quic: present configured client certificates on upstream connections #45980

Open
bpalermo wants to merge 1 commit into envoyproxy:main from bpalermo:quic-upstream-client-certs

Conversation

@bpalermo commented Jul 5, 2026

Commit Message

quic: present configured client certificates on upstream connections

Additional Description

Part 2 of re-introducing QUIC client certificate authentication (#23809, supersedes part of the
stale #40017). Part 1 is #45978 (QUIC connection info peer certificate population).

Client certificates configured in a cluster's upstream TLS context
(QuicUpstreamTransport.upstream_tls_context.common_tls_context.tls_certificates) were silently
not sent over HTTP/3: they are loaded into the Envoy ClientContextImpl but were never installed
on the QUICHE client SSL context, so upstream QUIC servers requesting a client certificate got
none.

QuicClientTransportSocketFactory::getCryptoConfig() now installs the certificate chain and
private key on the QUICHE SSL context when the crypto config is created or refreshed (SDS
rotation included). QUICHE's SSL context uses the CRYPTO_BUFFER-based method, so the chain is
installed via SSL_CTX_set_chain_and_key rather than the X509-based APIs. Client certificates
using a private key provider are not supported over QUIC and are skipped with a warning (the raw
private key is not accessible in that case), matching the existing rejection of the TLS
certificate selector on QUIC.

Risk Level

Low-medium — changes wire behavior of already-accepted configurations (certificates previously
silently omitted are now presented), therefore runtime-guarded.

Testing

Unit tests: client certificate installed on the QUICHE SSL context when configured (using a real
ClientContextImpl), not installed when absent, and not installed with the runtime guard
disabled.

Docs Changes

N/A

Release Notes

Added a bug-fix changelog fragment describing the change and the runtime guard.

Runtime Guard

envoy.reloadable_features.quic_upstream_client_certificates (default true). Setting it to
false restores the previous behavior of not presenting client certificates over QUIC.

The client certificates configured in a cluster's upstream TLS context
were silently not sent over HTTP/3: they are loaded into the Envoy
ClientContextImpl but were never installed on the QUICHE client SSL
context, so upstream QUIC servers requesting a client certificate got
none.

The certificate chain and private key are now installed on the QUICHE
SSL context (via SSL_CTX_set_chain_and_key, since QUICHE uses the
CRYPTO_BUFFER-based SSL method) when the crypto config is created or
refreshed. Client certificates using a private key provider are not
supported over QUIC and are skipped with a warning.

Guarded by envoy.reloadable_features.quic_upstream_client_certificates
(default true) since this changes the wire behavior of existing
accepted configurations.

Signed-off-by: Bruno Palermo <b@palermo.dev>
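An added example (not code from this PR or from the Envoy project) of the configuration the description refers to: a cluster whose QuicUpstreamTransport carries tls_certificates, which before this change were loaded but never presented over HTTP/3, alongside the runtime layer that restores the old behavior. Hostnames, addresses and certificate paths are assumed placeholders.

```yaml
# Added example (not from the PR or Envoy): an HTTP/3 upstream cluster with a client
# certificate, plus the runtime guard the PR introduces. Hostnames, addresses and
# certificate paths are placeholders.
static_resources:
  clusters:
  - name: h3_upstream
    type: STRICT_DNS
    load_assignment:
      cluster_name: h3_upstream
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: upstream.example.internal, port_value: 443 }
    typed_extension_protocol_options:
      envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
        "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
        explicit_http_config:
          http3_protocol_options: {}
    transport_socket:
      name: envoy.transport_sockets.quic
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.quic.v3.QuicUpstreamTransport
        upstream_tls_context:
          sni: upstream.example.internal
          common_tls_context:
            # Before #45980 this chain/key pair was loaded into ClientContextImpl but never
            # installed on the QUICHE SSL context, so the upstream saw no client certificate.
            # A certificate using private_key_provider instead of private_key is still
            # skipped over QUIC with a warning, per the PR description.
            tls_certificates:
            - certificate_chain: { filename: /etc/envoy/certs/client-chain.pem }
              private_key: { filename: /etc/envoy/certs/client-key.pem }
            validation_context:
              trusted_ca: { filename: /etc/envoy/certs/upstream-ca.pem }

# Opt-out: setting the guard to false keeps the pre-#45980 behavior (no client
# certificate presented over QUIC). Omit it to accept the fix (default true).
layered_runtime:
  layers:
  - name: static_layer
    static_layer:
      envoy.reloadable_features.quic_upstream_client_certificates: false
```

Watching the upstream server's TLS logs for the presence or absence of a client certificate on HTTP/3 connections is the quickest way to confirm which behavior a running deployment exhibits.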
@repokitteh-read-only

Hi @bpalermo, welcome and thank you for your contribution.

We will try to review your Pull Request as quickly as possible.

In the meantime, please take a look at the contribution guidelines if you have not done so already.

🐱

Caused by: #45980 was opened by bpalermo.


@repokitteh-read-only

CC @envoyproxy/runtime-guard-changes: FYI only for changes made to (source/common/runtime/runtime_features.cc).

🐱

Caused by: #45980 was opened by bpalermo.
