Mutual TLS Authentication

Release date 2024/05/28

Feature

• Add default_consumer option that allows a default consumer to be used when the client certificate is valid but does not match any existing consumers.

Release date 2024/05/14

Feature

• Add default_consumer option that allows a default consumer to be used when the client certificate is valid but does not match any existing consumers.

Release date 2024/02/12

Bugfix

• Mtls-auth print notice log if revocation check fails with revocation_check_mode = IGNORE_CA_ERROR

Release date 2024/05/20

Feature

• Add default_consumer option that allows a default consumer to be used when the client certificate is valid but does not match any existing consumers.

Release date 2023/11/08

Bugfix

• mtls-auth should not cache the network failure when doing revocation check

Release date 2024/12/17

Bugfix

• Fixed an issue where a 500 error occurs when the configuration changes with the mTLS plugin enabled.

Release date 2024/03/21

Feature

• Add default_consumer option that allows a default consumer to be used when the client certificate is valid but does not match any existing consumers.

Release date 2023/09/28

Bugfix

• mtls-auth should not cache the network failure when doing revocation check

Release date 2023/08/09

Bugfix

• Fixed several revocation verification issues:

  • If revocation_check_mode=IGNORE_CA_ERROR, then the CRL revocation failure will be ignored.
  • Once a CRL is added into the store, it will always do CRL revocation check with this CRL file.
  • OCSP verification failed with no issuer certificate in chain error if the client only sent a leaf certificate.
  • http_timeout wasn’t correctly set.

• If revocation_check_mode=IGNORE_CA_ERROR, then the CRL revocation failure will be ignored.

• Once a CRL is added into the store, it will always do CRL revocation check with this CRL file.

• OCSP verification failed with no issuer certificate in chain error if the client only sent a leaf certificate.

• http_timeout wasn’t correctly set.

• Optimized CRL revocation verification.

• Fixed an issue that would cause an unexpected error when skip_consumer_lookup is enabled and authenticated_group_by is set to null.

Release date 2023/10/12

Bugfix

• Fixed an issue that caused the plugin to cache network failures when running certificate revocation checks.

Release date 2023/01/24

Bugfix

• Fixed an issue where the plugin used the old route caches after routes were updated.

Release date 2022/12/06

Feature

• The anonymous field can now be configured as the username of the consumer. This field allows you to configure a string to use as an “anonymous” consumer if authentication fails.

• Added the config.send_ca_dn configuration parameter to support sending CA DNs in the CertificateRequest message during SSL handshakes.

• Added the allow_partial_chain configuration parameter to allow certificate verification with only an intermediate certificate.

Release date 2022/09/09

Feature

• Introduced certificate revocation list (CRL) and OCSP server support with the following parameters: http_proxy_host, http_proxy_port, https_proxy_host, and https_proxy_port.

Breaking Change

• Updated the priority for some plugins.: mtls-auth changed from 1006 to 1600

Release date 2023/11/28

Bugfix

• mtls-auth should not cache the network failure when doing revocation check

Release date 2023/03/28

Bugfix

• Fixed an issue where the plugin used the old route caches after routes were updated.

Release date 2022/11/21

Bugfix

• Fixed an issue where the plugin was causing requests to silently fail on Kong Gateway data planes.

Release date 2022/05/27

Feature

• Introduced certificate revocation list (CRL) and OCSP server support with the following parameters: http_proxy_host, http_proxy_port, https_proxy_host, and https_proxy_port.

Release date 2022/03/02

Bugfix

• Fixed attempt to index local 'workspace' error, which occurred when accessing Routes or Services using TLS.