Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

authorize: allow client certificate intermediates #4451

Merged
merged 1 commit into from Aug 10, 2023
Merged

authorize: allow client certificate intermediates #4451

merged 1 commit into from Aug 10, 2023

Conversation

kenjenkins
Copy link
Contributor

Summary

Update the isValidClientCertificate() method to consider any client-supplied intermediate certificates. Previously, in order to trust client certificates issued by an intermediate CA, users would need to include that intermediate CA's certificate directly in the client_ca setting. After this change, only the trusted root CA needs to be set: as long as the client can supply a set of certificates that chain back to this trusted root, the client's certificate will validate successfully.

This is in preparation for adding a max_verify_depth option, which otherwise wouldn't make sense, as the effective maximum is currently fixed at 1.

Rework the previous CRL checking logic to now consider CRLs for all issuers in the verified chains.

Related issues

Fixes #4256, related to #4353.

User Explanation

Checklist

  • reference any related issues
  • updated docs
  • updated unit tests
  • updated UPGRADING.md
  • add appropriate tag (improvement / bug / etc)
  • ready for review

@kenjenkins kenjenkins requested a review from a team as a code owner August 9, 2023 21:44
@coveralls
Copy link

coveralls commented Aug 9, 2023
edited

Coverage Status

coverage: 63.905% (+0.03%) from 63.874% when pulling ae8b639 on kenjenkins/mtls-intermediates into ac475f4 on main.

@kenjenkins
authorize: allow client certificate intermediates
ae8b639 
Update the isValidClientCertificate() method to consider any
client-supplied intermediate certificates. Previously, in order to trust
client certificates issued by an intermediate CA, users would need to
include that intermediate CA's certificate directly in the client_ca
setting. After this change, only the trusted root CA needs to be set: as
long as the client can supply a set of certificates that chain back to
this trusted root, the client's certificate will validate successfully.

Rework the previous CRL checking logic to now consider CRLs for all
issuers in the verified chains.
@kenjenkins kenjenkins force-pushed the kenjenkins/mtls-intermediates branch from 92455a5 to ae8b639 Compare August 9, 2023 22:13
@kenjenkins kenjenkins merged commit 0fcc3f1 into main Aug 10, 2023
9 checks passed
@kenjenkins kenjenkins deleted the kenjenkins/mtls-intermediates branch August 10, 2023 16:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@calebdoxsey calebdoxsey calebdoxsey approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Client certificates issued by an intermediate CA are not trusted
3 participants
@kenjenkins @coveralls @calebdoxsey