New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Mutual TLS Support #1366
Comments
gQUIC doesn't support client authentication. IETF QUIC will. |
Ok. Thanks. But that doesn't actually help. I need to this to work on top of quic-go. Do you have any suggestions? Let's say I don't care about standards compatibility, and I only care about my version taking to itself. |
I'm working on IETF QUIC support in quic-go, but it's still highly experimental, and should not be used in production yet. |
For my purposes, I'm not interested in standards compatibility... I just need working client authentication. I'm willing to manage my own custom fork. Any advice as to what needs to be implemented to get client authentication happening? |
You can use |
@michaelquigley I've gotten quic-go's IETF quic to work with required client certs and I had to fork and make a few changes. My branch is here: https://github.com/jared2501/quic-go/commits/master |
I also had to make a change to Mint, here's the PR: bifurcation/mint#192 |
It will require you to be willing to take the time to read and understand the quic-go and mint codebases. |
@jared2501: I think we merged all your changes into quic-go, except for exposing the Starting with the next quic-go release, we will start exposing "milestone versions" which will allow selecting IETF QUIC on certain commits. |
@jared2501 Thank you so much for the info! That will definitely help get me pointed in the right direction. I'll start digging into this, and into your changes. Much appreciated. |
hey @michaelquigley did you succeed in making mTLS work with quic-go? |
We did at the time, yes. I remember us having to maintain our quic-go dependency at a specific commit for a long time, in order to keep that functional. The details are pretty hazy at this point, and I'm no longer working on that project. |
Finally I found this issue but currently mTLS seems to be supported. Here is an example (fixed the above codes) // server.go
package main
import (
"context"
"crypto/tls"
"crypto/x509"
"fmt"
"io"
"io/ioutil"
"log"
"github.com/lucas-clemente/quic-go"
)
func main() {
ctx := context.Background()
caCert, err := ioutil.ReadFile("./client.crt")
if err != nil {
panic(err)
}
caCertPool := x509.NewCertPool()
caCertPool.AppendCertsFromPEM(caCert)
cert, err := tls.LoadX509KeyPair("./tls.crt", "./tls.key")
if err != nil {
panic(err)
}
tlsConfig := &tls.Config{
Certificates: []tls.Certificate{cert},
ClientCAs: caCertPool,
ClientAuth: tls.RequireAndVerifyClientCert,
NextProtos: []string{"app"},
}
listener, err := quic.ListenAddr("localhost:6262", tlsConfig, nil)
if err != nil {
panic(err)
}
fmt.Println(listener.Addr().String())
for {
session, err := listener.Accept(ctx)
if err != nil {
panic(err)
}
log.Println("accepted")
stream, err := session.AcceptStream(ctx)
if err != nil {
panic(err)
}
log.Println("accepted stream")
buffer := make([]byte, 256)
n, err := stream.Read(buffer)
fmt.Printf("read [%d] bytes, [%s]\n", n, string(buffer[:n]))
if err != nil && err != io.EOF {
panic(err)
}
n, err = stream.Write([]byte("hello"))
fmt.Printf("write [%d] bytes\n", n)
if err != nil && err != io.EOF {
panic(err)
}
stream.Close()
}
} // client.go
package main
import (
"context"
"crypto/tls"
"crypto/x509"
"fmt"
"io"
"io/ioutil"
"github.com/lucas-clemente/quic-go"
)
func main() {
ctx := context.Background()
caCert, err := ioutil.ReadFile("./tls.crt")
if err != nil {
panic(err)
}
caCertPool := x509.NewCertPool()
caCertPool.AppendCertsFromPEM(caCert)
cert, err := tls.LoadX509KeyPair("./client.crt", "./client.key")
if err != nil {
panic(err)
}
tlsConfig := &tls.Config{
Certificates: []tls.Certificate{cert},
RootCAs: caCertPool,
NextProtos: []string{"app"},
}
session, err := quic.DialAddrContext(ctx, "localhost:6262", tlsConfig, nil)
if err != nil {
panic(err)
}
stream, err := session.OpenStreamSync(ctx)
if err != nil {
panic(err)
}
n, err := stream.Write([]byte("hello"))
fmt.Printf("write [%d] bytes\n", n)
if err != nil && err != io.EOF {
panic(err)
}
buffer := make([]byte, 256)
n, err = stream.Read(buffer)
fmt.Printf("read [%d] bytes, [%s]\n", n, string(buffer[:n]))
if err != nil && err != io.EOF {
panic(err)
}
stream.Close()
} When client cert is invalid, CRYPTO_ERROR has occured at $ go run client.go
write [5] bytes
read [0] bytes, []
panic: CRYPTO_ERROR (0x12a): tls: bad certificate However I just thought it would be failed at |
I'm trying to implement mutual TLS using quic-go.
I have a client like this:
And a server like this:
Even though I'm setting
tls.Config{ClientAuth: tls.RequireAndVerifyClientCert
, the server is ignoring the client certificate. Is mutual TLS implemented in quic-go? If not, do you have any pointers for doing this implementation?The text was updated successfully, but these errors were encountered: