Validating a host name against a certificate's Common Name (CN) has been deprecated since RFC 2818 section 3.1, published in 2000, i.e. for over 20 years. Unfortunately this is not widely known and still catches many people by surprise.
As a result more and more software no longer accepts the CN when validating host names. Instead only the Subject Alternative Names (SANs) are used.
Go itself stopped using the CN to validate certificates by default in version 1.15, and from Go 1.17 the CN fallback has been removed entirely.
Gateway versions 4.x and 5.0.x were built with Go 1.15 and 1.16 respectively, so on those versions setting the environment variable GODEBUG=x509ignoreCN=0 re-enables CN matching.
Gateway versions later than 5.0.x are built with later versions of Go, so they cannot be made to work with CN-only certificates.
As a result every certificate presented by an upstream service to Tyk must carry a SAN for the host name or IP address used to reach that upstream. Note that the SAN type must match how the upstream is addressed: a URL using an IP address only matches an IP address SAN, not a DNS SAN containing the same string.
If this isn't possible, the only alternative is to disable upstream certificate validation with one of the following options. Both remove protection against a man-in-the-middle on the upstream connection, so reissuing the certificate with a correct SAN is strongly preferred.
- proxy_ssl_insecure_skip_verify set to true in the Gateway config (tyk.conf). This disables all certificate validation for all upstream certificates.
- proxy.transport.ssl_insecure_skip_verify set to true in the API definition. This disables certificate validation of the upstream certificate for just that API.
Please note that many versions of curl still fall back to the CN, so curl will often connect successfully to an upstream that Tyk rejects. A working curl test therefore does not prove that the certificate is valid for Tyk; check the certificate's SAN extension instead.
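The following program, added here as an illustration and not part of Tyk's code, reproduces the check the Gateway's Go TLS client performs on an upstream certificate. It issues a throwaway CA and leaf certificate in memory (constructed test material; the host name api.internal.example and the helper names issue, verifyHost and isHostnameMismatch are assumptions for the example) and runs crypto/x509 verification with a DNSName, which on Go 1.17 and later matches SANs only. A CN-only certificate fails with a HostnameError even though the CN is correct, a certificate with a matching DNS SAN passes, and an IP SAN does not satisfy a connection made by name.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue builds a throwaway CA and a leaf certificate signed by it, entirely
// in memory (constructed test material, never real keys). cn becomes the
// Subject CN; dnsNames and ips become the SAN extension, and both may be
// empty to produce a CN-only certificate like the ones Tyk rejects.
func issue(cn string, dnsNames []string, ips []net.IP) (*x509.Certificate, *x509.CertPool, error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsNames, // SAN dNSName entries
		IPAddresses:  ips,      // SAN iPAddress entries
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return leaf, roots, nil
}

// verifyHost does what crypto/tls does for an upstream connection when
// InsecureSkipVerify is false: chain verification plus host name matching.
// Since Go 1.17 the host name is matched against SANs only, never the CN.
func verifyHost(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// isHostnameMismatch reports whether err is the "no SAN matches host"
// failure, as opposed to an expiry or untrusted-issuer problem.
func isHostnameMismatch(err error) bool {
	var he x509.HostnameError
	return errors.As(err, &he)
}

func main() {
	host := "api.internal.example"
	cases := []struct {
		label string
		dns   []string
		ips   []net.IP
	}{
		{"CN only, no SAN", nil, nil},
		{"DNS SAN matching the host", []string{host}, nil},
		{"IP SAN only, connecting by name", nil, []net.IP{net.ParseIP("10.0.0.5")}},
	}
	for _, c := range cases {
		leaf, roots, err := issue(host, c.dns, c.ips)
		if err != nil {
			panic(err)
		}
		err = verifyHost(leaf, roots, host)
		fmt.Printf("%-34s hostname mismatch=%v err=%v\n", c.label, isHostnameMismatch(err), err)
	}
}
```

To apply the same check to a real upstream certificate, parse its PEM with encoding/pem and x509.ParseCertificate and pass it to verifyHost together with the CA pool the Gateway trusts; a HostnameError there means the certificate needs reissuing with the correct SAN, and no Gateway setting other than the insecure skip-verify options above will make it pass.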