emissary-ingress / emissary

open source Kubernetes-native API gateway for microservices built on the Envoy Proxy
https://www.getambassador.io
Apache License 2.0
4.37k stars 685 forks

backend's certificates validation in TLS origination #1646

Open rafaeloening-barigui opened 5 years ago

rafaeloening-barigui commented 5 years ago

Please describe your use case / problem.

The SSL negotiation to a backend application with a generic certificate is accepted. The ambassador does not verify the CN or SubjectAltName of the application certificate. In the documentation there is the following information:

Ambassador will assume it can trust the services in your cluster so will default to not validating the backend's certificates. This allows for your backend services to use self-signed certificates with ease. https://www.getambassador.io/reference/core/tls/#tls-origination

Describe the solution you'd like

I would like a configuration parameter to change this default behavior to enable this SSL verification.

Describe alternatives you've considered

None.

Additional context

None.

stale[bot] commented 5 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

dwj300 commented 1 year ago

Not stale. Can we pass through a validation_context to support this? See https://www.envoyproxy.io/docs/envoy/latest/start/quick-start/securing#start-quick-start-securing-validation
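For reference, an added example (not part of the comment above and not Emissary's own configuration): two raw Envoy v3 upstream clusters, one originating TLS without a validation_context and one with it. The cluster names, the hostname backend.example.internal and the CA file path are assumptions made for illustration.

```yaml
# Constructed Envoy v3 cluster fragments. Names, hostname and file path
# are assumptions, not values taken from the issue.
clusters:
# Behaviour reported in the issue: TLS is originated, but with no
# validation_context Envoy does not verify the backend's certificate.
- name: backend_unverified
  type: STRICT_DNS
  load_assignment:
    cluster_name: backend_unverified
    endpoints:
    - lb_endpoints:
      - endpoint:
          address:
            socket_address: { address: backend.example.internal, port_value: 443 }
  transport_socket:
    name: envoy.transport_sockets.tls
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
      sni: backend.example.internal

# Requested behaviour: the chain must verify against trusted_ca and the
# certificate must carry a matching DNS SubjectAltName.
- name: backend_verified
  type: STRICT_DNS
  load_assignment:
    cluster_name: backend_verified
    endpoints:
    - lb_endpoints:
      - endpoint:
          address:
            socket_address: { address: backend.example.internal, port_value: 443 }
  transport_socket:
    name: envoy.transport_sockets.tls
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
      sni: backend.example.internal
      common_tls_context:
        validation_context:
          trusted_ca:
            filename: /etc/ssl/certs/backend-ca.pem   # assumed path to the CA bundle
          match_typed_subject_alt_names:             # checks SAN entries, not the CN
          - san_type: DNS
            matcher:
              exact: backend.example.internal
```

Setting trusted_ca alone verifies the chain only; the SAN matcher is what rejects a valid certificate issued for a different name.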

cindymullins-dw commented 1 year ago

Thanks, @dwj300, for your comment. I came across this blog for context. Does this address the functionality in Ambassador that you're looking for? Are you open to contributing to this change?

aburan28 commented 1 year ago

I can take a stab at adding this functionality, @cindymullins-dw.