Uploaded image for project: 'Red Hat 3scale API Management'
  1. Red Hat 3scale API Management
  2. THREESCALE-7363

Upstream Mutual TLS (mTLS) between APIcast and the Backend API fails when more than a single certificate is used

    XMLWordPrintable

Details

    • False
    • False
    • Not Started
    • Not Started
    • Not Started
    • Not Started
    • Not Started
    • Not Started
    • No
    • +
    • Undefined
    • Hide

      The steps below could be reproduced using both the "embedded" and "path" options from the "Upstream Mutual TLS" Policy:

      1. Send a mTLS request from a file containing a chain of certificates (e.g. Client, Intermediate and Root).
      2. APIcast sends a Certificate.
      3. The Server responds with a failure (unable to validate the client's identity).
      4. It's possible to narrow down that a Certificate has been sent (e.g. it's not a "no client certificate was sent" error), however we suspect that APIcast is not sending it correctly (more details on "Description").
      Show
      The steps below could be reproduced using both the "embedded" and "path" options from the "Upstream Mutual TLS" Policy: Send a mTLS request from a file containing a chain of certificates (e.g. Client, Intermediate and Root). APIcast sends a Certificate. The Server responds with a failure (unable to validate the client's identity). It's possible to narrow down that a Certificate has been sent (e.g. it's not a "no client certificate was sent" error), however we suspect that APIcast is not sending it correctly (more details on "Description").

    Description

      NOTE: Red Hat Support has confirmed that the "Upstream Mutual TLS" Policy works properly when sending a single client level certificate. Hence, this issue is limited to when a chain of certificates (including Intermediates and CA) needs to be sent.

      The order of the certificates on the tested chain is: Client, Intermediates and CA.

      A 'curl' level call from the 'apicast-staging' pod works:

      $ oc rsh dc/apicast-staging

sh-4.4$ curl --cert /path/to/file.crt --key /path/to/file.key https://<MTLS Backend API>

      (The above returns either 200/OK or the expected answer from the Backend API, without any mTLS validation errors or issues)

      While a call from APIcast with the "Upstream Mutual TLS" Policy containing exactly the same files mounted in the pod (or them attached as "embedded") fails. We currently suspect that this is happening because it's not sending the Intermediate and Root CA when a chain containing them is used, only the first (Client level) one.

      Attachments

        Issue Links

          is related to

          Feature Request - Feature requests from customers and/or users THREESCALE-7362 Improve the APIcast "debug" logs from when using "Mutual TLS"

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Activity

            People

              Unassigned Unassigned
              rhn-support-ekonecsn Estevao Konecsni
              David Rajnoha David Rajnoha (Inactive)
              Eloy Coto Eloy Coto (Inactive)
              Eloy Coto Eloy Coto (Inactive)
              Votes:
              1 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: