Mutual authentication (mTLS) does not work with quic transport #771

Closed
sjames opened this issue Feb 28, 2024 · 2 comments · Fixed by #899
Labels
bug Something isn't working

Comments


sjames commented Feb 28, 2024

Describe the bug

I followed the instructions here https://zenoh.io/docs/manual/tls/#mutual-authentication-mtls to configure mTLS authentication with the quic transport.

My router is configured like this:

```json5
{
  mode: "router",
  listen: {
    endpoints: [
      "quic/socket.hostname:7449",   // QUIC listener; the same settings on a "tls/..." endpoint enforce client auth
    ],
  },
  transport: {
    link: {
      tls: {
        root_ca_certificate: "/path/to/chargercmd/client/minica.pem", // CA used to validate client certificates
        client_auth: true,                                            // require a client certificate (mTLS)
        server_private_key: "/path/to/privkey.pem",
        server_certificate: "/path/to/fullchain.pem",
      },
    },
  },
}
```

With the server configured as above, I tried to publish using z_put. I did not specify a client certificate in the z_put configuration. I expected the publish to fail.

However, the publish was successful. I think the server ignores the client_auth: true setting when using the quic protocol.

This fails as expected with transport set to 'tls'.

To reproduce

  1. Start the router with the quic protocol and mTLS enabled as described in https://zenoh.io/docs/manual/tls/#mutual-authentication-mtls
  2. Publish to a topic using a client configuration without specifying the client certificates.
  3. The publish succeeds. It is expected that the publish will fail, as client authentication is not performed.

System info

  • Platform: Ubuntu 22.04 on x86_64
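Two checks a practitioner would want around the report above, as an added example that is not code from zenoh, zenohd or the reporter: a static lint that walks a zenoh-style config and flags every listener whose effective authentication differs from what client_auth suggests (including a quic listener that relies on it, the case this issue is about), and an active probe that connects to a tls (TCP) listener without a client certificate and reports whether the server accepts the unauthenticated peer. The key names are those in the posted config; the config itself is rebuilt as a Python dict because the page shows it only as JSON5, and zenohd's own parser is not used.

```python
"""Preflight checks for a zenoh mTLS listener.

Added example; not code from zenoh, zenohd or the reporter. Key names
(transport.link.tls.client_auth, root_ca_certificate, ...) are the ones in the
config posted above; the config is rebuilt here as a Python dict because the
page shows it only as JSON5. zenohd's own config parser is not used.
"""
import socket
import ssl

TLS_SCHEMES = {"tls", "quic"}  # zenoh locator schemes that carry a TLS handshake
SERVER_KEYS = ("server_private_key", "server_certificate")


def parse_endpoint(endpoint):
    """Split a zenoh locator such as 'quic/host:7449' into (scheme, host, port).
    Locator metadata after '#' or '?' is ignored; IPv6 brackets are stripped."""
    scheme, _, rest = endpoint.partition("/")
    addr = rest.split("#", 1)[0].split("?", 1)[0]
    host, _, port = addr.rpartition(":")
    return scheme.lower(), host.strip("[]"), int(port) if port.isdigit() else None


def lint_mtls(config):
    """Return (severity, endpoint, message) for each listener whose effective
    authentication differs from what client_auth suggests."""
    findings = []
    tls = config.get("transport", {}).get("link", {}).get("tls", {})
    client_auth = bool(tls.get("client_auth", False))
    for ep in config.get("listen", {}).get("endpoints", []):
        scheme, _, _ = parse_endpoint(ep)
        if scheme not in TLS_SCHEMES:
            if client_auth:
                findings.append(("error", ep,
                    "client_auth has no effect: this scheme performs no TLS handshake"))
            continue
        for key in SERVER_KEYS:
            if not tls.get(key):
                findings.append(("error", ep, f"{key} is unset; the listener cannot offer TLS"))
        if not client_auth:
            findings.append(("warning", ep,
                "client_auth is off: any peer that trusts the server certificate can connect"))
            continue
        if not tls.get("root_ca_certificate"):
            findings.append(("error", ep,
                "client_auth is on but root_ca_certificate is unset: no CA to validate peers"))
        if scheme == "quic":
            findings.append(("warning", ep,
                "mTLS was not implemented for quic when #771 was filed (fixed by #899); "
                "confirm enforcement by connecting without a client certificate"))
    return findings


def probe_tls_client_auth(host, port, timeout=5.0):
    """Connect to a zenoh 'tls' (TCP) listener with no client certificate and
    report True if the server accepts the unauthenticated peer, False if it
    rejects it. Server-certificate verification is disabled on purpose: the
    question is how the server treats us, not whether its chain is valid.
    With TLS 1.3 the handshake can complete before the server sends the
    alert, so a short read follows it: an alert or an immediate close counts
    as rejection, a timeout with the connection still open as acceptance.
    A quic listener cannot be probed this way; it needs a QUIC client such as
    the z_put the reporter used."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls_sock:
                try:
                    data = tls_sock.recv(1)
                except socket.timeout:
                    return True  # still connected, no alert: client auth is not enforced
                return bool(data)  # b"" means the server hung up right after the handshake
    except (ssl.SSLError, ConnectionResetError):
        return False


# Constructed from the router config in the report; paths are its placeholders.
ISSUE_CONFIG = {
    "mode": "router",
    "listen": {"endpoints": ["quic/socket.hostname:7449"]},
    "transport": {"link": {"tls": {
        "root_ca_certificate": "/path/to/chargercmd/client/minica.pem",
        "client_auth": True,
        "server_private_key": "/path/to/privkey.pem",
        "server_certificate": "/path/to/fullchain.pem",
    }}},
}

if __name__ == "__main__":
    for severity, endpoint, message in lint_mtls(ISSUE_CONFIG):
        print(f"{severity}: {endpoint}: {message}")
    # Against a live tls listener, e.g. after switching the endpoint to
    # "tls/socket.hostname:7447":
    #     print(probe_tls_client_auth("socket.hostname", 7447))
```

On the reporter's config the lint emits a single warning for the quic endpoint; the probe is the tls-side counterpart of the reproduction steps above (connect with no client certificate, expect rejection) and is only meaningful against a listener you are authorised to test.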
gabrik (Contributor) commented Feb 28, 2024

Hi @sjames,

Currently, mTLS is not implemented for QUIC; however, we are receiving more and more requests for it.
Thus we've started investigating how to implement it.

I think we should use this issue to keep track of it.

sjames (Author) commented Mar 6, 2024

> Hi @sjames,
>
> Currently, mTLS is not implemented for QUIC; however, we are receiving more and more requests for it. Thus we've started investigating how to implement it.
>
> I think we should use this issue to keep track of it.

Thanks @gabrik will watch this space.

A related question: is there any way for a publisher to get information about the identity of the subscriber, for example some information from the client certificate that was used in the mTLS?

2 participants