Bug
Resolution: Unresolved
maistra-2.2.0
We have found an issue when implementing permissive mTLS, where one port is used to serve both mTLS and plain TLS connections. This uses the Envoy route-match feature: by configuring a route match that requires the client certificate to be presented and validated, we can enforce mTLS on specific routes only.
What we have observed is that this feature works with 2.4 but does not work in 2.5.
We also tested the OpenSSL 3 version, which also works.
Since we need support for RHEL 8 we can't use the OpenSSL 3 version, so we have to stick to RHEL 8.
The enclosed tar file (mtls_issue.tar.gz) has simple certs, keys, and an mTLS test script based on curl.
Envoy files
-----------
* dynamic.yml is the config file for Envoy
* lds.yml is the listener discovery file, which has the route with presented/validated
* validation_context_sds_secret.yaml is the dynamic trusted CA file loader
* cert.pem
* key.pem
* cacert.pem is the trusted CA file, which contains the client's cert
To test this:
- Extract the tar file into a directory:
    mkdir ~/testing
    cd ~/testing
    tar -xvzf mtls_issue.tar.gz
- Start up either the 2.4 or the 2.5 Envoy server using podman:
    # 2.5 version fails when we try to do mTLS
    podman run -ti -p 10000:10000 --rm -v `pwd`:/tmp --entrypoint='["/usr/local/bin/envoy", "-c", "/tmp/dynamic.yml"]' registry.redhat.io/openshift-service-mesh/proxyv2-rhel8:2.5.5-6
    # 2.4 works when we try to do mTLS
    podman run -ti -p 10000:10000 --rm -v `pwd`:/tmp --entrypoint='["/usr/local/bin/envoy", "-c", "/tmp/dynamic.yml"]' registry.redhat.io/openshift-service-mesh/proxyv2-rhel8:2.4.11-5
  Once the server is started you can run the test from the mtls_client directory.
- Bring up a new terminal window:
    cd ~/testing/mtls_client
    # client.cert is the same as the cacert.pem
    curl -k -v --cert client.cert --key client.key https://localhost:10000/
  Since client.cert is the same as cacert.pem, Envoy should let this connection through and we should get a message back in the payload:
    Hello permissive mTLS
What we noticed is that this works with 2.4 but is broken with 2.5.