Skip to content

fix: when only tls.verify, skip the logic of judging client cert #12527

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
SkyeYoung merged 5 commits into from
Aug 22, 2025
Merged

fix: when only tls.verify, skip the logic of judging client cert #12527

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
0dde705
fix: judge cert in tls to avoid only `tls.verify`
SkyeYoung Aug 15, 2025
c61ae73
docs(admin-api): add missing tls.verify
SkyeYoung Aug 15, 2025
a33c376
docs: typo
SkyeYoung Aug 15, 2025
bd2a746
test: add tls.verify only cases
SkyeYoung Aug 18, 2025
50d0378
test: adjust cases
SkyeYoung Aug 19, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions apisix/upstream.lua
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -261,8 +261,8 @@ function _M.set_by_route(route, api_ctx)
local checker = healthcheck_manager.fetch_checker(up_conf.resource_key, resource_version)
api_ctx.up_checker = checker
local scheme = up_conf.scheme
if (scheme == "https" or scheme == "grpcs") and up_conf.tls then

local tls_has_cert = up_conf.tls and (up_conf.tls.client_cert or up_conf.tls.client_cert_id)
if (scheme == "https" or scheme == "grpcs") and tls_has_cert then
local client_cert, client_key
if up_conf.tls.client_cert_id then
client_cert = api_ctx.upstream_ssl.cert
Expand Down
1 change: 1 addition & 0 deletions docs/en/latest/admin-api.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1019,6 +1019,7 @@ In addition to the equalization algorithm selections, Upstream also supports pas
| tls.client_cert | False, can't be used with `tls.client_cert_id` | HTTPS certificate | Sets the client certificate while connecting to a TLS Upstream. | |
| tls.client_key | False, can't be used with `tls.client_cert_id` | HTTPS certificate private key | Sets the client private key while connecting to a TLS Upstream. | |
| tls.client_cert_id | False, can't be used with `tls.client_cert` and `tls.client_key` | SSL | Set the referenced [SSL](#ssl) id. | |
| tls.verify | False, currently only kafka upstream is supported | Boolean | Turn on server certificate verification, currently only kafka upstream is supported. | |
| keepalive_pool.size | False | Auxiliary | Sets `keepalive` directive dynamically. | |
| keepalive_pool.idle_timeout | False | Auxiliary | Sets `keepalive_timeout` directive dynamically. | |
| keepalive_pool.requests | False | Auxiliary | Sets `keepalive_requests` directive dynamically. | |
Expand Down
1 change: 1 addition & 0 deletions docs/zh/latest/admin-api.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1027,6 +1027,7 @@ APISIX 的 Upstream 除了基本的负载均衡算法选择外,还支持对上
| tls.client_cert | 否,不能和 `tls.client_cert_id` 一起使用 | https 证书 | 设置跟上游通信时的客户端证书,详细信息请参考下文。 | |
| tls.client_key | 否,不能和 `tls.client_cert_id` 一起使用 | https 证书私钥 | 设置跟上游通信时的客户端私钥,详细信息请参考下文。 | |
| tls.client_cert_id | 否,不能和 `tls.client_cert`、`tls.client_key` 一起使用 | SSL | 设置引用的 SSL id,详见 [SSL](#ssl)。 | |
| tls.verify |否,目前仅支持 Kafka 上游。 | Boolean | 开启服务器证书验证功能,目前仅支持 Kafka 上游。 | |
|keepalive_pool.size | 否 | 辅助 | 动态设置 `keepalive` 指令,详细信息请参考下文。 |
|keepalive_pool.idle_timeout | 否 | 辅助 | 动态设置 `keepalive_timeout` 指令,详细信息请参考下文。 |
|keepalive_pool.requests | 否 | 辅助 | 动态设置 `keepalive_requests` 指令,详细信息请参考下文。 |
Expand Down
13 changes: 13 additions & 0 deletions t/core/schema_def.t
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -232,6 +232,19 @@ passed
assert(not ok)
assert(err ~= nil)

upstream = {
nodes = {
["127.0.0.1:8080"] = 1
},
type = "roundrobin",
tls = {
verify = false
}
}
local ok, err = core.schema.check(schema_def.upstream, upstream)
assert(ok)
assert(err == nil)

ngx.say("passed")
}
}
Expand Down
101 changes: 101 additions & 0 deletions t/node/upstream-mtls.t
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -682,3 +682,104 @@ GET /hello
--- error_code: 502
--- error_log
failed to get ssl cert: ssl id [1] not exits



=== TEST 19: `tls.verify` only
--- config
location /t {
content_by_lua_block {
local t = require("lib.test_admin")
local json = require("toolkit.json")
local ssl_cert = t.read_file("t/certs/mtls_client.crt")
local data = {
upstream = {
scheme = "https",
type = "roundrobin",
nodes = {
["127.0.0.1:1983"] = 1,
},
tls = {
verify = true
}
},
uri = "/hello"
}
local code, body = t.test('/apisix/admin/routes/1',
ngx.HTTP_PUT,
json.encode(data)
)

if code >= 300 then
ngx.status = code
end
ngx.say(body)
}
}
--- request
GET /t
--- response_body
passed



=== TEST 20: hit
When only `tls.verify` is present, the matching logic related to
`client_cert`, `client_key` or `client_cert_id` should not be entered
--- request
GET /hello
--- response_body
hello world



=== TEST 21: set `verify` with `client_cert`, `client_key`
--- config
location /t {
content_by_lua_block {
local t = require("lib.test_admin")
local json = require("toolkit.json")
local ssl_cert = t.read_file("t/certs/mtls_client.crt")
local ssl_key = t.read_file("t/certs/mtls_client.key")
local data = {
upstream = {
scheme = "https",
type = "roundrobin",
nodes = {
["127.0.0.1:1983"] = 1,
},
tls = {
client_cert = ssl_cert,
client_key = ssl_key,
verify = true
}
},
uri = "/hello"
}
local code, body = t.test('/apisix/admin/routes/1',
ngx.HTTP_PUT,
json.encode(data)
)

if code >= 300 then
ngx.status = code
end
ngx.say(body)
}
}
--- request
GET /t
--- response_body
passed



=== TEST 22: hit
`tls.verify` does not affect the parsing of `client_cert`, `client_key`
--- upstream_server_config
ssl_client_certificate ../../certs/mtls_ca.crt;
ssl_verify_client on;
--- request
GET /hello
--- response_body
hello world
Loading