This is an automated email from the ASF dual-hosted git repository.

Baoyuantop pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git


The following commit(s) were added to refs/heads/master by this push:
     new 9d3c66d24 fix(upstream): use `cert` and `key` instead of stale `ok` in 
mTLS error checks (#13442)
9d3c66d24 is described below

commit 9d3c66d246d43f7b8f8eb15fd04fb18da99cfc22
Author: okaybase <[email protected]>
AuthorDate: Thu Jun 11 09:21:20 2026 +0800

    fix(upstream): use `cert` and `key` instead of stale `ok` in mTLS error 
checks (#13442)
---
 apisix/upstream.lua    |   4 +-
 t/node/upstream-mtls.t | 100 +++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 102 insertions(+), 2 deletions(-)

diff --git a/apisix/upstream.lua b/apisix/upstream.lua
index 37bf25720..1c77543a9 100644
--- a/apisix/upstream.lua
+++ b/apisix/upstream.lua
@@ -281,12 +281,12 @@ function _M.set_by_route(route, api_ctx)
         -- the sni here is just for logging
         local sni = api_ctx.var.upstream_host
         local cert, err = apisix_ssl.fetch_cert(sni, client_cert)
-        if not ok then
+        if not cert then
             return 503, err
         end
 
         local key, err = apisix_ssl.fetch_pkey(sni, client_key)
-        if not ok then
+        if not key then
             return 503, err
         end
 
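Review bot: The line after the fixed key check, `local key, err = apisix_ssl.fetch_pkey(sni, client_key)`, redeclares `err` in the same scope as the `local cert, err` four lines above, which luacheck reports as a redefinition; `set_by_route` starts before and continues past this hunk, so I cannot see whether the first `err` is still read later. Consider `local key` followed by `key, err = apisix_ssl.fetch_pkey(sni, client_key)` so the shadowing is explicit. Since the stale `ok` could, if it held a truthy value from an earlier check, have let a nil `cert` or `key` continue past these guards, a one-line comment above the first check would record the intent: `-- fail closed: a client cert/key that cannot be parsed must not reach the upstream TLS setup`.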
diff --git a/t/node/upstream-mtls.t b/t/node/upstream-mtls.t
index 998543e25..fc7ba8144 100644
--- a/t/node/upstream-mtls.t
+++ b/t/node/upstream-mtls.t
@@ -783,3 +783,103 @@ passed
 GET /hello
 --- response_body
 hello world
+
+
+
+=== TEST 23: invalid cert (fetch_cert failure at runtime)
+This test writes an invalid cert directly to etcd to bypass Admin API
+validation, and verifies that fetch_cert failure returns 503 at runtime.
+--- config
+    location /t {
+        content_by_lua_block {
+            local core = require("apisix.core")
+            local t = require("lib.test_admin")
+            local ssl_key = t.read_file("t/certs/mtls_client.key")
+            local invalid_cert = string.rep("x", 200)
+            local res, err = core.etcd.set("/routes/1", {
+                    upstream = {
+                        scheme = "https",
+                        type = "roundrobin",
+                        nodes = {
+                            ["127.0.0.1:1983"] = 1,
+                        },
+                        tls = {
+                            client_cert = invalid_cert,
+                            client_key = ssl_key,
+                        }
+                    },
+                    uri = "/hello"
+                })
+
+            if not res or res.status >= 300 then
+                ngx.status = res and res.status or 500
+                ngx.say(err)
+                return
+            end
+            ngx.say("passed")
+        }
+    }
+--- request
+GET /t
+--- response_body
+passed
+
+
+
+=== TEST 24: hit with invalid cert
+--- request
+GET /hello
+--- error_code: 503
+--- error_log
+PEM_read_bio_X509_AUX() failed
+--- wait_etcd_sync: 0.3
+
+
+
+=== TEST 25: invalid key (fetch_pkey failure at runtime)
+This test writes a valid cert but an invalid key directly to etcd to bypass
+Admin API validation, and verifies that fetch_pkey failure returns 503 at 
runtime.
+--- config
+    location /t {
+        content_by_lua_block {
+            local core = require("apisix.core")
+            local t = require("lib.test_admin")
+            local ssl_cert = t.read_file("t/certs/mtls_client.crt")
+            local invalid_key = string.rep("!", 100)
+            local res, err = core.etcd.set("/routes/1", {
+                    upstream = {
+                        scheme = "https",
+                        type = "roundrobin",
+                        nodes = {
+                            ["127.0.0.1:1983"] = 1,
+                        },
+                        tls = {
+                            client_cert = ssl_cert,
+                            client_key = invalid_key,
+                        }
+                    },
+                    uri = "/hello"
+                })
+
+            if not res or res.status >= 300 then
+                ngx.status = res and res.status or 500
+                ngx.say(err)
+                return
+            end
+            ngx.say("passed")
+        }
+    }
+--- request
+GET /t
+--- response_body
+passed
+
+
+
+=== TEST 26: hit with invalid key
+--- request
+GET /hello
+--- error_code: 503
+--- error_log
+base64 decode ssl key failed
+--- wait_etcd_sync: 0.3
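Review bot: TEST 26 leaves `/routes/1` in etcd pointing at an upstream whose client key is `string.rep("!", 100)`, and nothing in this hunk deletes or restores that route, so any test appended to this file later inherits a route that answers 503 on `/hello`. A closing test that removes the key written directly to etcd would keep the file order-independent; TEST 23 and TEST 25 also repeat the same `core.etcd.set` block with only the cert/key swapped, so the tests could share a helper, but that is optional. The `--- wait_etcd_sync: 0.3` on TESTs 24 and 26 presumably gives the direct etcd write time to propagate before the hit; a short comment on TEST 23 saying the route is written to etcd directly because the Admin API would reject the invalid material would make that dependency visible.

```lua
=== TEST 27: clean up the route written directly to etcd
--- config
    location /t {
        content_by_lua_block {
            local core = require("apisix.core")
            local res, err = core.etcd.delete("/routes/1")
            if not res or res.status >= 300 then
                ngx.status = res and res.status or 500
                ngx.say(err)
                return
            end
            ngx.say("passed")
        }
    }
--- request
GET /t
--- response_body
passed
```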
