Mutual TLS failure #149
I was hoping to be able to authenticate with this proxy using client TLS auth. So I generated a server cert+key from my custom CA, and generated a client cert+key from the same custom CA. I then started the application with the following args:
I then connected using openssl's s_client, using the client cert and key, and saw that it worked.
I then removed the client and key to get rid of the client auth and repeated the experiment with s_client. It still worked. It was not denying my access due to the lack of client TLS.
So I re-read the docs and noticed that you're supposed to supply a CRL file too. So I generated one for the CA using
easyrsa gencrl
and restarted the server with the args:

No difference. It still allowed proxying whether or not I do client TLS. However, this time it spits out an extra error that the CRL doesn't match the CA at startup:
You'll notice that the two hashes are the same and that the CRL error comes before the "Loaded CA" log. Not sure if that's relevant. I tried changing the order of the command line args and it made no difference.
Now, I could be misunderstanding what these args do, or there could be a bug, I'm not sure. I just want to be able to tell the server to only allow proxying when client TLS has occurred and the client's cert is signed by the provided CA. Is that an option?
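The symptom described in the report (proxying allowed whether or not a client cert is presented) is what a TLS server does when it has been given a CA to verify against but its client-auth policy does not make a missing certificate fatal. The Go test below is an added example and not code from this proxy project: it runs a loopback server under a chosen `crypto/tls` ClientAuth policy and records the server's own handshake verdict, so the lenient and the enforcing configuration can be compared directly. The helper names (`issue`, `handshake`) and the "proxy"/"client" names are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue mints an Ed25519 key and a cert signed by issuer (self-signed when issuer is nil). Constructed test helper.
func issue(cn string, ca bool, issuer *x509.Certificate, ikey any) (*x509.Certificate, tls.Certificate) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: ca, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	if issuer == nil {
		issuer, ikey = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, issuer, pub, ikey)
	c, _ := x509.ParseCertificate(der)
	return c, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// handshake returns the SERVER's verdict on one loopback handshake under the given policy; the client offers
// either a cert issued by the test CA or no cert. ClientCAs alone enforces nothing: ClientAuth is the knob.
func handshake(policy tls.ClientAuthType, withClientCert bool) bool {
	caCert, caTLS := issue("test-ca", true, nil, nil)
	_, srvTLS := issue("proxy", false, caCert, caTLS.PrivateKey)
	_, cliTLS := issue("client", false, caCert, caTLS.PrivateKey)
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	ln, _ := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{ClientAuth: policy, ClientCAs: pool, Certificates: []tls.Certificate{srvTLS}})
	defer ln.Close()
	verdict := make(chan bool, 1)
	go func() { // under TLS 1.3 the client can finish before the server rejects it, so ask the server side
		c, _ := ln.Accept()
		defer c.Close()
		verdict <- c.(*tls.Conn).Handshake() == nil
	}()
	cliCfg := &tls.Config{RootCAs: pool, ServerName: "proxy"}
	if withClientCert {
		cliCfg.Certificates = []tls.Certificate{cliTLS}
	}
	if c, err := tls.Dial("tcp", ln.Addr().String(), cliCfg); err == nil {
		c.Close()
	}
	return <-verdict
}
```

With `tls.VerifyClientCertIfGiven` the CA is only consulted when a cert happens to be offered, which reproduces the reported behaviour; `tls.RequireAndVerifyClientCert` is the setting that turns a missing or unverifiable client cert into a failed handshake.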