Uploaded image for project: 'Red Hat 3scale API Management'
  1. Red Hat 3scale API Management
  2. THREESCALE-10156

Make ssl_verify_client directive configurable

XMLWordPrintable

    • RHOAM Sprint 63, RHOAM Sprint 64, RHOAM Sprint 65

      Because APIcast has `ssl_verify_client optional_no_ca;`, it will always request Client Certificates. Normally this behavior is fine, but in the case that the API is used to serve a frontend application, it results in browsers always prompting the user to select a Client Certificate if they have ANY client certificates configured when browsing to the service. In this scenario it would be useful to make this option configurable. 

      Developer Notes:

      Because this option was specifically selected to support the TLS Client Certificate policy [1], changing this setting may make the gateway incompatible with this policy so a proper warning should be in place. Similar to our "path routing is not compatible with TLS" [2] message.

       [1]https://github.com/3scale/APIcast/pull/966

       [2]https://github.com/3scale/APIcast/blob/32b8f077e3fde559bded7ff8cd25406236e4ef6a/gateway/src/apicast/policy/find_service/find_service.lua#L58

              Unassigned Unassigned
              rhn-support-spoole Shannon Poole
              Darren Fennessy Darren Fennessy
              Matej Dujava Matej Dujava
              An Tran An Tran
              Votes:
              4 Vote for this issue
              Watchers:
              11 Start watching this issue

                Created:
                Updated: