Uploaded image for project: 'Red Hat 3scale API Management'
  1. Red Hat 3scale API Management
  2. THREESCALE-7363

Upstream Mutual TLS (mTLS) between APIcast and the Backend API fails when more than a single certificate is used

    XMLWordPrintable

Details

    • No
    • Hide

      The steps below could be reproduced using both the "embedded" and "path" options from the "Upstream Mutual TLS" Policy:

      1. Send a mTLS request from a file containing a chain of certificates (e.g. Client, Intermediate and Root).
      2. APIcast sends a Certificate.
      3. The Server responds with a failure (unable to validate the client's identity).
      4. It's possible to narrow down that a Certificate has been sent (e.g. it's not a "no client certificate was sent" error), however we suspect that APIcast is not sending it correctly (more details on "Description").
      Show
      The steps below could be reproduced using both the "embedded" and "path" options from the "Upstream Mutual TLS" Policy: Send a mTLS request from a file containing a chain of certificates (e.g. Client, Intermediate and Root). APIcast sends a Certificate. The Server responds with a failure (unable to validate the client's identity). It's possible to narrow down that a Certificate has been sent (e.g. it's not a "no client certificate was sent" error), however we suspect that APIcast is not sending it correctly (more details on "Description").
    • +

    Description

      NOTE: Red Hat Support has confirmed that the "Upstream Mutual TLS" Policy works properly when sending a single client level certificate. Hence, this issue is limited to when a chain of certificates (including Intermediates and CA) needs to be sent.

      The order of the certificates on the tested chain is: Client, Intermediates and CA.

      A 'curl' level call from the 'apicast-staging' pod works:

      $ oc rsh dc/apicast-staging
      
      sh-4.4$ curl --cert /path/to/file.crt --key /path/to/file.key https://<MTLS Backend API>
      

      (The above returns either 200/OK or the expected answer from the Backend API, without any mTLS validation errors or issues)

      While a call from APIcast with the "Upstream Mutual TLS" Policy containing exactly the same files mounted in the pod (or them attached as "embedded") fails. We currently suspect that this is happening because it's not sending the Intermediate and Root CA when a chain containing them is used, only the first (Client level) one.

      Attachments

        Issue Links

          Activity

            People

              Unassigned Unassigned
              rhn-support-ekonecsn Estevao Konecsni
              Eloy Coto Eloy Coto
              Eloy Coto Eloy Coto
              David Rajnoha David Rajnoha
              Votes:
              1 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: