make TLS Mutual Authentication relative instead of absolute #2286

Closed
jaychris opened this issue Oct 19, 2017 · 1 comment

jaychris commented Oct 19, 2017

Do you want to request a feature or report a bug?

I am requesting a feature.

What did you do?

Currently, TLS Mutual Authentication is an "all or nothing" switch: if I have multiple SNIs and set ClientCAFiles (at the entrypoint definition level), then every SNI requires client auth. I think it would make sense to make the entry relative, so that I can have some SSL entrypoints that require TLS mutual auth and some that do not.

Here is a simple example of what I am thinking:

[entryPoints]
  [entryPoints.https]
  address = ":443"
  [entryPoints.https.tls]
    [[entryPoints.https.tls.certificates]]
    clientCAFiles = ["certs/clientca.crt"]
    certFile = "certs/server.crt"
    keyFile = "certs/server.key"
    [[entryPoints.https.tls.certificates]]
    certFile = "certs/server2.crt"
    keyFile = "certs/server2.key"

In the config above, clientCAFiles would apply only to the first SNI (server1), but not the 2nd (server2).

What did you expect to see?

I would expect to be able to use ClientCAFiles in a way that is not an "all or nothing" switch.

What did you see instead?

Using ClientCAFiles means that everything in that entrypoint uses it, or nothing does.

Output of traefik version: (What version of Traefik are you using?)

Version:      v1.4.0-rc4
Codename:     roquefort
Go version:   go1.9
Built:        2017-10-02_02:19:32PM
OS/Arch:      linux/amd64

What is your environment & configuration (arguments, toml, provider, platform, ...)?

[entryPoints]
  [entryPoints.https]
  address = ":443"
  clientCAFiles = ["certs/clientca.crt"]
  [entryPoints.https.tls]
    [[entryPoints.https.tls.certificates]]
    certFile = "certs/server.crt"
    keyFile = "certs/server.key"
    [[entryPoints.https.tls.certificates]]
    certFile = "certs/server2.crt"
    keyFile = "certs/server2.key"

[web]
address = ":8080"

[consulCatalog]
endpoint = "172.17.0.1:8500"
exposedByDefault = false
prefix = "traefik"

nmengin commented Oct 20, 2017

Hello @jaychris. Many thanks for your interest in the project.

I understand you have a problem because setting clientCAFile on an entrypoint forces all its clients to provide a CAFile.

Unfortunately, the Go handshake method does not allow using TLS Mutual Authentication only for named domains.

However, I think this use case can be resolved by the modification described in the proposal #2288.

That's why I close this issue and let you re-open it if necessary.

@nmengin nmengin closed this as completed Oct 20, 2017
@traefiker traefiker added this to the 1.5 milestone Nov 10, 2017
@traefik traefik locked and limited conversation to collaborators Sep 1, 2019
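The request above is for a client-certificate requirement that follows the SNI name instead of the whole entrypoint. As an added, stand-alone Go example (not Traefik code, and not from either participant in the thread), the block below shows the crypto/tls mechanism a Go server can use for this: GetConfigForClient, available since Go 1.8, returns a separate tls.Config per ClientHello, so ClientAuth can be RequireAndVerifyClientCert for one ServerName and NoClientCert for another. The names server1.example and server2.example, the in-memory test CA and the loopback test harness are constructed for the example; in a real deployment the client CA pool would be loaded from the clientCAFiles path.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// newCert issues a short-lived P-256 certificate for name in an in-memory test PKI (constructed
// for this example); parent == nil means self-signed. Test shortcut: every cert carries certSign
// plus the serverAuth and clientAuth EKUs, so one helper serves as CA, server and client cert.
func newCert(name string, isCA bool, parent *tls.Certificate) *tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, BasicConstraintsValid: true, IsCA: isCA,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	signerCert, signerKey := tmpl, interface{}(key)
	if parent != nil {
		signerCert, signerKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil { panic(err) }
	leaf, _ := x509.ParseCertificate(der)
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// ServerConfig makes the client-certificate policy follow the SNI name: server1.example requires a
// cert signed by clientCA, server2.example asks for none. GetConfigForClient (Go 1.8+) is consulted
// once per ClientHello and the Config it returns is the one the rest of the handshake uses.
func ServerConfig(server1, server2 tls.Certificate, clientCA *x509.CertPool) *tls.Config {
	strict := &tls.Config{Certificates: []tls.Certificate{server1},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: clientCA}
	open := &tls.Config{Certificates: []tls.Certificate{server2}, ClientAuth: tls.NoClientCert}
	return &tls.Config{ // no certificate in the base config: an unmatched name cannot succeed
		GetConfigForClient: func(hello *tls.ClientHelloInfo) (*tls.Config, error) {
			switch hello.ServerName {
			case "server1.example":
				return strict, nil
			case "server2.example":
				return open, nil
			}
			return nil, fmt.Errorf("no TLS policy for server name %q", hello.ServerName) // fail closed
		},
	}
}

// handshake runs one TLS handshake over loopback TCP and reports whether both sides completed it.
// clientCert == nil means the client presents no certificate.
func handshake(srv *tls.Config, serverName string, clientCert *tls.Certificate, roots *x509.CertPool) bool {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil { panic(err) }
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err != nil { srvErr <- err; return }
		defer conn.Close()
		conn.SetDeadline(time.Now().Add(5 * time.Second)) // a stuck peer fails instead of hanging
		srvErr <- tls.Server(conn, srv).Handshake()
	}()
	cliCfg := &tls.Config{ServerName: serverName, RootCAs: roots}
	if clientCert != nil {
		cliCfg.Certificates = []tls.Certificate{*clientCert}
	}
	cli, cerr := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if cerr == nil {
		io.Copy(io.Discard, cli) // drain until the server closes so neither side drops unread records
		cli.Close()
	}
	return <-srvErr == nil && cerr == nil
}

// RunScenarios builds the test PKI and exercises the interesting cases; true means the handshake
// completed on both sides. One CA plays both the client-CA (clientCAFiles) and the server-root
// role here; in a deployment those would normally be separate files.
func RunScenarios() map[string]bool {
	ca := newCert("test-ca", true, nil)
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	cfg := ServerConfig(*newCert("server1.example", false, ca), *newCert("server2.example", false, ca), pool)
	client := newCert("client", false, ca)
	return map[string]bool{
		"server1 with client cert":    handshake(cfg, "server1.example", client, pool),
		"server1 without client cert": handshake(cfg, "server1.example", nil, pool),
		"server2 without client cert": handshake(cfg, "server2.example", nil, pool),
		"unknown server name":         handshake(cfg, "other.example", nil, pool),
	}
}
```

Two design points matter from a defender's view. The base Config carries no certificate and the selector returns an error for any name it does not know, so a ClientHello without SNI or with an unexpected name fails closed instead of quietly landing in the no-client-cert branch. And the per-name configs are built once and shared across connections rather than assembled per ClientHello, because a tls.Config must not be modified after it has been handed to a connection.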