Verification of certificate SPKI and hash #7239
Summary

Hey, I'm looking for the equivalent of https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings, and is it possible to configure Kong? Envoy is also using BoringSSL, which is based on OpenSSL, and I think both settings are not specific to BoringSSL. If Kong does not support it, how can we implement it? Thanks!
Replies: 1 comment
@jakubdyszkiewicz I think the closest feature to those options is in the mtls-auth plugin. If I understand correctly, `verifyCertificateHash` looks for the SHA-256 digest of the client cert, while `verifyCertificateSpki` looks for the SHA-256 digest of the client cert's public key (https://github.com/envoyproxy/envoy/blob/a12869fa9e9add4301a700978d5489e6a0cc0526/source/extensions/transport_sockets/tls/cert_validator/default_validator.cc#L330-L367). Those are currently not supported by the mtls-auth plugin; it supports the `subjectAltNames` option in Envoy though. There's an EE ticket planned for the `verifyCertificateHash` equivalent; we can prioritize it if needed.
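As an added example (not code from this discussion, Kong or Envoy), the two digests the reply describes computed and matched in Go in the encodings Envoy's `verify_certificate_hash` (hex SHA-256 of the DER certificate) and `verify_certificate_spki` (base64 SHA-256 of the DER SubjectPublicKeyInfo) use; the client certificate is a throwaway self-signed one constructed in the code, and `Verify` deliberately fails closed when no pins are configured, which differs from Envoy, which only runs the check when at least one list is set.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/hex"
	"math/big"
	"strings"
	"time"
)

// Pins: hex SHA-256 of the DER cert (verify_certificate_hash) and base64 SHA-256 of its DER SPKI (verify_certificate_spki).
func Pins(cert *x509.Certificate) (certHash, spkiHash string) {
	h := sha256.Sum256(cert.Raw)
	s := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(h[:]), base64.StdEncoding.EncodeToString(s[:])
}

// Verify applies Envoy's rule: the client cert must match at least one pinned hash or one
// pinned SPKI. Hex pins may be upper-case and colon-separated, as openssl prints them.
func Verify(cert *x509.Certificate, hashes, spkis []string) bool {
	h, s := Pins(cert)
	for _, want := range hashes {
		if strings.EqualFold(strings.ReplaceAll(want, ":", ""), h) {
			return true
		}
	}
	for _, want := range spkis {
		if want == s {
			return true
		}
	}
	return false // no match, including when both lists are empty (fail closed; Envoy skips the check then)
}

// NewSelfSignedCert builds a throwaway client certificate for the demo (constructed, no real identity).
func NewSelfSignedCert() (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

The same values can be cross-checked on a real client certificate with `openssl x509 -outform DER | openssl dgst -sha256` for the hash and `openssl x509 -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256 -binary | base64` for the SPKI pin.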