
Question: CA certificates used for client certificate verification

Open jandelgado opened this issue 3 years ago • 1 comment

When mTLS is used, the set of valid CA certificates is initialized from the system's certificate pool:

https://github.com/luraproject/lura/blob/1f33ebaccd6185a97eb98c424b62a18386329c11/transport/http/server/server.go#L145-L157

If my understanding is correct, these are the certificates stored in e.g. /etc/ssl/certs. On my system there are 138 CA certificates installed.

My question is: is potentially any client certificate signed by one of those 138 CAs accepted by default? If so, what is the proposed way to narrow the list down to only use my issuing CA?

jandelgado avatar Aug 08 '22 16:08 jandelgado
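To make the narrowing the reporter asks about concrete, here is an added Go example (not Lura's code and not from the thread): the server's `tls.Config.ClientCAs` is set to a pool containing only the issuing CA instead of the system pool, and a client certificate chaining to any other CA is rejected. Both CAs and the client certificates are generated in memory with constructed names; nothing reads the system trust store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// template builds a minimal certificate template; CAs get the CA bits, leaves
// get the clientAuth EKU that crypto/tls checks on client certificates.
func template(cn string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	return t
}

// sign generates a fresh P-256 key and has parent sign tmpl with it.
// With parentKey == nil the certificate is self-signed (a root CA).
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parentKey == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// serverConfig is the narrowed configuration: ClientCAs holds only the issuing
// CA, so the 138 system CAs play no part in client verification.
func serverConfig(issuingCA *x509.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(issuingCA)
	return &tls.Config{
		ClientAuth: tls.RequireAndVerifyClientCert,
		ClientCAs:  pool,
	}
}

// accepted performs the chain check crypto/tls runs on a presented client
// certificate against cfg.ClientCAs.
func accepted(cfg *tls.Config, client *x509.Certificate) bool {
	_, err := client.Verify(x509.VerifyOptions{
		Roots:     cfg.ClientCAs,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err == nil
}

// Demo issues one client certificate from "our" issuing CA and one from an
// unrelated CA (standing in for any CA found in the system pool) and reports
// which of the two the narrowed server configuration accepts.
func Demo() (ownAccepted, foreignAccepted bool, err error) {
	issuingCA, issuingKey, err := sign(template("Example Issuing CA", true), nil, nil)
	if err != nil {
		return
	}
	foreignCA, foreignKey, err := sign(template("Unrelated Public CA", true), nil, nil)
	if err != nil {
		return
	}
	ownClient, _, err := sign(template("legit-client", false), issuingCA, issuingKey)
	if err != nil {
		return
	}
	foreignClient, _, err := sign(template("stranger-with-a-public-cert", false), foreignCA, foreignKey)
	if err != nil {
		return
	}
	cfg := serverConfig(issuingCA)
	return accepted(cfg, ownClient), accepted(cfg, foreignClient), nil
}

func main() {
	own, foreign, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("issuing-CA client accepted: %v, unrelated-CA client accepted: %v\n", own, foreign)
}
```

The same `accepted` check run with a pool built from the system store (for example `x509.SystemCertPool()`) would accept the second client as well, which is exactly the behaviour the question describes; the fix is purely in what ends up in `ClientCAs`.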

Hi @jandelgado ,

This should be fixed in #613

Thanks for reporting!

taik0 avatar Sep 20 '22 09:09 taik0

This issue was marked as resolved a long time ago and now has been automatically locked as there has not been any recent activity after it. You can still open a new issue and reference this link.

github-actions[bot] avatar Jan 15 '23 00:01 github-actions[bot]