
Always set SSL verify depth #4165

Merged
merged 1 commit into master from fix/always-honor-verify-depth on Jan 9, 2019

@rainest (Contributor) commented Jan 8, 2019

Summary

The existing template will only set lua_ssl_verify_depth if lua_ssl_trusted_certificate is set also. It should be possible to set verification depth regardless of whether custom CAs are in use. Note that this change will always include this directive, even if using the default (1). This should be the case, as Kong's default depth may diverge from OpenResty's in the future.

Full changelog

  • Modify nginx_kong.lua template to always include lua_ssl_verify_depth directive.
  • Modify tests to check lua_ssl_verify_depth and lua_ssl_trusted_certificates settings independently.

Background

0b180bf originally added this. It looks like it was originally only intended for use with Cassandra when Cassandra's certs are signed by several intermediates before a custom CA, but the setting in question applies to any OpenResty TLS socket. It's necessary to apply this, for example, if the identity provider used with OIDC uses a chain longer than the default, as Azure AD does.
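To make the change concrete, the following is an added illustration (not code taken from this PR or from Kong's repository) of the template logic being described. It assumes Kong's templates use Penlight-style `> if ... then` / `> end` control lines and `${{VAR}}` substitutions; the directive names are the real OpenResty ones named in the description.

```nginx
# Before: the depth directive is nested under the trusted-certificate check,
# so a deployment without a custom CA never gets it rendered and silently
# inherits OpenResty's default depth.
> if lua_ssl_trusted_certificate then
lua_ssl_trusted_certificate '${{LUA_SSL_TRUSTED_CERTIFICATE}}';
lua_ssl_verify_depth ${{LUA_SSL_VERIFY_DEPTH}};
> end

# After: the depth directive is emitted unconditionally; only the CA bundle
# stays conditional. With lua_ssl_trusted_certificate unset this renders as
#   lua_ssl_verify_depth 1;
# (Kong's default), which is still controllable from kong.conf for chains
# with several intermediates, such as the Azure AD case mentioned above.
lua_ssl_verify_depth ${{LUA_SSL_VERIFY_DEPTH}};
> if lua_ssl_trusted_certificate then
lua_ssl_trusted_certificate '${{LUA_SSL_TRUSTED_CERTIFICATE}}';
> end
```

After rendering, a quick `grep lua_ssl_verify_depth nginx-kong.conf` in the Kong prefix directory confirms the directive is present regardless of the CA setting.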

@rainest rainest requested a review from thibaultcha Jan 8, 2019

feat(templates) always set 'lua_ssl_verify_depth' directive
The existing template will only set `lua_ssl_verify_depth` if
`lua_ssl_trusted_certificate` is also set. It should be possible to set
verification depth regardless of whether custom CAs are in use.

Note that this change will always include this directive, even if using
the default (1). This should be the case, as Kong's default depth may
diverge from OpenResty's in the future.

This change is non-breaking since `1` is the default value of this
directive (when unset) as of the current version of OpenResty.

From #4165

Signed-off-by: Thibault Charbonnier <thibaultcha@me.com>

@thibaultcha thibaultcha force-pushed the fix/always-honor-verify-depth branch from 401645d to fe02b21 Jan 9, 2019

@thibaultcha thibaultcha merged commit 0886c23 into master Jan 9, 2019

2 of 3 checks passed

  • continuous-integration/travis-ci/push: The Travis CI build is in progress
  • continuous-integration/travis-ci/pr: The Travis CI build passed
  • license/cla: All CLA requirements met.

@thibaultcha thibaultcha deleted the fix/always-honor-verify-depth branch Jan 9, 2019

@hishamhm hishamhm added this to the 1.0.1 milestone Jan 10, 2019
