Revert "Require peer certificate to be present when ca_cert_file is s…

…et (envoyproxy#648)" (envoyproxy#668) This reverts commit 1687644.
vijayendrabvs · Apr 4, 2017 · 0e53dc2 · 0e53dc2
1 parent b598c25
commit 0e53dc2
Show file tree

Hide file tree

Showing 4 changed files with 2 additions and 45 deletions.
diff --git a/docs/configuration/cluster_manager/cluster_ssl.rst b/docs/configuration/cluster_manager/cluster_ssl.rst
@@ -34,8 +34,7 @@ private_key_file
 
 ca_cert_file
   *(optional, string)* A file containing certificate authority certificates to use in verifying
-  a presented server certificate. If specified, a server must present a valid certificate or the
-  connection will be rejected.
+  a presented server certificate.
 
 verify_certificate_hash
   *(optional, string)* If specified, Envoy will verify (pin) the hash of the presented server

diff --git a/docs/configuration/listeners/ssl.rst b/docs/configuration/listeners/ssl.rst
@@ -42,8 +42,7 @@ alt_alpn_protocols
 ca_cert_file
   *(optional, string)* A file containing certificate authority certificates to use in verifying
   a presented client side certificate. If not specified and a client certificate is presented it
-  will not be verified. If specified, a client must present a valid certificate or the
-  connection will be rejected.
+  will not be verified.
 
 verify_certificate_hash
   *(optional, string)* If specified, Envoy will verify (pin) the hash of the presented client

diff --git a/source/common/ssl/context_impl.cc b/source/common/ssl/context_impl.cc
@@ -229,11 +229,6 @@ bool ContextImpl::verifyPeer(SSL* ssl) const {
 
   if (!cert.get()) {
     stats_.no_certificate_.inc();
-
-    if (ca_cert_) {
-      // In case that ca_cert_ exists, reject the connection when peer certificate is not present.
-      verified = false;
-    }
   }
 
   if (!verify_subject_alt_name_list_.empty()) {

diff --git a/test/common/ssl/context_impl_test.cc b/test/common/ssl/context_impl_test.cc
@@ -154,40 +154,4 @@ TEST(SslContextImplTest, TestNoCert) {
   EXPECT_EQ("", context->getCertChainInformation());
 }
 
-TEST(SslContextImplTest, TestVerifyPeer) {
-  std::string json = R"EOF(
-  {
-    "ca_cert_file": "test/common/ssl/test_data/ca.crt"
-  }
-  )EOF";
-
-  Json::ObjectPtr loader = TestEnvironment::jsonLoadFromString(json);
-  ContextConfigImpl cfg(*loader);
-  Runtime::MockLoader runtime;
-  ContextManagerImpl manager(runtime);
-  Stats::IsolatedStoreImpl store;
-  ClientContextPtr context(manager.createSslClientContext(store, cfg));
-  ClientContextImpl* contextImpl = dynamic_cast<ClientContextImpl*>(context.get());
-
-  SSL_CTX* ctx = SSL_CTX_new(SSLv23_server_method());
-  SSL* ssl = SSL_new(ctx);
-  SSL_SESSION* session = SSL_SESSION_new();
-  SSL_set_session(ssl, session);
-
-  // Test that verifyPeer returns false when peer certificate is not set.
-  EXPECT_FALSE(contextImpl->verifyPeer(ssl));
-
-  // Set peer certificate and make sure verifyPeer returns true.
-  FILE* fp = fopen("test/common/ssl/test_data/san_dns.crt", "r");
-  EXPECT_NE(fp, nullptr);
-  X509* cert = PEM_read_X509(fp, nullptr, nullptr, nullptr);
-  session->x509_peer = cert;
-  EXPECT_TRUE(contextImpl->verifyPeer(ssl));
-
-  fclose(fp);
-  SSL_SESSION_free(session);
-  SSL_free(ssl);
-  SSL_CTX_free(ctx);
-}
-
 } // Ssl