Skip to content

feat(tls): add SANs support for both DNS-names and URIs #110

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
May 21, 2025
Merged

feat(tls): add SANs support for both DNS-names and URIs #110

merged 2 commits into from
May 21, 2025

Conversation

lucab
Copy link
Contributor

@lucab lucab commented May 15, 2025
edited
Loading

This adds two new Lua functions (and the corresponding C logic) to configure custom SANs validation in nginx:

  • resty.kong.tls.set_upstream_ssl_sans_dnsnames()
  • resty.kong.tls.set_upstream_ssl_sans_uris()

Part of KAG-6247.

Notes:

  • This requires a corresponding nginx patch implementing the additional TLS-name validation logic.
  • Testing for this change (and the above nginx patch) is done at the integration level in Kong, see linked PR.

@lucab
feat(tls): add SANs support for both DNS-names and URIs
8fcb808 
This adds two new Lua functions (and the corresponding C logic)
to configure custom SANs validation in nginx:
 * `resty.kong.tls.set_upstream_ssl_sans_dnsnames()`
 * `resty.kong.tls.set_upstream_ssl_sans_uris()`

Part of KAG-6247.
@CLAassistant
Copy link

CLAassistant commented May 15, 2025
edited
Loading

CLA assistant check
All committers have signed the CLA.

@CLAassistant
Copy link

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

@lucab lucab requested review from bungle and samugi May 16, 2025 14:32
@lucab lucab marked this pull request as ready for review May 16, 2025 14:32
bungle
bungle approved these changes May 20, 2025
View reviewed changes
Copy link
Member

@bungle bungle left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@lucab, very good. I approve.

samugi
samugi approved these changes May 20, 2025
View reviewed changes
Copy link
Member

@samugi samugi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm. Is this testable? Should we have something in t/?

@lucab
Copy link
Contributor Author

lucab commented May 20, 2025

Is this testable? Should we have something in t/?

I think this is not testable in isolation (at least not in a meaningful way), as it works in tandem with the related nginx patch wrt. TLS-name validation logic.
However, the composite result of those patches is covered by a new integration test in Kong.

@lucab
Copy link
Contributor Author

lucab commented May 21, 2025
edited
Loading

@bungle @samugi Thanks for the reviews! Two additional notes on this:

  • I just realized the new functions should be documented in the README as well. I added a commit on top with doc entries only.
  • Even if green, I can't self-merge in this repository. Can you please merge this for me?

@samugi samugi merged commit feb1787 into master May 21, 2025
6 checks passed
@samugi samugi deleted the feat/ssl-sans branch May 21, 2025 09:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bungle bungle bungle approved these changes

@samugi samugi samugi approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@lucab @CLAassistant @bungle @samugi