tyk
Configured upstream certificates not always used, depending on certificates presented by the server.
Branch/Environment/Version
- Branch/Version: All Versions
Describe the bug
Due to the Go TLS implementation for client certificates, the configured upstream mTLS certificate for a particular app will not always be used. This is dependent on the certificates offered by the server.
Reproduction steps
Steps to reproduce the behavior:
- Configure upstream_certificates for a particular app.
- Point towards a server implementing mTLS that requires a specific client keypair be offered, but does not present the corresponding private key as part of its Server Hello (i.e. separate accepted-certificates keystore vs. presented-certificates keystore).
- Notice that Tyk/Go will not present the configured client certificate.
Actual behavior
Even though a specific client certificate is configured, this certificate is only offered in specific circumstances, preventing a complete TLS handshake in some extraordinary configurations.
Expected behavior
Regardless of the Server Hello, Tyk should always present the configured upstream client certificate to the server.
Example fix that may have cascading effects. Not sure if this should also be applied to global certificates, perhaps only to specific upstream certificates. For example, if someone specifies a * upstream_cert, this may be a breaking change.
https://github.com/rhyswilliamsza/tyk/commit/1a5b189b0f87f66b2fd07ac72e6dec57b8cb6e2a
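The Go behaviour behind this report, as an added example that is not part of the issue, the linked commit, or Tyk's code: when a crypto/tls client is given only Config.Certificates, it consults the certificate_authorities list in the server's CertificateRequest and silently sends an empty Certificate message if none of the configured chains is issued by a listed CA. Supplying a GetClientCertificate callback that ignores that list makes the choice unconditional. The block below builds two throwaway self-signed certificates (constructed test data; the names are made up), models the server's request with tls.CertificateRequestInfo, and compares the two strategies. defaultSelection is a re-implementation, for illustration, of the standard library's selection loop, not Tyk's or Go's own source.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSignedCert builds a throwaway self-signed ECDSA certificate (constructed
// test data, not a real Tyk or upstream certificate) whose subject and issuer
// are both `name`.
func selfSignedCert(name string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// certificateRequest models the server's CertificateRequest message: TLS 1.2,
// signature schemes an ECDSA P-256 key can satisfy, and the distinguished
// names of the CAs the server announces it accepts (certificate_authorities).
// An empty list means "any CA".
func certificateRequest(acceptableCAs ...[]byte) *tls.CertificateRequestInfo {
	return &tls.CertificateRequestInfo{
		Version:          tls.VersionTLS12,
		SignatureSchemes: []tls.SignatureScheme{tls.ECDSAWithP256AndSHA256, tls.PSSWithSHA256},
		AcceptableCAs:    acceptableCAs,
	}
}

// defaultSelection mirrors what crypto/tls does when only Config.Certificates
// is set and no GetClientCertificate callback exists: walk the list and send
// the first chain the request supports, where "supports" includes the issuer
// being on the server's acceptable-CA list. If nothing matches, the client
// sends no certificate at all and the server side decides what happens next.
func defaultSelection(certs []tls.Certificate, cri *tls.CertificateRequestInfo) *tls.Certificate {
	for i := range certs {
		if err := cri.SupportsCertificate(&certs[i]); err == nil {
			return &certs[i]
		}
	}
	return nil
}

// pinnedClientCert is the remediation pattern: a GetClientCertificate callback
// that returns the operator-configured certificate regardless of which CAs the
// server announces, so selection no longer depends on the server's message.
func pinnedClientCert(cert tls.Certificate) func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
	return func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
		return &cert, nil
	}
}

// compare runs both strategies against a request that names only announcedCA
// and reports whether each would present the configured client certificate.
func compare(client, announcedCA tls.Certificate) (defaultSends, pinnedSends bool, err error) {
	cri := certificateRequest(announcedCA.Leaf.RawSubject)
	defaultSends = defaultSelection([]tls.Certificate{client}, cri) != nil

	cfg := &tls.Config{GetClientCertificate: pinnedClientCert(client)}
	chosen, err := cfg.GetClientCertificate(cri)
	if err != nil {
		return false, false, err
	}
	pinnedSends = chosen != nil && len(chosen.Certificate) > 0
	return defaultSends, pinnedSends, nil
}

func main() {
	client, err := selfSignedCert("configured-upstream-client") // constructed name
	if err != nil {
		panic(err)
	}
	unrelated, err := selfSignedCert("ca-the-server-announces-instead") // constructed name
	if err != nil {
		panic(err)
	}
	d, p, err := compare(client, unrelated)
	if err != nil {
		panic(err)
	}
	fmt.Printf("server announces an unrelated CA:  default sends cert=%v, pinned sends cert=%v\n", d, p)
	d, p, err = compare(client, client) // the server lists the cert's own issuer
	if err != nil {
		panic(err)
	}
	fmt.Printf("server announces the matching CA: default sends cert=%v, pinned sends cert=%v\n", d, p)
}
```

The first run reproduces the report: with the default strategy the configured certificate is dropped because its issuer is absent from the announced list, while the pinned callback still presents it. Whether the upstream then accepts it is the upstream's decision, which is the point of the expected-behaviour section above; a rejection becomes a visible TLS alert from the server rather than a client that quietly authenticates with nothing. The caveat in the issue about global certificates applies to this pattern too: a callback that pins one certificate has to be scoped to the upstream it was configured for.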
Hi @rhyswilliamsza,
Thank you for taking the time to submit this issue. I'll relay to our internal engineers for the next steps. We will continue to provide updates here as updates come through.