diff --git a/apisix/schema_def.lua b/apisix/schema_def.lua
index 491265a58a18..054f8629c8de 100644
--- a/apisix/schema_def.lua
+++ b/apisix/schema_def.lua
@@ -838,7 +838,12 @@ _M.ssl = {
 client = {
 type = "object",
 properties = {
- ca = certificate_scheme,
+ ca = {
+ oneOf = {
+ certificate_scheme,
+ secret_uri_schema
+ }
+ },
 depth = {
 type = "integer",
 minimum = 0,
diff --git a/apisix/ssl.lua b/apisix/ssl.lua
index 2bd757077ebc..f9718ff14843 100644
--- a/apisix/ssl.lua
+++ b/apisix/ssl.lua
@@ -299,10 +299,12 @@ function _M.check_ssl_conf(in_dp, conf)
 if not support_client_verification() then
 return nil, "client tls verify unsupported"
 end
-
- local ok, err = validate(conf.client.ca, nil)
- if not ok then
- return nil, "failed to validate client_cert: " .. err
+
+ if not secret.check_secret_uri(conf.client.ca) then
+ local ok, err = validate(conf.client.ca, nil)
+ if not ok then
+ return nil, "failed to validate client_cert: " .. err
+ end
 end
 end
diff --git a/apisix/ssl/router/radixtree_sni.lua b/apisix/ssl/router/radixtree_sni.lua
index 15ea67225fc4..fbce200bba87 100644
--- a/apisix/ssl/router/radixtree_sni.lua
+++ b/apisix/ssl/router/radixtree_sni.lua
@@ -253,9 +253,9 @@ function _M.set(matched_ssl, sni)
 return false, err
 end
- if matched_ssl.value.client then
- local ca_cert = matched_ssl.value.client.ca
- local depth = matched_ssl.value.client.depth
+ if new_ssl_value.client then
+ local ca_cert = new_ssl_value.client.ca
+ local depth = new_ssl_value.client.depth
 if apisix_ssl.support_client_verification() then
 local parsed_cert, err = apisix_ssl.fetch_cert(sni, ca_cert)
 if not parsed_cert then
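Review bot: The new `ca` schema combines the two alternatives with `oneOf`, which fails when a value satisfies both branches; if `certificate_scheme` is a plain string schema with only a length bound (its definition is not in this hunk), a secret-URI string would match both and be rejected outright. Unless the two schemas are known to be mutually exclusive, `anyOf = { certificate_scheme, secret_uri_schema }` is the safer combinator here. Also worth confirming that `secret_uri_schema` is a local declared above line 838 in schema_def.lua: the table is built at load time, and an undefined name evaluates to `nil`, which would silently drop the second alternative from the list instead of raising an error. The enclosing `_M.ssl` table begins and ends outside the hunk.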
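Review bot: In the ssl.lua hunk, when `conf.client.ca` is a secret URI the new branch skips `validate` entirely, so a reference that later resolves to something that is not a PEM CA bundle is not caught by admin validation and only surfaces when the SNI router tries to parse it during a handshake; the URI itself is also not checked beyond `check_secret_uri`, so a mistyped reference passes here. A comment above the branch would make that contract explicit, e.g. `-- secret URIs are resolved on the data plane; the resolved CA is parsed by fetch_cert, so only a literal PEM value is validated here`. Please also confirm `secret` is required at the top of ssl.lua, which is outside this hunk, since an unresolved global would only fail at the first call. check_ssl_conf begins and ends outside the hunk.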
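Review bot: In the radixtree_sni.lua hunk, `ca_cert` is now read from `new_ssl_value`, whose construction is not visible here; if secret resolution failed and left `client.ca` nil, `fetch_cert(sni, nil)` is reached with no guard, and whatever error it yields will not indicate that a secret lookup was the cause. A guard before the fetch keeps the failure closed and attributable: `if not ca_cert then` / `return false, "client CA is nil for sni " .. sni .. " (secret lookup failed?)"` / `end`, matching the `return false, err` convention visible at the top of the hunk. Failing closed matters here because this branch is what enables client certificate verification; a silent nil must not degrade the SSL object to no verification. `_M.set` begins before and continues past the hunk.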