
If certificate reloading is enabled, mTLS stops functioning after the reload #45565

Closed
ynojima opened this issue Jan 14, 2025 · 5 comments · Fixed by #45578
Labels
area/security kind/bug Something isn't working
Milestone

Comments

@ynojima
Member

ynojima commented Jan 14, 2025

Describe the bug

If certificate reloading is enabled with the quarkus.http.ssl.certificate.reload-period option, mTLS stops functioning after the reload even when the certificate file has not been updated.

This is caused by mishandling of trustOptions here:

        if (configuration.certificate.trustStoreFile.isPresent()) {
            // Bug: this fetches the key certificate options, not the trust options,
            // so the trust store bytes are written into the key store's options object
            var opts = ((KeyStoreOptions) copy.getKeyCertOptions());
            opts.setValue(Buffer.buffer(getFileContent(configuration.certificate.trustStoreFile.get())));
            copy.setTrustOptions(opts);
        }

https://github.com/quarkusio/quarkus/blob/3.17.6/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/options/TlsCertificateReloader.java#L214-L218

The opts value should be taken from copy.getTrustOptions(), not copy.getKeyCertOptions().
Because of this mishandling, the trust store config is overwritten by the key store config.

Expected behavior

Even after the reload, mTLS should continue to work.

Actual behavior

mTLS stops functioning.

How to Reproduce?

Reproducer:

  1. Set up Quarkus to serve with mTLS.
  2. Enable certificate reloading with the quarkus.http.ssl.certificate.reload-period=3m option.
  3. Wait for the certificate reload, then access the Quarkus server over HTTPS.
  4. You will encounter a TLS connection issue.

Quarkus version or git rev

3.17.6
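As an added illustration (not Quarkus or Vert.x code), the reload step as reported beside the corrected one-line change, with a regression check that the key and trust stores remain distinct after a reload; it assumes vertx-core on the classpath and uses constructed placeholder bytes rather than real keystores, since no TLS socket is opened here.

```java
import io.vertx.core.buffer.Buffer;
import io.vertx.core.http.HttpServerOptions;
import io.vertx.core.net.KeyStoreOptions;

import java.util.Arrays;

public class TrustOptionsReloadCheck {

    // Mirrors the reported snippet: the trust store bytes are written into the
    // KeyStoreOptions object that backs the key certificate, and that same object
    // is then installed as the trust options, so both roles share one object.
    static void reloadAsReported(HttpServerOptions copy, byte[] trustStoreBytes) {
        var opts = (KeyStoreOptions) copy.getKeyCertOptions();
        opts.setValue(Buffer.buffer(trustStoreBytes));
        copy.setTrustOptions(opts);
    }

    // Corrected form: refresh the options object that already backs the trust store.
    static void reloadCorrected(HttpServerOptions copy, byte[] trustStoreBytes) {
        var opts = (KeyStoreOptions) copy.getTrustOptions();
        opts.setValue(Buffer.buffer(trustStoreBytes));
        copy.setTrustOptions(opts);
    }

    // Regression check: after a reload the key and trust options must be distinct
    // objects, each still holding the bytes of its own store.
    static boolean storesIntact(HttpServerOptions o, byte[] keyStoreBytes, byte[] trustStoreBytes) {
        var key = (KeyStoreOptions) o.getKeyCertOptions();
        var trust = (KeyStoreOptions) o.getTrustOptions();
        return key != trust
                && Arrays.equals(key.getValue().getBytes(), keyStoreBytes)
                && Arrays.equals(trust.getValue().getBytes(), trustStoreBytes);
    }

    // Server options with a separate key store and trust store (mTLS-style setup).
    static HttpServerOptions serverOptions(byte[] keyStoreBytes, byte[] trustStoreBytes) {
        return new HttpServerOptions().setSsl(true)
                .setKeyCertOptions(new KeyStoreOptions().setType("PKCS12").setPassword("key-pass")
                        .setValue(Buffer.buffer(keyStoreBytes)))
                .setTrustOptions(new KeyStoreOptions().setType("PKCS12").setPassword("trust-pass")
                        .setValue(Buffer.buffer(trustStoreBytes)));
    }

    public static void main(String[] args) {
        // Constructed placeholder contents; no real keystores are parsed.
        byte[] keyStore = "KEYSTORE-BYTES".getBytes();
        byte[] trustStore = "TRUSTSTORE-BYTES".getBytes();
        var buggy = serverOptions(keyStore, trustStore);
        reloadAsReported(buggy, trustStore);
        System.out.println("reported reload keeps stores intact: " + storesIntact(buggy, keyStore, trustStore));
        var fixed = serverOptions(keyStore, trustStore);
        reloadCorrected(fixed, trustStore);
        System.out.println("corrected reload keeps stores intact: " + storesIntact(fixed, keyStore, trustStore));
    }
}
```

The same storesIntact check can be run against the options object produced by a reload cycle to catch any future aliasing of trust and key options.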

@ynojima ynojima added the kind/bug Something isn't working label Jan 14, 2025

quarkus-bot bot commented Jan 14, 2025

/cc @pedroigor (bearer-token), @sberyozkin (bearer-token,jwt,security)

@geoand
Contributor

geoand commented Jan 14, 2025

cc @cescoffier

@geoand
Contributor

geoand commented Jan 14, 2025

@ynojima thanks for reporting.

As you seem to have analyzed the situation, would you like to contribute a fix?

@cescoffier
Member

Ah yes, thanks for reporting this. Fancy a pull request?

@ynojima
Member Author

ynojima commented Jan 14, 2025

Just created a pull request! Hope the test case meets the requirement! #45578

@quarkus-bot quarkus-bot bot added this to the 3.18 - main milestone Jan 15, 2025