[tls_validation] Make sure the client cert is present

3scale · Oct 29, 2024 · cd1d70e · cd1d70e
1 parent cd09664
commit cd1d70e
Showing 1 changed file with 10 additions and 2 deletions.
diff --git a/gateway/src/apicast/policy/tls_validation/tls_validation.lua b/gateway/src/apicast/policy/tls_validation/tls_validation.lua
@@ -60,13 +60,21 @@ function _M:ssl_certificate()
 end
 
 function _M:access()
-  local cert = X509.new(ngx.var.ssl_client_raw_cert)
-  if not cert then
+  local client_cert = ngx.var.ssl_client_raw_cert
+  if not client_cert then
     ngx.status = self.error_status
     ngx.say("No required TLS certificate was sent")
     return ngx.exit(ngx.status)
   end
 
+  local cert, err = X509.new(client_cert)
+  if not cert then
+    ngx.status = self.error_status
+    ngx.log(ngx.WARN, "Invalid TLS certificate, err: ", err)
+    ngx.say("Invalid TLS certificate")
+    return ngx.exit(ngx.status)
+  end
+
   local store = self.x509_store
   store:set_flags(store.verify_flags.X509_V_FLAG_PARTIAL_CHAIN)