
Unable to get the transport ssl context from the request. This prevents checking the Client provided certificate and matching up the provided CN against allowed users/server. #2306

Closed
2 tasks done
desean1625 opened this issue Apr 15, 2024 · 0 comments


desean1625 commented Apr 15, 2024

Initial Checks

  • I confirm this was discussed, and the maintainers suggest I open an issue.
  • I'm aware that if I created this issue without a discussion, it may be closed without a response.

Discussion Link

https://github.com/encode/uvicorn/issues/745

Description

Many applications in finance/banking require two way certificate verification. Currently the way we have handled this is by proxying the request and extracting out the client information at nginx or traefik and stuffing it into the headers.

Example Code

From the request we cannot get the transport information and are unable to call getpeercert, preventing application-level validation of client certificates.

A possible solution is to pass the transport in the request scope.
In the protocol h11_impl.py we could simply add

```python
"transport": self.transport
```

after

Then at a route level or fastapi middleware we could pull the client certificates to check against an authorization service.

```python
from fastapi import FastAPI, Request

app = FastAPI()


@app.get("/admin")
async def getAdminPage(request: Request):
    client_cert = request.scope["transport"].get_extra_info("ssl_object").getpeercert()
    # Verify user common name is an admin
    ...
```

Python, Uvicorn & OS Version

All

@encode encode locked and limited conversation to collaborators Apr 15, 2024
@Kludex Kludex converted this issue into discussion #2307 Apr 15, 2024
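The check sketched in the issue, carried through as an added example that is not code from the issue or from uvicorn: it assumes the proposed (hypothetical) `scope["transport"]` key is present, pulls the verified peer certificate from the TLS object, and matches its commonName against an allow-list, treating a missing transport, a non-TLS connection, or an empty certificate as not authorized. The transport and SSLObject stand-ins are constructed so the example runs offline without a server.

```python
from typing import Any, Mapping, Optional


def peer_cert_from_scope(scope: Mapping[str, Any]) -> Optional[dict]:
    """Return the verified peer certificate dict, or None if unavailable.

    getpeercert() returns {} when the peer sent no certificate; a populated
    dict is only returned once the server's SSL context has validated it.
    """
    transport = scope.get("transport")  # hypothetical key proposed in the issue
    if transport is None:
        return None
    ssl_object = transport.get_extra_info("ssl_object")
    if ssl_object is None:  # plain HTTP, no TLS layer on this connection
        return None
    cert = ssl_object.getpeercert()
    return cert or None


def common_name(cert: Mapping[str, Any]) -> Optional[str]:
    """Extract commonName from the nested RDN tuples getpeercert() produces."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def is_authorized(scope: Mapping[str, Any], allowed_cns: frozenset) -> bool:
    """True only when a validated client certificate carries an allowed CN."""
    cert = peer_cert_from_scope(scope)
    if cert is None:
        return False
    cn = common_name(cert)
    return cn is not None and cn in allowed_cns


# Constructed stand-ins for the asyncio transport and ssl.SSLObject.
class FakeSSLObject:
    def __init__(self, cert: dict) -> None:
        self._cert = cert

    def getpeercert(self) -> dict:
        return self._cert


class FakeTransport:
    def __init__(self, ssl_object: Optional[FakeSSLObject]) -> None:
        self._ssl = ssl_object

    def get_extra_info(self, name: str, default: Any = None) -> Any:
        return self._ssl if name == "ssl_object" else default


ADMIN_CNS = frozenset({"alice.admin"})  # constructed allow-list
ADMIN_CERT = {"subject": ((("organizationName", "Example Bank"),),
                          (("commonName", "alice.admin"),))}  # constructed
```

Wire `is_authorized` into a route or middleware exactly where the issue's example calls `getpeercert()`; the allow-list would normally come from the authorization service rather than a constant.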
