quic: enable TLS client authentication support (#39766)
Conversation
ggreenway
left a comment
Does this end up going through the existing validator in the TLS server context?
This change requires more tests. At a minimum, we need an integration test for:
- happy path (client provides cert, and it validates)
- cert with wrong SANs compared to config (connection gets denied)
- no cert provided and validation configuration requires a cert (connection gets denied)
- no cert provided and validation configuration allows no cert (connection gets allowed, and http/rbac features to check for that work as they do for h2)
/wait
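One way to express the four scenarios in the list above as listener configuration, as an added illustration that is not part of this PR and not taken from Envoy's own test suite: a QUIC listener whose downstream TLS context either requires a client certificate or merely accepts one, a SAN matcher that corresponds to the "wrong SANs" case, and an RBAC filter that covers the "no cert but allowed" case in the way the h2 path already does. Field and type names follow Envoy's v3 API (QuicDownstreamTransport, DownstreamTlsContext, the HTTP RBAC filter); the file paths, port numbers and the expected client SAN are placeholders.

```yaml
# Added example (not from the PR): a QUIC/HTTP/3 listener with the mTLS knobs
# that the four review scenarios exercise. Paths and the SAN are placeholders.
static_resources:
  listeners:
  - name: quic_mtls
    address:
      socket_address: { protocol: UDP, address: 0.0.0.0, port_value: 443 }
    udp_listener_config:
      quic_options: {}
    filter_chains:
    - transport_socket:
        name: envoy.transport_sockets.quic
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.quic.v3.QuicDownstreamTransport
          downstream_tls_context:
            # Cases 1-3: true means a handshake with no client cert is rejected.
            # Case 4: set to false so a missing cert is tolerated and RBAC decides.
            require_client_certificate: true
            common_tls_context:
              tls_certificates:
              - certificate_chain: { filename: /placeholder/server.crt }
                private_key: { filename: /placeholder/server.key }
              validation_context:
                trusted_ca: { filename: /placeholder/client-ca.crt }
                # Case 2: a cert that chains to the CA but carries a different
                # SAN fails validation and the connection is denied.
                match_typed_subject_alt_names:
                - san_type: DNS
                  matcher: { exact: client.placeholder.example }
      filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: quic_mtls
          codec_type: HTTP3
          route_config:
            virtual_hosts:
            - name: backend
              domains: ["*"]
              routes:
              - match: { prefix: "/" }
                route: { cluster: backend }
          http_filters:
          # Case 4: with require_client_certificate: false the handshake completes
          # without a cert; this policy then only admits requests whose peer cert
          # was validated and whose SAN matches, which is the check h2 relies on.
          - name: envoy.filters.http.rbac
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC
              rules:
                action: ALLOW
                policies:
                  authenticated-clients:
                    permissions: [{ any: true }]
                    principals:
                    - authenticated:
                        principal_name: { exact: client.placeholder.example }
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
  - name: backend
    connect_timeout: 1s
    type: STATIC
    load_assignment:
      cluster_name: backend
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: 127.0.0.1, port_value: 8080 }
```

Case 1 is this config as written with a client cert whose DNS SAN matches; case 2 is the same config with a client cert carrying any other SAN; case 3 is the same config with no client cert; case 4 flips require_client_certificate to false and relies on the RBAC policy to reject the unauthenticated request. The point of running all four against the QUIC listener rather than only an h2 one is to confirm that the QUIC transport socket actually feeds the peer certificate through the same validator and the same downstream SSL info that the RBAC principal check reads, since the TLS-over-TCP path and the QUICHE path arrive at that validator by different routes.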
cc @RyanTheOptimist and @danzh2010
Signed-off-by: Rohit Agrawal <rohit.agrawal@databricks.com>
6f3d763 to 4441ecd
Signed-off-by: Rohit Agrawal <rohit.agrawal@databricks.com>
0105ec6 to 83a1077
Thanks for working on this missing piece! Can you elaborate more about what the implementation looks like? It seems that removing a TODO and an early return in the QUIC integration code doesn't actually do client cert verification. Is QUICHE exposing client certs somewhere? How is it wired up with the Envoy async cert validator?
This pull request has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in 7 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions!
This pull request has been automatically closed because it has not had activity in the last 37 days. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions!
Description
This PR implements TLS client authentication (mTLS) support for QUIC connections, addressing the open TODO comment we have in QuicServerTransportSocketConfigFactory::createTransportSocketFactory(). We have modified the existing test to expect successful creation of a transport socket factory with client authentication enabled, and added new test cases to verify that the client certificate configuration is properly accepted and parsed.
This change aligns with RFC 9001 Section 4.4, which explicitly allows client authentication during the TLS handshake for QUIC connections.
Commit Message: quic: enable TLS client authentication support
Additional Description: Removed the TODO and added support for TLS client authentication for QUIC.
Risk Level: Low
Testing: Unit tests and integration tests added
Docs Changes: Added
Release Notes: Added