
Configured upstream certificates not always used, depending on certificates presented by the server.

Open rhyswilliamsza opened this issue 2 years ago • 2 comments

Branch/Environment/Version

  • Branch/Version: All Versions

Describe the bug

Due to the golang tls implementation for client certificates, the configured upstream mTLS certificate for a particular app will not always be used. This is dependent on the certificates offered by the server.

Reproduction steps

Steps to reproduce the behavior:

  1. Configure upstream_certificates for a particular app.
  2. Point towards a server implementing mTLS that requires that a specific client keypair be offered, but does not present the corresponding private key as part of its Server Hello (i.e. separate accepted certificates keystore vs presented certificates keystore).
  3. Notice that Tyk/golang will not present the configured client certificate.

Actual behavior

Even though a specific client certificate is configured, this certificate is only offered in specific circumstances, preventing a complete TLS handshake in some extraordinary configurations.

Expected behavior

Regardless of the server hello, Tyk should always present the configured upstream client certificate to the server.

rhyswilliamsza, Jun 30 '22 12:06

Example fix that may have cascading effects. Not sure if this should also be applied to global certificates, perhaps only to specific upstream certificates. For example, if someone specifies a * upstream_cert, this may be a breaking change.

https://github.com/rhyswilliamsza/tyk/commit/1a5b189b0f87f66b2fd07ac72e6dec57b8cb6e2a

rhyswilliamsza, Jun 30 '22 13:06
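As an added example (my own, not Tyk's code and not necessarily what the linked commit does), the Go program below reproduces step 2 of the report with a constructed in-memory PKI and shows the shape of the fix. Two self-signed CAs are generated: accepted-ca issues the client certificate, while advertised-ca is the only CA the server puts in its CertificateRequest. With plain Config.Certificates, crypto/tls only offers an entry whose issuer appears in that advertised list, so the client silently sends an empty Certificate and the server rejects the handshake. A GetClientCertificate callback is consulted instead of that selection, so the configured certificate is always offered. Names such as newCert, handshake and Demo are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newCert builds a throwaway ECDSA P-256 cert (constructed test PKI, not Tyk's); parent == nil gives a self-signed CA.
func newCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, tls.Certificate) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		DNSNames:     []string{"localhost"},
	}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: cert}
}

func poolOf(c *x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	p.AddCert(c)
	return p
}

// handshake runs one handshake over an in-memory pipe; the server-side error wins, because a TLS 1.3 client finishes its flight before the server rejects it.
func handshake(serverCfg, clientCfg *tls.Config) error {
	srvConn, cliConn := net.Pipe()
	srvConn.SetDeadline(time.Now().Add(3 * time.Second)) // safety net against a stuck pipe
	cliConn.SetDeadline(time.Now().Add(3 * time.Second))
	srvErr := make(chan error, 1)
	go func() { srvErr <- tls.Server(srvConn, serverCfg).Handshake() }()
	cliErr := tls.Client(cliConn, clientCfg).Handshake()
	cliConn.Close() // unblocks a server still trying to deliver an alert
	sErr := <-srvErr
	srvConn.Close()
	if sErr != nil {
		return sErr
	}
	return cliErr
}

// Demo returns the handshake error for plain Config.Certificates (the behaviour in the report) and for a GetClientCertificate callback that always offers the configured cert.
func Demo() (withCertificates, withCallback error) {
	acceptedCA, acceptedKey, _ := newCert("accepted-ca", nil, nil) // issues the client cert
	advertisedCA, _, _ := newCert("advertised-ca", nil, nil)       // the only CA the server lists
	_, _, serverCert := newCert("localhost", acceptedCA, acceptedKey)
	_, _, clientCert := newCert("upstream-client", acceptedCA, acceptedKey)
	serverCfg := &tls.Config{
		Certificates:           []tls.Certificate{serverCert},
		ClientAuth:             tls.RequireAnyClientCert,
		ClientCAs:              poolOf(advertisedCA), // becomes the CertificateRequest CA list
		SessionTicketsDisabled: true,                 // no post-handshake writes on the pipe
		// Accepted keystore (acceptedCA) differs from the presented one, as in step 2 of the report.
		VerifyPeerCertificate: func(raw [][]byte, _ [][]*x509.Certificate) error {
			leaf, err := x509.ParseCertificate(raw[0]) // non-empty under RequireAnyClientCert
			if err != nil {
				return err
			}
			_, err = leaf.Verify(x509.VerifyOptions{Roots: poolOf(acceptedCA), KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
			return err
		},
	}
	// Before: crypto/tls offers a Certificates entry only if its issuer is in the
	// advertised CA list; with no match it silently sends an empty Certificate.
	withCertificates = handshake(serverCfg, &tls.Config{RootCAs: poolOf(acceptedCA), ServerName: "localhost",
		Certificates: []tls.Certificate{clientCert}})
	// After: the callback replaces that selection, so the configured certificate is
	// offered whatever the server advertised.
	withCallback = handshake(serverCfg, &tls.Config{RootCAs: poolOf(acceptedCA), ServerName: "localhost",
		GetClientCertificate: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { return &clientCert, nil }})
	return withCertificates, withCallback
}

func main() {
	before, after := Demo()
	fmt.Println("Certificates only:", before, "| GetClientCertificate:", after)
}
```

The callback is also where the "cascading effect" mentioned above lives: once GetClientCertificate is set, crypto/tls no longer picks among several configured certificates by advertised CA, so a gateway with more than one applicable upstream certificate (a per-host entry next to a * entry, for example) has to do that selection itself inside the callback, or the first one wins for every upstream.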

Hi @rhyswilliamsza,

Thank you for taking the time to submit this issue. I'll relay this to our internal engineers for the next steps. We will continue to provide updates here as updates come through.

vverbani, Aug 02 '22 16:08