AlinsRan opened a new pull request, #13190:
URL: https://github.com/apache/apisix/pull/13190

## Summary

- **Remove debug log** in `apisix/ssl/router/radixtree_sni.lua` that logged the full SSL object including private keys via `core.log.info("debug - matched: ...)`. This is a security vulnerability as private key material could be exposed in logs.
- **Add `client_rsa_private_key` to `encrypt_fields`** in `openid-connect.lua` so it is stored encrypted in etcd, not in plaintext.
- **Fix `ssl_verify` hardcoded to `false`** in Kubernetes discovery `informer_factory.lua`; now reads from `apiserver.ssl_verify` which is configured in `init.lua`.
- **Add `ssl_verify` field to Kubernetes discovery schema** — allows users to explicitly enable TLS certificate verification for the Kubernetes API server. Defaults to `false` for backward compatibility.

## Changes

- `apisix/ssl/router/radixtree_sni.lua` — Remove `debug - matched` log that leaked SSL private keys
- `apisix/plugins/openid-connect.lua` — Add `client_rsa_private_key` to `encrypt_fields`
- `apisix/discovery/kubernetes/informer_factory.lua` — Use `apiserver.ssl_verify` instead of hardcoded `false`
- `apisix/discovery/kubernetes/init.lua` — Populate `apiserver.ssl_verify` from config (defaults to `false`)
- `apisix/discovery/kubernetes/schema.lua` — Add `ssl_verify` boolean field to service schema

## Tests

- `t/router/radixtree-sni3.t` — TEST 8: verifies `debug - matched` is no longer logged after SSL handshake
- `t/plugin/openid-connect2.t` — TEST 20: verifies `client_rsa_private_key` is encrypted at rest in etcd
- `t/discovery/kubernetes_ssl_verify.t` — 4 new tests verifying `ssl_verify` behavior for http/https schemes and explicit configuration
- `t/kubernetes/discovery/kubernetes2.t` — Updated to explicitly set `ssl_verify: false` in test config
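The first Summary bullet describes a log line that serialized a whole SSL object, private key included. The PR's fix is to delete that log call; the added example below (not code from the PR or from APISIX) shows the complementary defensive pattern of redacting key material before any object is handed to a log sink, so a future debug line cannot leak it. The field names `key`, `keys` and `client_rsa_private_key`, the shape of `ssl_obj` and the `log_info` stand-in for `core.log.info` are all assumptions; it runs with plain `lua`.

```lua
-- Added example (not from the PR): redact private-key material from a config
-- object before it reaches a log sink. Field names `key`, `keys` and
-- `client_rsa_private_key`, and the shape of `ssl_obj`, are assumptions;
-- `log_info` stands in for APISIX's `core.log.info`.
local SENSITIVE = { key = true, keys = true, client_rsa_private_key = true }

local function is_sensitive(k)
  return SENSITIVE[k] or (type(k) == "string" and k:find("private_key", 1, true) ~= nil)
end

-- Deep-copy `obj`, replacing sensitive fields with a marker that keeps only
-- the number of entries, never the contents. `seen` guards against cycles.
local function redact(obj, seen)
  if type(obj) ~= "table" then return obj end
  seen = seen or {}
  if seen[obj] then return "<cycle>" end
  seen[obj] = true
  local out = {}
  for k, v in pairs(obj) do
    if is_sensitive(k) then
      out[k] = type(v) == "table" and ("<redacted: " .. #v .. " entries>") or "<redacted>"
    else
      out[k] = redact(v, seen)
    end
  end
  return out
end

-- Minimal deterministic serializer so the example needs no JSON library.
local function serialize(v)
  if type(v) ~= "table" then return string.format("%q", tostring(v)) end
  local parts = {}
  for k, x in pairs(v) do parts[#parts + 1] = tostring(k) .. "=" .. serialize(x) end
  table.sort(parts)
  return "{" .. table.concat(parts, ",") .. "}"
end

local function log_info(...) print("INFO:", ...) end

-- Constructed SSL object; the PEM bodies are placeholders, not real keys.
local ssl_obj = {
  id = "1", snis = { "example.com" },
  cert = "-----BEGIN CERTIFICATE-----\nMIIB<constructed>\n-----END CERTIFICATE-----",
  key  = "-----BEGIN PRIVATE KEY-----\nMIIE<constructed>\n-----END PRIVATE KEY-----",
  keys = { "-----BEGIN PRIVATE KEY-----\n<constructed-2>\n-----END PRIVATE KEY-----" },
}
local line = serialize(redact(ssl_obj))
assert(not line:find("PRIVATE KEY", 1, true), "key material reached the log line")
assert(line:find("BEGIN CERTIFICATE", 1, true), "public cert should still be logged")
log_info("matched:", line)
```

The two assertions are the check a reviewer would want on any debug logging of certificate objects: the public certificate survives, no PEM private-key block does.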

