Client proxy mTLS support #2211

Closed
danestig opened this issue May 26, 2023 · 7 comments · Fixed by #2443
Labels
💎 Bounty enhancement New feature or request

Comments

@danestig

I need to send HTTP traffic through a proxy that requires mutual TLS authentication. There currently is no way to provide the required certificates to the client to do this.

@danestig danestig added the enhancement New feature or request label May 26, 2023
@danestig danestig changed the title Update client proxy settings Client proxy mTLS support May 26, 2023
@jdegoes
Member

jdegoes commented Jul 27, 2023

/bounty $100

@algora-pbc

algora-pbc bot commented Jul 27, 2023

💎 $100 bounty created by ZIO
🙋 If you start working on this, comment /attempt #2211 to notify everyone
👉 To claim this bounty, submit a pull request that includes the text /claim #2211 somewhere in its body
📝 Before proceeding, please make sure you can receive payouts in your country
💵 Payment arrives in your account 2-5 days after the bounty is rewarded
💯 You keep 100% of the bounty award
🙏 Thank you for contributing to zio/zio-http!

Attempt Started (GMT+0) Solution
🟡 @rajcspsg Jul 28, 2023, 10:49:39 PM WIP

@rajcspsg
Contributor

/attempt #2211

@algora-pbc

algora-pbc bot commented Aug 4, 2023

@rajcspsg: Reminder that in 7 days the bounty will become up for grabs, so please submit a pull request before then 🙏

@rajcspsg
Contributor

rajcspsg commented Sep 7, 2023

Hi @adamgfraser

This would be the approach that I would follow for this issue

  1. create new SslConfig for client.
  2. create a new field in ZClient for proxy SSLConfig.
  3. copy the proxySSL config into createChannel function in NettyConnectionPool

Does this seem like the correct approach to proceed with?

@adamseres

Hi,

Thanks for working on this issue, I also need this feature to use zio-http.

I think that the ClientAuth is not what we need. I've never used it, but as far as I understand, ClientAuth is used to configure the server connection to indicate the server's SSL requirement from the client.
https://netty.io/4.1/api/io/netty/handler/ssl/ClientAuth.html

Mutual TLS requires a keyManager in addition to the already implemented trustManager.
The keyManager function has several implementations; I think it makes sense to support the same ones as for trustManager.

certFile

```scala
import java.io.{File, InputStream}
import io.netty.handler.ssl.SslContextBuilder

val serverCertPath: String = ???               // PEM file with the CA the client should trust
val keyCertChainInputStream: InputStream = ??? // PEM client certificate chain
val keyInputStream: InputStream = ???          // PEM PKCS#8 private key for that chain
val keyPassword: String = ???                  // Netty accepts null here if the key is unencrypted

SslContextBuilder
  .forClient()
  .trustManager(new File(serverCertPath))                          // what the client trusts
  .keyManager(keyCertChainInputStream, keyInputStream, keyPassword) // what the client presents
  .build()
```

keystore

```scala
import java.io.{File, InputStream}
import java.security.KeyStore
import javax.net.ssl.KeyManagerFactory
import io.netty.handler.ssl.SslContextBuilder

val serverCertPath: String = ???
val keystoreInput: InputStream = ???
val keyPassword: String = ???
val keystore: KeyStore = KeyStore.getInstance(KeyStore.getDefaultType)
val keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm)

// Same password used for the store and the key entries here; they can differ in practice
keystore.load(keystoreInput, keyPassword.toCharArray)
keyManagerFactory.init(keystore, keyPassword.toCharArray)

SslContextBuilder
  .forClient()
  .trustManager(new File(serverCertPath))
  .keyManager(keyManagerFactory)
  .build()
```
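
As an added example (not code from this thread or from zio-http), here is a small keystore-based helper around the same two Netty calls that fails fast when the store given as the client identity holds only trusted certificates and no private key, which is the usual reason a client never presents a certificate and the mTLS proxy rejects it. `ProxyMtls`, `KeystoreConfig` and the file paths are assumed names.

```scala
import java.io.{File, FileInputStream, InputStream}
import java.security.KeyStore
import javax.net.ssl.KeyManagerFactory
import io.netty.handler.ssl.{SslContext, SslContextBuilder}
import scala.jdk.CollectionConverters._

// Hypothetical helper (assumed names, not a zio-http API): build a client
// SslContext for a proxy that requires mTLS, checking first that the keystore
// can actually authenticate us.
object ProxyMtls {
  final case class KeystoreConfig(path: String, storePassword: String, keyPassword: String)

  // Aliases that carry a private key; a truststore imported as a keystore has none.
  def keyEntryAliases(ks: KeyStore): List[String] =
    ks.aliases().asScala.toList.filter(ks.isKeyEntry)

  def loadKeystore(cfg: KeystoreConfig): KeyStore = {
    val ks = KeyStore.getInstance(KeyStore.getDefaultType)
    val in: InputStream = new FileInputStream(cfg.path)
    try ks.load(in, cfg.storePassword.toCharArray) finally in.close()
    ks
  }

  def keyManagerFor(cfg: KeystoreConfig): KeyManagerFactory = {
    val ks = loadKeystore(cfg)
    if (keyEntryAliases(ks).isEmpty)
      throw new IllegalArgumentException(
        s"${cfg.path} has no private-key entries; trusted certs alone cannot satisfy an mTLS proxy")
    val kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm)
    kmf.init(ks, cfg.keyPassword.toCharArray)
    kmf
  }

  // proxyCaPem: PEM file with the CA that signed the proxy's certificate.
  def proxyClientContext(proxyCaPem: File, cfg: KeystoreConfig): SslContext =
    SslContextBuilder
      .forClient()
      .trustManager(proxyCaPem)       // who the client trusts: the proxy's CA
      .keyManager(keyManagerFor(cfg)) // who the client is: its own cert chain + key
      .build()
}
```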

@rajcspsg
Contributor

Thanks @adamseres .
I'll update my PR with new implementation shortly.

4 participants