Red Hat 3scale API Management / THREESCALE-7363

Upstream Mutual TLS (mTLS) between APIcast and the Backend API fails when more than a single certificate is used


The steps below can be reproduced using both the "embedded" and "path" options of the "Upstream Mutual TLS" Policy:

1. Send an mTLS request using a file containing a chain of certificates (e.g. Client, Intermediate and Root).
2. APIcast sends a certificate.
3. The server responds with a failure (unable to validate the client's identity).
4. It is possible to confirm that a certificate was sent (the error is not a "no client certificate was sent" error); however, we suspect that APIcast is not sending it correctly (more details in "Description").

NOTE: Red Hat Support has confirmed that the "Upstream Mutual TLS" Policy works properly when a single client-level certificate is sent. Hence, this issue is limited to the case where a chain of certificates (including Intermediates and CA) needs to be sent.

The order of the certificates in the tested chain is: Client, Intermediates and CA.

A 'curl'-level call from the 'apicast-staging' pod works:

$ oc rsh dc/apicast-staging
sh-4.4$ curl --cert /path/to/file.crt --key /path/to/file.key https://<MTLS Backend API>

(The above returns either 200 OK or the expected answer from the Backend API, without any mTLS validation errors or issues.)

A call from APIcast with the "Upstream Mutual TLS" Policy, using exactly the same files mounted in the pod (or attached as "embedded"), fails. We currently suspect that this happens because APIcast is not sending the Intermediate and Root CA certificates when a chain containing them is used, only the first (client-level) one.
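Before comparing what curl and APIcast present to the backend, it helps to know exactly what the mounted (or embedded) certificate file contains: how many CERTIFICATE blocks it holds, in which order, and the SHA-256 fingerprint of each, so the list can be matched against what the backend logs as the received client chain. The script below is an added example for that check; it is not part of this issue or of the APIcast project. The PEM bundle it ships with is constructed from placeholder bytes (not real certificates) so that it runs offline; point `describe_bundle` at the real file to inspect it.

```python
"""Inspect a PEM certificate bundle intended for the Upstream Mutual TLS policy.

Reports the number of CERTIFICATE blocks, their order, and SHA-256 fingerprints
of the DER bytes (the same digest 'openssl x509 -sha256 -fingerprint' prints,
without colons), and flags a single-certificate file or a private key that
was pasted into the certificate file by mistake.
"""
import base64
import hashlib
import re
import sys

# One PEM CERTIFICATE block; the base64 body may span several lines.
_CERT_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
# Any private-key armour that has no business being in a certificate file.
_KEY_MARKER = re.compile(r"-----BEGIN (?:RSA |EC |ENCRYPTED )?PRIVATE KEY-----")


def split_pem_bundle(text: str) -> list[bytes]:
    """Return the DER bytes of every CERTIFICATE block, in file order.

    File order matters: TLS expects the client (leaf) certificate first,
    followed by the intermediates, with the root last (or omitted).
    """
    ders = []
    for match in _CERT_BLOCK.finditer(text):
        body = "".join(match.group(1).split())  # drop line breaks inside the base64
        ders.append(base64.b64decode(body, validate=True))
    return ders


def fingerprint(der: bytes) -> str:
    """Hex SHA-256 of the DER encoding, upper-case, no colons."""
    return hashlib.sha256(der).hexdigest().upper()


def describe_bundle(text: str) -> dict:
    """Summarise a bundle: count, ordered fingerprints and any findings."""
    ders = split_pem_bundle(text)
    findings = []
    if not ders:
        findings.append("no CERTIFICATE block found")
    elif len(ders) == 1:
        findings.append("single certificate: no intermediates will be presented")
    if _KEY_MARKER.search(text):
        findings.append("private key block present in certificate file; keep the key in its own file")
    return {
        "count": len(ders),
        "fingerprints": [fingerprint(d) for d in ders],
        "findings": findings,
    }


def wrap_as_pem(payload: bytes) -> str:
    """Wrap arbitrary bytes in CERTIFICATE armour (used only to build the constructed sample)."""
    b64 = base64.encodebytes(payload).decode("ascii")  # 76-column lines, trailing newline
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"


# Constructed sample: three placeholder blocks in the order the issue describes
# (Client, Intermediate, Root). These are NOT real certificates.
SAMPLE_BUNDLE = "".join(wrap_as_pem(p) for p in (
    b"constructed placeholder: client leaf certificate",
    b"constructed placeholder: intermediate CA certificate",
    b"constructed placeholder: root CA certificate",
))


if __name__ == "__main__":
    # Usage: python inspect_bundle.py /path/to/file.crt  (defaults to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    report = describe_bundle(text)
    print(f"certificates in bundle: {report['count']}")
    for i, fp in enumerate(report["fingerprints"]):
        print(f"  [{i}] SHA256={fp}")
    for finding in report["findings"]:
        print(f"  WARNING: {finding}")
```

If the file reports three fingerprints but the backend only records the first one for the APIcast request while recording all three for the curl request from the same pod, that isolates the difference to how the policy loads the chain rather than to the file itself.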

Assignee: Unassigned
People: Estevao Konecsni (rhn-support-ekonecsn), David Rajnoha (Inactive), Eloy Coto