
mTLS Support?

Open SystemCoder99 opened this issue 1 year ago • 3 comments

Now that uv.toml is implemented and we can set the native-tls flag, will there be support for mTLS? Will we be able to pass a client_cert file path through the uv.toml so our developers and their package repos can authenticate each other? We rely heavily on this feature in pip, it would be great to see UV have some kind of implementation too!

SystemCoder99 avatar May 16 '24 15:05 SystemCoder99

Can you say more about how you're using this in pip? Perhaps link to an example or the relevant part of the pip implementation?

It sounds reasonable to configure certificates via the persistent config file. We do support SSL_CERT_FILE already.

zanieb avatar May 17 '24 02:05 zanieb

So for pip, we use the "cert" and "client_cert" items in our pip.conf: "cert" to pass the path to our trust store, and "client_cert" to pass the path to the file containing both our client certificate and its key. Pip's cert and client-cert options. Our pip.conf currently looks something like this:

```ini
[global]
index-url = https://package.index.one.url
extra-index-url = https://package.index.two.url
cert = /path/to/ca-chain.crt
client_cert = /path/to/client_cert/bundle.pem
```

When a developer only needs to use TLS, we only pass the "cert" item, and it authenticates our jfrog index - which is what I see happens when we use UV with native-tls. But when we need to use mTLS, the "client_cert" item is ALSO added into the pip.conf and passed in the index request.

My understanding from the UV docs is SSL_CERT_FILE is what is used to point directly to our trust store/what we pass in the "cert" item, INSTEAD of native-tls, right? We need something where we can use the native-tls, while also passing the client-cert bundle as well. Pip's _build_session() and Pip's TLS handshake() both implement the cert and client_cert options, if that helps at all.

SystemCoder99 avatar May 17 '24 12:05 SystemCoder99
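The two pip options described above map onto two distinct pieces of TLS state: "cert" is the trust store used to verify the index server, and "client_cert" is a single PEM file that must carry both the client certificate and its private key so the index can verify the developer. The following added example (not code from uv, pip, or anyone in this thread) shows that split in Python's standard `ssl` module and adds a small sanity check on the bundle file, which is where most mTLS setups go wrong: a bundle with no key, or with a passphrase-protected key, produces a confusing handshake failure rather than a clear message. The PEM contents are constructed placeholders, not real certificates or keys; `inspect_bundle`, `build_context` and `BundleReport` are names chosen for this example.

```python
import re
import ssl
from dataclasses import dataclass, field
from typing import List, Optional

# Matches one PEM block and captures its label ("CERTIFICATE", "PRIVATE KEY", ...).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)


@dataclass
class BundleReport:
    """What a client-cert bundle (pip's client_cert / --client-cert) contains."""
    certificates: int = 0
    private_keys: int = 0
    encrypted_keys: int = 0
    other_blocks: List[str] = field(default_factory=list)

    @property
    def usable(self) -> bool:
        # A client-auth bundle needs at least one certificate (leaf, optionally
        # followed by intermediates) and exactly one unencrypted private key;
        # non-interactive tools have no way to supply a key passphrase.
        return self.certificates >= 1 and self.private_keys == 1 and self.encrypted_keys == 0


def inspect_bundle(pem_text: str) -> BundleReport:
    """Count the certificate and key blocks in a PEM bundle without parsing DER."""
    report = BundleReport()
    for match in PEM_BLOCK.finditer(pem_text):
        label, block = match.group(1), match.group(0)
        if label == "CERTIFICATE":
            report.certificates += 1
        elif label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in block:
            # PKCS#8 encrypted key, or a legacy "RSA PRIVATE KEY" with a
            # Proc-Type/DEK-Info header: both need a passphrase to load.
            report.encrypted_keys += 1
        elif label.endswith("PRIVATE KEY"):
            report.private_keys += 1
        else:
            report.other_blocks.append(label)
    return report


def build_context(cafile: Optional[str] = None,
                  client_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Build a client-side TLS context with pip's two-option split.

    cafile        -> pip's "cert": CA chain used to verify the index server.
                     None keeps the platform trust store (the native-tls case).
    client_bundle -> pip's "client_cert": one PEM file holding cert + key,
                     presented only when the server requests client auth (mTLS).
    """
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + hostname check
    if client_bundle is not None:
        # certfile with no keyfile: the key is read from the same file.
        ctx.load_cert_chain(certfile=client_bundle)
    return ctx


# Constructed sample bundles; the base64 bodies are placeholders, not real key material.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder leaf certificate...
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIE...constructed placeholder PKCS#8 key...
-----END PRIVATE KEY-----
"""

CA_CHAIN_ONLY = """\
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder intermediate...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder root...
-----END CERTIFICATE-----
"""

ENCRYPTED_BUNDLE = """\
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder leaf certificate...
-----END CERTIFICATE-----
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIF...constructed placeholder encrypted key...
-----END ENCRYPTED PRIVATE KEY-----
"""

if __name__ == "__main__":
    for name, text in [("bundle", SAMPLE_BUNDLE), ("ca-chain", CA_CHAIN_ONLY),
                       ("encrypted", ENCRYPTED_BUNDLE)]:
        print(name, inspect_bundle(text))
    print("server verification:", build_context().verify_mode.name)
```

Note that `CA_CHAIN_ONLY` is exactly what belongs in "cert" and is correctly reported as not usable for "client_cert": a trust store proves who the server is, while the bundle proves who the client is, and the thread's TLS-only versus mTLS cases differ only in whether the second file is supplied.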

Thanks for the additional details. This seems reasonable but I'd have to start working on an implementation to understand if it makes sense.

The SSL_CERT_FILE loading comes from https://github.com/rustls/rustls-native-certs but I think that's their behavior.

zanieb avatar May 17 '24 13:05 zanieb

We also need the cert option. I think our problem is similar. Currently this option is used for pip to access our index and I have not found an alternative way with uv to access our index.

alkatar21 avatar Jun 04 '24 16:06 alkatar21

I'm guessing this looks something like https://github.com/camelop/rust-mtls-example/blob/1379379eb08c63f22f9b4eae080c9380e29ffd44/src/main.rs#L22-L71

If anyone is interested in putting up a pull request, I'm happy to review.

zanieb avatar Jun 04 '24 18:06 zanieb

@SystemCoder99 this should be available in the latest release.

zanieb avatar Jun 12 '24 13:06 zanieb