New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
HTTP3 Client Certificate 421 #5078
Comments
I'm noticing 421 responses over HTTP/3, without a client certificate, when using |
It is recommended that you avoid redacting public information like hostnames. And if you really want to, you should be using the |
Thanks for opening an issue! We'll look into this. It's not immediately clear to me what is going on, so I'll need your help to understand it better. Ideally, we need to be able to reproduce the bug in the most minimal way possible. This allows us to write regression tests to verify the fix is working. If we can't reproduce it, then you'll have to test our changes for us until it's fixed -- and then we can't add test cases, either. I've attached a template below that will help make this easier and faster! This will require some effort on your part -- please understand that we will be dedicating time to fix the bug you are reporting if you can just help us understand it and reproduce it easily. This template will ask for some information you've already provided; that's OK, just fill it out the best you can. 👍 I've also included some helpful tips below the template. Feel free to let me know if you have any questions! Thank you again for your report, we look forward to resolving it! Template
Instructions -- please heed otherwise we cannot help you (help us help you!)
Example of a tutorial: Create a config file: |
@mholt Have you considered making that template into an issue form, rather than manually replying with it each time? I could probably set it up in a pull request, if you wish. |
@Saklad5 It's a canned response. We only use it when it's helpful. Some issues don't need the bug report template. And we know from experience with our forum that people don't follow templates or will fill out bogus information to bypass validations. We basically only have our maintainers triage issues, rather than having users do that themselves. We have a much higher success rate on GitHub in terms of compliance to templates. Basically, I just need to know how to reproduce this with simple instructions. For instance, is |
Would you like me to fill out the template myself? I may have experienced the same issue using Safari. I've disabled strict SNI checking for the moment in response, but I can re-enable it upon request so you can reproduce it. |
That might be helpful, thanks! I would also be interested in what is in your logs. |
This is related to #4294 I think the problem is we don't actually know the SNI early in h3 because the handshake is async, is my understanding. |
1. Environment1a. Operating system and version
1b. Caddy version (run
|
I didn't notice that issue, probably because I was searching for 421 errors. I agree, that's almost certainly the same problem. According to the log I just posted, the TLS ServerName Caddy is evaluating is empty. This might be one of those classic Go race conditions. |
Let me know if I can turn |
That's because we actually merged a pull request to change the |
1. Environment1a. Operating system and version
1b. Caddy version (run
|
That might be possible. Trying to think if that opens up any vulnerabilities. |
Would it be possible (or even standards-compliant) to enable strict SNI matching on everything except HTTP/3? Just as an interim fix? I'm starting to think enabling HTTP/3 by default was premature. |
That would leave your site vulnerable over HTTP/3, so probably not a good idea. Client auth is used by very, very few servers, and even fewer clients over HTTP/3. Rather than wait around for dependencies to support everything, I'd rather get what we can working in the meantime. |
Agreed, but that's still better than leaving it off entirely. Once the ECH spec is finalized, by the way, I hope Caddy will implement support. That makes domain fronting obsolete, which hopefully means you can make strict SNI matching the default. Personally I think it should be the default now, given the SNI spec requires that behavior anyway, but I'm guessing it caused enough problems for enough people to justify the current approach. |
What? 🤔 No, HTTP/3 is definitely very, very optional.
I hope the Go standard library will support it! (That's also what is holding back this issue.) |
Any news about this issue? |
I don't think so. @PaddyPat You can simply disable HTTP/3 if it's holding you back. (Use of client certs like this over H3 is still a niche use case...) |
You mean: servers { ? |
Yeah - you probably don't need to enable h2c though, just specify h1 and h2, to disable h3. Enabling h2c only makes sense for port 80, and only if you have a specific need for it. Most don't, because TLS is trivial with Caddy and h2c is only needed when the client can only do h2 but not h1, e.g. with gRPC. |
disabled h3 but the issue till exist: ERR_BAD_SSL_CLIENT_AUTH_CERT I use Authelia as middleware. Why? I have one ip allowed for multiple users but only users with local installed cert should reach auth.Domain.com. other subdomains / services doesn’t require tls so other users can use them |
What is the output of curl -v? Or better yet, curl --trace-ascii. |
here we go... with caddy 2.6 (latest)
with caddy 2.5.2 (without h1 h2 strict_sni)
|
there is no log entry created,.. log works, if I use the caddy 2.5.2 so it's not an issue from me by implementing log debug in caddy |
No log entry, even with debug logging? That's surprising to me. Either the request is not hitting your server as you think, or we have a hole in our log coverage... but I would think that even the std lib should be outputting something to debug logs... If you don't have logs, then it means your issue is different than the OP / what this thread is about, because this thread at least has logs. (We know the problem and the solution, but it has to be fixed in the Go std lib.) |
logfile: {"level":"error","ts":1673638171.0985782,"logger":"http.log.access.log11","msg":"handled request","request":{"remote_ip":"181.xx.xx.xx","remote_port":"40238","proto":"HTTP/2.0","method":"GET","host":"stats.domain.de","uri":"/","headers":{"User-Agent":["curl/7.74.0"],"Accept":["/"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"stats.domain.de"}},"user_id":"","duration":0.000097595,"size":0,"status":403,"resp_headers":{"Server":["Caddy"],"Content-Type":[]}} |
@PaddyPat That looks like a different issue than this thread is about. Your connection is using HTTP/2 and is returning a 403, whereas this thread is about the TLS ServerName being empty in HTTP/3 connections: Yours looks more like the client actually is providing the wrong certificate (or the client auth is misconfigured). Please open a new issue and, preferably, fill out the bug report template I posted above. Or ask your question in the forums so we can help you out. Thanks! |
After upgrading quic-go, this problem is no more in latest caddy. |
With the following configuration (hostnames replaced), and accessing over HTTP3, Caddy responds 421 for
subdomain1
.I think this is a bug because
subdomain1
doesn't haveclient_auth
enabled.Without the tls directive accessing over h3 or with the tls directive accessing over h2, both subdomains can be accessed without issue.
With
strict_sni_host insecure_off
and the tls directive in place,subdomain1
can be accessed, andsubdomain2
gets ERR_QUIC_PROTOCOL_ERROR. I suspect the ERR_QUIC_PROTOCOL_ERROR is probably due to my configuration or method of testing rather than Caddy though (chromium --origin-to-force-quic-on=subdomain1.tld:443,subdomain2.tld:443
), given that the browser doesn't bring up the 'Select a certificate` prompt.The text was updated successfully, but these errors were encountered: