AWS API Gateway private integration with mutual TLS

0

Is mutual TLS supported with private resource integration in HTTP API gateway? I created an HTTP integration that routes traffic into a private ALB's HTTP listener. After that I implemented mutual TLS by using this guide: https://aws.amazon.com/blogs/compute/introducing-mutual-tls-authentication-for-amazon-api-gateway/ While testing certificate authentication I created a second set of certificates and used the second set's client key and pem to authenticate successfully against the first set's keystore. This behavior should not be possible. With this configuration API gateway demands that clients send a certificate and key, but never verifies them against the specified truststore. I tested this setup by switching the private integration to a lambda integration, and TLS operated like it should, verifying the certificate against the truststore.

How to reproduce:
- create an HTTP API gateway API with lambda integration (used ANY /)
- create a custom domain for the API, with mutual TLS enabled and the default endpoint disabled
- create 2 sets of certificates and client keys
- TLS should check the validity of the client certificate and prevent mixing certificates between sets
- switch the lambda integration to a private ALB integration with an HTTP listener
- test TLS again by mixing certificates
- API gateway accepts mixed certificates
- As a side effect, in this configuration the gateway ignores the default endpoint disable setting and enables bypassing the TLS completely.

Asked 2 years ago, 3446 views
1 Answer
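The cross-set check from the reproduction steps above, as an added example that is not from the question or from AWS: it builds two constructed certificate sets with Go's standard library and confirms that a client certificate chains only to its own set's truststore, which is the result a correctly enforcing mTLS listener must produce. `MustNewCertSet` and `TruststoreAccepts` are this example's own names, and the set names are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err) // key and certificate generation on valid templates cannot fail
	}
}

// MustNewCertSet builds one constructed set, as in the question: a self-signed
// CA (the truststore) and a client-auth certificate issued by that CA.
func MustNewCertSet(name string) (ca, client *x509.Certificate) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	clientKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name + " CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	must(err)
	ca, err = x509.ParseCertificate(caDER)
	must(err)
	clientTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: name + " client"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	clientDER, err := x509.CreateCertificate(rand.Reader, clientTmpl, ca, &clientKey.PublicKey, caKey)
	must(err)
	client, err = x509.ParseCertificate(clientDER)
	must(err)
	return ca, client
}

// TruststoreAccepts reports whether client chains to the truststore CA: the check
// an mTLS listener must pass before forwarding, and the one the question reports skipped.
func TruststoreAccepts(truststore, client *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(truststore)
	_, err := client.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}
```

A gateway that behaves correctly mirrors the second assertion below: a client certificate from set 2 presented to a domain whose truststore holds only set 1's CA is rejected at the TLS handshake, before any integration is reached.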
1

As per the doc (https://docs.aws.amazon.com/apigateway/latest/developerguide/rest-api-mutual-tls.html), private APIs don't support mutual TLS.

In order to do that, you would need something like: Client -> NLB -> Proxy (to handle mTLS) -> interface VPC endpoint for API Gateway -> private API

You can have a look at this blog post: https://aws.amazon.com/pt/blogs/aws-brasil/suportando-mutual-tls-mtls-utilizando-certificados-do-icp-brasil-para-o-open-banking-no-brasil-utilizando-o-amazon-api-gateway/, it's in Portuguese but you will see the architecture, and can probably translate.

AWS
Answered 2 years ago
Expert
Reviewed 2 years ago
  • I'm aware that mutual TLS for private API gateways is not supported, but in my case I'm using a public API gateway with a VPC link. Shouldn't this configuration be supported, as the only difference between the functional and nonfunctional configurations is swapping the lambda integration for the VPC link integration?
