Tengine Xquic 模块支持校验客户端证书 #1946

fbwfbi · 2024-06-21T07:34:36Z

Why you need it?

跟 https/http2 的相关配置一样，可以校验客户端证书，实现双向认证

How it could be?

配置 xquic 的监听器，可以配置 ssl_certificate 和 ssl_certificate_key 来配置服务端证书，但是通过 ssl_client_certificate ssl_verify_client ssl_verify_depth 三个指令无法实现客户端证书校验。在 tengine xquic 模块中实现相关功能，使其能落地生效。

Other related information

目前 xquic 模块的代码中，有注册证书设置的回调函数 .conn_cert_cb = ngx_http_v3_cert_cb

xqc_transport_callbacks_t ngx_xquic_transport_callbacks = {

    .server_accept = ngx_xquic_conn_accept,
    .server_refuse = ngx_xquic_conn_refuse,
    .write_socket = ngx_xquic_server_send,
#if defined(T_NGX_XQUIC_SUPPORT_SENDMMSG)
    .write_mmsg  = ngx_xquic_server_send_mmsg,
#endif
    .conn_update_cid_notify = ngx_http_v3_conn_update_cid_notify,
    .conn_cert_cb = ngx_http_v3_cert_cb,
};

但目前 xquic 没有提供开启客户端证书校验的方法

The text was updated successfully, but these errors were encountered:

fbwfbi · 2024-09-17T08:27:51Z

@lianglli 目前 tengine 实现的 xquic 模块里面，所有的配置 xquic 的 server 块都共用同一个 xquic engine 对象，导致处理新建连接配置 TLS 证书时，只能通过回调函数 .conn_cert_cb = ngx_http_v3_cert_cb 来处理；而 ngx_http_v3_cert_cb 只配置服务端证书，无法配置客户端证书校验等参数；如果后面 xquic 支持配置双向认证，是否还会继续共用一个 engine 对象？全局使用一个 engine 的对象的好处有哪些？

lianglli self-assigned this Jun 21, 2024

fbwfbi mentioned this issue Jul 10, 2024

[Feature]: XQUIC 支持在服务端开启双向认证 alibaba/xquic#439

Open

1 task

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Tengine Xquic 模块支持校验客户端证书 #1946

Tengine Xquic 模块支持校验客户端证书 #1946

fbwfbi commented Jun 21, 2024 •

edited

Loading

fbwfbi commented Sep 17, 2024 •

edited

Loading

Tengine Xquic 模块支持校验客户端证书 #1946

Tengine Xquic 模块支持校验客户端证书 #1946

Comments

fbwfbi commented Jun 21, 2024 • edited Loading

Why you need it?

How it could be?

Other related information

fbwfbi commented Sep 17, 2024 • edited Loading

fbwfbi commented Jun 21, 2024 •

edited

Loading

fbwfbi commented Sep 17, 2024 •

edited

Loading