Release date 2025/12/18
added support for the tls_certificate_verify global option.
When this option is enabled, the plugin’s ssl_verify flag
cannot be disabled.
added the flag ssl_verify to control certificate
verification when connecting to the server of the OCSP responder’s URL and to
the server of the CRL Distribution Point.
Release date 2025/10/01
Fixed an issue where a certificate with an empty DN led to a runtime exception.
Release date 2025/07/03
Fixed an issue where uselss interface is called when doing the OCSP client cert verification.
Release date 2025/08/07
Fixed an issue where uselss interface is called when doing the OCSP client cert verification.
Release date 2024/05/28
Add default_consumer option that allows a default consumer to be used when the client certificate is valid but does not match any existing consumers.
Release date 2024/05/14
Add default_consumer option that allows a default consumer to be used when the client certificate is valid but does not match any existing consumers.
Release date 2024/02/12
Mtls-auth print notice log if revocation check fails with revocation_check_mode = IGNORE_CA_ERROR
Release date 2024/05/20
Add default_consumer option that allows a default consumer to be used when the client certificate is valid but does not match any existing consumers.
Release date 2023/11/08
mtls-auth should not cache the network failure when doing revocation check
Release date 2024/12/17
Fixed an issue where a 500 error occurs when the configuration changes with the mTLS plugin enabled.
Release date 2024/03/21
Add default_consumer option that allows a default consumer to be used when the client certificate is valid but does not match any existing consumers.
Release date 2023/09/28
mtls-auth should not cache the network failure when doing revocation check
Release date 2023/08/09
Fixed several revocation verification issues:
revocation_check_mode=IGNORE_CA_ERROR, then the CRL revocation failure will be ignored.no issuer certificate in chain error if the client only sent a leaf certificate.http_timeout wasn’t correctly set.If revocation_check_mode=IGNORE_CA_ERROR, then the CRL revocation failure will be ignored.
Once a CRL is added into the store, it will always do CRL revocation check with this CRL file.
OCSP verification failed with no issuer certificate in chain error if the client only sent a leaf certificate.
http_timeout wasn’t correctly set.
Optimized CRL revocation verification.
Fixed an issue that would cause an unexpected error when skip_consumer_lookup is enabled and authenticated_group_by is set to null.
Release date 2023/10/12
Fixed an issue that caused the plugin to cache network failures when running certificate revocation checks.
Release date 2023/01/24
Fixed an issue where the plugin used the old route caches after routes were updated.
Release date 2022/12/06
The anonymous field can now be configured as the username of the consumer. This field allows you to configure a string to use as an “anonymous” consumer if authentication fails.
Added the config.send_ca_dn configuration parameter to support sending CA DNs in the CertificateRequest message during SSL handshakes.
Added the allow_partial_chain configuration parameter to allow certificate verification with only an intermediate certificate.
Release date 2022/09/09
Introduced certificate revocation list (CRL) and OCSP server support with the following parameters: http_proxy_host, http_proxy_port, https_proxy_host, and https_proxy_port.
Updated the priority for some plugins.: mtls-auth changed from 1006 to 1600
Release date 2023/11/28
mtls-auth should not cache the network failure when doing revocation check
Release date 2023/03/28
Fixed an issue where the plugin used the old route caches after routes were updated.
Release date 2022/11/21
Fixed an issue where the plugin was causing requests to silently fail on Kong Gateway data planes.