-
Notifications
You must be signed in to change notification settings - Fork 87
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
TLS 1.3 client authentication in the client side #298
Conversation
Added CertificateAuthorities extension
Relating to #274. |
I compiled OpenSSL 1.1.1 and run s_server:
And I ran tls-simpleclient with out this PR:
The server said:
Then, I ran tls-simpleclient with this PR. The server said:
OK. Good. |
The other test case is when a server asks for a client certificate, but the client has none, and sends an empty certificate list. That also worked for me, but should be part of any tests that are added once hs-tls supports sending certificate requests from the server, and verifying client chains in return. |
What about this?
|
Yes, I think that's the basic idea, though of course I would still encourage you to review the code and comments, and perhaps consider moving some functions to other modules if some of the new "top-level" functions are not in the right place. Perhaps some move to "Common.hs"? I think got the functionality roughly right, but my familiarity with this code base is not yet very good, so someone more familiar with how it is organized might find opportunities for improvement... |
I added some commits: https://github.com/kazu-yamamoto/hs-tls/commits/vdukhovni-tls13-client-auth Continuing to review. |
Promising but for now I'll prefer to focus on other topics first (continuing to read v1.3). If you have bandwidth you can also look if this conflicts badly with branch |
I need to check this with #302, too. |
@ocheron |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
I have reviewed the most complicated part ( |
Please let me know if you need anything further from me on this PR. My impression is that nobody is presently waiting for me, and this PR is queued up pending some related work... |
As I said in #309, I'm waiting for |
Merged. |
Tested with and without client certificates against an OpenSSL (Postfix) server that requested client certificates. Both cases work.
This is a large patch, please study it carefully. It would also be great if someone implemented the server side support for requesting TLS13 client auth. Then this could be covered by the tests.
The code could perhaps use more polish. Perhaps some helper functions should be moved to other modules? And more work remains...
All the various ways of referring to public key algorithms could really use a more uniform treatment. As it stands there's
and conversions between these are a hit or miss afair. One area of cleanup might to systematically map out clean interfaces for moving between all these related things.
Another thing that seems to be rather missing is an API for loading a certificate chain from a single file, rather than an array of files with a single certificate in each... Is something like that provided by X.509? TLS seems to have
credentialLoadX509Chain
, which is far from ideal.