Test client authentication (mtls) with --insecure, clientAuth EKU only #17493

Closed
wants to merge 3 commits into from

yedayak
Contributor

@yedayak yedayak commented May 30, 2025

  • If there were two tests using the "https-mtls" server there was a perl unbound variable error, since certfile wasn't set.
    Additionally, once the responsiveserver function was actually called, it failed finding a responsiveness function. For now I made it use the verifypid function, since the curl execution in verifyhttp doesn't know about client certificates.
  • Run mtls tests with --insecure.
  • The google chrome root program will stop allowing roots that have both clientAuth and ServerAuth [1]. In one of the mtls tests, use a certificate with only the clientAuth EKU.

[1] https://googlechrome.github.io/chromerootprogram/#322-pki-hierarchies-included-in-the-chrome-root-store
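
The EKU split described in the last bullet can be checked on any test certificate before it goes into a test PKI. The script below is an added example, not part of this pull request or the curl test suite: it generates throwaway self-signed certificates and classifies their Extended Key Usage. The file names, subject names and the `make_cert`/`eku_profile` helpers are constructed for illustration, and it assumes OpenSSL 1.1.1 or later for `req -addext`.

```shell
#!/bin/sh
# Added example: constructed names, not files from the curl test suite.
# Assumes OpenSSL 1.1.1 or later (needed for `req -addext`).

# make_cert <dir> <name> <eku-list>
# Creates a throwaway self-signed certificate carrying the given EKUs.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-$2" \
        -addext "extendedKeyUsage=$3" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# eku_profile <cert.pem>
# Prints client-only, server-only, both or none, based on the
# Extended Key Usage purposes OpenSSL reports for the certificate.
eku_profile() {
    text=$(openssl x509 -in "$1" -noout -text) || return 1
    client=no; server=no
    case $text in *"TLS Web Client Authentication"*) client=yes ;; esac
    case $text in *"TLS Web Server Authentication"*) server=yes ;; esac
    case "$client$server" in
        yesno)  echo client-only ;;
        noyes)  echo server-only ;;
        yesyes) echo both ;;
        *)      echo none ;;
    esac
}

# Demo: one certificate with only clientAuth, one with both purposes.
demo() {
    dir=$(mktemp -d) || return 1
    make_cert "$dir" client-only clientAuth
    make_cert "$dir" dual "serverAuth,clientAuth"
    for c in client-only dual; do
        printf '%s: %s\n' "$c" "$(eku_profile "$dir/$c.pem")"
    done
    rm -rf "$dir"
}
demo
```

A certificate that reports `both` is the combined profile the description refers to; `client-only` is the profile used for the changed mtls test.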

yedayak added 2 commits May 30, 2025 18:40
If there were two tests using the "https-mtls" server there was a
perl unbound variable error, since certfile wasn't set.
Additionally, once the responsiveserver function was actually called, it
failed finding a responsiveness function. For now I made it use the
`verifypid` function, since the curl execution in `verifyhttp` doesn't know about
client certificates.
@github-actions github-actions bot added the tests label May 30, 2025
The google chrome root program will stop allowing roots that have both
clientAuth and ServerAuth [1].

In one of the mtls tests, use a certificate with only the clientAuth
EKU.

[1] https://googlechrome.github.io/chromerootprogram/#322-pki-hierarchies-included-in-the-chrome-root-store
@yedayak yedayak changed the title Test client authentication (mtls) with --insecure Test client authentication (mtls) with --insecure, clientAuth EKU only May 30, 2025
@testclutch

This comment was marked as outdated.

@bagder bagder closed this in 215b5f3 May 31, 2025
bagder pushed a commit that referenced this pull request May 31, 2025
bagder pushed a commit that referenced this pull request May 31, 2025
The google chrome root program will stop allowing roots that have both
clientAuth and ServerAuth [1].

In one of the mtls tests, use a certificate with only the clientAuth
EKU.

[1] https://googlechrome.github.io/chromerootprogram/#322-pki-hierarchies-included-in-the-chrome-root-store

Closes #17493
@bagder
Member

bagder commented May 31, 2025

Thanks!
