can falcon be used with client certificate authentication?

[graf0]

Or mtls - where client present to server it's ssl certificate and then server validates this certificate before processing request, or gives me possiblity to do validation?

[ioquatix]

Yes, it should be possible, but it may require some effort.

In the first instance, here is an example of how to do client validation of the server:

require 'async'
require 'async/http'

# These are generated from the certificate chain that the server presented.
trusted_fingerprints = {
	"dac9024f54d8f6df94935fb1732638ca6ad77c13" => true,
	"e6a3b45b062d509b3382282d196efe97d5956ccb" => true,
	"07d63f4c05a03f1c306f9941b8ebf57598719ea2" => true,
	"e8d994f44ff20dc78dbff4e59d7da93900572bbf" => true,
}

Async do
	endpoint = Async::HTTP::Endpoint.parse("https://www.codeotaku.com/index")
	
	# This is a quick hack/POC:
	ssl_context = endpoint.ssl_context
	
	ssl_context.verify_callback = proc do |verified, store_context|
		certificate = store_context.current_cert
		fingerprint = OpenSSL::Digest::SHA1.new(certificate.to_der).to_s
		
		if trusted_fingerprints.include? fingerprint
			true
		else
			Console.warn("Untrusted Certificate Fingerprint", fingerprint: fingerprint)
			false
		end
	end
	
	endpoint = endpoint.with(ssl_context: ssl_context)
	
	client = Async::HTTP::Client.new(endpoint)
	
	response = client.get(endpoint.path)
	
	pp response.status, response.headers.fields, response.read
end

I believe a similar approach can be used on the server (e.g. Falcon). Do you have something specific in mind for verify_callback?

[ioquatix]

Here is a small example for setting up falcon host using a verify_callback:

#!/usr/bin/env falcon-host
# frozen_string_literal: true

# Released under the MIT License.
# Copyright, 2019-2024, by Samuel Williams.

require "falcon/environment/self_signed_tls"
require "falcon/environment/rack"
require "falcon/environment/supervisor"

service "hello.localhost" do
	include Falcon::Environment::SelfSignedTLS
	include Falcon::Environment::Rack
	
	scheme "https"
	protocol {Async::HTTP::Protocol::HTTPS}
	
	ssl_context do
		super().tap do |context|
			context.verify_mode = OpenSSL::SSL::VERIFY_PEER
			
			context.verify_callback = proc do |verified, store_context|
				Console.warn(self, "Verified: #{verified}, error: #{store_context.error_string}")
				
				true
			end
		end
	end
	
	endpoint do
		Async::HTTP::Endpoint.for(scheme, "localhost", port: 9292, protocol: protocol, ssl_context: ssl_context)
	end
end

I generated a fake client certificate and tested this with openssl s_client:

    4m     warn: #<Class:0x00007476b8f1a8d0> [oid=0xdfc] [ec=0xe10] [pid=26576] [2025-01-25 22:07:17 +1300]
               | Verified: false, error: self-signed certificate
    4m     warn: #<Class:0x00007476b8f1a8d0> [oid=0xdfc] [ec=0xe10] [pid=26576] [2025-01-25 22:07:17 +1300]
               | Verified: true, error: ok

So it seems to work okay.

[ioquatix]

I've added a simple example here: 2d28532