Skip to content

fix: reject TLS secret when certificate and private key do not match#9487

Open
zhaohuabing wants to merge 5 commits into
envoyproxy:release/v1.8from
zhaohuabing:fix-key-cert-mismatch-bp
Open

fix: reject TLS secret when certificate and private key do not match#9487
zhaohuabing wants to merge 5 commits into
envoyproxy:release/v1.8from
zhaohuabing:fix-key-cert-mismatch-bp

Conversation

@zhaohuabing

@zhaohuabing zhaohuabing commented Jul 14, 2026

Copy link
Copy Markdown
Member

Simplified, backport-safe version of #9480 fixing the TLS regressions in #9473, #9463 and #9225. Validates TLS Secrets at translation and isolates failures to the affected listener instead of pushing a broken chain that Envoy NACKs with KEY_VALUES_MISMATCH (which stalls all Gateways under mergeGateways): rejects mismatched key/cert pairs, and rejects serving chains containing an expired/malformed cert instead of silently dropping the member. CA bundles still drop expired CAs. #9480's broader validation could break existing v1.8 use cases.

Related: #9225 #9473 #9463

@zhaohuabing zhaohuabing requested a review from a team as a code owner July 14, 2026 02:40
@zhaohuabing zhaohuabing force-pushed the fix-key-cert-mismatch-bp branch from 41dde4c to ff272ee Compare July 14, 2026 02:44
@codecov

codecov Bot commented Jul 14, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 97.14286% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 74.95%. Comparing base (30d3918) to head (b267569).

Files with missing lines Patch % Lines
internal/gatewayapi/tls.go 97.10% 1 Missing and 1 partial ⚠️
Additional details and impacted files
@@               Coverage Diff                @@
##           release/v1.8    #9487      +/-   ##
================================================
- Coverage         74.99%   74.95%   -0.04%     
================================================
  Files               251      251              
  Lines             40619    40639      +20     
================================================
  Hits              30462    30462              
- Misses             8092     8107      +15     
- Partials           2065     2070       +5     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@zhaohuabing zhaohuabing force-pushed the fix-key-cert-mismatch-bp branch 2 times, most recently from ff272ee to ec77845 Compare July 14, 2026 03:08
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
cnvergence
cnvergence previously approved these changes Jul 14, 2026
@cnvergence

Copy link
Copy Markdown
Member

Thanks for splitting!

@zhaohuabing

Copy link
Copy Markdown
Member Author

/retest

@zhaohuabing zhaohuabing requested a review from a team July 14, 2026 08:15
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
Comment thread go.mod
module github.com/envoyproxy/gateway

go 1.26.4
go 1.26.5

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is required to fix the go-benchmark-test.

Comment thread internal/gatewayapi/tls.go Outdated
// mergeGateways enabled that NACKs the whole SDS push, breaking TLS for all
// Gateways sharing the proxy. Reject the bad Secret here so it never reaches
// Envoy and only the affected listener degrades.
if _, err := tls.X509KeyPair(validData, pem.EncodeToMemory(keyBlock)); err != nil {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think that this might cause a false error to be reported, see comment here: #9473 (comment).

@zhaohuabing zhaohuabing Jul 15, 2026

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice catch!

I've updated this PR. validateServingCertificateChain no longer filters individual certificates. Instead, it rejects the entire TLS serving certificate Secret if the certificate chain contains an invalid/expired certificate. CA bundles still drop expired CAs.

Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
@zhaohuabing zhaohuabing force-pushed the fix-key-cert-mismatch-bp branch from b071ec4 to 770052b Compare July 15, 2026 02:19
@zhaohuabing zhaohuabing requested a review from guydc July 15, 2026 02:27
@zhaohuabing

Copy link
Copy Markdown
Member Author

@codex review

@chatgpt-codex-connector

Copy link
Copy Markdown

Codex Review: Didn't find any major issues. What shall we delve into next?

Reviewed commit: 770052b6d3

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@zhaohuabing zhaohuabing requested a review from a team July 15, 2026 02:38
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
data:
tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURKRENDQWd5Z0F3SUJBZ0lVU3JTYktMZjBiTEVHb2dXeC9nQ3cyR0N0dnhFd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0V6RVJNQThHQTFVRUF3d0lWR1Z6ZENCSmJtTXdIaGNOTWpRd01qSTVNRGt6TURFd1doY05NelF3TWpJMgpNRGt6TURFd1dqQVRNUkV3RHdZRFZRUUREQWhVWlhOMElFbHVZekNDQVNJd0RRWUpLb1pJaHZjTkFRRUJCUUFECmdnRVBBRENDQVFvQ2dnRUJBSzFKempQSWlXZzNxb0hTckFkZGtlSmphTVA5aXlNVGkvQlBvOWNKUG9SRThaaTcKV2FwVXJYTC85QTlyK2pITXlHSVpOWk5kY1o1Y1kyWHYwTFA4WnhWeTJsazArM3d0WXpIbnBHWUdWdHlxMnRldApEaEZzaVBsODJZUmpDMG16V2E0UU16NFNYekZITmdJRHBSZGhmcm92bXNldVdHUUU4cFY0VWQ5VUsvU0tpbE1PCnF0QjVKaXJMUDJWczVUMW9XaWNXTFF2ZmJHd3Y3c0ZEZHI5YkcwWHRTUXAxN0hTZ281MFNERTUrQmpTbXB0RncKMVZjS0xscWFoTVhCRERpb3Jnd2hJaEdHS3BFU2VNMFA3YkZoVm1rTTNhc2gyeFNUQnVGVUJEbEU0Sk9haHp3cwpEWHJ1cFVoRGRTMWhkYzJmUHJqaEZBbEpmV0VZWjZCbFpqeXNpVlVDQXdFQUFhTndNRzR3SFFZRFZSME9CQllFCkZCUXVmSzFMaWJ1Vm05VHMvVmpCeDhMM3VpTmVNQjhHQTFVZEl3UVlNQmFBRkJRdWZLMUxpYnVWbTlUcy9WakIKeDhMM3VpTmVNQThHQTFVZEV3RUIvd1FGTUFNQkFmOHdHd1lEVlIwUkJCUXdFb0lCS29JTktpNWxlR0Z0Y0d4bApMbU52YlRBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQVFFQWZQUzQxYWdldldNVjNaWHQwQ09GRzN1WWZQRlhuVnc2ClA0MXA5TzZHa2RZc3VxRnZQZVR5eUgyL2RBSUtLd1N6TS9wdGhnOEtuOExabG1KeUZObkExc3RKeG41WGRiVjEKcFBxajhVdllDQnp5ak1JcW1SeW9peUxpUWxib2hNYTBVZEVCS2NIL1BkTEU5SzhUR0pyWmdvR1hxcTFXbWl0RAozdmNQalNlUEtFaVVKVlM5bENoeVNzMEtZNUIraFVRRDBKajZucEZENFprMHhxZHhoMHJXdWVDcXE3dmpxRVl6CnBqNFB3cnVmbjFQQlRtZnhNdVYvVUpWNWViaWtldVpQMzVrV3pMUjdaV0FMN3d1RGRXcC82bzR5azNRTGFuRFEKQ3dnQ0ZjWCtzcyswVnl1TTNZZXJUT1VVOFFWSkp4NFVaQU5aeDYrNDNwZEpaT2NudFBaNENBPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV1Z0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktRd2dnU2dBZ0VBQW9JQkFRQ1pTT21NUlBXWkFqN08KcVFrTVc2d3Bub3NmVCtRMzhmVWJ1U3crRXlablZ1eUNuYlVGZjhIeTVyYkx1K2dmbWszUW8xbnRBVTMzamprUQpXMGQzRHdCdWhKVUM0bkpVRks3cDk2dm9MQ2FTdmlPM0NQbytjUENPdkZ4K1ZrTzYxVkxXOEI2YW04UG5GWndhCmlGRGk0aUdyWXlIK3lsK2RUTmJoZlhIeEJ4T0E1M0IrcTI2K2ZmMFJXUWJKSWNiT1RzOENTSDZJWk1yeGNIcmsKOE1TdjFhWXlQdXpuT1BBQVFsNlRUdlEvNmhJZnF6bXJvd0RIRjRCMENFNUFvb2xFM0ZLT2kwaC9ieTJUN1dxbgo4NkdhdXA0VEtxVnV1Uk5hUU1CZDQ4azA4V3VTUENYSDBoWTVJbm1kdEMxRURKK3pQRk9NUjQycVA0THg5QWdICjNRZTBTMU5yQWdNQkFBRUNnZjk2Zy9QWXh2YVp5NEJuMU5ySkJkOExaT2djYlpjMmdueDZJa3YvVVhaME5obHgKRVlpS2plRmpWNkhXNW9FWHJaKy9tUGY0ZHVzVmFMNzRVOVZvanVQSmNlQWVScmpMM2VPaGJIdGN4KzBnY0dMZwpYeEY5VFJhcDY1VHVVZDFhaTA0aEd3WWY3NXNiUDdSS2JQaXZ3WmdVQWUwQ3BWdWZjaG5YcXJzWXI4cEpZNTFPCldWa1NxejRSWTlXbTBrNUcxSkZ5SXlFQzl1bURsdWpjSE50UlZtYWZrTmZBdENsaVByRktjL245bkpmTzZSRlAKN2c3Vi9JdnFudUlyN1BFM0duNlBhVCtCZ2c0NDh0ZDVKelBwVEE1WkJjQm8yb3J6L2t4WVBGcHIvZ1BVQnFRZApvNm5XcXc3Nlp4d1BsZHdMaEorWFlOWDdvdWN0VVNDTDl1NzdmeUVDZ1lFQXl2N0RseGYrS1FsZkR3bW8vcjFUCjBMMVpuSDQ3MmhpSWVkU2hleVZCSGJFVlRTbXI0MkJSbGpXNERiUmNRTTRWY3h4RGtHclI3NlJHZTlvZzZtemMKUnY4K1ZsQ1gyK3F5OXA1bTZaWHJiQXczMHpDLzVtUGtSV3ViaFVoaSs5ZUNNWmEvaEFJL1JGdjI2OURyQkQyLwo2a2cwRjhYME8vNndJK1dwYXRLM1cwY0NnWUVBd1U5QTZiSnBmYVhLS1hQR21PRy9uVXhUeXp5cVlqS05aSmQvCjlHaEVudUdqSzVDQUVWUEphOGtadmZRemxXbXdaYWZxMERocUk4dkxhRkNEZjhZOEU5OU1hbjNHV2hVYjNWL0oKcU5RUVMzNTZOQ2ZadzdseG9LS0JJdlQ2Y3dpaFRuc0UvUjRIQ3NhbDJ3d040Wmw5SFdOQmdhbVM3VExrejFMaApmd1JEa0wwQ2dZQlo0OWorNW53QTlncG5JVkw1Z3lORGN5WGtlNjNMVlVQU0YwdHV1YitOQTJhNFpiU2RHb0RtCmNHRlJpRVcxMk14OHpjNUpmRlA4dDVVU3NUUVVPeUtNT2VrRDFlcDVVd1B1MjVRYzZldDNUQzNJVW5VWDg3SVkKMzU3ZHRZRkhubFlqMldwemJYOVFxUnk5cmlUMEd0Z0tTZkR2ZWhRK0lQa2szRVZhYlhjT2J3S0JnR0d4QzcwTwp6UUVTcC9nSzZuS1lvNTE2MVY0QWFwcjFzVDhFMFVWUzdGcmU3UGMzTDRHU05saWlhTC8yaVpzWXJteXhUNW1xCjZQanVKUDJ5c3NJQURKeCtYTC8wa0NrMlFiNitpY3NvWUpQR2R6dWthQWpoenVxL05VUFZTanlZUCt6SmZ0dnMKTU9MaFFUQlNCekhidjc3NlNrQ2MwZ1BObEpTeDdnT2l4QUtCQW9HQUpCR1VuM2U1QWZDb21BMUUxRHhSeUxaagpUMFBrQUNlUGpEK3hrRkpod0RoQ2dzd2htNFVKZzFmQW8xaEJRUkZ0dHBWQy91QkxjazE4TUVBSTF2ZGZTeVB2CmtTZzVrVnFQanUzc2czOVRNZ09WZXdqUDNFM0FNUUd1ZzFQNzFZazJ6WUpQbGg5NWRMVTVISlZubzZvdkIrUG0KTHF5K016eDN3a0YwZDhlUFhRND0KLS0tLS1FTkQgUFJJVkFURSBLRVktLS0tLQo=
tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2Z0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktnd2dnU2tBZ0VBQW9JQkFRQ3RTYzR6eUlsb042cUIKMHF3SFhaSGlZMmpEL1lzakU0dndUNlBYQ1Q2RVJQR1l1MW1xVksxeS8vUVBhL294ek1oaUdUV1RYWEdlWEdObAo3OUN6L0djVmN0cFpOUHQ4TFdNeDU2Um1CbGJjcXRyWHJRNFJiSWo1Zk5tRVl3dEpzMW11RURNK0VsOHhSellDCkE2VVhZWDY2TDVySHJsaGtCUEtWZUZIZlZDdjBpb3BURHFyUWVTWXF5ejlsYk9VOWFGb25GaTBMMzJ4c0wrN0IKUTNhL1d4dEY3VWtLZGV4MG9LT2RFZ3hPZmdZMHBxYlJjTlZYQ2k1YW1vVEZ3UXc0cUs0TUlTSVJoaXFSRW5qTgpEKzJ4WVZacEROMnJJZHNVa3diaFZBUTVST0NUbW9jOExBMTY3cVZJUTNVdFlYWE5uejY0NFJRSlNYMWhHR2VnClpXWThySWxWQWdNQkFBRUNnZ0VBSmpONGpTcmV1OFpWeE5QY0Q2MmRmUEpjUktTT3VUZFVhTEF0MXJoWGUxSTEKam0xeXlWMXNkVWNlbHcyL05KNUg2SFJWUHJ6aFVMOWVQRGtmWWFZNVZWMmg2L3VGbXl6b1NyYWRvODR1OU91SApYZmRzL0FOWXVPTkFrbkpCS1Vpcjh2Ym9UUDFBMWZ5MFY4SlU4VEFSZjFzQ1BKWGZMNEYxdHVTMDY4NUMrRi82CmRqclJxOGlqdzd3QmdmcHRYZWVjVkIxdXFyS2ZsS1U0aTg2Z0NYNmZDOUtJYTRZT0hVVXJSL2QxZXBlMUt1alcKNUpadGJnSXJzV1Q4WWsvbTQ3UjZBemsxVW90WlZ4S2JaeUNZc1FCOWlUZkxTWFU5bUlDN3VQdVl3OXF3QmlSbwpZUjAwQlZJM0J0VXJjdm9RdEwzUDdqV0EvZjBFSG1PS0NSTEdPYU5Ga1FLQmdRRHlCK01TU3FiV2h1d1hWYzJnClJWaU9VcVF0dGhxa3UrOWtaY2UxTzhOWlREakFvQ1A3SzVUSXM4Um9aTG5JUzEycjRWM1g5QjROa2t4RHdCdmoKbmdNMU1CcHBObEtyUnZHVExJcXRzdTlkc1N6ek51ZVpaTEF0b3ZJZzRhRVAyY0JMbW9jNFhjRFFpRGRVL0VqQgpUeXBUYkRtNDB6OXBCbDNFQlJYZEZDeGxhUUtCZ1FDM1NqZWpTUkMzdkF1QThRTmVYMlJ5T0I3cVU1TS81RU1KCkZlTkIzS056cGVyL2IxN2JndW1oRzhYRStmdzlPaHlXZzhraXBIYmljZGRPM1VzTllGNndPcFRmNVhVbVBoSkoKcnhYM2liQjNpbWp1TW5yQkJjOW9FUVlySFllN2U4aHFiOGU4dHNybDIzdDF6TlRZZkVBVi9tZ0dHdlNLTGtiKwp4NHprZkRUckRRS0JnUURodzFHZ29sbjJDbXozWjJZamRnd2cxaDJuTmhLc1QxSUN5SjM5QS80NHNjek9nWktPCm5CeHhDcDdPOGdZS082TG96WlFIK1FKL2psUHRicW1WTExPNVRXR1Zlc0txV2NiRmplcmVFK2NMOGxVSG1kTjMKVm1Dd2NTcUNXWFV2bitLcm96MDI2dDBNcDhOVlZ1OVd3azJzKzJyc2FNRGhhcnJVT2hvbTJzWis0UUtCZ1FDcApRWURsYVNobDh1RlFuYjkxbTNOZlFsSFNJNEU3bytiL2NkWGRVUWtqVjFrTnJtT1RJMjNwRjRObXBVNTNuNzBjCmhPL3M3S0RYOVRaVkhtY2JJQjN3Y1BoZlZUMzhKWit2cVY0SXEzNW90VWkyaGFqenJCRGVVYkkzaUZwNkdCRjMKc0dkcTdnV3BneWVjSFoyRG1DRjU3ZWRUay9xenk0NUY0akpLSUNTaDFRS0JnRG9IUk5CYzg0T2doQzNtbnBrcQpoL2RFUkhIaHNlQ3FGYTc5Wi80N2hHTTAyWU9obThQZGtJRkJ1YndHWllPOHNseCtPTEZtZzloZGYxdmFoSkJnCkczNnVOaWM1VmFyQ0w0eDNSc01pWkN3bW9rUDlBUjUyRC92dm54UjQ3amJQL3grNEIycWM2ZndKVkFRTmhGZzAKS3RPcXAwa1dlNjFvMkNPY05WL1BWeGozCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed the mismatching key/cert in the test yaml files.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants