Issue with AccessValidationPlugin HasClientCertValidator #876

Closed
Luc-Bonade opened this issue Jun 18, 2021 · 3 comments
Comments

@Luc-Bonade

Luc-Bonade commented Jun 18, 2021

It seems there is an issue when using "cp:otoroshi.plugins.clientcert.HasClientCertValidator" with Otoroshi 1.5.0-alpha.18.

When I configure my Service Descriptor with

  plugins:
    enabled: {{ default .Values.apiLibHelm.forceIncommingCertificat .Values.forceIncommingCertificat }}
    refs:
      - cp:otoroshi.plugins.clientcert.HasClientCertValidator
    config: {}
    excluded:
      - ^/actuator/healthfull$
      - /actuator/prometheus
  accessValidator:
    enabled: false
    refs: []
    config: {}
    excludedPatterns: []

Every query to the service gets the following answer:

HTTP/1.1 400 Bad Request
Otoroshi-Error: true
Otoroshi-Error-Msg: bad request
Otoroshi-State-Resp: --
Date: Fri, 18 Jun 2021 12:27:17 GMT
Content-Type: application/json
Content-Length: 32

{"Otoroshi-Error":"bad request"}

It happens on excluded paths and on non-excluded ones, and with and without a certificate.

I first tried the mTLS AccessValidator with Otoroshi 1.5.0-alpha.14, and I had a similar issue with the slight difference that using an excluded pattern disabled the AccessValidator entirely. As it's a behavior on an old version it may be irrelevant, but it may be useful for the issue analysis.

Of course the service is exposed by Otoroshi on https.

@Luc-Bonade
Author

Since I opened the issue, I managed to get the GatewayEvent on request; the client cert part is empty.
I have the issue with the VIP and also when calling the worker directly.

Using curl directly on a worker I get the following handshake log:

```
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / XXXXXXXX
```

If I am right, it seems that the worker doesn't ask for the client cert.
Perhaps I have missed a configuration option, on the Otoroshi cluster or on the service descriptor.
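
The handshake trace above is the diagnostic that settles this: a server that wants a client certificate sends a CertificateRequest (handshake type 13, which curl prints as "Request CERT (13)") right after its Certificate/ServerKeyExchange, and that line is missing here. The following script is an added example, not Otoroshi code or code from the issue: it scans a curl -v trace for that message and for the client's own Certificate message and returns a short diagnosis. TRACE_NO_MTLS reproduces the trace posted above; TRACE_MTLS is constructed to show what the same TLS 1.2 exchange looks like once the listener asks for a certificate and curl is run with --cert/--key.

```python
"""Added diagnostic (not part of Otoroshi): read a curl -v TLS trace and tell
whether the server ever asked for a client certificate."""
import re
from typing import Optional

# curl labels handshake type 13 (CertificateRequest) as "Request CERT (13)".
_SERVER_CERT_REQUEST = re.compile(r"\(IN\),\s*TLS handshake,\s*Request CERT \(13\)")
# A Certificate message (type 11) going OUT is the client's certificate.
_CLIENT_CERT = re.compile(r"\(OUT\),\s*TLS handshake,\s*Certificate \(11\)")
_VERSION = re.compile(r"SSL connection using (TLSv1\.\d)")


def server_requested_client_cert(trace: str) -> bool:
    """True if the server sent CertificateRequest, i.e. client auth is Want/Need."""
    return any(_SERVER_CERT_REQUEST.search(line) for line in trace.splitlines())


def client_sent_cert(trace: str) -> bool:
    """True if curl sent a Certificate message after being asked.

    Caveat: when no --cert is given OpenSSL still sends an *empty* Certificate
    message, which curl logs the same way, so this is necessary, not sufficient.
    The client cert field the gateway records (the GatewayEvent) is the real check.
    """
    return any(_CLIENT_CERT.search(line) for line in trace.splitlines())


def negotiated_version(trace: str) -> Optional[str]:
    """Protocol version from curl's 'SSL connection using ...' line, if present."""
    m = _VERSION.search(trace)
    return m.group(1) if m else None


def diagnose(trace: str) -> str:
    """Classify a trace:
    'server_no_request' -> listener never asked; a cert-based validator can only 400
    'client_no_cert'    -> listener asked, client never sent a Certificate message
    'cert_exchanged'    -> both happened; inspect what the gateway actually received
    """
    if not server_requested_client_cert(trace):
        return "server_no_request"
    if not client_sent_cert(trace):
        return "client_no_cert"
    return "cert_exchanged"


# Trace reproduced from the issue: no Request CERT line anywhere.
TRACE_NO_MTLS = """\
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / XXXXXXXX
"""

# Constructed trace (assumption, not captured from Otoroshi): the same exchange
# once the listener requests a certificate and curl is given --cert/--key.
TRACE_MTLS = """\
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS handshake, CERT verify (15):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / XXXXXXXX
"""

if __name__ == "__main__":
    for name, trace in (("issue trace", TRACE_NO_MTLS), ("mTLS trace", TRACE_MTLS)):
        print(f"{name}: {negotiated_version(trace)} -> {diagnose(trace)}")
```

Run it against a trace saved with `curl -v https://worker:port/ 2> trace.txt`; a result of `server_no_request` means the listener itself has to be told to ask for client certificates, and no service-descriptor plugin setting will change that, because the plugin only sees what the TLS layer handed it.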

@mathieuancelin
Member

Hello @Luc-Bonade

My first guess is that you did not enable mTLS on your Otoroshi instance. It is not enabled by default as it makes the TLS handshake way heavier. Just add in your env:

HTTPS_WANT_CLIENT_AUTH=true
SSL_OUTSIDE_CLIENT_AUTH=Want

@Luc-Bonade
Author

@mathieuancelin, for other users who may have the same issue, adding the two environment variables solved my issue.

Thanks
