Questions tagged [mtls]

Use for mutual TLS, a technology to enhance network security.

mTLS, or mutual TLS, is common in Zero Trust networking architectures to increase security in internal networks, especially when deployed in a cloud environment.

mTLS is often implemented with a Service Mesh in a Kubernetes cluster.

222 questions
9 votes, 1 answer

mTLS setup using self-signed cert in Kubernetes and NGINX

I have a Kubernetes cluster (AKS) that is hosting a REST echo service. The service runs fine via HTTP. I am using NGINX ingress to route traffic. I now want to set up this service via HTTPS and with mTLS, so forcing the client to specify a…
wntrsux
7 votes, 1 answer

K8s Readiness Probes with HTTPS and Certificates

I have a spring boot application hosted on k8s and enforced mTLS on the App itself. I am able to do the mTLS on the connectivity by doing an SSL termination on the Ingress level and then again forwarding the certificates to the springboot pod as…
nischay goyal
7 votes, 0 answers

Istio mtls misconfiguration causes inconsistent behavior

I have deployed 2 Istio enabled services on a GKE cluster. Istio version is 1.1.5 and GKE is on v1.15.9-gke.24. Istio has been installed with global.mtls.enabled=true. serviceA communicates properly; serviceB apparently has TLS related issues. I spin…
pkaramol
6 votes, 1 answer

How to increase the TLS handshake size in .NET?

I'm experiencing connection negotiation failures while trying to establish two-way authentication with .NET clients. This happens after the remote server significantly increased the list of authorized CAs. While this issue can be easily resolved in…
Perfect28
5 votes, 1 answer

In mTLS does the client CN name actually matter?

For normal TLS the client will check that the server I am communicating with is actually on the FQDN matching the CN, hence if the certificate is for a different domain the TLS should not work by default as the certificate is not for this site. For…
othane
5 votes, 2 answers

Use Envoy to setup a tunnel between networks

For a hybrid-cloud use-case we are looking into the suitability of EnvoyProxy to act as a solution to move data across an on-premise firewall. The intended setup is as follows: App A is located in an on premise network with no direct outbound or…
Joost Reuzel
5 votes, 3 answers

How to configure TLS origination in ISTIO?

Istio does not route to an external HTTPS service via TLS origination. I have a pod containing two containers: Application and ISTIO Proxy. Application makes a call to an external third-party API which resides on…
vikp
4 votes, 2 answers

Kubernetes postStart lifecycle always failing

Trying to solve a dependency between pods using the postStart lifecycle. Use case: microservice A should start after the start of microservice B. For that we have added one container (curl) which will check if the dependent service is up or not using curl…
Ankita Sawant
4 votes, 2 answers

mTLS between two kubernetes clusters

I'm trying to get mTLS between two applications in two kubernetes clusters without the way Istio does it (with its ingress gateway), and I was wondering if the following would work (for Istio, for Linkerd, for Consul...). Let's say we have a k8s…
JGG
3 votes, 1 answer

What mTLS certificates are required when the client is also the server?

I am looking to connect a server and a number of clients using mTLS in golang. On my server I would like to be able to generate certificates to put on all the clients so clients can talk to the server but clients cannot talk to each other. My…
Maggie
3 votes, 1 answer

Kafka cluster using KRaft, mTLS and StandardAuthorizer not starting up, getting AuthorizerNotReadyException

I'm trying to create a new Kafka cluster using the new KRaft mode and using SSL certificates for authentication and authorization (along with the new StandardAuthorizer). I'm using the Bitnami Kafka image, version 3.3.1. This is the relevant part of…
jdias
3 votes, 1 answer

Websocket API authenticated with mTLS in AWS Api Gateway

Does anyone know if it is possible to have a Websocket Api Gateway support mTLS authentication? According to the documentation it is not supported…
3 votes, 1 answer

Postman returns "Error: passed a null parameter" when using Client Certificate

I requested a certificate from my CA (on a Mac) then exported the private key as a p12 file. In Postman preferences I configured Client Certificates by PFX file/passphrase. I know it's reading it since I get an incorrect passphrase error if I set a wrong…
Ben
3 votes, 1 answer

CURL showing "No required SSL certificate was sent" eve

I am using a CURL command from Windows. I have posted the command below. I have also posted the results of the command. It appears to me that the server is terminating the connection before sending the certificate. But I could be wrong. Any ideas why the…
Caroline Much
3 votes, 2 answers

MTLS and http client connection pool usage

Background: I am required to connect to a server for various clients. Each client connection should use a unique TLS cert. MTLS is in place on the server. I want to use connection pooling to improve latency. Using the following http…
Paul Whelan