Is it possible to make the server request a client certificate?

[SF2311]

Hi,

I've been working on an implementation of a simple protocol on top of QUIC. I'd like to use client certificates for mutual authentication but I couldn't find any mentions of this in the documentation. There seems to be a test case however, that indicates there is at least some support for client certificates.

Is there a way to make the server request and check the certificate of the client during connection setup? If not, are there plans to implement support for this in the future?

Thanks and kind regards.

[rthalley]

The TLS code does have support for this, but there is no API to turn it on. The variable is marked like this:

self._request_client_certificate = False  # For test purposes only

but I don't know why it is only for testing purposes. If Jeremy sees this, perhaps he knows! I will try to take a look at this later when I get some time, as it seems like something we'd want to be able to enable. Beyond basic cert checking, which seems to be there, I'm not sure what other extra configuration is expect for this kind of feature (e.g. some sort of cert checking callback).

[github-actions[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[egormanga]

Still relevant to us, too.

[harsh-csl]

The TLS code does have support for this, but there is no API to turn it on. The variable is marked like this:

self._request_client_certificate = False  # For test purposes only

but I don't know why it is only for testing purposes. If Jeremy sees this, perhaps he knows! I will try to take a look at this later when I get some time, as it seems like something we'd want to be able to enable. Beyond basic cert checking, which seems to be there, I'm not sure what other extra configuration is expect for this kind of feature (e.g. some sort of cert checking callback).

Any updates to this?