I’ve been trying to get client authentication working with QUIC/H3.
I compiled HAProxy 1.8.3 with LibreSSL but also tried it with QuicTLS.
HTTP/1.1 and H2 work just like I expect: certs are asked for and checked, and if the CN is in the list, the be_trusted backend is used.
However, when enabling QUIC, I noticed that the certificate auth doesn't seem to work: it always hits be_untrusted in my example.
Setting verify required makes Chrome not use H3 at all.
Config goes something like this:
    frontend fe_https
        bind 220.127.116.11:443 ssl strict-sni crt /path/to/server.pem verify optional ca-file /path/to/clientroot.pem alpn h2,http1/1
        bind email@example.com:443 ssl strict-sni crt /path/to/server.pem verify optional ca-file /path/to/clientroot.pem alpn h3
        http-after-response set-header alt-svc 'h3=":443"; quic=":443"; ma=60'
        acl is_trusted ssl_c_s_dn(CN) -m str -f /etc/haproxy/trusted_users.txt
        use_backend be_trusted if is_trusted
        default_backend be_untrusted
Does HAProxy support mTLS/client auth with QUIC?
If yes, what am I doing wrong? Does Chrome/Edge just not support client certs with QUIC?
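Added example (not from the post and not HAProxy's own code): a small Python checker that parses the frontend from the post, copied as written, and reports per bind line whether a client certificate is required, optional or never requested, and what an unauthenticated client therefore gets. It assumes a QUIC listener is declared either with HAProxy's quic4@/quic6@ address prefix or with an ALPN that offers h3.

```python
import re
from dataclasses import dataclass, field

# Constructed input: the frontend from the post, addresses left as posted.
CONFIG = """\
frontend fe_https
    bind 220.127.116.11:443 ssl strict-sni crt /path/to/server.pem verify optional ca-file /path/to/clientroot.pem alpn h2,http1/1
    bind email@example.com:443 ssl strict-sni crt /path/to/server.pem verify optional ca-file /path/to/clientroot.pem alpn h3
    acl is_trusted ssl_c_s_dn(CN) -m str -f /etc/haproxy/trusted_users.txt
    use_backend be_trusted if is_trusted
    default_backend be_untrusted
"""

@dataclass
class Listener:
    address: str
    verify: str = "none"            # HAProxy default when 'verify' is absent
    alpn: list = field(default_factory=list)
    quic: bool = False

def parse_binds(config: str) -> list:
    """Return one Listener per 'bind' line of a HAProxy frontend."""
    listeners = []
    for raw in config.splitlines():
        tokens = raw.split()
        if len(tokens) < 2 or tokens[0] != "bind":
            continue
        lst = Listener(address=tokens[1])
        # Assumption: quic4@/quic6@ prefix or an h3 ALPN marks a QUIC listener.
        lst.quic = bool(re.match(r"quic[46]@", lst.address))
        for i, tok in enumerate(tokens[2:], start=2):
            if tok == "verify" and i + 1 < len(tokens):
                lst.verify = tokens[i + 1]
            elif tok == "alpn" and i + 1 < len(tokens):
                lst.alpn = tokens[i + 1].split(",")
        if "h3" in lst.alpn:
            lst.quic = True
        listeners.append(lst)
    return listeners

def report(listeners: list) -> list:
    """One line per listener: what happens to a client that sends no cert."""
    lines = []
    for l in listeners:
        proto = "QUIC/H3" if l.quic else "TCP (" + "/".join(l.alpn) + ")"
        if l.verify == "required":
            outcome = "handshake fails without a valid client cert"
        elif l.verify == "optional":
            outcome = "no cert -> ssl_c_s_dn empty -> default_backend"
        else:
            outcome = "client cert never requested"
        lines.append(f"{l.address:<24} {proto:<18} verify={l.verify:<9} {outcome}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(parse_binds(CONFIG))))
```

With verify optional on both listeners, a browser that never sends a certificate over H3 is accepted and silently routed to be_untrusted, which is the symptom described above; the report makes that fall-through visible per listener.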