
change: when the SNI cannot match an SSL certificate, use the default certificate instead of terminating with an error

Open caiwenhao opened this issue 3 years ago • 4 comments

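Scenario: in the SSL for SaaS business scenario, no certificates are configured at the gateway layer, and HTTPS requests are intercepted at the CF layer. CF goes back to origin at the gateway layer, which uses the default certificate. As long as the certificate is within its validity period, CF ignores the certificate domain name check. The current problem is that apisix terminates directly when the SNI cannot match a certificate.

Expectation: when the apisix SNI cannot match a certificate, use the default certificate so that the request can proceed.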

caiwenhao avatar Aug 30 '22 09:08 caiwenhao

Does the fallback_sni satisfy your need?

tokers avatar Aug 30 '22 10:08 tokers

fallback_sni cannot meet the requirement; the SNI is not empty.

caiwenhao avatar Aug 30 '22 10:08 caiwenhao

I do not accept this violent modification. You can keep this modification in your version and do not feed it back upstream.

tzssangglass avatar Aug 30 '22 11:08 tzssangglass

Like you said, this change applies in the ssl for saas scenario. As a general API gateway, APISIX introduces this change, which will increase security risks.

soulbird avatar Aug 31 '22 01:08 soulbird

Very urgent feature, is it possible to add a feat flag to choose whether to enable this feature?

exfly avatar Oct 10 '22 03:10 exfly

> Very urgent feature, is it possible to add a feat flag to choose whether to enable this feature?

Try to describe your design elaborately and let's discuss it. Or if it's quite emergent, hack APISIX by yourself.

tokers avatar Oct 10 '22 09:10 tokers

This pull request has been marked as stale due to 60 days of inactivity. It will be closed in 4 weeks if no further activity occurs. If you think that's incorrect or this pull request should instead be reviewed, please simply write any comment. Even if closed, you can still revive the PR at any time or discuss it on the [email protected] list. Thank you for your contributions.

github-actions[bot] avatar Dec 09 '22 10:12 github-actions[bot]

This pull request/issue has been closed due to lack of activity. If you think that is incorrect, or the pull request requires review, you can revive the PR at any time.

github-actions[bot] avatar Jan 06 '23 10:01 github-actions[bot]