Enabling router.ssl_skip_validation should not cause route integrity to stop working
#180
Labels
scheduled
We agree this change makes sense and plan to work on it ourselves at some point.
Issue
When the gorouter spec property router.ssl_skip_validation is set to true, it currently causes the TLS-based route integrity feature to stop working, as mentioned in the description of that property: "Warning: If this is set to true Gorouter will not validate the backend identity which could result in misrouting. For more information see https://docs.cloudfoundry.org/concepts/http-routing.html#consistency"
Affected Versions
All current versions of routing-release and cf-deployment
Context
Setting ssl_skip_validation is generally not recommended, and in most cases where one chooses to configure this, they could instead configure router.ca_certs with any certificates they need to trust. However, folks do set this sometimes in non-production environments. While there is a warning on the spec property about this breaking the route integrity feature, there have been enough questions about this over the past couple of years that we think resolving this issue would reduce that maintenance burden and source of confusion.
Steps to Reproduce
On a cf-deployment environment with a single cell and router.ssl_skip_validation: true:
Expected result
At step (8) instead of some-other-app responding, an error should be returned
Current result
At step (8), some-other-app responds
Possible Fix
After exploring the various TLS configs used in Gorouter, we are pretty certain that this issue can be fixed by removing this one line:
https://github.com/cloudfoundry/gorouter/blob/10018ac76cda7506bb5633b1be7a589703b3099b/main.go#L167
backendTLSConfig := &tls.Config{ CipherSuites: c.CipherSuites, - InsecureSkipVerify: c.SkipSSLValidation, RootCAs: c.CAPool, Certificates: []tls.Certificate{c.Backends.ClientAuthCertificate}, }
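Review bot: with `InsecureSkipVerify: c.SkipSSLValidation` removed from `backendTLSConfig`, every backend handshake is verified against `RootCAs: c.CAPool` no matter how the property is set, so the change needs a test that sets `SkipSSLValidation` to true and asserts that a backend presenting the wrong identity is still rejected. Deployments that set the property because their backend CA is not in `c.CAPool` will start failing after this line goes, so the spec description's warning should be reworded in the same change and should point operators at router.ca_certs.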
A separate TLS config is used for connections to Route Services, where the setting can remain in effect. This would better match the spec description.
The spec description also indicates that this setting is used in connections to UAA, which is configured here. It's not clear to me at the moment why that is the case, but it makes it even less concerning to remove the line from the backendTlsConfig.
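The effect described in this issue can be reproduced with the Go standard library alone. The following is an added example, not Gorouter code: it models the expected backend identity as the TLS ServerName (an assumption), and the helper names and the "stale-instance-id" value are constructed for illustration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// startBackend starts a local TLS backend using httptest's built-in test
// certificate (valid for "example.com") and returns a pool that trusts it.
func startBackend() (*httptest.Server, *x509.CertPool) {
	srv := httptest.NewTLSServer(http.HandlerFunc(
		func(w http.ResponseWriter, r *http.Request) { fmt.Fprintln(w, "some-other-app") }))
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	return srv, pool
}

// dialBackend does one TLS handshake with addr, expecting the certificate to
// carry expectedID, and returns the handshake error (nil means accepted).
func dialBackend(addr, expectedID string, pool *x509.CertPool, skipVerify bool) error {
	conn, err := tls.Dial("tcp", addr, &tls.Config{
		RootCAs:            pool,
		ServerName:         expectedID, // assumption: identity modelled as ServerName
		InsecureSkipVerify: skipVerify,
	})
	if err != nil {
		return err
	}
	conn.Close()
	return nil
}

func main() {
	srv, pool := startBackend()
	defer srv.Close()
	addr := srv.Listener.Addr().String()
	// "stale-instance-id" is a constructed identity the backend does not hold.
	fmt.Println("skip=true,  wrong identity:", dialBackend(addr, "stale-instance-id", pool, true))
	fmt.Println("skip=false, wrong identity:", dialBackend(addr, "stale-instance-id", pool, false))
	fmt.Println("skip=false, right identity:", dialBackend(addr, "example.com", pool, false))
}
```

Only the first call hides the mismatch: with verification skipped, the handshake succeeds against a backend that does not hold the expected identity, even though the trusted pool is configured.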