You are browsing documentation for an outdated plugin version.
Looking for the plugin's configuration parameters? You can find them in the Mutual TLS Authentication configuration reference doc.
This plugin lets you add mutual TLS authentication based on a client-supplied or a server-supplied certificate, and on the configured trusted certificate authority (CA) list.
The mTLS plugin automatically maps certificates to consumers based on the common name field.
How does the mTLS plugin work?
To authenticate a consumer with mTLS, it must provide a valid certificate and complete a mutual TLS handshake with Kong Gateway.
The plugin validates the certificate provided against the configured CA list based on the requested route or service:
- If the certificate is not trusted or has expired, the response is
HTTP 401 TLS certificate failed verification
. - If consumer did not present a valid certificate (this includes requests not
sent to the HTTPS port), then the response is
HTTP 401 No required TLS certificate was sent
. The exception is if theconfig.anonymous
option is configured on the plugin, in which case the anonymous consumer is used and the request is allowed to proceed.
Client certificate request
Client certificates are requested in the ssl_certificate_by_lua
phase where Kong Gateway does not
have access to route
and workspace
information. Due to this information gap, Kong Gateway asks for
the client certificate by default on every handshake if the mtls-auth
plugin is configured on any route or service.
In most cases, the failure of the client to present a client certificate is not going to affect subsequent
proxying if that route or service does not have the mtls-auth
plugin applied. The exception is where
the client is a desktop browser, which prompts the end user to choose the client cert to send and
lead to user experience issues rather than proxy behavior problems.
To improve this situation, Kong Gateway builds an in-memory map of SNIs from the configured Kong Gateway routes that should present a client certificate. To limit client certificate requests during handshake while ensuring the client certificate is requested when needed, the in-memory map is dependent on the routes in Kong Gateway having the SNIs attribute set. If any routes don’t have SNIs set, Kong Gateway must request the client certificate during every TLS handshake:
- Plugin is applied globally: mTLS auth is applied on every request irrespective of workspace
- Plugin is applied at the service level: If one or more of the routes do not have SNIs set, mTLS auth is applied on every request irrespective of workspace.
- Plugin is applied at the route level: If one or more of the routes do not have SNIs set, applied on every request irrespective of workspace.
- Plugin is applied at the route level and all routes have SNIs set: mTLS is applied on specific requests only.
SNIs must be set for all routes that mutual TLS authentication uses.
Troubleshooting
When authentication fails, the client does not have access to any details that explain the
failure. The security reason for this omission is to prevent malicious reconnaissance.
Instead, the details are recorded inside Kong’s error logs under the [mtls-auth]
filter.
Get started with the mTLS Authentication plugin
- Add certificate authorities: To use this plugin, you must add certificate authority (CA) certificates. Set them up before configuring the plugin.
- Configuration reference
- Basic configuration example
- Create manual mappings between certificate and consumer objects