls_validation_spec.lua index fd7f39f19..9dc438617 100644 --- a/spec/policy/tls_validation/tls_validation_spec.lua 
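Review bot: `local ok, _ = store:validate_cert(cert)` together with `return ok, nil` leans on placeholders where plain `local ok = store:validate_cert(cert)` and `return ok` express the same thing in Lua; more importantly, the comment says the reason is logged inside `validate_cert`, which this hunk cannot show. Logging it in the policy keeps the diagnostic next to the generic 400 the client now receives and removes the dependency on the helper's logging behaviour: `local ok, err = store:validate_cert(cert)` and, in the failure branch, `ngx.log(ngx.ERR, "client certificate rejected: ", err)`. Returning only "TLS certificate validation failed" to the client while keeping the detail server-side is the right split; the suggestion just makes sure the detail actually lands in the log. `_M:access()` starts outside the hunk.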
+++ b/spec/policy/tls_validation/tls_validation_spec.lua @@ -33,7 +33,7 @@ describe('tls_validation policy', function() policy:access() assert.stub(ngx.exit).was_called_with(400) - assert.stub(ngx.say).was_called_with('unable to get local issuer certificate') + assert.stub(ngx.say).was_called_with([[TLS certificate validation failed]]) end) it('rejects certificates that are not valid yet', function() @@ -43,7 +43,8 @@ describe('tls_validation policy', function() policy:access() - assert.stub(ngx.say).was_called_with('certificate is not yet valid') + assert.stub(ngx.exit).was_called_with(400) + assert.stub(ngx.say).was_called_with([[TLS certificate validation failed]]) end) it('rejects certificates that are not longer valid', function() @@ -53,7 +54,8 @@ describe('tls_validation policy', function() policy:access() - assert.stub(ngx.say).was_called_with([[certificate has expired]]) + assert.stub(ngx.exit).was_called_with(400) + assert.stub(ngx.say).was_called_with([[TLS certificate validation failed]]) end) it('accepts whitelisted certificate', function() diff --git a/t/apicast-policy-tls_validation.t b/t/apicast-policy-tls_validation.t index 032227b28..22fd78d54 100644 --- a/t/apicast-policy-tls_validation.t +++ b/t/apicast-policy-tls_validation.t @@ -119,7 +119,7 @@ proxy_pass https://$server_addr:$apicast_port/t; proxy_set_header Host test; log_by_lua_block { collectgarbage() } --- response_body -unable to get local issuer certificate +TLS certificate validation failed --- error_code: 400 --- no_error_log [error] From 2850210f145d46cec12a3779361d1e3155686c5d Mon Sep 17 00:00:00 2001 From: An Tran Date: Wed, 28 Aug 2024 16:50:07 +1000 Subject: [PATCH 6/8] Update CHANGELOG.md --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1288bff4f..4f69cb4d8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
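Review bot: With all three rejection cases now asserting the same `[[TLS certificate validation failed]]` body, the spec no longer distinguishes an untrusted issuer from a not-yet-valid or expired certificate, and nothing checks that the specific reason reaches the log as the commit message promises. Consider stubbing `ngx.log` in these cases and asserting it was called with the original reason strings (`'unable to get local issuer certificate'`, `'certificate is not yet valid'`, `'certificate has expired'`), so a regression that drops the server-side detail is caught while the client-facing body stays generic. Where the logging happens (`validate_cert` or the policy) is not visible here — point the stub at whichever call emits it.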
@@ -31,6 +31,8 @@ and this project adheres to [Semantic Versioning](http://semver.org/). - Added the `APICAST_PROXY_BUFFER_SIZE` variable to allow configuration of the buffer size for handling response from the proxied servers. [PR #1473](https://github.com/3scale/APIcast/pull/1473), [THREESCALE-8410](https://issues.redhat.com/browse/THREESCALE-8410) +- Added the `APICAST_HTTPS_VERIFY_CLIENT` variable to allow configuration of the `ssl_verify_client` directive. [PR #1491](https://github.com/3scale/APIcast/pull/1491) [THREESCALE-10156](https://issues.redhat.com/browse/THREESCALE-10156) + ## [3.15.0] 2024-04-04 ### Fixed From e85a9ce3b2105db9bc108ae9ed13f48b5b2d0a68 Mon Sep 17 00:00:00 2001 From: An Tran Date: Thu, 29 Aug 2024 14:45:03 +1000 Subject: [PATCH 7/8] [t] Add tests for TLS Client Certification with path routing --- t/apicast-policy-tls_validation.t | 112 ++++++++++++++++++++++++++++++ 1 file changed, 112 insertions(+) diff --git a/t/apicast-policy-tls_validation.t b/t/apicast-policy-tls_validation.t index 22fd78d54..15b2c66ab 100644 --- a/t/apicast-policy-tls_validation.t +++ b/t/apicast-policy-tls_validation.t 
@@ -241,3 +241,115 @@ GET /t HTTP/1.0 --- no_error_log [error] --- user_files fixture=CA/files.pl eval + + + +=== TEST 7: TLS Client Certificate request client certificate with path routing enabled +--- env eval +('APICAST_PATH_ROUTING' => '1') +--- configuration eval +use JSON qw(to_json); +use File::Slurp qw(read_file); + +to_json({ + services => [{ + id => 2, + backend_version => 1, + proxy => { + hosts => ['test'], + policy_chain => [ + { name => 'apicast.policy.tls_validation', + configuration => { + whitelist => [ + { pem_certificate => CORE::join('', read_file('t/fixtures/CA/intermediate-ca.crt')) } + ] + } + }, + { name => 'apicast.policy.echo' }, + ] + } + }, { + id => 3, + backend_version => 1, + proxy => { + hosts => ['test'], + policy_chain => [ + { name => 'apicast.policy.echo', configuration => { status => 404 }} + ] + } + }] +}); +--- test env +proxy_ssl_verify on; +proxy_ssl_trusted_certificate $TEST_NGINX_SERVER_ROOT/html/ca.crt; +proxy_ssl_certificate $TEST_NGINX_SERVER_ROOT/html/client.crt; +proxy_ssl_certificate_key $TEST_NGINX_SERVER_ROOT/html/client.key; +proxy_pass https://$server_addr:$apicast_port/t; +proxy_set_header Host test; +log_by_lua_block { collectgarbage() } +--- response_body +GET /t HTTP/1.0 +--- error_code: 200 +--- no_error_log +[error] +--- user_files fixture=CA/files.pl eval + + + +=== TEST 8: TLS Client Certificate request client certificate with "APICAST_HTTPS_VERIFY_CLIENT: off" +and path routing enabled +When path routing is enabled, APIcast will not able to select the correct service and build the +corresponding policy chain during the TLS handshake. It will then fallback to the setting defined by +`ssl_client_verify` and with `APICAST_HTTPS_VERIFY_CLIENT` is set to `off`, no client certificate will +be requested. 
+--- env eval +( + 'APICAST_PATH_ROUTING' => '1', + 'APICAST_HTTPS_VERIFY_CLIENT' => 'off' +) +--- configuration eval +use JSON qw(to_json); +use File::Slurp qw(read_file); + +to_json({ + services => [{ + id => 2, + backend_version => 1, + proxy => { + hosts => ['test'], + policy_chain => [ + { name => 'apicast.policy.tls_validation', + configuration => { + whitelist => [ + { pem_certificate => CORE::join('', read_file('t/fixtures/CA/intermediate-ca.crt')) } + ] + } + }, + { name => 'apicast.policy.echo' }, + ] + } + }, { + id => 3, + backend_version => 1, + proxy => { + hosts => ['test'], + policy_chain => [ + { name => 'apicast.policy.echo', configuration => { status => 404 }} + ] + } + }] +}); +--- test env +proxy_ssl_verify on; +proxy_ssl_trusted_certificate $TEST_NGINX_SERVER_ROOT/html/ca.crt; +proxy_ssl_certificate $TEST_NGINX_SERVER_ROOT/html/client.crt; +proxy_ssl_certificate_key $TEST_NGINX_SERVER_ROOT/html/client.key; +proxy_pass https://$server_addr:$apicast_port/t; +proxy_set_header Host test; +log_by_lua_block { collectgarbage() } +--- response_body +No required TLS certificate was sent +--- error_code: 400 +--- no_error_log +[error] +--- user_files fixture=CA/files.pl eval From c7f735b2c891b1e4dc3c4063aa73bbc8e472bdb0 Mon Sep 17 00:00:00 2001 From: An Tran Date: Wed, 2 Oct 2024 13:37:08 +1000 Subject: [PATCH 8/8] Adjust docs based on PR review feedback --- doc/parameters.md | 4 ++-- gateway/src/apicast/policy/tls_validation/README.md | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/doc/parameters.md b/doc/parameters.md index 34abc7f2b..3565d9556 100644 --- a/doc/parameters.md +++ b/doc/parameters.md 
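Review bot: The description of TEST 8 names the directive `ssl_client_verify`; the nginx directive that `APICAST_HTTPS_VERIFY_CLIENT` feeds is `ssl_verify_client` (`$ssl_client_verify` is the variable), so the sentence should read "It will then fall back to the setting defined by `ssl_verify_client`". The test pins the known path-routing limitation as a hard 400 for every request, which is the safe fail-closed outcome, but an operator who combines `APICAST_PATH_ROUTING` with `APICAST_HTTPS_VERIFY_CLIENT=off` and a tls_validation policy gets no hint why; a startup warning when that combination is detected would make the documented incompatibility discoverable without weakening the rejection. TEST 7 and TEST 8 also carry an identical multi-line service configuration; if the harness allows it, a shared Perl variable would keep the two cases from drifting.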
@@ -406,10 +406,10 @@ If this parameter has `1` as its value, it is possible to include an additional **Default:** `optional_no_ca` **Values:** -- `off`: Don't request client certificates and don't do client certificate verification. +- `off`: Do not request client certificates or perform client certificate verification. - `optional_no_ca`: Requests the client certificate, but does not fail the request when the client certificate is not signed by a trusted CA certificate. -Enables verification of client certificates. The client certificates can be verified with TLS Client Certificate Validation policy +Enables verification of client certificates. You can verify client certificates TLS Client Certificate Validation policy. ### `all_proxy`, `ALL_PROXY` diff --git a/gateway/src/apicast/policy/tls_validation/README.md b/gateway/src/apicast/policy/tls_validation/README.md index ec302a4e9..97adb15d2 100644 --- a/gateway/src/apicast/policy/tls_validation/README.md +++ b/gateway/src/apicast/policy/tls_validation/README.md 
@@ -10,9 +10,9 @@ For example you can add to the whitelist just leaf client certificates without t For this policy to work, APIcast need to be setup to listen for TLS connection. -By default, client certificates are requested during the TLS handshake, however, APIcast will not verify the certificate or terminate the request unless a TLS Validation Policy is in the chain. In most cases, the client not presenting a client certificate will not affect a service that does not have TLS Validation policy configured. The only exception is when the service is used by a browser or front-end application, which will cause the browser to always prompt the end user to select a client certificate to send if they have ANY client certificates configured when browsing the service. +By default, during the TLS handshake, APIcast requests client certificates, but will not verify the certificate or terminate the request unless a TLS Validation Policy is in the chain. In most cases, the client not presenting a client certificate will not affect a service that does not have TLS Validation policy configured. The only exception is when a browser or front-end application uses the service. In this case, the browser will always prompt the user to choose a client certificate to send if they have any client certificates set up while accessing the service. -To work around this, the environment variable `APICAST_HTTPS_VERIFY_CLIENT` can be set to `off` to instruct APIcast to request a client certificate ONLY when the policy is in the chain. +To work around this, set the environment variable `APICAST_HTTPS_VERIFY_CLIENT` to `off`. This instructs APIcast to request a client certificate only when the policy is in the chain. NOTE: This policy is not compatible with `APICAST_PATH_ROUTING` or `APICAST_PATH_ROUTING_ONLY` when `APICAST_HTTPS_VERIFY_CLIENT` is set to `off`.