Fixes #11892 - mtls not working with http/3. #11900

Merged

Conversation

@sbordet sbordet commented Jun 10, 2024

The client certificate is now exposed in QuicheConnection, so that it can be returned by QuicStreamEndPoint.getSslSessionData().

Not much else is exposed by Quiche, so not much else that we can provide to applications, for example no TLS session id, no cipher suite, etc.


Signed-off-by: Simone Bordet <[email protected]>
@sbordet sbordet linked an issue Jun 10, 2024 that may be closed by this pull request
@sbordet sbordet requested review from gregw and lorban June 10, 2024 15:53

@lorban lorban left a comment

You forgot to modify ForeignQuicheConnection. It already has a getPeerCertificate implementation, but it lacks the @Override annotation and for some reason, it's not the chosen binding even when running the tests with JDK 22.

Signed-off-by: Simone Bordet <[email protected]>
@sbordet sbordet requested a review from lorban June 11, 2024 15:11
lorban previously approved these changes Jun 11, 2024
… foreign dependency is in the class-path.

Signed-off-by: Simone Bordet <[email protected]>
lorban previously approved these changes Jun 11, 2024
gregw previously approved these changes Jun 11, 2024

@gregw gregw left a comment

OK, but javadoc the Quic limitation

@@ -423,6 +427,23 @@ private void finishOutwardClose(Throwable failure)
}
}

public X509Certificate[] getPeerCertificates()
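Review bot: The declaration `public X509Certificate[] getPeerCertificates()` that closes this hunk has a plural name and an array return type, which reads as "the peer's certificate chain", while the PR description says Quiche exposes only the client certificate itself. Add Javadoc on this method stating that at most the single end-entity certificate is returned (an array of length 0 or 1, or whatever the null/empty convention is when no client certificate was presented) and that no issuing chain is available, so callers do not attempt chain validation on the array or index past element 0. The same limitation note belongs on whatever QuicStreamEndPoint.getSslSessionData() returns, since that is the path applications see.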

Maybe javadoc that only the top/last/single certificate will be returned.

Signed-off-by: Simone Bordet <[email protected]>
@sbordet sbordet dismissed stale reviews from gregw and lorban via a1513c7 June 12, 2024 15:28
@sbordet sbordet merged commit 8e6ab93 into jetty-12.0.x Jun 12, 2024
2 of 4 checks passed
@sbordet sbordet deleted the fix/jetty-12.0.x/11892/mtls-http3-request-attribute branch June 12, 2024 15:29
joakime added a commit that referenced this pull request Jun 19, 2024
The client certificate is now exposed in QuicheConnection, so that it can be returned by QuicStreamEndPoint.getSslSessionData().

Not much else is exposed by Quiche, so not much else that we can provide to applications, for example no TLS session id, no cipher suite, etc.

Fixed --enable-native-access command line option to run tests, as the foreign dependency is in the class-path.

Signed-off-by: Simone Bordet <[email protected]>
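The commit message above explains that, over HTTP/3, Jetty can expose the client certificate through QuicStreamEndPoint.getSslSessionData() but not the TLS session id or the cipher suite, because Quiche does not expose them. The servlet Filter below is an added example of how an application should consume that on the request side; it is not code from Jetty or from this PR. It uses only the attribute names defined by the Jakarta Servlet specification (jakarta.servlet.request.X509Certificate, jakarta.servlet.request.cipher_suite, jakarta.servlet.request.ssl_session_id); the ClientCertIdentityFilter class and the example.mtls.identity attribute name are assumptions for illustration. The filter is written so that an array holding only the single end-entity certificate, and a null cipher suite or session id, are handled rather than assumed away, which is exactly the HTTP/3 shape the PR describes.

```java
// Added example, not Jetty's or this PR's code. Reads the client certificate from the
// standard Servlet attributes and publishes a stable identity string to the application.
// Assumes the container populates the standard attributes for the transport in use.
import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.logging.Logger;

public class ClientCertIdentityFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(ClientCertIdentityFilter.class.getName());

    // Attribute names defined by the Jakarta Servlet specification (SSL attributes).
    static final String CERT_ATTR = "jakarta.servlet.request.X509Certificate";
    static final String CIPHER_ATTR = "jakarta.servlet.request.cipher_suite";
    static final String SESSION_ID_ATTR = "jakarta.servlet.request.ssl_session_id";

    // Hypothetical attribute under which the derived identity is handed to the application.
    static final String IDENTITY_ATTR = "example.mtls.identity";

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse httpResponse = (HttpServletResponse) response;

        Object attr = request.getAttribute(CERT_ATTR);
        if (!(attr instanceof X509Certificate[]) || ((X509Certificate[]) attr).length == 0) {
            // Either the client presented no certificate or the transport does not
            // expose it. Fail closed instead of falling through to the application.
            httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        X509Certificate[] certs = (X509Certificate[]) attr;

        // certs[0] is the end-entity (leaf) certificate. Over HTTP/3 the array may
        // contain only this element, so never assume an issuing chain follows it.
        X509Certificate leaf = certs[0];
        try {
            leaf.checkValidity();
        } catch (CertificateExpiredException | CertificateNotYetValidException e) {
            httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Over HTTP/3 these can be null because Quiche does not expose them. They are
        // logged for diagnostics only; no authorization decision depends on them.
        Object cipher = request.getAttribute(CIPHER_ATTR);
        Object sessionId = request.getAttribute(SESSION_ID_ATTR);
        LOG.fine("mTLS request: chainLength=" + certs.length
                + " cipher=" + cipher + " sslSessionId=" + sessionId);

        request.setAttribute(IDENTITY_ATTR, identityOf(leaf));
        chain.doFilter(request, response);
    }

    /**
     * Derives an identity string from the leaf certificate: the first DNS or URI
     * subjectAltName if present, otherwise the subject DN. The chain is deliberately
     * not consulted, since it may not be available on this transport.
     */
    static String identityOf(X509Certificate leaf) {
        try {
            Collection<List<?>> sans = leaf.getSubjectAlternativeNames();
            if (sans != null) {
                for (List<?> san : sans) {
                    int type = (Integer) san.get(0);
                    // GeneralName tags: 2 = dNSName, 6 = uniformResourceIdentifier
                    if (type == 2 || type == 6) {
                        return String.valueOf(san.get(1));
                    }
                }
            }
        } catch (CertificateParsingException e) {
            // Malformed SAN extension: fall back to the subject DN below.
        }
        return leaf.getSubjectX500Principal().getName();
    }
}
```

The filter treats the leaf certificate as already verified by the TLS layer (the server must be configured to require and validate client certificates); with only the leaf available the application cannot re-run chain validation itself, so any trust decision beyond validity dates and name extraction has to be made where the handshake happens, not in the filter.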

Successfully merging this pull request may close these issues.

mtls not working with http/3
3 participants