Make HTTP/3 Quic skip certificate verification

envoyproxy / nighthawk

L7 (HTTP/HTTPS/HTTP2/HTTP3) performance characterization tool

Apache License 2.0

358 stars 81 forks source link

Make HTTP/3 Quic skip certificate verification #727

Open mum4k opened 3 years ago

mum4k commented 3 years ago

The current implementation of HTTP/3 Quic in Nighthawk reuses Envoy's Http3::ConnectionPool which has a hardcoded Quic's EnvoyQuicProofVerifier. This means that a Quic connection can only be established if the requested hostname matches the one in the leaf server certificate.

This is different from how Nighthawk handles HTTPs with H1/H2 where certificate verification is skipped. The simplest solution might be to create our own instance of the H3 connection pool with the TestProofVerifier from here.

mum4k commented 3 years ago

Looking more at Nighthawk's code, it might be better if we push this change up to Envoy, e.g. allow a configuration where certificate verification is optional.

This seems to be the behavior Envoy has for the other protocols and also the behavior Envoy documents in its API.

However the Quic implementation of the createQuicNetworkConnection function currently doesn't take in any configuration and hardcodes the use of EnvoyQuicProofVerifier.

Going to discuss with the Envoy folks to see if this is intentional.

mum4k commented 3 years ago

Filed https://github.com/envoyproxy/envoy/issues/17700 to discuss with the Envoy owners.