nighthawk icon indicating copy to clipboard operation
nighthawk copied to clipboard
verified publisher icon envoyproxy

Make HTTP/3 Quic skip certificate verification

Open mum4k opened this issue 4 years ago • 2 comments

The current implementation of HTTP/3 Quic in Nighthawk reuses Envoy's Http3::ConnectionPool which has a hardcoded Quic's EnvoyQuicProofVerifier. This means that a Quic connection can only be established if the requested hostname matches the one in the leaf server certificate.

This is different from how Nighthawk handles HTTPs with H1/H2 where certificate verification is skipped. The simplest solution might be to create our own instance of the H3 connection pool with the TestProofVerifier from here.

mum4k avatar Aug 10 '21 18:08 mum4k

Looking more at Nighthawk's code, it might be better if we push this change up to Envoy, e.g. allow a configuration where certificate verification is optional.

This seems to be the behavior Envoy has for the other protocols and also the behavior Envoy documents in its API.

However the Quic implementation of the createQuicNetworkConnection function currently doesn't take in any configuration and hardcodes the use of EnvoyQuicProofVerifier.

Going to discuss with the Envoy folks to see if this is intentional.

mum4k avatar Aug 11 '21 21:08 mum4k

Filed https://github.com/envoyproxy/envoy/issues/17700 to discuss with the Envoy owners.

mum4k avatar Aug 12 '21 17:08 mum4k