Enabling router.ssl_skip_validation should not cause route integrity to stop working
#180
Labels
scheduled
We agree this change makes sense and plan to work on it ourselves at some point.
Comments
ryanhallware
added
the
scheduled
mcwumbly
pushed a commit
to cloudfoundry/gorouter
that referenced
this issue
Sep 29, 2020
When the gorouter spec property `router.ssl_skip_validation` set to `true`, it previously caused the TLS-based route integrity feature to stop working, as mentioned in the description of that property: "Warning: If this is set to true Gorouter will not validate the backend identity which could result in misrouting. For more information see https://docs.cloudfoundry.org/concepts/http-routing.html#consistency" This fixes that issue. cloudfoundry/routing-release#180 [#164261690](https://www.pivotaltracker.com/story/show/164261690)
|
Hi 👋 A fix for this issue was released in Routing Release 0.208.0. Thanks! |
stefanlay
pushed a commit
to stefanlay/gorouter
that referenced
this issue
Jan 29, 2021
When the gorouter spec property `router.ssl_skip_validation` set to `true`, it previously caused the TLS-based route integrity feature to stop working, as mentioned in the description of that property: "Warning: If this is set to true Gorouter will not validate the backend identity which could result in misrouting. For more information see https://docs.cloudfoundry.org/concepts/http-routing.html#consistency" This fixes that issue. cloudfoundry/routing-release#180 [#164261690](https://www.pivotaltracker.com/story/show/164261690)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Issue
When the gorouter spec property
router.ssl_skip_validationset totrue, it currently causes the TLS-based route integrity feature to stop working, as mentioned in the description of that property: "Warning: If this is set to true Gorouter will not validate the backend identity which could result in misrouting. For more information see https://docs.cloudfoundry.org/concepts/http-routing.html#consistency"Affected Versions
All current versions of routing-release and cf-deployment
Context
Setting
ssl_skip_validationis generally not recommended, and in most cases one chooses to configure this, they could instead configurerouter.ca_certswith any certificates they need to trust. However, folks do set this sometimes in non-production environments. While there is a warning on the spec property about this breaking the route integrity feature, there have been enough questions about this over the past couple years that we think resolving this issue would reduce that maintenance burden and source of confusion.Steps to Reproduce
On a cf-deployment environment with a single cell and
router.ssl_skip_validation: true:Expected result
At step (8) instead of some-other-app responding, an error should be returned
Current result
At step (8), some-other-app responds
Possible Fix
After exploring the various TLS configs used in Gorouter, we are pretty certain that this issue can be fixed by removing this one line:
https://github.com/cloudfoundry/gorouter/blob/10018ac76cda7506bb5633b1be7a589703b3099b/main.go#L167
backendTLSConfig := &tls.Config{ CipherSuites: c.CipherSuites, - InsecureSkipVerify: c.SkipSSLValidation, RootCAs: c.CAPool, Certificates: []tls.Certificate{c.Backends.ClientAuthCertificate}, }A separate TLS config is used for connections to Route Services, where the setting can remain in effect. This would better match the spec description.
The spec description also indicates that this setting is used in connections to UAA, which is configured here. It's not clear to me at the moment why that is the case, but it makes it even less concerning to remove the line from the
backendTlsConfigThe text was updated successfully, but these errors were encountered: