TykTechnologies / tyk / 3074
47%
LAST BUILD BRANCH: v2.9.4.8
DEFAULT BRANCH: master
Ran 24 Sep 2017 03:37AM UTC
Jobs 1
Files 0
Run time –
pending completion
3074

push

travis-ci

buger
Mutual TLS protection on API Level

Mutual TLS authorization happens on handshake level, so we can make it
our regular middleware. The whole idea of mutual TLS auth is that our
server acts as a certification authority and stores a list of allowed
client certificates, discarding the rest.

Go 1.8 added a handy helper for tls.Config called `GetConfigForClient`,
which allows loading different TLS configurations for each client based
on handshake `hello` info. The only attribute of the hello payload that
can be used for our case is `ServerName`. Note: TLS is a separate
protocol from HTTP, so it does not include the notion of a hostname, and
the `ServerName` we have is actually the SNI extension, added quite long
ago and supported by most clients.

By having access to ServerName we can enable Mutual TLS per API, based
on APISpec.Domain. The only requirement is that each API which uses
Mutual TLS should have its own domain.

API spec now includes 2 new fields, `use_mutual_tls_auth` and
`mutual_tls_certificate`, with the actual certificate. The certificate
should be PEM encoded. Note that a certificate is not the same as a
public/private key, but it is based on them.

You can create self-signed client and server certificates with this
command: `openssl req -x509 -newkey rsa:4096 -keyout key.pem -out
cert.pem -days 365`

For the server, specify the domain in the common name, or just pass
`-subj '/CN=localhost'` to the openssl command. After that, follow the
https://www.tyk.io/docs/security/tls-and-ssl/ guide.

If you are testing using `curl`, the command may look like:
`curl --cert client_cert.pem --key client_key.pem
https://localhost:8181`

First part of #357
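
The per-domain selection described in the commit message above, as an added Go sketch that is not the Tyk code: a `GetConfigForClient` callback demands a client certificate only when the SNI name belongs to a protected API. The names `pools`, `selector` and `requireCert`, the domain `api.example.test`, and the HTTP-level re-check of SNI against the `Host` header are assumptions of this example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net"
	"net/http"
	"strings"
)

// pools maps a lower-case API domain to its allowed client certs (hypothetical type).
type pools map[string]*x509.CertPool

// selector builds a tls.Config.GetConfigForClient callback: a domain found in
// p must present a verified client certificate, any other name uses base.
func selector(base *tls.Config, p pools) func(*tls.ClientHelloInfo) (*tls.Config, error) {
	return func(hello *tls.ClientHelloInfo) (*tls.Config, error) {
		pool, ok := p[strings.ToLower(hello.ServerName)] // empty when no SNI is sent
		if !ok {
			return nil, nil // nil means "keep the listener's original config"
		}
		cfg := base.Clone()
		cfg.ClientAuth, cfg.ClientCAs = tls.RequireAndVerifyClientCert, pool
		return cfg, nil
	}
}

// requireCert repeats the decision at HTTP level, because SNI and the Host
// header are separate values: a protected Host needs matching SNI and a verified cert.
func requireCert(p pools, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		host := strings.ToLower(r.Host)
		if h, _, err := net.SplitHostPort(host); err == nil {
			host = h
		}
		if _, protected := p[host]; protected && (r.TLS == nil || len(r.TLS.VerifiedChains) == 0 || !strings.EqualFold(r.TLS.ServerName, host)) {
			http.Error(w, "client certificate required", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	sel := selector(&tls.Config{}, pools{"api.example.test": x509.NewCertPool()}) // constructed sample
	cfg, _ := sel(&tls.ClientHelloInfo{ServerName: "api.example.test"})
	fmt.Println(cfg.ClientAuth == tls.RequireAndVerifyClientCert)
}
```

Each pool would be filled from the API's PEM data with `AppendCertsFromPEM`; a self-signed client certificate placed in the pool verifies as its own root.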

gofmt

Add new mutual tls configuration (doc to be extended)

Jobs
ID Job ID Ran Files Coverage
2 3074.2 (LATEST_GO=true) 24 Sep 2017 03:37AM UTC 0
Travis Job 3074.2
Source Files on build 3074
Detailed source file information is not available for this build.
  • 4b4c6071 on github