Hey.
I’ve been trying to get client authentication working with QUIC/H3.
I compiled HAProxy 1.8.3 with LibreSSL but also tried it with QuicTLS.
HTTP/1.1 and H2 work just like I expect: certs are asked for and checked. If it's in the `trusted_users.txt`, the `be_trusted` backend is used.
However, when enabling QUIC, I noticed that the certificate auth doesn't seem to work - it always hits `be_untrusted` in my example.
Setting `verify required` makes Chrome not use H3 at all.
Config goes something like this:

```
frontend fe_https
    # ALPN token for HTTP/1.1 is "http/1.1" (the original post had "http1/1", which is not a valid ALPN identifier)
    bind 1.2.3.4:443 ssl strict-sni crt /path/to/server.pem verify optional ca-file /path/to/clientroot.pem alpn h2,http/1.1
    bind quic4@1.2.3.4:443 ssl strict-sni crt /path/to/server.pem verify optional ca-file /path/to/clientroot.pem alpn h3
    http-after-response set-header alt-svc 'h3=":443"; quic=":443"; ma=60'
    acl is_trusted ssl_c_s_dn(CN) -m str -f /etc/haproxy/trusted_users.txt
    use_backend be_trusted if is_trusted
    default_backend be_untrusted
```
Does HAProxy support mTLS/client auth with QUIC?
If yes, what am I doing wrong? Does Chrome/Edge just not support client certs with QUIC?