Open rhyswilliamsza opened 2 years ago
Example fix that may have cascading effects. Not sure if this should also be applied to global certificates, perhaps only to specific upstream certificates. For example, if someone specifies a * upstream_cert, this may be a breaking change.
https://github.com/rhyswilliamsza/tyk/commit/1a5b189b0f87f66b2fd07ac72e6dec57b8cb6e2a
Hi @rhyswilliamsza,
Thank you for taking the time to submit this issue. I'll relay to our internal engineers for the next steps. We will continue to provide updates here as updates come through.
Branch/Environment/Version
Describe the bug
Due to the golang tls implementation for client certificates, the configured upstream mTLS certificate for a particular app will not always be used. This is dependent on the certificates offered by the server.
Reproduction steps
Steps to reproduce the behavior:
1. upstream_certificates for a particular app.
2. mTLS that requires a specific client keypair be offered, however does not present the corresponding private key as part of its Server Hello (i.e. separate accepted certificates keystore vs presented certificates keystore).
Actual behavior
Even though a specific client certificate is configured, this certificate is only offered in specific circumstances, preventing a complete TLS handshake in some extraordinary configurations.
Expected behavior
Regardless of the server hello, Tyk should always present the configured upstream client certificate to the server.
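To make the Go behaviour behind this report concrete, here is an added example (it is not Tyk's code and not the linked commit) that drives two client configurations through a TLS handshake over an in-memory pipe: one that only populates tls.Config.Certificates, which is the shape the report describes, and one that pins the configured certificate through Go's GetClientCertificate hook. The server requests a client certificate and advertises either the client certificate's own issuer or an unrelated CA in its CertificateRequest. The helper names (selfSigned, defaultSelection, alwaysPresent, clientCertSeen), the host name upstream.test and every certificate are constructed for this example; the tls.Config fields it relies on (Certificates, GetClientCertificate, ClientAuth, ClientCAs, SessionTicketsDisabled) are the standard library's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// selfSigned mints a throwaway self-signed ECDSA P-256 certificate (constructed test material).
func selfSigned(cn string, dnsNames []string) (tls.Certificate, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		DNSNames:     dnsNames,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	leaf, err := x509.ParseCertificate(der)
	must(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf
}

// defaultSelection is the shape the issue describes: crypto/tls offers a chain only if its issuer is listed.
func defaultSelection(cert tls.Certificate) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{cert}}
}

// alwaysPresent is the requested behaviour: return the configured cert whatever the server lists.
func alwaysPresent(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		GetClientCertificate: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
			return &cert, nil
		},
	}
}

// clientCertSeen runs one handshake over an in-memory pipe against a server whose
// CertificateRequest lists acceptedCA, and reports whether the client presented a certificate.
func clientCertSeen(acceptedCA *x509.Certificate, clientCfg *tls.Config) (bool, error) {
	serverCert, serverLeaf := selfSigned("upstream.test", []string{"upstream.test"})
	clientCAs, roots := x509.NewCertPool(), x509.NewCertPool()
	clientCAs.AddCert(acceptedCA)
	roots.AddCert(serverLeaf)
	serverCfg := &tls.Config{
		Certificates:           []tls.Certificate{serverCert},
		ClientAuth:             tls.RequestClientCert, // request only, never verify: we just observe
		ClientCAs:              clientCAs,             // becomes certificate_authorities in CertificateRequest
		SessionTicketsDisabled: true,                  // no post-handshake write that would block the pipe
	}
	cfg := clientCfg.Clone()
	cfg.RootCAs, cfg.ServerName = roots, "upstream.test"
	cConn, sConn := net.Pipe()
	defer cConn.Close()
	defer sConn.Close()
	cConn.SetDeadline(time.Now().Add(10 * time.Second)) // a stuck handshake fails instead of hanging
	sConn.SetDeadline(time.Now().Add(10 * time.Second))
	var seen bool
	done := make(chan error, 1)
	go func() {
		srv := tls.Server(sConn, serverCfg)
		err := srv.Handshake()
		seen = len(srv.ConnectionState().PeerCertificates) > 0
		done <- err
	}()
	if err := tls.Client(cConn, cfg).Handshake(); err != nil {
		return false, err
	}
	err := <-done
	return seen, err
}

func main() {
	clientCert, clientLeaf := selfSigned("tyk-client", nil)
	_, unrelatedCA := selfSigned("unrelated-ca", nil)
	report := func(name string, ca *x509.Certificate, cfg *tls.Config) {
		seen, err := clientCertSeen(ca, cfg)
		fmt.Printf("%-44s presented=%v err=%v\n", name, seen, err)
	}
	report("Certificates only, issuer listed", clientLeaf, defaultSelection(clientCert))
	report("Certificates only, unrelated CA listed", unrelatedCA, defaultSelection(clientCert))
	report("GetClientCertificate, unrelated CA listed", unrelatedCA, alwaysPresent(clientCert))
}
```

With Certificates alone, the handshake still completes but the server sees no client certificate whenever the advertised CA list does not contain the certificate's issuer, which is the silent failure the report describes; pinning the certificate in GetClientCertificate makes it be offered regardless, and the server's own verification policy then decides whether to accept it. The pipe deadline and SessionTicketsDisabled exist only so the in-memory handshake cannot block.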