
Missing TLS HandshakeType support (certificate_request) #19521

richard-powers opened this issue Apr 3, 2024 · 3 comments · May be fixed by #23005
Labels
enhancement Solving this issue will likely involve adding new logic or components to the codebase. standard library This issue involves writing Zig code for the standard library.

@richard-powers

Zig Version

0.11.0

Steps to Reproduce and Observed Behavior

I found this issue when trying to connect to a postgres database which requires ssl.
In std.crypto.tls.Client there is a switch statement over the HandshakeType, but certificate_request is unhandled, so I simply receive error.TlsUnexpectedMessage instead of being able to connect to my database.

In the TLS RFC, a server which is authenticating with a certificate MAY optionally request a certificate from the client.

So it seems this must be supported in some cases, unless I'm mistaken?

Expected Behavior

HandshakeType.certificate_request to be supported, if it is indeed required for the protocol

@richard-powers richard-powers added the bug Observed behavior contradicts documented or intended behavior label Apr 3, 2024
@jedisct1 jedisct1 added enhancement Solving this issue will likely involve adding new logic or components to the codebase. and removed bug Observed behavior contradicts documented or intended behavior labels Apr 3, 2024
@clickingbuttons
Contributor

Yes, the TLS Client should add an option for a Certificate to respond to these messages. This isn't required for HTTPS, which is what the client is currently designed for.

I think this is blocked on #14171. After it lands, this feature should be added to both the TLS client and the TLS server and tested.

@rockorager
Contributor

Chiming in here that this is a blocker for me in an IRC client application. Several IRC servers fail TLS handshakes because of this.

@VaskoBozhurski

Just wanted to note that some HTTPS endpoints such as the Kubernetes API Server may do a certificate_request during the handshake.

@andrewrk andrewrk added the standard library This issue involves writing Zig code for the standard library. label Aug 14, 2024
@andrewrk andrewrk added this to the 0.16.0 milestone Aug 14, 2024
@ianic ianic linked a pull request Feb 24, 2025 that will close this issue
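
The message discussed in this thread, shown at the wire level as an added example (not code from the Zig standard library, the linked pull request, or any participant): it parses a `certificate_request` handshake message and builds the empty `Certificate` reply that a TLS 1.3 client with no certificate sends instead of aborting. It assumes the TLS 1.3 (RFC 8446) message layouts and a handshake message that is already decrypted and reassembled; all function names and the sample bytes are constructed for illustration.

```python
import struct

# Values from RFC 8446: HandshakeType certificate(11), certificate_request(13);
# ExtensionType signature_algorithms(13).
CERTIFICATE, CERTIFICATE_REQUEST, SIGNATURE_ALGORITHMS = 11, 13, 13

class TlsDecodeError(ValueError):
    pass

def split_handshake(msg):
    """Split one decrypted Handshake message into (msg_type, body)."""
    if len(msg) < 4 or len(msg) != 4 + int.from_bytes(msg[1:4], "big"):
        raise TlsDecodeError("bad handshake header or length")
    return msg[0], msg[4:]

def parse_certificate_request(body):
    """Return (certificate_request_context, {extension_type: data})."""
    if len(body) < 3:
        raise TlsDecodeError("short CertificateRequest")
    pos = 1 + body[0]
    context = body[1:pos]
    if len(body) < pos + 2 or pos + 2 + int.from_bytes(body[pos:pos + 2], "big") != len(body):
        raise TlsDecodeError("bad extensions length")
    pos += 2
    extensions = {}
    while pos < len(body):
        if pos + 4 > len(body):
            raise TlsDecodeError("truncated extension header")
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        pos += 4
        if pos + ext_len > len(body):
            raise TlsDecodeError("truncated extension data")
        extensions[ext_type] = body[pos:pos + ext_len]
        pos += ext_len
    if SIGNATURE_ALGORITHMS not in extensions:
        raise TlsDecodeError("signature_algorithms is mandatory here")
    return context, extensions

def empty_certificate(context):
    """Certificate message with the echoed context and a zero-length certificate_list."""
    body = bytes([len(context)]) + context + b"\x00\x00\x00"
    return bytes([CERTIFICATE]) + len(body).to_bytes(3, "big") + body

def respond(msg):
    """Handle certificate_request instead of treating it as unexpected."""
    msg_type, body = split_handshake(msg)
    if msg_type != CERTIFICATE_REQUEST:
        return None
    context, _ = parse_certificate_request(body)
    return empty_certificate(context)

# Constructed sample: empty context, signature_algorithms = [0x0403, 0x0804].
SAMPLE = bytes.fromhex("0d00000d" "00" "000a" "000d0006" "0004" "04030804")
```

In a real handshake the empty `Certificate` goes in the client's final flight before `Finished`, with no `CertificateVerify`, and both messages enter the transcript hash.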
6 participants