envoyproxy/envoy
SPIFFE validator + "mtls_authenticated" do not support session resumption
Open
#42668 opened on Dec 17, 2025
area/tls, bug, help wanted
Description
On a resumed session, "peer certificate validated" is set to false, since that bit is set by the validator flow per connection. That means any policy using mtls_authenticated evaluates to false, and can be dangerous if used as a DENY policy. The workaround is to disable session resumption in TLS.