3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-08-02 00:10:45 +02:00
Code Issues Projects Releases Packages Wiki Activity

authorize: do not rely on Envoy client cert validation (#4438)

Browse source 
Partially revert #4374: do not record the peerCertificateValidated()
result as reported by Envoy, as this does not work correctly for resumed
TLS sessions. Instead always record the certificate chain as presented
by the client. Remove the corresponding ClientCertificateInfo Validated
field, and update affected code accordingly. Skip the CRL integration
test case for now.
This commit is contained in:
Kenneth Jenkins 2023-08-03 10:45:55 -07:00 committed by GitHub
parent 465de43e67
commit e91600c158
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
9 changed files with 12 additions and 69 deletions
Download patch file Download diff file Expand all files Collapse all files

2
integration/policy_test.go
View file

@ -393,6 +393,8 @@ func TestDownstreamClientCA(t *testing.T) {
assert.Equal(t, "/", result.Path)
})
t.Run("revoked client cert", func(t *testing.T) {
t.Skip("CRL support must be reimplemented first")
// Configure an http.Client with a revoked client certificate.
cert := loadCertificate(t, "downstream-1-client-revoked")
client, transport := getClientWithTransport(t)