bharanitharanm opened a new issue, #12472: URL: https://github.com/apache/apisix/issues/12472
### Current Behavior

Issue: mTLS is enabled on the external server. APISIX is configured as a client to send the data along with the client certificate, but the external server is reporting that the client certificate is not part of the request.

### Expected Behavior

APISIX sends the configured client certificate to the external server, which has mTLS enabled (TLS Verify ON).

### Error Logs

Error in TLS server:

```
ERROR
40A764BDA57F0000:error:0A0000C7:SSL routines:tls_process_client_certificate:peer did not return a certificate:../ssl/statem/statem_srvr.c:3509:
shutting down SSL
CONNECTION CLOSED
```

Error in APISIX:

```
2025/07/29 10:10:16 [crit] 51#51: *4363 SSL_read() failed (SSL: error:0A00045C:SSL routines::tlsv13 alert certificate required:SSL alert number 116) while proxying and reading from upstream, client: 100.64.64.1, server: 0.0.0.0:9100, upstream: "10.12.135.120:4433", bytes from/to client:10/0, bytes from/to upstream:0/10
```

### Steps to Reproduce

- Enabled stream on port 9100:

```
stream:
  enabled: true
  tcp:
    - addr: 9100 # Port for TCP proxy to tcp-server
```

- Configure the stream route for mTLS using the API below:

```
curl http://127.0.0.1:9180/apisix/admin/stream_routes/1 -H "X-API-KEY: edd1c9f034335f136f87ad84b625c8f1" -X PUT -d '
{
  "server_port": 9100,
  "upstream": {
    "scheme": "tls",
    "type": "roundrobin",
    "nodes": {
      "10.12.135.120:4433": 1
    },
    "tls": {
      "client_cert": "'"$(cat client.cer)"'",
      "client_key": "'"$(cat client.key)"'",
      "ca_cert": "'"$(cat ca.cer)"'",
      "verify": true
    }
  }
}'
```

Start the TLS server:

```
openssl s_server -accept 4433 -cert server.cer -key server.key -CAfile ca.cer -Verify 1
```

Send data:

```
echo "mTLS test" | nc 10.177.193.251 9100
```

APISIX version - 3.11

### Environment

- APISIX version (run `apisix version`): 3.11
- Operating system (run `uname -a`): Helm Charts deployed in K3S
- OpenResty / Nginx version (run `openresty -V` or `nginx -V`): nginx version: openresty/1.25.3.2
- etcd version, if relevant (run `curl http://127.0.0.1:9090/v1/server_info`): 10.1.0
- APISIX Dashboard version, if relevant: NA
- Plugin runner version, for issues related to plugin runners:
- LuaRocks version, for installation issues (run `luarocks --version`):
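For triage of the APISIX log line quoted in the issue, the following added example (not part of the original report and not APISIX code) parses that error-log shape and separates "upstream demanded a client certificate and got none" (alert 116) from "upstream rejected the certificate it was sent". The function name `classify`, the `SAMPLE` list and its second log line are constructed for illustration.

```python
import re

# Certificate-related TLS alert numbers (RFC 8446, section 6).
CERT_ALERTS = {42: "bad_certificate", 43: "unsupported_certificate",
               44: "certificate_revoked", 45: "certificate_expired",
               46: "certificate_unknown", 48: "unknown_ca",
               116: "certificate_required"}

# Matches the nginx/OpenResty error-log shape quoted in the issue.
LINE_RE = re.compile(
    r"\(SSL: error:(?P<code>[0-9A-Fa-f]{8}):.*?SSL alert number (?P<alert>\d+)\)"
    r".*?client: (?P<client>[^,]+), server: (?P<server>[^,]+)"
    r'(?:, upstream: "(?P<upstream>[^"]+)")?')


def classify(line):
    """Return a triage dict for an upstream TLS alert line, or None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    alert = int(m["alert"])
    # OpenSSL 3 packs errors as (library << 23) | reason; for an alert
    # received from the peer, reason == 1000 + alert number.
    reason = int(m["code"], 16) & 0x7FFFFF
    if alert == 116:
        finding = "peer required a client certificate and none was sent"
    elif alert in CERT_ALERTS:
        finding = "peer rejected the certificate that was sent"
    else:
        finding = "alert is not certificate related"
    return {"upstream": m["upstream"], "client": m["client"],
            "alert": alert, "name": CERT_ALERTS.get(alert, "other"),
            "received_from_peer": reason == 1000 + alert,
            "finding": finding}


# Sample input: the first line is the one quoted in the issue; the second is
# a constructed variant (alert 48, unknown_ca) added for contrast.
SAMPLE = [
    '2025/07/29 10:10:16 [crit] 51#51: *4363 SSL_read() failed (SSL: error:0A00045C:SSL routines::tlsv13 alert certificate required:SSL alert number 116) while proxying and reading from upstream, client: 100.64.64.1, server: 0.0.0.0:9100, upstream: "10.12.135.120:4433", bytes from/to client:10/0, bytes from/to upstream:0/10',
    '2025/07/29 10:12:00 [crit] 51#51: *4370 SSL_read() failed (SSL: error:0A000418:SSL routines::tlsv1 alert unknown ca:SSL alert number 48) while proxying and reading from upstream, client: 100.64.64.1, server: 0.0.0.0:9100, upstream: "10.12.135.120:4433"',
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(classify(entry))
```
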