Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Turn off peer certificate verification for quic-server by default #7574

Merged
merged 1 commit into from
Feb 14, 2022
Merged

Turn off peer certificate verification for quic-server by default #7574

merged 1 commit into from
Feb 14, 2022

Conversation

sunng87
Copy link
Contributor

@sunng87 sunng87 commented Feb 13, 2022

Current version of quic-server is configured to verify peer certificate (aka mutual tls) by default. I think this is accidentally set to true and should be changed to false in order to get examples working.

Signed-off-by: Ning Sun [email protected]

@sunng87 sunng87 force-pushed the turnoff-peer-verification-by-default branch from 0fa6434 to 7813c93 Compare February 13, 2022 13:26
@sunng87 sunng87 force-pushed the turnoff-peer-verification-by-default branch from 7813c93 to 65a47a3 Compare February 13, 2022 13:36
@sunng87 sunng87 mentioned this pull request Feb 13, 2022
Merged
7 tasks
@sbordet
Copy link
Contributor

sbordet commented Feb 14, 2022

@sunng87 the default configuration should be secure, so I think it should be left to true.

What examples are not working for you?

@sbordet sbordet self-requested a review February 14, 2022 09:40
@sunng87
Copy link
Contributor Author

sunng87 commented Feb 14, 2022

@sbordet by turning on this option, it requires any client to have a client certificate in secure connection handshake. This mechanism is typically used in mutual tls authentication. In most cases, like public https service, clients do not have such certificate and we do not auth client like this. So with current defaults, if we call the server with curl --http3 -v [url], it will be blocked by a TLS handshake error.

@joakime
Copy link
Contributor

joakime commented Feb 14, 2022

@sunng87 can you show how you initialize/configure your server?

@sunng87
Copy link
Contributor Author

sunng87 commented Feb 14, 2022

@joakime I'm using the code example from https://www.eclipse.org/jetty/documentation/jetty-10/programming-guide/index.html#pg-server-http-connector-protocol-http3

@sbordet
Copy link
Contributor

sbordet commented Feb 14, 2022
edited
Loading

@sunng87 this is surprising. The server typically configures [want|need]ClientAuthentication in order to request the client certificates.
Whether to verify the certificates is an orthogonal issue (if the certificates are not sent, then the verification is a no-op).
I really hope that Quiche is not requiring this.

@sbordet
Copy link
Contributor

sbordet commented Feb 14, 2022
edited
Loading

Yuck. Quiche requires this 😒
https://docs.rs/quiche/0.12.0/quiche/struct.Config.html#method.verify_peer

@sbordet sbordet merged commit fed2cbd into jetty:jetty-10.0.x Feb 14, 2022
@joakime joakime mentioned this pull request Feb 24, 2022
Closed
22 tasks
@joakime joakime added this to the 12.0.x milestone Feb 24, 2022
@joakime joakime changed the title Turn off peer cerificate verification for quic-server by default Turn off peer certificate verification for quic-server by default Apr 4, 2022
@joakime joakime mentioned this pull request Oct 6, 2022
Closed
51 tasks
@sbordet
Copy link
Contributor

sbordet commented Oct 10, 2022

Merged to jetty-12.0.x on 12 Feb 2022, commit 65a47a3.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sbordet sbordet sbordet approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
12.0.x
Development

Successfully merging this pull request may close these issues.
3 participants
@sunng87 @sbordet @joakime