swift-server / async-http-client

HTTP client library built on SwiftNIO
https://swiftpackageindex.com/swift-server/async-http-client/main/documentation/asynchttpclient
Apache License 2.0

setup mTLS proxy server #776

Open ddLesha opened 1 month ago

ddLesha commented 1 month ago

We have an mTLS proxy server in the DMZ, and client applications with an auth certificate can send requests to the private network through it. Currently I am using the iOS 17.0+ API: ProxyConfiguration.init(httpCONNECTProxy: NWEndpoint, tlsOptions: NWProtocolTLS.Options? = nil)

sec_protocol_challenge_t is called when the proxy asks for the auth certificate, and the whole process works.

How do I set up TLSConfiguration for certificate auth with an mTLS proxy?

Lukasa commented 1 month ago

Do you need a callback to work out which cert to set, or are you setting the cert unconditionally?

ddLesha commented 1 month ago

Yes, I need to set the user auth certificate unconditionally. This cert will be shown to the mTLS proxy with every request through the proxy.

Lukasa commented 1 month ago

Place the identity cert and any intermediate certs at TLSConfiguration.certificateChain and the private key at TLSConfiguration.privateKey.

ddLesha commented 1 month ago

Sorry, I forgot to mention: all clients are iOS devices (iPhones, iPads). If I set up certificateChain, this error appears:

Fatal error: TLSConfiguration.certificateChain is not supported. You can still use this configuration option on macOS if you initialize HTTPClient with a MultiThreadedEventLoopGroup. Please note that using MultiThreadedEventLoopGroup will make AsyncHTTPClient use NIO on BSD Sockets and not Network.framework (which is the preferred platform networking stack).

Lukasa commented 1 month ago

Ah yes, this is a current limitation of async-http-client. You'll need to follow the instructions in that message and use MultiThreadedEventLoopGroup instead of the platform-specific EL. Right now there isn't an easy way for us to create a SecIdentity, which is what you need, so we'd need to offer an entirely new API that allows you to provide it.
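Putting the two answers above together, here is an added example (not code from the thread or from async-http-client itself) that loads a client identity from PEM files into TLSConfiguration.certificateChain / TLSConfiguration.privateKey and builds the HTTPClient on a MultiThreadedEventLoopGroup so the fatal error from the thread does not trigger. The file paths, the proxy host/port and the target URL are placeholders; whether the CONNECT leg to the proxy is itself TLS-wrapped is not established in this thread and must be verified against the actual proxy.

```swift
import AsyncHTTPClient
import NIOCore
import NIOPosix
import NIOSSL

/// Builds an HTTPClient that presents a client certificate (mTLS) and routes
/// requests through an HTTP CONNECT proxy. `group` must be a
/// MultiThreadedEventLoopGroup (NIO on BSD sockets): certificateChain is not
/// supported on the Network.framework-backed event loops.
func makeMTLSClient(on group: EventLoopGroup,
                    certPEMPath: String,   // placeholder path
                    keyPEMPath: String,    // placeholder path
                    proxyHost: String,     // assumed proxy address
                    proxyPort: Int) throws -> HTTPClient {
    // Identity certificate first, followed by any intermediates, all in one PEM file.
    let chain = try NIOSSLCertificate.fromPEMFile(certPEMPath)
    let key = try NIOSSLPrivateKey(file: keyPEMPath, format: .pem)

    var tls = TLSConfiguration.makeClientConfiguration()
    tls.certificateChain = chain.map { .certificate($0) }
    tls.privateKey = .privateKey(key)
    // Mutual TLS is no reason to relax server verification; this is the
    // client default, stated explicitly so it is not lost in later edits.
    tls.certificateVerification = .fullVerification

    var config = HTTPClient.Configuration(tlsConfiguration: tls)
    // Assumption: the CONNECT proxy from the thread; AHC issues the CONNECT
    // and then performs the configured TLS handshake on the tunnelled stream.
    config.proxy = .server(host: proxyHost, port: proxyPort)

    return HTTPClient(eventLoopGroupProvider: .shared(group), configuration: config)
}

/// Example usage: one request through the proxy, then an orderly shutdown.
func fetchThroughProxy() async throws -> HTTPResponseStatus {
    let group = MultiThreadedEventLoopGroup(numberOfThreads: 1)
    let client = try makeMTLSClient(on: group,
                                    certPEMPath: "/path/to/client-chain.pem",
                                    keyPEMPath: "/path/to/client-key.pem",
                                    proxyHost: "proxy.dmz.example",
                                    proxyPort: 3128)
    defer {
        try? client.syncShutdown()
        try? group.syncShutdownGracefully()
    }
    let request = HTTPClientRequest(url: "https://internal.example/health")
    let response = try await client.execute(request, timeout: .seconds(10))
    return response.status
}
```

Keep the private key file readable only by the app's own user; on iOS the PEM would typically be shipped via the app's data-protected container rather than bundled in the binary.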

ddLesha commented 1 month ago

> Ah yes, this is a current limitation of async-http-client. You'll need to follow the instructions in that message, to use MultiThreadedEventLoopGroup instead of the platform specific EL. Right now there isn't an easy way for us to create a SecIdentity which is what you need, so we'd need to offer an entirely new API that allows you to provide it.

Thanks for giving the right direction, I will try to use MultiThreadedEventLoopGroup today and post the result here.