Mutual TLS/Client Certificates with QUIC/H3

Hey.
I’ve been trying to get client authentication working with QUIC/H3.
I compiled HAProxy 1.8.3 with LibreSSL but also tried it with QuicTLS.

HTTP/1.1 and H2 work just like I expect, certs are asked for and checked. If it’s in the trusted_users.txt, the be_trusted backend is used.

However, when enabling QUIC, I noticed that the certificate auth doesn’t seem to work - it always hits the be_untrusted in my example.
Setting verify required makes Chrome not use H3 at all.

Config goes something like this:

frontend fe_https
  bind 1.2.3.4:443 ssl strict-sni crt /path/to/server.pem verify optional ca-file /path/to/clientroot.pem alpn h2,http/1.1
  bind quic4@1.2.3.4:443 ssl strict-sni crt /path/to/server.pem verify optional ca-file /path/to/clientroot.pem alpn h3

  http-after-response set-header alt-svc 'h3=":443"; quic=":443"; ma=60'

  acl is_trusted ssl_c_s_dn(CN) -m str -f /etc/haproxy/trusted_users.txt
  use_backend be_trusted if is_trusted

  default_backend be_untrusted

Does HAProxy support mTLS/client auth with QUIC?
If yes, what am I doing wrong? Does Chrome/Edge just not support client certs with QUIC?

Hi all,

I’m facing the very same problem that @vifino pointed out some months ago.
I’m currently running the latest 3.0.0 version and my config works flawlessly in QUIC/H3 without mTLS active, and in H2 with mTLS active.
When I set up HAProxy to use mTLS on H3, it simply avoids using H3.

Could you please point me in the right direction?
I’m pretty sure that I’m missing something.

Regards

I confirm that mTLS should work as expected for QUIC on haproxy. I have just tested it with curl then chromium and everything seems to work as expected.

It may be difficult to know what happens when using a browser. If you can, you should test using a command-line client tool such as curl. Of course, it means that this client must be compiled to support QUIC.
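One way to do the curl test suggested above, as an added example that is not part of the thread and not haproxy project code: it checks that the local curl was built with HTTP/3, forces QUIC with `--http3-only` so a silent fallback to H2 cannot masquerade as success, presents the client certificate, and reports which backend answered. It assumes a client cert/key pair signed by the clientroot.pem CA from the question and that each backend tags its responses with a hypothetical `x-backend` header (for example via `http-response set-header x-backend be_trusted`).

```shell
#!/bin/sh
# Added example (not from the thread): probe an HAProxy QUIC/H3 bind with a
# client certificate using curl and report the negotiated HTTP version and
# the backend that answered.
# Assumptions: curl built with HTTP/3; client.crt/client.key issued by the
# CA in clientroot.pem; backends set a hypothetical "x-backend" response header.

# Return 0 when the given `curl --version` output lists the HTTP3 feature.
curl_has_http3() {
  printf '%s\n' "$1" | grep -q 'Features:.* HTTP3'
}

# Build the probe command for HOST CERT KEY CA.
# --http3-only forbids the TCP fallback, so a downgrade to H2 is an error
# rather than a misleading pass. -D - dumps response headers to stdout and
# -w appends the negotiated HTTP version ("3" means QUIC/H3).
build_h3_probe() {
  printf 'curl --http3-only -sS -o /dev/null -D - -w "http_version=%%{http_version}\\n" --cert %s --key %s --cacert %s https://%s/' \
    "$2" "$3" "$4" "$1"
}

# Extract the backend name from the dumped headers (header names are
# case-insensitive; CR from CRLF line endings is stripped first).
backend_from_headers() {
  printf '%s\n' "$1" | tr -d '\r' | awk -F': ' 'tolower($1)=="x-backend" {print $2; exit}'
}

# Extract the negotiated HTTP version from the -w trailer.
http_version_from_output() {
  printf '%s\n' "$1" | sed -n 's/^http_version=//p'
}

# Run the probe end to end: probe HOST CERT KEY CA
probe() {
  ver=$(curl --version 2>/dev/null) || { echo "curl not found" >&2; return 1; }
  curl_has_http3 "$ver" || { echo "this curl lacks HTTP3 support; rebuild with a QUIC-capable TLS library" >&2; return 1; }
  out=$(eval "$(build_h3_probe "$@")") || return 1
  echo "http_version=$(http_version_from_output "$out") backend=$(backend_from_headers "$out")"
}

# Only run the live probe when all four arguments are supplied.
if [ "$#" -eq 4 ]; then
  probe "$@"
fi
```

Run it as `sh h3-mtls-probe.sh 1.2.3.4 client.crt client.key clientroot.pem`; a healthy mTLS-over-H3 setup prints `http_version=3 backend=be_trusted`, while `backend=be_untrusted` with version 3 means QUIC negotiated but the client certificate was not matched.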