@massakam massakam commented Dec 18, 2024

Motivation

The C++ client has the same mTLS authentication issue as apache/pulsar#23644. That is, if a client's certificate is not directly signed by a root CA, but is signed by an intermediate CA, mTLS authentication will fail.

Modifications

  • When loading a client cert, use ssl::context::use_certificate_chain_file instead of ssl::context::use_certificate_file.
  • Added a test to check whether a PEM file containing a client cert and intermediate CA cert can be loaded and successfully connected to a broker. When issuing the intermediate CA cert, I did not know the private key of the root CA, so I reissued the root CA cert.

Verifying this change

  • Make sure that the change passes the CI checks.

Documentation

  • doc-not-needed

@massakam massakam added the bug Something isn't working label Dec 18, 2024
@massakam massakam added this to the 3.7.0 milestone Dec 18, 2024
@massakam massakam self-assigned this Dec 18, 2024
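An added example, not code from this pull request or the Pulsar client: a standard-library-only pre-flight check that tells whether a configured client certificate PEM carries intermediate CA certificates, which a single-certificate loader such as `use_certificate_file` reads past (it takes only the first certificate) and `use_certificate_chain_file` keeps. The names `scanPemBundle`, `certsPresented` and `dropsIntermediates` are hypothetical, and the sample bundle is constructed placeholder text, not real certificates.

```cpp
#include <iostream>
#include <string>

// Outcome of scanning the PEM text configured as the client certificate.
struct PemScan {
    int certificates = 0;    // complete CERTIFICATE blocks, in file order
    bool malformed = false;  // a BEGIN marker without its matching END
};

// Count complete CERTIFICATE blocks; other PEM block types (keys) are ignored.
PemScan scanPemBundle(const std::string& pem) {
    static const std::string kBegin = "-----BEGIN CERTIFICATE-----";
    static const std::string kEnd = "-----END CERTIFICATE-----";
    PemScan result;
    std::size_t pos = 0;
    while ((pos = pem.find(kBegin, pos)) != std::string::npos) {
        const std::size_t bodyStart = pos + kBegin.size();
        const std::size_t end = pem.find(kEnd, bodyStart);
        const std::size_t nextBegin = pem.find(kBegin, bodyStart);
        // No END, or another BEGIN before the END: the block is truncated.
        if (end == std::string::npos || (nextBegin != std::string::npos && nextBegin < end)) {
            result.malformed = true;
            break;
        }
        ++result.certificates;
        pos = end + kEnd.size();
    }
    return result;
}

// Model of what the client presents: a single-certificate loader keeps only the
// first block (the leaf); a chain loader keeps the leaf plus everything after it.
int certsPresented(const PemScan& scan, bool chainLoader) {
    if (scan.malformed || scan.certificates == 0) return 0;
    return chainLoader ? scan.certificates : 1;
}

// True when the file holds intermediates that a single-certificate loader drops.
bool dropsIntermediates(const PemScan& scan) {
    return certsPresented(scan, true) > certsPresented(scan, false);
}

// Constructed sample: leaf followed by one intermediate (placeholder bodies).
const std::string kSampleBundle =
    "-----BEGIN CERTIFICATE-----\nPLACEHOLDER-LEAF\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nPLACEHOLDER-INTERMEDIATE\n-----END CERTIFICATE-----\n";

int main() {
    const PemScan scan = scanPemBundle(kSampleBundle);
    std::cout << "certificates in file: " << scan.certificates
              << ", dropped by single-certificate loader: " << dropsIntermediates(scan) << "\n";
}
```

A bundle flagged by `dropsIntermediates` is one where the broker would receive only the leaf and could not build a path to its trusted root unless it already holds the intermediate.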

@hrsakai hrsakai left a comment

LGTM

@massakam massakam modified the milestones: 3.7.0, 3.8.0 Dec 19, 2024
@BewareMyPower BewareMyPower modified the milestones: 3.8.0, 3.7.0 Dec 19, 2024
@BewareMyPower

3.7.0 is currently blocked at the macOS release process, so I think it can be included in 3.7.0.

@BewareMyPower BewareMyPower merged commit 4ba83e8 into apache:main Dec 19, 2024
14 checks passed
@massakam massakam deleted the tls-cert-chain branch December 19, 2024 06:47