[THREESCALE-11404] Support Client Certificate revocation in APIcast

Type: Feature Request
Resolution: Unresolved
Priority: Major
Fix Version/s: 2.16.0 GA
Affects Version/s: SaaS, 2.14.3 GA
Component/s: Gateway
Labels:

Blocked:
False
Blocked Reason:
None
Ready:
False
3Scale PT Tested upstream:
Not Started
3scale PT Docs:
Not Started
3scale PT Product Specs:
Not Started
3scale PT Product Update Ready:
Not Started
3scale PT Released In Saas:
Not Started
3scale PT Verified Product:
Not Started
Target Release:

2.16.0 GA
Intelligence Requested:
Market:

Sprint:
RHOAM Sprint 66, RHOAM Sprint 67, RHOAM Sprint 68, RHOAM Sprint 69, RHOAM Sprint 70, RHOAM Sprint 71

SFDC Cases Links:
SFDC Cases Counter:
SFDC Cases Open:

NGINX provides a couple of different ways to validate if client certificates have been revoked.

The first is through the ssl_crl directive (Certificate Revocation List)
http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_crl

The second is through the ssl_ocsp* directives (Online Certificate Status Protocol)
http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ocsp

Currently there is no way to configure these in APIcast and ideally these could be configured in the TLS Client Certificate Validation policy

is blocked by

THREESCALE-11038 Extend apicast-nginx-module with new ffi function to retrieve TLS certificates from the request

Closed

is documented by

THREESCALE-10156 Make ssl_verify_client directive configurable

To Test (QE)

mentioned on

Merge request - Updated US source to: 5f7cb92 Merge pull request #1503 from tkan145/THREESCALE-11404-crl-and-ocsp

GitLab CEE Bot added a comment - 2025/03/10 7:14 PM

CPaaS Service Account mentioned this issue in merge request !534 of 3scale / Apicast Midstream on branch 3scale-amp-2_upstream_af4eb28a053e3ce7db5eb9cb49b05a66:

Updated US source to: 5f7cb92 Merge pull request #1503 from tkan145/THREESCALE-11404-crl-and-ocsp

GitLab CEE Bot added a comment - 2025/03/10 7:14 PM CPaaS Service Account mentioned this issue in merge request !534 of 3scale / Apicast Midstream on branch 3scale-amp-2_ upstream _af4eb28a053e3ce7db5eb9cb49b05a66 : Updated US source to: 5f7cb92 Merge pull request #1503 from tkan145/ THREESCALE-11404 -crl-and-ocsp

An Tran added a comment - 2024/10/09 4:19 AM

Yes we can do this.

We can just simply call ffi function from APIcast.
- https://github.com/3scale/APIcast/blob/master/gateway/src/resty/openssl/x509/store.lua#L15
Openresty supports ocsp out of the box

- https://github.com/openresty/lua-resty-core/blob/master/lib/ngx/ocsp.md

rhn-support-spoole can you please attach the case number?

An Tran added a comment - 2024/10/09 4:19 AM Yes we can do this. We can just simply call ffi function from APIcast. https://github.com/3scale/APIcast/blob/master/gateway/src/resty/openssl/x509/store.lua#L15 Openresty supports ocsp out of the box https://github.com/openresty/lua-resty-core/blob/master/lib/ngx/ocsp.md rhn-support-spoole can you please attach the case number?

Assignee:: Unassigned

Reporter:: Shannon Poole

Developer:: An Tran

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Created:: 2024/10/08 2:34 PM

Updated:: 2025/03/12 11:50 AM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

Collapse comment: GitLab CEE Bot added a comment - 2025/03/10 7:14 PM

Expand comment: GitLab CEE Bot added a comment - 2025/03/10 7:14 PM

Collapse comment: An Tran added a comment - 2024/10/09 4:19 AM

Expand comment: An Tran added a comment - 2024/10/09 4:19 AM

People

Dates