async-http-client
setup mTLS proxy server
We have an mTLS proxy server in the DMZ, and client applications with an auth certificate can send requests to the private network through it. Currently I am using the iOS 17.0+ API: ProxyConfiguration.init(httpCONNECTProxy: NWEndpoint, tlsOptions: NWProtocolTLS.Options? = nil)
sec_protocol_challenge_t is called, then the proxy asks for the auth certificate and the whole process works.
How do I set up TLSConfiguration for certificate auth with an mTLS proxy?
Do you need a callback to work out which cert to set, or are you setting the cert unconditionally?
Yes, I need to set the user auth certificate unconditionally. This cert will be shown to the mTLS proxy with every request through the proxy.
Place the identity cert and any intermediate certs at TLSConfiguration.certificateChain and the private key at TLSConfiguration.privateKey.
Sorry, I forgot to mention - all clients are iOS devices (iPhones, iPads). If I set up certificateChain, this error appears:
Fatal error: TLSConfiguration.certificateChain is not supported. You can still use this configuration option on macOS if you initialize HTTPClient with a MultiThreadedEventLoopGroup. Please note that using MultiThreadedEventLoopGroup will make AsyncHTTPClient use NIO on BSD Sockets and not Network.framework (which is the preferred platform networking stack).
Ah yes, this is a current limitation of async-http-client. You'll need to follow the instructions in that message, to use MultiThreadedEventLoopGroup instead of the platform specific EL. Right now there isn't an easy way for us to create a SecIdentity which is what you need, so we'd need to offer an entirely new API that allows you to provide it.
Thanks for giving the right direction, I will try to use MultiThreadedEventLoopGroup today and post the result here.
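The configuration suggested in the replies above, as an added example that is not part of the thread or of the async-http-client project: the client certificate chain and private key are set on TLSConfiguration, and the HTTPClient is created on a MultiThreadedEventLoopGroup. The function name, error type and PEM file paths are assumptions made for illustration, and proxy settings are not shown.

```swift
import AsyncHTTPClient
import NIOPosix
import NIOSSL

// Hypothetical error type for this example.
struct EmptyCertificateChain: Error {}

/// Builds an HTTPClient that offers a client certificate in its TLS handshakes.
/// `chainPath` and `keyPath` are placeholder PEM file locations (assumptions).
func makeClientCertHTTPClient(chainPath: String, keyPath: String) throws -> HTTPClient {
    // One PEM file: the identity (leaf) certificate first, then any intermediates.
    let chain = try NIOSSLCertificate.fromPEMFile(chainPath)
    guard !chain.isEmpty else { throw EmptyCertificateChain() }

    var tls = TLSConfiguration.makeClientConfiguration()
    tls.certificateChain = chain.map { .certificate($0) }
    tls.privateKey = .privateKey(try NIOSSLPrivateKey(file: keyPath, format: .pem))
    // Keep verification of the peer's certificate and hostname enabled.
    tls.certificateVerification = .fullVerification

    // Passing a MultiThreadedEventLoopGroup makes AsyncHTTPClient use NIO on
    // BSD sockets, which is the path where certificateChain is supported.
    return HTTPClient(
        eventLoopGroupProvider: .shared(MultiThreadedEventLoopGroup.singleton),
        configuration: HTTPClient.Configuration(tlsConfiguration: tls)
    )
}
```

The caller shuts the returned client down when finished with it; the private key file should be stored with the same protection as any other client credential on the device.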