I am configuring mTLS for an API Gateway; my truststore.pem only has one cert.
I've created another CA, signed a cert with that CA and issued the curl request with the --key and --cert params, and it went through. I already disabled the default endpoint.
I am wondering if this is the expected behaviour. It's not safe, it's just bollocks, because anyone can create a self-signed cert and bypass the mTLS.
What I did:
# ca
openssl genrsa -out RootCA.key 4096
openssl req -new -x509 -days 3650 -key RootCA.key -out RootCA.pem
# client john
openssl genrsa -out john.key 2048
openssl req -new -key john.key -out john.csr
openssl x509 -req -in john.csr -CA RootCA.pem -CAkey RootCA.key -set_serial 01 -out john.pem -days 3650 -sha256
# create truststore (copy of RootCA.pem) and upload it to S3.
cp RootCA.pem truststore.pem
aws s3 cp truststore.pem s3://...
If I issue:
curl --cert john.pem --key john.key https://myapi.com/test
healthy
But if I create another CA
# ca
openssl genrsa -out RootCA-2.key 4096
openssl req -new -x509 -days 3650 -key RootCA-2.key -out RootCA-2.pem
# client marta
openssl genrsa -out marta.key 2048
openssl req -new -key marta.key -out marta.csr
openssl x509 -req -in marta.csr -CA RootCA-2.pem -CAkey RootCA-2.key -set_serial 01 -out marta.pem -days 3650 -sha256
And issue
curl --cert marta.pem --key marta.key https://myapi.com/test
healthy
It responds with healthy, which should have denied the request because RootCA-2 is not in the truststore, right?
I was issuing /ping, whereas /ping and /sping are reserved endpoints for API Gateway, thus always answering with healthy...
Attacking any other endpoint works well, segregating by certs and allowing/denying depending on whether a cert comes from a trusted CA.
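The following script is an added example, not part of the original post or of AWS documentation. It rebuilds the two-CA setup from the question with the same openssl steps and then checks locally, with `openssl verify`, which client cert actually chains to truststore.pem: that is the decision the gateway's mTLS truststore is expected to make on any non-reserved path, so it is a useful sanity check before blaming the gateway. Assumptions: the openssl CLI is installed; the scratch directory `WORK`, the config file `req.cnf`, the helper names (`make_ca`, `make_client`, `trusted_by`, `issuer_of`) and the hostname `myapi.example` in the final comment are all made up for this example; 2048-bit CA keys are used only to keep the run fast, and the explicit config guarantees the roots carry CA:TRUE whatever the system openssl.cnf says.

```shell
#!/bin/sh
# Added example (not from the original post): rebuild two independent CAs,
# sign one client cert under each, and check which one chains to the
# truststore. Assumes the openssl CLI is available.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory (assumption)

# Minimal req config so the self-signed roots always carry CA:TRUE,
# independent of the system openssl.cnf defaults.
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
EOF

# make_ca NAME: self-signed root -> $WORK/NAME.key, $WORK/NAME.pem
make_ca() {
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -new -x509 -days 3650 -sha256 -config "$WORK/req.cnf" \
    -subj "/CN=$1" -key "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# make_client NAME CA: key + CSR, signed by CA -> $WORK/NAME.pem (as in the post)
make_client() {
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -new -config "$WORK/req.cnf" -subj "/CN=$1" \
    -key "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -set_serial 01 -days 3650 -sha256 -out "$WORK/$1.pem" 2>/dev/null
}

# trusted_by CERT TRUSTSTORE: prints "trusted" when CERT chains to a root in
# TRUSTSTORE and "untrusted" otherwise. This is the check the gateway's mTLS
# truststore is expected to perform on a non-reserved path.
trusted_by() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# issuer_of CERT: issuer DN, to see at a glance which CA signed the cert
issuer_of() {
  openssl x509 -in "$1" -noout -issuer
}

# Reproduce the post: two unrelated roots, one client under each, and a
# truststore containing only RootCA.pem.
make_ca RootCA
make_ca RootCA-2
make_client john RootCA
make_client marta RootCA-2
cp "$WORK/RootCA.pem" "$WORK/truststore.pem"

for who in john marta; do
  echo "$who: $(issuer_of "$WORK/$who.pem") -> $(trusted_by "$WORK/$who.pem" "$WORK/truststore.pem")"
done

# Against the gateway, exercise a real route over HTTPS, never /ping or /sping
# (hypothetical host):
#   curl --cert "$WORK/marta.pem" --key "$WORK/marta.key" https://myapi.example/test
```

If `marta.pem` shows as untrusted here but a request with it still succeeds at the gateway, the path being hit is the first thing to check: the reserved `/ping` and `/sping` endpoints answer before client-certificate policy is applied, so only a route you defined yourself tells you whether the truststore is enforced.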