Mutual TLS Authentication

Release date 2026/04/07

Feature

• the ssl_verify option to validate verification of the certificate presented by the server of the OCSP responder’s URL and by the server of the CRL Distribution Point is now enabled by default.

• Added WebSocket protocol support. This authentication plugin can now protect WebSocket connections (ws and wss protocols) in addition to HTTP/HTTPS. In hybrid mode, using ws/wss with this plugin requires data planes running DP >= 3.14, or explicit removal of ws/wss protocols from configurations targeting older data planes.

Bugfix

• Fixed an issue where client certificates with Subject Alternative Name (SAN) DirectoryName extensions caused authentication errors. Added a new san_dirname_matcher configuration option to specify which Distinguished Name attributes from the SAN DirectoryName extension should be used for consumer lookup.

Release date 2025/12/18

Feature

• added support for the tls_certificate_verify global option. When this option is enabled, the plugin’s ssl_verify flag cannot be disabled.

• added the flag ssl_verify to control certificate verification when connecting to the server of the OCSP responder’s URL and to the server of the CRL Distribution Point.

Release date 2025/10/01

Bugfix

• Fixed an issue where a certificate with an empty DN led to a runtime exception.

Release date 2025/07/03

Bugfix

• Fixed an issue where uselss interface is called when doing the OCSP client cert verification.

Release date 2025/08/07

Bugfix

• Fixed an issue where uselss interface is called when doing the OCSP client cert verification.

Release date 2024/05/28

Feature

• Add default_consumer option that allows a default consumer to be used when the client certificate is valid but does not match any existing consumers.

Release date 2024/05/14

Feature

• Add default_consumer option that allows a default consumer to be used when the client certificate is valid but does not match any existing consumers.

Release date 2024/02/12

Bugfix

• Mtls-auth print notice log if revocation check fails with revocation_check_mode = IGNORE_CA_ERROR

Release date 2024/05/20

Feature

• Add default_consumer option that allows a default consumer to be used when the client certificate is valid but does not match any existing consumers.

Release date 2023/11/08

Bugfix

• mtls-auth should not cache the network failure when doing revocation check

Release date 2024/12/17

Bugfix

• Fixed an issue where a 500 error occurs when the configuration changes with the mTLS plugin enabled.

Release date 2024/03/21

Feature

• Add default_consumer option that allows a default consumer to be used when the client certificate is valid but does not match any existing consumers.

Release date 2023/09/28

Bugfix

• mtls-auth should not cache the network failure when doing revocation check

Release date 2023/08/09

Bugfix

• Fixed several revocation verification issues:

  • If revocation_check_mode=IGNORE_CA_ERROR, then the CRL revocation failure will be ignored.
  • Once a CRL is added into the store, it will always do CRL revocation check with this CRL file.
  • OCSP verification failed with no issuer certificate in chain error if the client only sent a leaf certificate.
  • http_timeout wasn’t correctly set.

• If revocation_check_mode=IGNORE_CA_ERROR, then the CRL revocation failure will be ignored.

• Once a CRL is added into the store, it will always do CRL revocation check with this CRL file.

• OCSP verification failed with no issuer certificate in chain error if the client only sent a leaf certificate.

• http_timeout wasn’t correctly set.

• Optimized CRL revocation verification.

• Fixed an issue that would cause an unexpected error when skip_consumer_lookup is enabled and authenticated_group_by is set to null.

Release date 2023/10/12

Bugfix

• Fixed an issue that caused the plugin to cache network failures when running certificate revocation checks.

Release date 2023/01/24

Bugfix

• Fixed an issue where the plugin used the old route caches after routes were updated.

Release date 2022/12/06

Feature

• The anonymous field can now be configured as the username of the consumer. This field allows you to configure a string to use as an “anonymous” consumer if authentication fails.

• Added the config.send_ca_dn configuration parameter to support sending CA DNs in the CertificateRequest message during SSL handshakes.

• Added the allow_partial_chain configuration parameter to allow certificate verification with only an intermediate certificate.

Release date 2022/09/09

Feature

• Introduced certificate revocation list (CRL) and OCSP server support with the following parameters: http_proxy_host, http_proxy_port, https_proxy_host, and https_proxy_port.

Breaking Change

• Updated the priority for some plugins.: mtls-auth changed from 1006 to 1600

Release date 2023/11/28

Bugfix

• mtls-auth should not cache the network failure when doing revocation check

Release date 2023/03/28

Bugfix

• Fixed an issue where the plugin used the old route caches after routes were updated.

Release date 2022/11/21

Bugfix

• Fixed an issue where the plugin was causing requests to silently fail on Kong Gateway data planes.

Release date 2022/05/27

Feature

• Introduced certificate revocation list (CRL) and OCSP server support with the following parameters: http_proxy_host, http_proxy_port, https_proxy_host, and https_proxy_port.

Release date 2022/03/02

Bugfix

• Fixed attempt to index local 'workspace' error, which occurred when accessing Routes or Services using TLS.