Merge pull request #3460 from h2o/kazuho/proxy-h3-cert-verify

[proxy] apply cert verify logic of SSL_CTX to H3 (QUIC)
2025-04-20 13:11:35 +08:00 · 2025-01-30 15:33:44 +09:00 · 2025-01-30 15:33:44 +09:00 · 1be9253d1d
commit 1be9253d1d
parent a95ada622b a87d6ca537
2 changed files with 16 additions and 3 deletions
--- a/include/h2o/httpclient.h
+++ b/include/h2o/httpclient.h
@ -188,6 +188,7 @@ typedef struct st_h2o_httpclient_ctx_t {
 } h2o_httpclient_ctx_t;

 struct st_h2o_http3client_ctx_t {
+    ptls_openssl_verify_certificate_t verify_cert;
    ptls_context_t tls;
    quicly_context_t quic;
    h2o_quic_ctx_t h3;
--- a/lib/handler/proxy.c
+++ b/lib/handler/proxy.c
@ -63,7 +63,7 @@ static int on_req(h2o_handler_t *_self, h2o_req_t *req)
    return 0;
 }

-static h2o_http3client_ctx_t *create_http3_context(h2o_context_t *ctx, int use_gso)
+static h2o_http3client_ctx_t *create_http3_context(h2o_context_t *ctx, SSL_CTX *ssl_ctx, int use_gso)
 {
 #if H2O_USE_LIBUV
    h2o_fatal("no HTTP/3 support for libuv");
@ -71,13 +71,21 @@ static h2o_http3client_ctx_t *create_http3_context(h2o_context_t *ctx, int use_g

    h2o_http3client_ctx_t *h3ctx = h2o_mem_alloc(sizeof(*h3ctx));

-    /* tls (FIXME provide knobs to configure, incl. certificate validation) */
+    /* tls (TODO inherit session cache setting of ssl_ctx) */
    h3ctx->tls = (ptls_context_t){
        .random_bytes = ptls_openssl_random_bytes,
        .get_time = &ptls_get_time,
        .key_exchanges = ptls_openssl_key_exchanges,
        .cipher_suites = ptls_openssl_cipher_suites,
    };
+    h3ctx->verify_cert = (ptls_openssl_verify_certificate_t){};
+    if ((SSL_CTX_get_verify_mode(ssl_ctx) & SSL_VERIFY_PEER) != 0) {
+        X509_STORE *store;
+        if ((store = SSL_CTX_get_cert_store(ssl_ctx)) == NULL)
+            h2o_fatal("failed to obtain the store to be used for server certificate verification");
+        ptls_openssl_init_verify_certificate(&h3ctx->verify_cert, store);
+        h3ctx->tls.verify_certificate = &h3ctx->verify_cert.super;
+    }
    quicly_amend_ptls_context(&h3ctx->tls);

    /* quic */
@ -120,6 +128,8 @@ static void destroy_http3_context(h2o_http3client_ctx_t *h3ctx)
 {
    h2o_quic_dispose_context(&h3ctx->h3);
    quicly_free_default_cid_encryptor(h3ctx->quic.cid_encryptor);
+    if (h3ctx->verify_cert.super.cb != NULL)
+        ptls_openssl_dispose_verify_certificate(&h3ctx->verify_cert);
    free(h3ctx);
 }

@ -162,7 +172,9 @@ static void on_context_init(h2o_handler_t *_self, h2o_context_t *ctx)
                .latency_optimization = ctx->globalconf->http2.latency_optimization, /* TODO provide config knob, or disable? */
                .max_concurrent_streams = self->config.http2.max_concurrent_streams,
            },
-        .http3 = self->config.protocol_ratio.http3 != 0 ? create_http3_context(ctx, ctx->globalconf->http3.use_gso) : NULL,
+        .http3 = self->config.protocol_ratio.http3 != 0
+                     ? create_http3_context(ctx, self->sockpool->_ssl_ctx, ctx->globalconf->http3.use_gso)
+                     : NULL,
    };

    handler_ctx->client_ctx = client_ctx;