
Deny HTTP/3 connection creation for clients missing cert when needClientAuth is true #12014

Merged
merged 11 commits into from
Jul 10, 2024

Conversation

lorban
Contributor

@lorban lorban commented Jul 8, 2024

There is no way to tell Quiche to refuse connections from clients who do not hold a client certificate, so when SslContextFactory.needClientAuth is set to true and an HTTP/3 request is made, an explicit check for that config setting must be added to explicitly tell Quiche to close the connection when the client cert is missing.

Fixes #11996

Signed-off-by: Ludovic Orban <lorban@bitronix.be>
@lorban lorban added the Bug For general bugs on Jetty side label Jul 8, 2024
@lorban lorban requested a review from sbordet July 8, 2024 13:09
@lorban lorban self-assigned this Jul 8, 2024
@lorban lorban changed the title Deny HTTP/3 connection creation for clients missing needed cert Deny HTTP/3 connection creation for clients missing needed cert when needClientAuth is true Jul 8, 2024
@lorban lorban changed the title Deny HTTP/3 connection creation for clients missing needed cert when needClientAuth is true Deny HTTP/3 connection creation for clients missing cert when needClientAuth is true Jul 8, 2024
@lorban
Contributor Author

lorban commented Jul 9, 2024

@sbordet I had to completely change the implementation as it was totally broken: the peer certificate is accessible only after Quiche declares the connection as established.
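The two points above (an explicit needClientAuth check that closes the connection when no client certificate is present, and the fact that the peer certificate is only readable once the QUIC library reports the connection as established) can be captured in one small gate. The code below is an added illustration, not Jetty or Quiche code: `QuicConnectionView`, `isEstablished()`, `peerCertificates()` and `Decision` are hypothetical names chosen for this example, and the `StubCertificate` used in `main` stands in for a real peer chain so that the sample runs offline.

```java
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.util.List;
import java.util.Objects;

/**
 * Added example (not Jetty or Quiche code): a client-certificate gate for a
 * QUIC/HTTP3 endpoint when needClientAuth is true. All interface and method
 * names below are assumptions made for illustration.
 */
public final class ClientCertGate
{
    /** Hypothetical minimal view of what the QUIC library exposes. */
    public interface QuicConnectionView
    {
        /** true once the library reports the handshake as established. */
        boolean isEstablished();

        /** Peer chain, or an empty list when the client sent no certificate.
         *  Assumed to be empty until isEstablished() returns true. */
        List<? extends Certificate> peerCertificates();
    }

    /** NOT_YET means "re-evaluate once the connection is established". */
    public enum Decision { ALLOW, CLOSE, NOT_YET }

    private final boolean needClientAuth;

    public ClientCertGate(boolean needClientAuth)
    {
        this.needClientAuth = needClientAuth;
    }

    /**
     * Decide whether the connection may carry requests. Evaluating the peer
     * chain before the connection is established is the failure mode to avoid:
     * at that point the chain is always empty, so an early check cannot tell
     * "client has no cert" from "cert not received yet" and either rejects
     * every client or, if written as "skip when unavailable", accepts every client.
     */
    public Decision evaluate(QuicConnectionView conn)
    {
        Objects.requireNonNull(conn, "conn");
        if (!needClientAuth)
            return Decision.ALLOW;                 // mTLS not required by config
        if (!conn.isEstablished())
            return Decision.NOT_YET;               // defer: peer cert not accessible yet
        List<? extends Certificate> chain = conn.peerCertificates();
        if (chain == null || chain.isEmpty())
            return Decision.CLOSE;                 // needClientAuth=true and no client cert
        return Decision.ALLOW;
    }

    /** Stand-in certificate so the demo needs no real TLS material. */
    private static final class StubCertificate extends Certificate
    {
        StubCertificate() { super("X.509"); }
        @Override public byte[] getEncoded() { return new byte[0]; }
        @Override public void verify(PublicKey key) { }
        @Override public void verify(PublicKey key, String sigProvider) { }
        @Override public String toString() { return "StubCertificate"; }
        @Override public PublicKey getPublicKey() { return null; }
    }

    private static QuicConnectionView stub(boolean established, List<? extends Certificate> chain)
    {
        return new QuicConnectionView()
        {
            @Override public boolean isEstablished() { return established; }
            @Override public List<? extends Certificate> peerCertificates() { return chain; }
        };
    }

    // Demonstration with constructed connections; prints the decision for each case.
    public static void main(String[] args)
    {
        ClientCertGate strict = new ClientCertGate(true);
        ClientCertGate relaxed = new ClientCertGate(false);
        List<Certificate> withCert = List.of(new StubCertificate());

        System.out.println("handshaking, no cert yet : " + strict.evaluate(stub(false, List.of())));  // NOT_YET
        System.out.println("established, no cert     : " + strict.evaluate(stub(true, List.of())));   // CLOSE
        System.out.println("established, with cert   : " + strict.evaluate(stub(true, withCert)));    // ALLOW
        System.out.println("needClientAuth=false     : " + relaxed.evaluate(stub(true, List.of())));  // ALLOW
    }
}
```

The caller is expected to invoke `evaluate` from the point where the library signals that the connection is established, and to close the connection on `CLOSE`; a `NOT_YET` result must never be treated as `ALLOW`, otherwise the gate degrades into the broken early-check behaviour described above.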

@lorban lorban requested a review from sbordet July 9, 2024 12:13
@lorban lorban requested a review from sbordet July 10, 2024 15:04
@lorban lorban merged commit 17c8a76 into jetty-12.0.x Jul 10, 2024
10 checks passed
@lorban lorban deleted the fix/11996/h3-needed-client-cert branch July 10, 2024 21:17
Labels
Bug For general bugs on Jetty side
Projects
No open projects
Status: ✅ Done
Development

Successfully merging this pull request may close these issues.

mTLS: client cert verification for QUIC/HTTP3
2 participants