tls: require trusted_ca when using verify_subject_alt_name. (#3550)

SAN-based verification without trusted CA is insecure, since provided
values are easily spoofable.

Because of how the existing verification code is structured, this was
already enforced at run-time, and all certificates were rejected when
trusted CA wasn't specified, but previously it wasn't obvious why.

*Risk Level*: None
*Testing*: bazel test //test/...
*Docs Changes*: Added
*Release Notes*: n/a

Fixes #1268.

Signed-off-by: Piotr Sikora <piotrsikora@google.com>

Mirrored from https://github.com/envoyproxy/envoy @ 72db143131c1030e7c448e034a1a08980dc826f9
pull/620/head
data-plane-api(CircleCI) 7 years ago
parent b9cf0e88ed
commit 466c6ebf0e
Changed files: envoy/api/v2/auth/cert.proto (6 additions)

@ -191,6 +191,12 @@ message CertificateValidationContext {
// An optional list of Subject Alternative Names. If specified, Envoy will verify that the
// Subject Alternative Name of the presented certificate matches one of the specified values.
//
// .. attention::
//
// Subject Alternative Names are easily spoofable and verifying only them is insecure,
// therefore this option must be used together with :ref:`trusted_ca
// <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
repeated string verify_subject_alt_name = 4;
// [#not-implemented-hide:] Must present a signed time-stamped OCSP response.
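Review bot: The new attention block states that `verify_subject_alt_name` must be used together with `trusted_ca`, but per the commit message this requirement is only enforced implicitly at run-time (every presented certificate is rejected when `trusted_ca` is absent), which is exactly the failure mode that was hard to diagnose before. Consider also rejecting the combination at configuration-load time, so an operator gets an explicit error naming both fields rather than a handshake that fails for every peer. Until such a check exists, it would help to state the observable behaviour in the doc comment itself, e.g. after "...together with :ref:`trusted_ca`" add "; if `trusted_ca` is not set, all certificates are rejected", so that someone reading the proto can connect the symptom to the misconfiguration.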
