I'm attempting to utilize Envoy in a manner similar to what is described in this blog post:
The above configuration has an HTTP/2 listener performing mTLS validation, and a separate HTTP/3 listener.
For my use case, I want clients to only use HTTP/3, and I require them to present a client certificate and perform mTLS validation. I enabled this in my Envoy configuration and was surprised to see an error explicitly stating that mTLS is not supported for HTTP/3 listeners.
I've been brainstorming ways around this, including performing mTLS over HTTP/2 and then advertising an upgrade to HTTP/3 via Alt-Svc, but I don't think this would work either, since unauthenticated users could just connect directly to the HTTP/3 listener.
If I only accept HTTP/2 connections and then proxy to an HTTP/3 listener, I'm going to lose all the benefits of QUIC, as the connection would still have to flow through the HTTP/2 TCP connection, as I understand it.
Is there a clear way forward here? Is mTLS support for HTTP/3 connections planned for Envoy in the future?
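For reference, this is the two-listener layout the question describes, written out as an added illustration. It is not the configuration from the linked blog post and not Envoy project code; the field names follow Envoy's v3 listener and transport-socket API as I remember it, the file paths and the client CA bundle are placeholders, and the `require_client_certificate` setting on the QUIC listener is the one the question reports Envoy rejecting, kept here only to show where it would sit. Check the field names against the docs for the Envoy version actually in use.

```yaml
# Added illustration of the setup in the question: a TCP listener doing
# HTTP/2 with mTLS (and advertising HTTP/3 via Alt-Svc), plus a UDP/QUIC
# listener for HTTP/3. Paths, ports and the CA bundle are assumptions.
static_resources:
  listeners:
  - name: https_h2_mtls
    address:
      socket_address: { address: 0.0.0.0, port_value: 443 }
    filter_chains:
    - transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          # Client must present a certificate chaining to the trusted CA.
          require_client_certificate: true
          common_tls_context:
            alpn_protocols: ["h2"]
            tls_certificates:
            - certificate_chain: { filename: /etc/envoy/server.crt }   # placeholder
              private_key: { filename: /etc/envoy/server.key }         # placeholder
            validation_context:
              trusted_ca: { filename: /etc/envoy/client-ca.crt }       # placeholder
      filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_h2
          codec_type: AUTO
          route_config:
            name: local_route
            # The Alt-Svc idea from the question: tell HTTP/2 clients that
            # HTTP/3 is available on UDP 443. This does not gate the UDP
            # listener itself, which is the concern raised above.
            response_headers_to_add:
            - header: { key: alt-svc, value: 'h3=":443"; ma=86400' }
            virtual_hosts:
            - name: backend
              domains: ["*"]
              routes:
              - match: { prefix: "/" }
                direct_response: { status: 200, body: { inline_string: "ok\n" } }
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

  - name: https_h3
    address:
      socket_address: { protocol: UDP, address: 0.0.0.0, port_value: 443 }
    udp_listener_config:
      quic_options: {}
      downstream_socket_config:
        prefer_gro: true
    filter_chains:
    - transport_socket:
        name: envoy.transport_sockets.quic
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.quic.v3.QuicDownstreamTransport
          downstream_tls_context:
            # This is the setting the question says Envoy rejects on an
            # HTTP/3 listener; shown only to mark where it would go.
            require_client_certificate: true
            common_tls_context:
              tls_certificates:
              - certificate_chain: { filename: /etc/envoy/server.crt }   # placeholder
                private_key: { filename: /etc/envoy/server.key }         # placeholder
              validation_context:
                trusted_ca: { filename: /etc/envoy/client-ca.crt }       # placeholder
      filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_h3
          codec_type: HTTP3
          http3_protocol_options: {}
          route_config:
            name: local_route
            virtual_hosts:
            - name: backend
              domains: ["*"]
              routes:
              - match: { prefix: "/" }
                direct_response: { status: 200, body: { inline_string: "ok\n" } }
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
```

The layout makes the security point in the question concrete: the mTLS requirement lives in the transport socket of each listener independently, so an Alt-Svc header on the TCP listener does nothing to the UDP one. Anyone who can reach UDP 443 talks to the QUIC listener directly, with whatever client-certificate policy that listener enforces on its own.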