Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

docs: document s2n_cert_auth_type behavior #4454

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

docs: document s2n_cert_auth_type behavior #4454

wants to merge 2 commits into from

Conversation

toidiu
Copy link
Contributor

@toidiu toidiu commented Mar 9, 2024
edited

Description of changes:

s2n-tls has a concept of s2n_cert_auth_type which controls handshake behavior depending on the type of connection (server vs client). This behavior is complex and undocumented. This PR attempts to document the behavior.

Callout:

The default behavior was recently changed in #4390

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@toidiu toidiu requested a review from lrstewart March 9, 2024 07:16
@github-actions github-actions bot added the s2n-core team label Mar 9, 2024
@toidiu
Copy link
Contributor Author

toidiu commented Apr 3, 2024

offline comments:

@toidiu toidiu requested a review from maddeleine May 1, 2024 18:47
maddeleine
maddeleine reviewed May 1, 2024
View reviewed changes
api/s2n.h
@@ -2291,7 +2291,31 @@ S2N_API extern int s2n_shutdown_send(struct s2n_connection *conn, s2n_blocked_st
/**
* Used to declare what type of client certificate authentication to use.
*
* Currently the default for s2n-tls is for neither the server side or the client side to use Client (aka Mutual) authentication.
* A s2n_connection will enforce client certificate authentication (mTLS) differently based on
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Okay a couple of thoughts:

  1. The API guide isn't really a good fit for in-depth discussions about behavior. Maybe the discussion about the default behavior is better suited to the Usage Guide, in the Client / Mutual Auth section? I dunno, you could play around with it and see if some of this information works better there.
  2. You should probably take a step back if you're starting to discuss specific messages sent in the TLS handshake. Users don't care about this level of detail, they are at minimum skimming these docs and probably aren't going to read it if it goes too in-depth. The important bits are: what errors could occur with these different options, and what validation they will get with these different options. So for example:
    S2N_CERT_AUTH_OPTIONAL: Server requests a client certificate but does not error if the client doesn't send one. The certificate is validated if the client sends one.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@maddeleine maddeleine maddeleine left review comments

@lrstewart lrstewart Awaiting requested review from lrstewart

At least 2 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
s2n-core team
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@toidiu @maddeleine