Add client certificate authentication and SNI callback support#364
Open
Add client certificate authentication and SNI callback support#364
Conversation
Add convenience methods for extracting client certificate information from TLS connections (mTLS) and Server Name Indication (SNI) callback support for hosting multiple certificates on a single server. Client certificate methods added to http_request (requires GnuTLS): - has_client_certificate() - check if client cert present - get_client_cert_dn() - subject Distinguished Name - get_client_cert_issuer_dn() - issuer DN - get_client_cert_cn() - Common Name from subject - is_client_cert_verified() - certificate chain verification status - get_client_cert_fingerprint_sha256() - hex-encoded SHA-256 fingerprint - get_client_cert_not_before() / get_client_cert_not_after() - validity times SNI callback support (requires libmicrohttpd 0.9.71+): - sni_callback() builder method on create_webserver - Callback receives server name from TLS ClientHello - Returns cert/key pair for the requested hostname Closes #133
The client_cert.pem and client_key.pem files need to be copied to the build directory during configure, similar to how other test certificate files are handled.
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #364 +/- ##
==========================================
- Coverage 70.54% 67.21% -3.33%
==========================================
Files 28 28
Lines 1436 1571 +135
Branches 570 661 +91
==========================================
+ Hits 1013 1056 +43
- Misses 35 61 +26
- Partials 388 454 +66
Continue to review full report in Codecov by Sentry.
🚀 New features to boost your workflow:
|
…urn value The webserver::start(false) method returns false when started successfully in non-blocking mode (by design). The tests were incorrectly interpreting this as a failure. Fixed by catching the exception that's thrown when the server actually fails to start. Also regenerated test certificates with valid dates (the old ones expired in 2009). Changes: - Fix https_webserver, tls_session_getters, and all client_cert tests - Regenerate cert.pem, key.pem, client_cert.pem, client_key.pem
This test exercises all client certificate convenience methods on a plain HTTP (non-TLS) connection, verifying they return appropriate empty/false values when no TLS session is present. This ensures the early-return code paths in the client certificate methods are covered even when HTTPS tests may not run in all CI environments.
webserver::start(false) always returns false for non-blocking mode (returns value_onclose which is only set true for blocking mode). Tests were checking `if (started)` which never executed the test code. Changed affected tests to: - Use try-catch for exception handling - Check ws.is_running() instead of the return value - Handle dual_stack curl failures gracefully (may not be available) This fixes coverage for client cert and SNI tests that were silently skipping without actually testing the functionality.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Closes #133
This PR adds convenience methods for client certificate authentication (mTLS) and Server Name Indication (SNI) callback support:
Client certificate methods (8 new methods on
http_request):has_client_certificate()- check if client presented a certificateget_client_cert_dn()- get subject Distinguished Nameget_client_cert_issuer_dn()- get issuer DNget_client_cert_cn()- get Common Name from subjectis_client_cert_verified()- check if certificate chain is verifiedget_client_cert_fingerprint_sha256()- get hex-encoded SHA-256 fingerprintget_client_cert_not_before()/get_client_cert_not_after()- get validity timesSNI callback support (requires libmicrohttpd 0.9.71+):
sni_callback()builder method oncreate_webserverFiles Changed
src/httpserver/http_request.hppsrc/http_request.cppsrc/httpserver/create_webserver.hppsrc/httpserver/webserver.hppsrc/webserver.cpptest/integ/ws_start_stop.cppexamples/client_cert_auth.cppREADME.mdTest plan
make check- 14/14 pass)