laz-xyr commented on issue #12641:
URL: https://github.com/apache/apisix/issues/12641#issuecomment-3707922296

> This is a feature-request issue, not a bug. APISIX's health check module was not designed with mTLS in mind:
>
> 1. Schema level: The health check configuration lacks client certificate-related configuration fields.
> 2. Implementation level: The `create_checker` function in `healthcheck_manager.lua` does not read and pass the upstream mTLS certificate configuration to the underlying `resty.healthcheck` library.
>
> The underlying library already has full mTLS capabilities; however, APISIX does not read the upstream TLS configuration and pass the `ssl_cert` and `ssl_key` parameters when calling `healthcheck.new`.

@YapWC @Baoyuantop
The official recommendation for the mTLS handshake is `tcpsock:setclientcert` and `tcpsock:sslhandshake`. The `resty.healthcheck` library is also implemented using this method.

However, APISIX additionally implements the `tcpsock:tlshandshake` method (https://github.com/api7/apisix-nginx-module/pull/1).

Local test result: the `tcpsock:tlshandshake` method can handle the mTLS handshake, while `tcpsock:sslhandshake` will fail.

But `sslhandshake` (in the above test 2) can do the mTLS handshake in the original OpenResty environment; I don't know where APISIX broke this function.
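As an added example (not code from this issue, from APISIX, or from `resty.healthcheck`), here is a minimal active health probe written with the two OpenResty cosocket calls the comment names, `tcpsock:setclientcert` followed by `tcpsock:sslhandshake`. It shows the step a checker must perform before the handshake for an mTLS-enforcing upstream to accept the probe. The PEM paths, host, port, SNI name and path are placeholders, and it assumes it runs inside an OpenResty context (for example an `ngx.timer.at` callback) where `ngx.ssl` is available.

```lua
-- Added example (not APISIX's or resty.healthcheck's own code): a minimal
-- active mTLS health probe using tcpsock:setclientcert + tcpsock:sslhandshake.
-- Assumptions: runs inside an OpenResty handler/timer context with ngx.ssl
-- available; PEM paths, host, port, SNI and path below are placeholders.
local ssl = require("ngx.ssl")

local function read_file(path)
  local f, err = io.open(path, "r")
  if not f then
    return nil, "cannot open " .. path .. ": " .. tostring(err)
  end
  local data = f:read("*a")
  f:close()
  return data
end

-- Parse the client certificate and key once. setclientcert expects the cdata
-- objects produced by ngx.ssl, not raw PEM strings.
local function load_client_identity(cert_path, key_path)
  local cert_pem, err = read_file(cert_path)
  if not cert_pem then return nil, nil, err end
  local key_pem
  key_pem, err = read_file(key_path)
  if not key_pem then return nil, nil, err end

  local cert
  cert, err = ssl.parse_pem_cert(cert_pem)
  if not cert then return nil, nil, "parse cert: " .. tostring(err) end
  local key
  key, err = ssl.parse_pem_priv_key(key_pem)
  if not key then return nil, nil, "parse key: " .. tostring(err) end
  return cert, key
end

-- Probe one upstream node over mTLS. Returns true plus the HTTP status line on
-- success, or false plus a reason a checker could log for that node.
local function mtls_probe(host, port, sni, cert, key, path)
  local sock = ngx.socket.tcp()
  sock:settimeout(2000)  -- bound each probe, as a health checker would

  local ok, err = sock:connect(host, port)
  if not ok then
    return false, "connect: " .. tostring(err)
  end

  -- Attach the client identity *before* the handshake. Without this step the
  -- server's CertificateRequest goes unanswered and an mTLS-enforcing upstream
  -- rejects the probe, which is the failure mode discussed in this issue.
  ok, err = sock:setclientcert(cert, key)
  if not ok then
    sock:close()
    return false, "setclientcert: " .. tostring(err)
  end

  -- sslhandshake(reused_session, server_name, ssl_verify). Keep server
  -- verification on: a probe should not silently accept an unverified upstream.
  local session
  session, err = sock:sslhandshake(nil, sni, true)
  if not session then
    sock:close()
    return false, "sslhandshake: " .. tostring(err)
  end

  local req = "GET " .. path .. " HTTP/1.1\r\nHost: " .. sni ..
              "\r\nConnection: close\r\n\r\n"
  local bytes
  bytes, err = sock:send(req)
  if not bytes then
    sock:close()
    return false, "send: " .. tostring(err)
  end

  local status_line
  status_line, err = sock:receive("*l")
  sock:close()
  if not status_line then
    return false, "receive: " .. tostring(err)
  end
  return true, status_line
end

-- Usage with placeholder values; call from an ngx.timer.at callback or handler.
local cert, key, err = load_client_identity("/path/to/client.crt", "/path/to/client.key")
if not cert then
  ngx.log(ngx.ERR, err)
else
  local healthy, detail = mtls_probe("127.0.0.1", 8443, "upstream.example", cert, key, "/healthz")
  ngx.log(ngx.INFO, "mtls probe ", healthy and "ok" or "failed", ": ", detail)
end
```

The probe's `setclientcert` call is the piece that, per the quoted comment, APISIX's `create_checker` never feeds into `healthcheck.new`; a checker without it will report an mTLS-only upstream as unhealthy even though the node is fine, so the absence of a client certificate is worth surfacing in the checker's log rather than being folded into a generic handshake error.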
   
   

