Unable to get the transport ssl context from the request. This prevents checking the Client provided certificate and matching up the provided CN against allowed users/server.
#2306
Closed
2 tasks done
desean1625 opened this issue
Apr 15, 2024
· 0 comments
I confirm this was discussed, and the maintainers suggest I open an issue.
I'm aware that if I created this issue without a discussion, it may be closed without a response.
Discussion Link
https://github.com/encode/uvicorn/issues/745
Description
Many applications in finance/banking require two-way certificate verification. Currently the way we have handled this is by proxying the request and extracting out the client information at nginx or traefik and stuffing it into the headers.
Example Code
From the request we cannot get the transport information and are unable to get getpeercert, preventing application-level validation of client certificates.
A possible solution is to pass the transport in the request scope.
In the protocol h11_impl.py we could simply add
after uvicorn/uvicorn/protocols/http/h11_impl.py, line 203 in 0efd383
Then at a route level or fastapi middleware we could pull the client certificates to check against an authorization service.
```python
from fastapi import FastAPI, Request

app = FastAPI()

@app.get("/admin")
async def getAdminPage(request: Request):
    client_cert = request.scope['transport'].get_extra_info("ssl_object").getpeercert()
    # Verify user common name is an admin
```
Python, Uvicorn & OS Version
All
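An added example, not part of the original issue or of Uvicorn's code: one way to do the common-name check that the route above leaves as a comment, given the dict returned by `getpeercert()`. The allow-list, host names and sample certificates are constructed for illustration.

```python
# Hypothetical allow-list; a real service would query its authorization backend.
ADMIN_COMMON_NAMES = frozenset({"admin-console.internal.example"})


def common_names(peer_cert):
    """Return every commonName in the subject of a getpeercert() dict.

    getpeercert() returns None when the peer sent no certificate and {} when
    a certificate was received but not validated (verify_mode CERT_NONE).
    Both cases yield an empty list, so callers fail closed.
    """
    if not peer_cert:
        return []
    names = []
    # 'subject' is a tuple of RDNs; each RDN is a tuple of (attribute, value).
    for rdn in peer_cert.get("subject", ()):
        for attribute, value in rdn:
            if attribute == "commonName":
                names.append(value)
    return names


def is_admin(peer_cert, allowed=ADMIN_COMMON_NAMES):
    """Exactly one CN must be present and it must match an entry exactly.

    A subject with several CNs is ambiguous, so it is rejected rather than
    accepted on the first or last match. No substring or prefix matching.
    """
    names = common_names(peer_cert)
    return len(names) == 1 and names[0] in allowed


# Constructed samples in the shape getpeercert() returns for a validated cert.
SAMPLE_ADMIN_CERT = {
    "subject": ((("organizationName", "Example Bank"),),
                (("commonName", "admin-console.internal.example"),)),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}
SAMPLE_USER_CERT = {
    "subject": ((("commonName", "teller-42.internal.example"),),),
}
SAMPLE_TWO_CN_CERT = {
    "subject": ((("commonName", "admin-console.internal.example"),),
                (("commonName", "teller-42.internal.example"),)),
}
```

The check is only meaningful when the TLS layer has already validated the certificate chain against the expected CA; the common name of an unvalidated certificate proves nothing.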