Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

envoyconfig: disable validation context when no client certificates are required #4151

Merged
merged 1 commit into from May 4, 2023
Merged

envoyconfig: disable validation context when no client certificates are required #4151

merged 1 commit into from May 4, 2023

Conversation

calebdoxsey
Copy link
Contributor

@calebdoxsey calebdoxsey commented May 4, 2023
edited

Summary

If a ValidationContextType is set for downstream TLS contexts, it will result in the server sending a client certificate request during the TLS handshake. This may prompt the user to choose a client certificate (though it doesn't always result in this behavior).

This PR updates the code to only set the validation context if the global config requires a client certificate, or any of the routes do.

Related issues

Fixes #4150

Checklist

  • reference any related issues
  • updated unit tests
  • add appropriate tag (improvement / bug / etc)
  • ready for review

@calebdoxsey calebdoxsey added bug Something isn't working backport 0-22-0 labels May 4, 2023
@calebdoxsey calebdoxsey requested a review from a team as a code owner May 4, 2023 20:48
@calebdoxsey calebdoxsey requested a review from wasaga May 4, 2023 20:48
@coveralls
Copy link

Coverage Status

Coverage: 63.671% (+0.03%) from 63.644% when pulling 26ac706 on cdoxsey/disable-validation-context into be0104b on main.

@calebdoxsey calebdoxsey merged commit 3325dac into main May 4, 2023
15 checks passed
@calebdoxsey calebdoxsey deleted the cdoxsey/disable-validation-context branch May 4, 2023 21:32
@backport-actions-token backport-actions-token bot mentioned this pull request May 4, 2023
Merged
backport-actions-token bot pushed a commit that referenced this pull request May 4, 2023
@calebdoxsey @github-actions
envoyconfig: disable validation context when no client certificates a…
c73ce02 
…re required (#4151)
calebdoxsey added a commit that referenced this pull request May 4, 2023
@backport-actions-token @calebdoxsey
envoyconfig: disable validation context when no client certificates a…
66dadf7 
…re required (#4152)

envoyconfig: disable validation context when no client certificates are required (#4151)

Co-authored-by: Caleb Doxsey <cdoxsey@pomerium.com>
@wasaga wasaga mentioned this pull request May 10, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@desimone desimone desimone approved these changes

@wasaga wasaga Awaiting requested review from wasaga wasaga is a code owner automatically assigned from pomerium/dev-backend

Assignees
No one assigned
Labels
backport 0-22-0 bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Pomerium v0.22.0 asking users for Certs
3 participants
@calebdoxsey @coveralls @desimone