feat: support client certificate verification #4034

Merged
merged 3 commits into from
Apr 22, 2021

spacewander
Member

Signed-off-by: spacewander <spacewanderlzx@gmail.com>

What this PR does / why we need it:

Pre-submission checklist:

  • Did you explain what problem does this PR solve? Or what new features have been added?
  • Have you added corresponding test cases?
  • Have you modified the corresponding document?
  • Is this PR backward compatible? If it is not backward compatible, please discuss on the mailing list first

Signed-off-by: spacewander <spacewanderlzx@gmail.com>
@@ -194,6 +195,24 @@ function _M.match_and_set(api_ctx)
end
end

if matched_ssl.value.client then
local client_cert = matched_ssl.value.client.ca
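
Review bot: `local client_cert = matched_ssl.value.client.ca` is read after checking only that `client` exists, so a `client` object without `ca` hands nil to the code that follows. The documentation rows in this PR show `False` after `client.ca`; if that is the required column, either make `ca` required in the schema whenever `client` is set or reject the handshake explicitly when it is nil, so the behaviour for a `client` block without `ca` is defined rather than implicit.
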
Contributor

The name client_cert is confusing; actually, it's the CA cert(s) to verify the client cert. What about ca_cert?

Signed-off-by: spacewander <spacewanderlzx@gmail.com>
Comment on lines +787 to +788
| client.ca | False | Certificate| set the CA certificate which will use to verify client. This feature requires OpenResty 1.19+. | |
| client.depth | False | Certificate| set the verification depth in the client certificates chain, default to 1. This feature requires OpenResty 1.19+. | |
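
Review bot: In the `client.depth` row the type column reads `Certificate`, which looks copied from the `client.ca` row; depth is a chain-length number, so the type should be an integer. The `client.ca` description "which will use to verify client" would also read better as "which will be used to verify the client certificate", and the rows should say what happens to a handshake when the client presents no certificate or one that fails verification.
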
Contributor

The first letter should be capitalized. set --> Set

set the CA certificate which will use to verify client.

Member Author

None of the descriptions in this table start with an uppercase letter.

Contributor

Got it.

Comment on lines 208 to 210
local ssl_ca_cert = t.read_file("t/certs/mtls_ca.crt")
local ssl_cert = t.read_file("t/certs/mtls_client.crt")
local ssl_key = t.read_file("t/certs/mtls_client.key")
Contributor

These certificates were not used in this test; I think they can be removed.

Member Author

@Firstsawyou
Updated.

Signed-off-by: spacewander <spacewanderlzx@gmail.com>
@spacewander spacewander merged commit 544ab52 into apache:master Apr 22, 2021
@spacewander spacewander deleted the cca branch April 22, 2021 14:00