
feat(tls): add an option for optional TLS client authentication #1163

Merged
merged 2 commits into from
Feb 16, 2023

Conversation

@dufkan dufkan commented Nov 26, 2022

Previously there were only two options for client authentication – either no authentication or mandatory authentication. With this change, a server can allow for optional authentication with a given root CA certificate and enforce client authentication on a per-request basis.

Refs: #687

Motivation

Currently, there is no easy way of performing client authentication on a per-request basis with the API provided by ServerTlsConfig. This behavior is useful in scenarios like the one described in #687, i.e., when some endpoints should be publicly accessible while others should not.

Solution

Since rustls provides ClientCertVerifier with the desired behavior, it only needs to be made accessible from ServerTlsConfig. Currently, when the method client_ca_cert is called on a ServerTlsConfig, it forces mandatory client authentication with a given root CA certificate.

I propose to rename this method and change its input to a three-valued enum – no authentication (default), optional authentication with a provided root CA certificate, and mandatory authentication with a provided root CA certificate. I understand this is a breaking change, but it seems like a much cleaner solution than introducing a new method alongside client_ca_certificate that would set some optional flag in ServerTlsConfig, since the flag would have no meaning if client_ca_certificate was not used.
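The policy described above, written out as an added model (not tonic's or rustls's code): a three-valued client-auth setting decides the handshake, and a separate per-request check decides authorization. The names (`ClientAuth`, `handshake`, `authorize`, the `/health.Health/Check` path) are assumptions, and the chain check is a toy issuer comparison standing in for real X.509 validation.

```rust
// Added model of the proposed design. Names are assumed; this is not tonic's API,
// and `chains_to` is a toy stand-in for real certificate chain validation.
#[derive(Debug, Clone, PartialEq)]
pub struct Cert { pub subject: String, pub issuer: String }

/// The three-valued setting proposed in the PR.
pub enum ClientAuth {
    None,
    Optional { root_ca: Cert },
    Required { root_ca: Cert },
}

#[derive(Debug, PartialEq)]
pub enum HandshakeError { CertRequired, BadChain }

/// Toy chain check: the presented cert must be issued by the configured root CA.
fn chains_to(cert: &Cert, root: &Cert) -> bool { cert.issuer == root.subject }

/// Handshake-time decision. Returns the verified peer identity, if any.
/// In the Optional case a missing cert is accepted, but a cert that is presented
/// and does not verify still aborts the handshake; "optional" must never mean
/// "presented but unchecked".
pub fn handshake(policy: &ClientAuth, presented: Option<&Cert>) -> Result<Option<Cert>, HandshakeError> {
    match (policy, presented) {
        (ClientAuth::None, _) => Ok(None),
        (ClientAuth::Optional { .. }, None) => Ok(None),
        (ClientAuth::Required { .. }, None) => Err(HandshakeError::CertRequired),
        (ClientAuth::Optional { root_ca }, Some(c)) | (ClientAuth::Required { root_ca }, Some(c)) => {
            if chains_to(c, root_ca) { Ok(Some(c.clone())) } else { Err(HandshakeError::BadChain) }
        }
    }
}

/// Per-request enforcement: listed public paths need no identity, everything else does.
pub fn authorize(path: &str, peer: Option<&Cert>) -> bool {
    const PUBLIC: &[&str] = &["/health.Health/Check"];
    PUBLIC.contains(&path) || peer.is_some()
}

fn main() {
    // Constructed sample certificates.
    let ca = Cert { subject: "root-ca".into(), issuer: "root-ca".into() };
    let client = Cert { subject: "client-a".into(), issuer: "root-ca".into() };
    let policy = ClientAuth::Optional { root_ca: ca };
    let peer = handshake(&policy, Some(&client)).unwrap();
    println!("health allowed without cert: {}", authorize("/health.Health/Check", None));
    println!("protected allowed with cert: {}", authorize("/svc.Api/Secret", peer.as_ref()));
}
```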

@LucioFranco LucioFranco left a comment

I think we can move forward with this change. I left a few comments on the API, but otherwise I think this could be a good addition, thanks!

Resolved review threads on: examples/src/tls_client_auth/server.rs, tonic/src/transport/server/tls.rs (two threads)
Previously there were only two options for client authentication –
either no authentication or mandatory authentication. With this change,
a server can allow for optional authentication with a given root CA
certificate and enforce client authentication on a per-request basis.

Refs: hyperium#687
@LucioFranco LucioFranco added this pull request to the merge queue Feb 16, 2023
Merged via the queue into hyperium:master with commit 773e4e1 Feb 16, 2023