laz-xyr commented on issue #12641: URL: https://github.com/apache/apisix/issues/12641#issuecomment-3707788546
The officially recommended mTLS handshake is tcpsock:setclientcert and tcpsock:sslhandshake. The resty.healthcheck library is also implemented using this method: https://github.com/api7/lua-resty-healthcheck/blob/09a672e0784c75231ceca51e0a4cb39313c020f5/lib/resty/healthcheck.lua#L1062-L1073

But in patch.lua, through

```lua
local params = {
    mode = "client",
    protocol = "any",
    verify = verify and "peer" or "none",
    certificate = options.client_cert_path,
    key = options.client_priv_key_path,
    options = { "all", "no_sslv2", "no_sslv3", "no_tlsv1" }
}
local sec_sock, err = ssl.wrap(self.sock, params)
if not sec_sock then
    return false, err
end
```

it replaced setclientcert, and requires passing the certificate when calling sslhandshake. In the above test unit, the resty.healthcheck library reads the incoming upstream mTLS certificate configuration and sets the certificate through setclientcert, then calls `sock:sslhandshake(nil, https_sni, self.checks.active.https_verify_certificate)` without the incoming certificate.

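The handshake sequence the comment refers to, written out as an added example. This is not code from APISIX, lua-resty-healthcheck or the issue above; it assumes the OpenResty `ngx.ssl` module and cosocket API, and the `opts` table (`host`, `port`, `sni`, `verify`, `cert_pem`, `key_pem`, `timeout`) and the function names are assumptions for illustration. The point it shows is that the client identity is attached with `setclientcert` before the handshake, and `sslhandshake` itself only receives a session, an SNI name and a verify flag, never the certificate:

```lua
-- Added example, not project code: mTLS client handshake with
-- tcpsock:setclientcert followed by tcpsock:sslhandshake.
local ngx_ssl = require("ngx.ssl")

-- Parse PEM material into the cdata objects that setclientcert expects.
-- cert_pem / key_pem are assumed to be the PEM strings already read from disk.
local function load_client_identity(cert_pem, key_pem)
    local cert, err = ngx_ssl.parse_pem_cert(cert_pem)
    if not cert then
        return nil, nil, "failed to parse client certificate: " .. tostring(err)
    end
    local key
    key, err = ngx_ssl.parse_pem_priv_key(key_pem)
    if not key then
        return nil, nil, "failed to parse client private key: " .. tostring(err)
    end
    return cert, key
end

-- Connect to opts.host:opts.port and perform the TLS handshake.
-- Returns the connected cosocket, or nil plus an error string.
local function mtls_connect(opts)
    local sock = ngx.socket.tcp()
    sock:settimeout(opts.timeout or 2000)

    local ok, err = sock:connect(opts.host, opts.port)
    if not ok then
        return nil, "connect failed: " .. tostring(err)
    end

    -- The client identity is bound to the socket BEFORE the handshake.
    -- If this step is skipped, the server will see no client certificate.
    if opts.cert_pem and opts.key_pem then
        local cert, key, perr = load_client_identity(opts.cert_pem, opts.key_pem)
        if not cert then
            sock:close()
            return nil, perr
        end
        ok, err = sock:setclientcert(cert, key)
        if not ok then
            sock:close()
            return nil, "setclientcert failed: " .. tostring(err)
        end
    end

    -- Same argument shape as the healthcheck call quoted above:
    -- (reused_session, server_name, ssl_verify). No certificate here;
    -- any replacement of sslhandshake that expects one will not get it.
    local session, herr = sock:sslhandshake(nil, opts.sni, opts.verify)
    if not session then
        sock:close()
        return nil, "sslhandshake failed: " .. tostring(herr)
    end

    return sock
end

return {
    mtls_connect = mtls_connect,
}
```

With `verify = true` the cosocket checks the server certificate against the CA bundle configured with `lua_ssl_trusted_certificate`, so a realistic test of this path needs that directive set; with `verify = false` the handshake succeeds against any server certificate, which is fine for a unit test but must not leak into production configuration.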