You are browsing documentation for an outdated plugin version.
Did you know that you can try this plugin without talking to anyone for just $5/month with Kong Konnect? Get started in under 5 minutes.
Looking for the plugin's configuration parameters? You can find them in the Mutual TLS Authentication configuration reference doc.
This plugin lets you add mutual TLS authentication based on a client-supplied or a server-supplied certificate,
and on the configured trusted certificate authority (CA) list.
The mTLS plugin automatically maps certificates to consumers based on the common name field.
How does the mTLS plugin work?
To authenticate a consumer with mTLS, it must provide a valid certificate and
complete a mutual TLS handshake with Kong Gateway.
The plugin validates the certificate provided against the configured CA list based on the
requested route or service:
- If the certificate is not trusted or has expired, the response is
HTTP 401 TLS certificate failed verification.
- If consumer did not present a valid certificate (this includes requests not
sent to the HTTPS port), then the response is
HTTP 401 No required TLS certificate was sent.
The exception is if the
config.anonymous option is configured on the plugin, in which
case the anonymous consumer is used and the request is allowed to proceed.
Client certificate request
Client certificates are requested in the
ssl_certificate_by_lua phase where Kong Gateway does not
have access to
workspace information. Due to this information gap, Kong Gateway asks for
the client certificate by default on every handshake if the
mtls-auth plugin is configured on any route or service.
In most cases, the failure of the client to present a client certificate is not going to affect subsequent
proxying if that route or service does not have the
mtls-auth plugin applied. The exception is where
the client is a desktop browser, which prompts the end user to choose the client cert to send and
lead to user experience issues rather than proxy behavior problems.
To improve this situation, Kong Gateway builds an in-memory map of SNIs from the configured Kong Gateway routes that should present a client certificate.
To limit client certificate requests during handshake while ensuring the client
certificate is requested when needed, the in-memory map is dependent on the routes in
Kong Gateway having the SNIs attribute set.
If any routes don’t have SNIs set, Kong Gateway must request
the client certificate during every TLS handshake:
Plugin is applied globally: mTLS auth is applied on every request irrespective of workspace
Plugin is applied at the service level: If one or more of the routes do not have SNIs set, mTLS auth is applied on every request irrespective of workspace.
Plugin is applied at the route level: If one or more of the routes do not have SNIs set, applied on every request irrespective of workspace.
Plugin is applied at the route level and all routes have SNIs set: mTLS is applied on specific requests only.
SNIs must be set for all routes that mutual TLS authentication uses.
When authentication fails, the client does not have access to any details that explain the
failure. The security reason for this omission is to prevent malicious reconnaissance.
Instead, the details are recorded inside Kong’s error logs under the
Get started with the mTLS Authentication plugin