With linkerd >= 1.4.0, requests to servers that have intermediates in their cert file now fail. See hello-with-intermediate.cert.pem for an example cert.
The certs were generated by following the OpenSSL Certificate Authority Guide. All of the keys have a password of password.
docker-compose up
# Make a direct request to the server-side linkerd router, with client certs provided by curl.
# This should return a successful response.
curl -k \
--cert certs/ca/intermediate/certs/client-with-intermediate.cert.pem \
--key certs/ca/intermediate/private/client.key.pkcs8.pem \
https://localhost:4141
# Make a plaintext request to the client-side linkerd router. This should fail, with linkerd logging
# an SSLV3_ALERT_HANDSHAKE_FAILURE error. From tracing with wireshark, it looks like the client-side
# router is not able to validate the presented cert chain against the configured `trustCerts`,
# cause it to not send the client-side certs.
#
# Prior to 1.4.0, linkerd was able to follow the server-side's presented cert chain and validate the
# intermediates against the trustCerts.
curl localhost:4140