Uploaded image for project: 'Red Hat 3scale API Management'
  1. Red Hat 3scale API Management
  2. THREESCALE-2205

APIcast reuses the same HTTPS session for requests on different domains

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed (View Workflow)
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 2.3 GA, 2.4 GA, SaaS
    • Fix Version/s: 2.5.1
    • Component/s: Gateway
    • Labels:
    • Target Release:
    • QE Test Coverage:
      +

      Description

      When OpenID connect is used, and there are multiple OpenID Connect issuers with different subdomains, but using the same IP, APIcast reuses the same HTTPS session, which results in SNI check fail, because the hostname provided via SNI and hostname sent in HTTP Host header are different.

      The logs in APIcast look as follows:

      2019/03/29 12:22:32 [debug] 27#27: *2 [lua] resolver.lua:388: get_servers(): query for sudomain-one.example.com finished with 1 answers
      2019/03/29 12:22:32 [debug] 27#27: *2 [lua] resolver.lua:328: lookup(): resolver query: 213.214.215.216
      2019/03/29 12:22:32 [debug] 27#27: *2 [lua] resolver.lua:333: lookup(): host is ip address: 213.214.215.216
      2019/03/29 12:22:32 [debug] 27#27: *2 [lua] resolver.lua:348: lookup(): resolver query: 213.214.215.216 finished with 1 answers
      2019/03/29 12:22:32 [debug] 27#27: *2 [lua] resolver.lua:388: get_servers(): query for 213.214.215.216 finished with 1 answers
      2019/03/29 12:22:32 [debug] 27#27: *2 [lua] http.lua:50: connect(): connected to  ip:213.214.215.216 host: 213.214.215.216 port: 443 ok: 1 err: nil
      2019/03/29 12:22:32 [debug] 27#27: *2 [lua] proxy.lua:24: new(): connection to sudomain-one.example.com:443 established, reused times: 0
      2019/03/29 12:22:32 [debug] 27#27: *2 [lua] http.lua:633: send_request(): 
      GET /auth/realms/realm-name/.well-known/openid-configuration HTTP/1.1
      >>> Request successful
      
      2019/03/29 12:22:32 [debug] 27#27: *2 [lua] resolver.lua:388: get_servers(): query for sudomain-one.example.com finished with 1 answers
      2019/03/29 12:22:32 [debug] 27#27: *2 [lua] resolver.lua:328: lookup(): resolver query: 213.214.215.216
      2019/03/29 12:22:32 [debug] 27#27: *2 [lua] resolver.lua:333: lookup(): host is ip address: 213.214.215.216
      2019/03/29 12:22:32 [debug] 27#27: *2 [lua] resolver.lua:348: lookup(): resolver query: 213.214.215.216 finished with 1 answers
      2019/03/29 12:22:32 [debug] 27#27: *2 [lua] resolver.lua:388: get_servers(): query for 213.214.215.216 finished with 1 answers
      2019/03/29 12:22:32 [debug] 27#27: *2 [lua] http.lua:50: connect(): connected to  ip:213.214.215.216 host: 213.214.215.216 port: 443 ok: 1 err: nil
      2019/03/29 12:22:32 [debug] 27#27: *2 [lua] proxy.lua:24: new(): connection to sudomain-one.example.com:443 established, reused times: 1
      2019/03/29 12:22:32 [debug] 27#27: *2 [lua] http.lua:633: send_request(): 
      GET /auth/realms/realm-name/protocol/openid-connect/certs HTTP/1.1
      >>> Request successful
      
      2019/03/29 12:22:35 [debug] 27#27: *2 [lua] resolver.lua:388: get_servers(): query for sudomain-two.example.com finished with 1 answers
      2019/03/29 12:22:35 [debug] 27#27: *2 [lua] resolver.lua:328: lookup(): resolver query: 213.214.215.216
      2019/03/29 12:22:35 [debug] 27#27: *2 [lua] resolver.lua:333: lookup(): host is ip address: 213.214.215.216
      2019/03/29 12:22:35 [debug] 27#27: *2 [lua] resolver.lua:348: lookup(): resolver query: 213.214.215.216 finished with 1 answers
      2019/03/29 12:22:35 [debug] 27#27: *2 [lua] resolver.lua:388: get_servers(): query for 213.214.215.216 finished with 1 answers
      2019/03/29 12:22:35 [debug] 27#27: *2 [lua] http.lua:50: connect(): connected to  ip:213.214.215.216 host: 213.214.215.216 port: 443 ok: 1 err: nil
      2019/03/29 12:22:35 [debug] 27#27: *2 [lua] proxy.lua:24: new(): connection to sudomain-two.example.com:443 established, reused times: 2
      2019/03/29 12:22:35 [debug] 27#27: *2 [lua] http.lua:633: send_request(): 
      GET /auth/realms/realm-name/.well-known/openid-configuration HTTP/1.1
      >>> Request successful
      

      Note that in the 3rd request the request to sudomain-two.example.com reuses the connection of sudomain-one.example.com (reused times: 2)

      This is reproduced in APIcast v3.3 and v3.4.

        Attachments

          Activity

            People

            Assignee:
            ecotoper Eloy Coto
            Reporter:
            mayorova Daria Mayorova
            Developer:
            David Ortiz David Ortiz
            Votes:
            0 Vote for this issue
            Watchers:
            6 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: