Recommended new way to pass in TLSClientAuth in Akka HTTP 10.2 API

moonkev · August 7, 2020, 10:19pm

Hello, first let me say nice work on the Akka HTTP 10.2 release. The migration has been quite easy, and as an Akka gRPC users, many changes are greatly appreciated. The one question I have is that with the new API to create an HttpsConnectionContext (using either ConnectionContext.httpsServer or ConnectionContext.httpsClient), we are no longer able to pass in the TLSClientAuth parameter to turn on mutual authentication. While the documentation here https://doc.akka.io/docs/akka-http/current/server-side/server-https-support.html mostly details the new API, the section at the bottom for mutual authentication still follows the older API.

Thanks in advance

jrudolph · August 11, 2020, 12:43pm

Thanks for the feedback. Indeed, that was left over.

These kind of settings now need to be applied to the SSLContext/SSLEngine manually:

These old utils show how that was done before:

github.com

akka/akka/blob/c41c0420ad1ed1841a47d5c4187e54b478936430/akka-stream/src/main/scala/akka/stream/impl/io/TLSActor.scala#L486-L497


def applySessionParameters(engine: SSLEngine, sessionParameters: NegotiateNewSession): Unit = {
  sessionParameters.enabledCipherSuites.foreach(cs => engine.setEnabledCipherSuites(cs.toArray))
  sessionParameters.enabledProtocols.foreach(p => engine.setEnabledProtocols(p.toArray))
  sessionParameters.clientAuth match {
    case Some(TLSClientAuth.None) => engine.setNeedClientAuth(false)
    case Some(TLSClientAuth.Want) => engine.setWantClientAuth(true)
    case Some(TLSClientAuth.Need) => engine.setNeedClientAuth(true)
    case _                        => // do nothing
  }

  sessionParameters.sslParameters.foreach(engine.setSSLParameters)
}

So, you need to call

engine.setNeedClientAuth(true)

in the new engine creation factory. You can create a context like this:

    // val sslContext: SSLContext = // create manually
    ConnectionContext.httpsServer(() => {
      val engine = sslContext.createSSLEngine()
      engine.setUseClientMode(false)
      engine.setNeedClientAuth(true)
      engine
    })

Would that work for you?

I created #3433 to update the docs.

moonkev · August 12, 2020, 6:08pm

Yes, this is great. Many thanks @jrudolph!

Topic		Replies	Views
Mutual TLS implementation for Akka Http Client and Akka Http Server or Other Server Akka Streams & Alpakka	1	1451	April 3, 2019
Akka-HTTP server HTTPS Support Akka HTTP akka , akka-http , java , configuration	3	1770	July 24, 2022
Akka grpc custom authentication Akka gRPC	1	1342	March 7, 2019
Akka cluster tls tcp configuration Akka Libraries java , configuration	0	43	August 21, 2024
mTLS with Akka gRPC Akka gRPC	0	533	June 21, 2022

Recommended new way to pass in TLSClientAuth in Akka HTTP 10.2 API

Related topics