Client TLS certificate is not always requested over HTTP/3

1. The problem I’m having:

TLS certificate is not always requested.
I’m using:

  • TLS client certificate, if provided
  • Fallback to basic_auth if there is no certificate.

The certificate is sent/received on the first call, but the refresh doesn’t work and it falls back to basic authentication. (I use a similar configuration on Apache without this issue).
It happens only when it switches to HTTP/3.0.

2. Error messages and/or full log output:

— Certificate should be sent
I saw that it works on HTTP/2 but not with HTTP/3.

3. Caddy version:

v2.8.4 h1:q3pe0wpBj1OcHFZ3n/1nl4V4bxBrYoSoab7rL9BMYNk=

4. How I installed and ran Caddy:

Docker, caddy

a. System environment:

Docker

b. My complete Caddy config:

example.com {
        encode gzip
        log

        tls {
                client_auth {
                        mode verify_if_given
                        trusted_ca_cert_file /etc/caddy/easy-rsa.crt
                        #trusted_pool  file /etc/caddy/easy-rsa.crt << didn't work
                }
        }

        @notlsauth expression {tls_client_subject} == null

        handle_path /vault/* {
                basic_auth * {
                        Bob HASH
                }

                rewrite * /vault/{uri}
                reverse_proxy vault:80
        }

        handle_path /git/* {
                basic_auth @notlsauth {
                        Bob HASH
                }
                reverse_proxy gogs:3000
        }

        respond "Hello {http.request.tls.client.subject} {uri} {http.request.tls.client.san.emails.0}"
}

I use a workaround:
remove HTTP/3 globally

{
    servers {
        protocols h1 h2
    }
}
