Skip to content

[release-4.18] OCPBUGS-86715: Strip X-SSL-* headers for plain HTTP#800

Merged
openshift-merge-bot[bot] merged 1 commit into
openshift:release-4.18from
MrSanketkumar:CVE-2026-46579-4.18
Jul 8, 2026
Merged

[release-4.18] OCPBUGS-86715: Strip X-SSL-* headers for plain HTTP#800
openshift-merge-bot[bot] merged 1 commit into
openshift:release-4.18from
MrSanketkumar:CVE-2026-46579-4.18

Conversation

@MrSanketkumar

@MrSanketkumar MrSanketkumar commented Jun 18, 2026

Copy link
Copy Markdown

Vulnerability: CVE-2026-46579 - mTLS client certificate spoofing via HTTP header injection

Fix: Prevents unauthenticated spoofing of mutual TLS client identities by stripping X-SSL-Client-* headers from HTTP requests before they reach backends.

Changes:

  • Adds `ROUTER_MUTUAL_TLS_HEADER_FILTER` environment variable (default: `true`)
  • Strips all 12 X-SSL headers in HTTP frontends: `public`, `fe_sni`, `fe_no_sni`
  • Secure by default - header stripping enabled unless explicitly disabled

Summary by CodeRabbit

Release Notes

  • New Features
    • Added header filtering to the router to prevent spoofing of mutual TLS identity claims. This security enhancement automatically filters headers that could be forged by clients, reducing unauthorized access risks. The feature is enabled by default but can be toggled if needed.

@openshift-ci-robot openshift-ci-robot added jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Jun 18, 2026
@openshift-ci-robot

Copy link
Copy Markdown
Contributor

@MrSanketkumar: This pull request references Jira Issue OCPBUGS-86715, which is invalid:

  • expected dependent Jira Issue OCPBUGS-86716 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is POST instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Vulnerability: CVE-2026-46579 - mTLS client certificate spoofing via HTTP header injection

Fix: Prevents unauthenticated spoofing of mutual TLS client identities by stripping X-SSL-Client-* headers from HTTP requests before they reach backends.

Changes:

  • Adds `ROUTER_MUTUAL_TLS_HEADER_FILTER` environment variable (default: `true`)
  • Strips all 12 X-SSL headers in HTTP frontends: `public`, `fe_sni`, `fe_no_sni`
  • Secure by default - header stripping enabled unless explicitly disabled

Backport of : #799

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai

coderabbitai Bot commented Jun 18, 2026

Copy link
Copy Markdown

Walkthrough

The HAProxy config template gains conditional http-request del-header directives in three frontends (frontend public, frontend fe_sni, frontend fe_no_sni) to strip X-SSL and all X-SSL-Client-* headers from incoming requests. The behavior is gated on the ROUTER_MUTUAL_TLS_HEADER_FILTER environment variable, which defaults to true.

Changes

X-SSL Header Spoofing Mitigation

Layer / File(s) Summary
Conditional X-SSL header stripping across all three frontends
images/router/haproxy/conf/haproxy-config.template
Adds identical ROUTER_MUTUAL_TLS_HEADER_FILTER-gated blocks (default true) in the plain HTTP frontend (lines 254–270), TLS SNI frontend (lines 388–405), and TLS no-SNI frontend (lines 521–538), each issuing http-request del-header for X-SSL and all X-SSL-Client-* headers to prevent client spoofing of mutual-TLS identity headers.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

  • openshift/router#787: Modifies the same HAProxy template file to add the same ROUTER_MUTUAL_TLS_HEADER_FILTER-gated http-request del-header stripping for X-SSL and X-SSL-Client-* headers in the same frontends.
  • openshift/router#793: Directly overlaps — conditionally deletes X-SSL and X-SSL-Client-* (including X-SSL-Issuer) from the same three HAProxy frontends behind ROUTER_MUTUAL_TLS_HEADER_FILTER.
  • openshift/router#795: Applies the same conditional X-SSL/X-SSL-Client-* header stripping via ROUTER_MUTUAL_TLS_HEADER_FILTER in frontend public, fe_sni, and fe_no_sni of the same template file.

Suggested labels

approved, lgtm, backport-risk-assessed, jira/valid-bug, verified

Suggested reviewers

  • Miciah
  • knobunc
🚥 Pre-merge checks | ✅ 5 | ❌ 10

❌ Failed checks (10 inconclusive)

Check name Status Explanation Resolution
Stable And Deterministic Test Names ❓ Inconclusive Repository clone failed, so this custom check could not run with code access. Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Test Structure And Quality ❓ Inconclusive Repository clone failed, so this custom check could not run with code access. Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Microshift Test Compatibility ❓ Inconclusive Repository clone failed, so this custom check could not run with code access. Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Single Node Openshift (Sno) Test Compatibility ❓ Inconclusive Repository clone failed, so this custom check could not run with code access. Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Topology-Aware Scheduling Compatibility ❓ Inconclusive Repository clone failed, so this custom check could not run with code access. Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Ote Binary Stdout Contract ❓ Inconclusive Repository clone failed, so this custom check could not run with code access. Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Ipv6 And Disconnected Network Test Compatibility ❓ Inconclusive Repository clone failed, so this custom check could not run with code access. Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
No-Weak-Crypto ❓ Inconclusive Repository clone failed, so this custom check could not run with code access. Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Container-Privileges ❓ Inconclusive Repository clone failed, so this custom check could not run with code access. Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
No-Sensitive-Data-In-Logs ❓ Inconclusive Repository clone failed, so this custom check could not run with code access. Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
✅ Passed checks (5 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately reflects the main security change and mentions the primary plain-HTTP header stripping behavior.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Warning

Review ran into problems

🔥 Problems

Git: Failed to clone repository. Please run the @coderabbitai full review command to re-trigger a full review. If the issue persists, set path_filters to include or exclude specific files.


Comment @coderabbitai help to get the list of available commands.

@openshift-ci openshift-ci Bot requested review from Miciah and knobunc June 18, 2026 09:18
@MrSanketkumar

Copy link
Copy Markdown
Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jun 18, 2026

Copy link
Copy Markdown
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@UdayYendva

Copy link
Copy Markdown

I’ve created a cluster using the PR that includes the merged fix from PR #800. The corresponding ClusterVersion is: 4.18.0-0-2026-06-30-054954-test-ci-ln-p9spn1k-latest

oc get clusterversion
NAME      VERSION                                                AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.18.0-0-2026-06-30-054954-test-ci-ln-p9spn1k-latest   True        False         13m     Cluster version is 4.18.0-0-2026-06-30-054954-test-ci-ln-p9spn1k-latest
oc project openshift-ingress
Now using project "openshift-ingress" on server "https://api.ci-ln-nx25ys2-76ef8.aws-4.ci.openshift.org:6443".
oc get pods
NAME                             READY   STATUS    RESTARTS      AGE
router-default-d6d7549b5-9qn7t   1/1     Running   1 (36m ago)   44m
router-default-d6d7549b5-sv4sw   1/1     Running   0             35m

After inspecting one of the pods, I confirmed that the latest changes from the PR are present in the Router , SNI and NO SNI code paths, Therefore succesfully indicating that the fix has been successfully deployed
These are the changes from the PR are correctly reflected in the running ingress/router pods.

oc rsh pods/router-default-d6d7549b5-9qn7t 
sh-5.1$ cat haproxy
haproxy-config.template  haproxy.config           
sh-5.1$ cat haproxy-config.template 

These are the same changes that were introduced in #800

  # Strip off X-SSL* headers for plain HTTP if not explicitly disabled.
  # This prevents unauthenticated spoofing of mutual TLS client identities.
  {{- if isTrue (env "ROUTER_MUTUAL_TLS_HEADER_FILTER" "true") }}
  http-request del-header X-SSL
  http-request del-header X-SSL-Client-CN
  http-request del-header X-SSL-Client-DER
  http-request del-header X-SSL-Client-DN
  http-request del-header X-SSL-Client-NotAfter
  http-request del-header X-SSL-Client-NotBefore
  http-request del-header X-SSL-Client-SHA1
  http-request del-header X-SSL-Client-Serial
  http-request del-header X-SSL-Client-Subject
  http-request del-header X-SSL-Client-Verify
  http-request del-header X-SSL-Client-Version
  http-request del-header X-SSL-Issuer
  {{- end }}

/Verified by ci

@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Jun 30, 2026
@openshift-ci-robot

Copy link
Copy Markdown
Contributor

@UdayYendva: This PR has been marked as verified by ci.

Details

In response to this:

I’ve created a cluster using the PR that includes the merged fix from PR #800. The corresponding ClusterVersion is: 4.18.0-0-2026-06-30-054954-test-ci-ln-p9spn1k-latest

oc get clusterversion
NAME      VERSION                                                AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.18.0-0-2026-06-30-054954-test-ci-ln-p9spn1k-latest   True        False         13m     Cluster version is 4.18.0-0-2026-06-30-054954-test-ci-ln-p9spn1k-latest
oc project openshift-ingress
Now using project "openshift-ingress" on server "https://api.ci-ln-nx25ys2-76ef8.aws-4.ci.openshift.org:6443".
oc get pods
NAME                             READY   STATUS    RESTARTS      AGE
router-default-d6d7549b5-9qn7t   1/1     Running   1 (36m ago)   44m
router-default-d6d7549b5-sv4sw   1/1     Running   0             35m

After inspecting one of the pods, I confirmed that the latest changes from the PR are present in the Router , SNI and NO SNI code paths, Therefore succesfully indicating that the fix has been successfully deployed
These are the changes from the PR are correctly reflected in the running ingress/router pods.

oc rsh pods/router-default-d6d7549b5-9qn7t 
sh-5.1$ cat haproxy
haproxy-config.template  haproxy.config           
sh-5.1$ cat haproxy-config.template 

These are the same changes that were introduced in #800

  # Strip off X-SSL* headers for plain HTTP if not explicitly disabled.
  # This prevents unauthenticated spoofing of mutual TLS client identities.
  {{- if isTrue (env "ROUTER_MUTUAL_TLS_HEADER_FILTER" "true") }}
  http-request del-header X-SSL
  http-request del-header X-SSL-Client-CN
  http-request del-header X-SSL-Client-DER
  http-request del-header X-SSL-Client-DN
  http-request del-header X-SSL-Client-NotAfter
  http-request del-header X-SSL-Client-NotBefore
  http-request del-header X-SSL-Client-SHA1
  http-request del-header X-SSL-Client-Serial
  http-request del-header X-SSL-Client-Subject
  http-request del-header X-SSL-Client-Verify
  http-request del-header X-SSL-Client-Version
  http-request del-header X-SSL-Issuer
  {{- end }}

/Verified by ci

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@Miciah

Miciah commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

This is a clean cherry-pick of #799.

/approve
/lgtm

You do have a typo in the PR title and in the commit message: "OCPBUGS-OCPBUGS-86715". Do you want to fix that while #799 goes through CI and verification? I can re-/lgtm if you do push an updated commit to fix that one issue.

This is a medium-risk backport. The assessment for the release-4.21 backport #795 (comment) applies equally to the release-4.18 backport.

/label backport-risk-assessed

@openshift-ci openshift-ci Bot added the backport-risk-assessed Indicates a PR to a release branch has been evaluated and considered safe to accept. label Jul 7, 2026
@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jul 7, 2026
@openshift-ci

openshift-ci Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Miciah

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 7, 2026
@MrSanketkumar

Copy link
Copy Markdown
Author

/jira refresh

@openshift-ci-robot

Copy link
Copy Markdown
Contributor

@MrSanketkumar: This pull request references Jira Issue OCPBUGS-86715, which is invalid:

  • expected dependent Jira Issue OCPBUGS-86716 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is MODIFIED instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@MrSanketkumar MrSanketkumar force-pushed the CVE-2026-46579-4.18 branch from e2848a1 to 4dddbe9 Compare July 7, 2026 15:36
@openshift-ci-robot openshift-ci-robot removed the verified Signifies that the PR passed pre-merge verification criteria label Jul 7, 2026
@openshift-ci openshift-ci Bot removed the lgtm Indicates that a PR is ready to be merged. label Jul 7, 2026
@MrSanketkumar

Copy link
Copy Markdown
Author

/retitle [release-4.18] OCPBUGS-86715: Strip X-SSL-* headers for plain HTTP

@openshift-ci openshift-ci Bot changed the title [release-4.18] OCPBUGS-OCPBUGS-86715: Strip X-SSL-* headers for plain HTTP [release-4.18] OCPBUGS-86715: Strip X-SSL-* headers for plain HTTP Jul 7, 2026
@MrSanketkumar

Copy link
Copy Markdown
Author

@Miciah Thanks! I've corrected the commit and PR title as well. Could you please provide an LGTM?

@Miciah

Miciah commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Thanks!

/lgtm

@Miciah

Miciah commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Changing the commit message shouldn't affect the validity of the earlier verification, so per #800 (comment),
/verified by ci

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jul 7, 2026
@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Jul 7, 2026
@openshift-ci-robot

Copy link
Copy Markdown
Contributor

@Miciah: This PR has been marked as verified by ci.

Details

In response to this:

Changing the commit message shouldn't affect the validity of the earlier verification, so per #800 (comment),
/verified by ci

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@MrSanketkumar

Copy link
Copy Markdown
Author

/jira refresh

@openshift-ci-robot

Copy link
Copy Markdown
Contributor

@MrSanketkumar: This pull request references Jira Issue OCPBUGS-86715, which is invalid:

  • expected dependent Jira Issue OCPBUGS-86716 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is ON_QA instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@MrSanketkumar

Copy link
Copy Markdown
Author

/test e2e-aws-serial

@openshift-ci

openshift-ci Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

@MrSanketkumar: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@MrSanketkumar

Copy link
Copy Markdown
Author

/jira refresh

@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Jul 8, 2026
@openshift-ci-robot

Copy link
Copy Markdown
Contributor

@MrSanketkumar: This pull request references Jira Issue OCPBUGS-86715, which is valid. The bug has been moved to the POST state.

7 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.18.z) matches configured target version for branch (4.18.z)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)
  • release note type set to "Release Note Not Required"
  • dependent bug Jira Issue OCPBUGS-86716 is in the state Verified, which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
  • dependent Jira Issue OCPBUGS-86716 targets the "4.19.z" version, which is one of the valid target versions: 4.19.0, 4.19.z
  • bug has dependents

No GitHub users were found matching the public email listed for the QA contact in Jira (uyendava@redhat.com), skipping review request.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-merge-bot openshift-merge-bot Bot merged commit e5c059e into openshift:release-4.18 Jul 8, 2026
8 checks passed
@openshift-ci-robot

Copy link
Copy Markdown
Contributor

@MrSanketkumar: Jira Issue OCPBUGS-86715: Some pull requests linked via external trackers have merged:

The following pull request, linked via external tracker, has not merged:

All associated pull requests must be merged or unlinked from the Jira bug in order for it to move to the next state. Once unlinked, request a bug refresh with /jira refresh.

Jira Issue OCPBUGS-86715 has not been moved to the MODIFIED state.

This PR is marked as verified. If the remaining PRs listed above are marked as verified before merging, the issue will automatically be moved to VERIFIED after all of the changes from the PRs are available in an accepted nightly payload.

Details

In response to this:

Vulnerability: CVE-2026-46579 - mTLS client certificate spoofing via HTTP header injection

Fix: Prevents unauthenticated spoofing of mutual TLS client identities by stripping X-SSL-Client-* headers from HTTP requests before they reach backends.

Changes:

  • Adds `ROUTER_MUTUAL_TLS_HEADER_FILTER` environment variable (default: `true`)
  • Strips all 12 X-SSL headers in HTTP frontends: `public`, `fe_sni`, `fe_no_sni`
  • Secure by default - header stripping enabled unless explicitly disabled

Summary by CodeRabbit

Release Notes

  • New Features
  • Added header filtering to the router to prevent spoofing of mutual TLS identity claims. This security enhancement automatically filters headers that could be forged by clients, reducing unauthorized access risks. The feature is enabled by default but can be toggled if needed.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-merge-robot

Copy link
Copy Markdown
Contributor

Fix included in release 4.18.0-0.nightly-2026-07-08-092428

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. backport-risk-assessed Indicates a PR to a release branch has been evaluated and considered safe to accept. jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged. verified Signifies that the PR passed pre-merge verification criteria

Projects

None yet

Development

Successfully merging this pull request may close these issues.

9 participants