Support for "-partial_chain" openssl option while verifying client certificate chain against configured CA #4496
Comments
|
@vipingoel this will possible (verify_depth) in the next feature #4327 |
|
I was wondering is --enable-ssl-chain-completion=false flag for this purpose only? Basically we want to disable complete chain verification and verify only upto the CA which is configured in the ingress irrespective of whether it is rootCA or not. |
No. Enabling this flag requires an Internet connection, something is not enabled in restricted environments. Also, a complete chain is required for OCSP. |
@aledbf : looking at #4327, it looks like they are for proxy-ssl annotations which is different from what I was looking for. Could you point me to code changes which support this if possible? |
|
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
k8s-ci-robot
added
the
lifecycle/stale
|
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
k8s-ci-robot
added
lifecycle/rotten
|
Rotten issues close after 30d of inactivity. Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
|
@fejta-bot: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Is this a request for help? (If yes, you should use our troubleshooting guide and community support channels, see https://kubernetes.io/docs/tasks/debug-application-cluster/troubleshooting/.):No
What keywords did you search in NGINX Ingress controller issues before filing this one? (If you have found any duplicates, you should instead reply there.):
partial_chain
Is this a BUG REPORT or FEATURE REQUEST? (choose one): FEATURE REQUEST
NGINX Ingress controller version:
Release: 0.24.1
Build: git-ce418168f
Kubernetes version (use
kubectl version):Client Version: version.Info{Major:"1", Minor:"14", GitVersion:"v1.14.1", GitCommit:"b7394102d6ef778017f2ca4046abbaa23b88c290", GitTreeState:"clean", BuildDate:"2019-04-08T17:11:31Z", GoVersion:"go1.12.1", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"13+", GitVersion:"v1.13.8-eks-a977ba", GitCommit:"a977bab148535ec195f12edc8720913c7b943f9c", GitTreeState:"clean", BuildDate:"2019-07-29T20:47:04Z", GoVersion:"go1.11.5", Compiler:"gc", Platform:"linux/amd64"}
Environment:
uname -a):What happened:
Setting auth-tls-secret as one of the CA cert which is not the root is failing with below error:
Client SSL certificate verify error: (2:unable to get issuer certificate) while reading client request headers
What you expected to happen:
I am looking for an option similar to "-partial_chain" in open ssl which should make it work. Let me know if this is already supported?
How to reproduce it (as minimally and precisely as possible):
Create a self signed cert and cert chain as follows:
root <-- a <-- b <-- c <-- d
Set "b" as CA in auth-tls-secret and present client cert with "d" as leaf with "c" as intermediate.
Anything else we need to know:
Above scenario works when I set -partial_chain option in openssl
openssl verify -partial_chain -verify_depth 5 -verbose -CAfile ~/b.crt -untrusted ~/c.crt ~/d.crt
If I remove -partial_chain option than it respond with below error which is same as what nginx-ingress reported:
error 2 at 2 depth lookup:unable to get issuer certificate
The text was updated successfully, but these errors were encountered: