0.283.0

@tas-runtime-bot tas-runtime-bot released this 20 Oct 15:34

Changes

  • Adds missing timings to non-http backend requests, e.g. websockets. (cloudfoundry/gorouter#363) (Fixes: #278)
  • Adds ability for gorouter to verify mTLS Client Certificate metadata (#355)
  • CI Enhancements and updates
  • Package Dependency bumps

Bosh Job Spec changes:

diff --git a/jobs/gorouter/spec b/jobs/gorouter/spec
index 2bb394e9..e9a9dd73 100644
--- a/jobs/gorouter/spec
+++ b/jobs/gorouter/spec
@@ -415,7 +415,7 @@ properties:
     default: 5
   websocket_dial_timeout_in_seconds:
     description: |
-      Maximum time in seconds for gorouter to establish a websocket upgrade for the websocket ForwardIO connection with a backend. 
+      Maximum time in seconds for gorouter to establish a websocket upgrade for the websocket ForwardIO connection with a backend.
       This timeout comes before `tls_handshake_timeout_in_seconds` and `request_timeout_in_seconds`. When not set, defaults to `endpoint_dial_timeout_in_seconds`.
     default: endpoint_dial_timeout_in_seconds
   tls_handshake_timeout_in_seconds:
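Review bot: this hunk only strips trailing whitespace from the first line of the `websocket_dial_timeout_in_seconds` description; there is no functional change, but bundling a whitespace-only edit into the same spec change that adds new properties makes the diff noisier to review than it needs to be. The retained wording (ordering relative to `tls_handshake_timeout_in_seconds` and `request_timeout_in_seconds`, fallback to `endpoint_dial_timeout_in_seconds`) is unchanged.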
@@ -518,6 +518,36 @@ properties:
     description: "The number of file descriptors a router can have open at one time"
     default: 100000
 
+  router.enable_verify_client_certificate_metadata:
+    description: |
+        Enable additional client certificate verification via verify_client_certificate_metadata (see below).
+    default: false
+  router.verify_client_certificate_metadata:
+    description: |
+      Additional client certificate verification, after the certificate was validated using the regular mTLS mechanism and is issued using one of the CAs in `client_ca_certs`.
+      The additional verification limits the allowed client certificates for a given signing CA (identified by its distinguished name) to certificates with subjects provided in the list of valid subjects. Within the certificate chain there may be more than one CA certificates (e.g. intermediate CA certificates). The `issuer_in_chain` must match one of the CA certificates in the chain.
+      Each list entry contains an issuer_in_chain with a corresponding list of valid subjects. Each issuer_in_chain must match one of the certificates in `client_ca_certs`. When an issuer_in_chain is defined that does not match, this raises an error during templating time and at startup in gorouter.
+      - issuer_in_chain:
+          common_name: ""
+          serial_number: ""
+          country: []
+          organization: []
+          organizational_unit: []
+          locality: []
+          province: []
+          street_address: []
+          postal_code: []
+        valid_cert_subjects:
+          - common_name: ""
+            serial_number: ""
+            country: []
+            organization: []
+            organizational_unit: []
+            locality: []
+            province: []
+            street_address: []
+            postal_code: []
+    default: []
   healthchecker.failure_counter_file:
     description: "File used by the healthchecker to monitor consecutive failures."
     default: /var/vcap/data/gorouter/counters/consecutive_healthchecker_failures.count
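Review bot: the description of `router.verify_client_certificate_metadata` does not state the matching semantics for the subject fields shown in the inline example: whether an empty `common_name: ""` / `serial_number: ""` or an empty list such as `organization: []` means "any value" or must match a certificate attribute that is literally empty, and whether list-valued fields require an exact set match or only a subset. Because this is an allow-list applied after the regular mTLS check, an operator who leaves fields blank needs to know whether that widens or narrows the match; suggest adding one sentence to the description stating the rule the implementation follows (for example "empty fields are ignored when matching" or "every listed field must match exactly"). Two smaller points: the `Enable additional client certificate verification via verify_client_certificate_metadata (see below).` line under `router.enable_verify_client_certificate_metadata` is indented eight spaces while the sibling description block uses six, and "there may be more than one CA certificates" should read "more than one CA certificate". The fail-closed behaviour (error at templating time and at gorouter startup when an `issuer_in_chain` matches nothing in `client_ca_certs`), together with `default: false` on the enable flag, is the right choice and worth keeping.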

✨ Built with go 1.21.3

Full Changelog: v0.282.0...v0.283.0