http2 - cannot use client certificate and key

[dragosnicolae]

Version: 8.4.0

Currently, as a client, you cannot specify a certificate-key pair for authentication. I know that the http2 module is still experimental, but this seems like a useful feature.

[mcollina]

Definitely. It should be simple to add, tagging as good-first-contribution.
@dragosnicolae do you want to send a PR with it?

[darahayes]

@mcollina I've been really wanting to make some contributions to the project. I would love to give this a shot if I could get some pointers for getting started. I've been reading through the http2/core.js file and I think it mostly looks like a few small changes are needed to propagate the appropriate options down into the connect function. Does that sound right?

[mcollina]

@darahayes yes, definitely!

[apapirovski]

@mcollina am I missing something here? I thought this was taken care of by the underlying TLS module. I'm able to use requestCert: true just fine (and pass in the key & cert). This is probably a documentation issue rather than a feature that's missing.

[mcollina]

@apapirovski I tend to agree (https://github.com/nodejs/node/blob/master/lib/internal/http2/core.js#L2434). However we don't have a test to cover this behavior, so we should probably add that test and updates the docs.

[darahayes]

I did some investigation into this issue and on a separate note I found that currently http2.createSecureServer server does not properly support the requestCert and ca arguments passed into the tls module for using client certificate authentication.

I had to reinstall my OS over the weekend so I will need to do some more work to reproduce but basically the connection is never fully established for some reason. The debug logs showed onhandshakestart being printed multiple times but the session is never established.

@mcollina Should I investigate this and open a proper issue?

[mcollina]

@darahayes open a PR with the fix and unit tests.

[ryshep111]

I am merely a noob that happens to be at node.js interactive, but looking at the documentation here it does mention that any options supported by tls.createServer are available. One thing I noticed is that the 'ca' option is passed on tls.connect (via createSecureContext) and not createServer. If you omit this option, a self-signed cert will not work.

[nikshepsvn]

is this still open? would love to give it a shot if someone could guide me a little with where to look and what I need to accomplish :)

[mcollina]

I think @davidmarkclements is working on it.