This repository has been archived by the owner on Feb 6, 2022. It is now read-only.
Differentiate "allow-all" and "allow-none" in ssl_context:verify_subject_alt_name #66
Assignees
Milestone
Comments
|
This should be addressed by envoyproxy/envoy#615 |
|
envoyproxy/envoy#648 fixes this issue in Envoy upstream |
|
Please note that envoyproxy/envoy#648 was reverted in Envoy (see: envoyproxy/envoy#615, envoyproxy/envoy#668). |
|
@lookuptable , is this issue solved? I think currently we enforce client cert now. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
"allow-all": No secure naming is checked.
"all-none": Secure naming is checked against an empty list of service accounts. So it always fails.
We need to verify whether Envoy supports the two cases through config. Ideally, an undefined verify_subject_alt_name field should mean "allow-all" and a defined but empty verify_subject_alt_name field should mean "allow-none".
The text was updated successfully, but these errors were encountered: