Fedora Account System
Red Hat Associate
Red Hat Customer
The OpenShift Router's HAProxy configuration template sets X-SSL-Client-* headers (DN, DER, NotAfter, NotBefore, SHA1, Subject) on the HTTPS frontends (fe_sni, fe_no_sni) using values from the actual TLS handshake. However, the HTTP frontend (fe_http) does not strip these headers from incoming requests. When a Route has insecureEdgeTerminationPolicy set to Allow, an attacker can send plain HTTP requests with forged X-SSL-Client-* headers that are forwarded to the backend unmodified. Backends that rely on these headers for mutual TLS authentication can be completely bypassed, allowing an unauthenticated attacker to impersonate any client certificate identity.