Skip to content

Add client certificate authentication and SNI callback support #364

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
etr wants to merge 4 commits into
base: master
Choose a base branch
from
Open

Add client certificate authentication and SNI callback support #364

etr wants to merge 4 commits into from
+1,083 −50

Conversation

@etr
Copy link
Owner

@etr etr commented Feb 4, 2026

Summary

Closes #133

This PR adds convenience methods for client certificate authentication (mTLS) and Server Name Indication (SNI) callback support:

  • Client certificate methods (8 new methods on http_request):

    • has_client_certificate() - check if client presented a certificate
    • get_client_cert_dn() - get subject Distinguished Name
    • get_client_cert_issuer_dn() - get issuer DN
    • get_client_cert_cn() - get Common Name from subject
    • is_client_cert_verified() - check if certificate chain is verified
    • get_client_cert_fingerprint_sha256() - get hex-encoded SHA-256 fingerprint
    • get_client_cert_not_before() / get_client_cert_not_after() - get validity times

  • SNI callback support (requires libmicrohttpd 0.9.71+):

    • sni_callback() builder method on create_webserver
    • Callback receives server name from TLS ClientHello
    • Returns cert/key pair for the requested hostname

Files Changed

File Description
src/httpserver/http_request.hpp Added 8 client cert method declarations
src/http_request.cpp Implemented methods using GnuTLS APIs
src/httpserver/create_webserver.hpp Added SNI callback typedef and builder
src/httpserver/webserver.hpp Added SNI callback member and handler
src/webserver.cpp Implemented SNI callback registration
test/integ/ws_start_stop.cpp Added 5 new tests for client cert & SNI
examples/client_cert_auth.cpp New example for client cert authentication
README.md Documentation for mTLS and SNI features

Test plan

  • All existing tests pass (make check - 14/14 pass)
  • New client certificate tests pass
  • SNI callback configuration test passes
  • cpplint style checks pass
  • Manual testing with curl and client certificates

etr added 2 commits February 4, 2026 10:05
@etr
Add client certificate authentication and SNI callback support
2e058a3 
Add convenience methods for extracting client certificate information
from TLS connections (mTLS) and Server Name Indication (SNI) callback
support for hosting multiple certificates on a single server.

Client certificate methods added to http_request (requires GnuTLS):
- has_client_certificate() - check if client cert present
- get_client_cert_dn() - subject Distinguished Name
- get_client_cert_issuer_dn() - issuer DN
- get_client_cert_cn() - Common Name from subject
- is_client_cert_verified() - certificate chain verification status
- get_client_cert_fingerprint_sha256() - hex-encoded SHA-256 fingerprint
- get_client_cert_not_before() / get_client_cert_not_after() - validity times

SNI callback support (requires libmicrohttpd 0.9.71+):
- sni_callback() builder method on create_webserver
- Callback receives server name from TLS ClientHello
- Returns cert/key pair for the requested hostname

Closes #133
@etr
Fix test: add client certificate files to AC_CONFIG_FILES
5ff1183 
The client_cert.pem and client_key.pem files need to be copied to the
build directory during configure, similar to how other test certificate
files are handled.
@codecov
Copy link

codecov bot commented Feb 4, 2026
edited
Loading

Codecov Report

❌ Patch coverage is 29.41176% with 96 lines in your changes missing coverage. Please review.
✅ Project coverage is 67.21%. Comparing base (42e769c) to head (9aaaa0d).

Files with missing lines Patch % Lines
src/http_request.cpp 28.24% 29 Missing and 65 partials ⚠️
src/webserver.cpp 0.00% 0 Missing and 2 partials ⚠️
Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff             @@
##           master     #364      +/-   ##
==========================================
- Coverage   70.54%   67.21%   -3.33%     
==========================================
  Files          28       28              
  Lines        1436     1571     +135     
  Branches      570      661      +91     
==========================================
+ Hits         1013     1056      +43     
- Misses         35       61      +26     
- Partials      388      454      +66
Files with missing lines Coverage Δ
src/httpserver/create_webserver.hpp 96.98% <100.00%> (+0.04%) ⬆️
src/httpserver/http_request.hpp 84.21% <ø> (ø)
src/webserver.cpp 58.68% <0.00%> (-0.13%) ⬇️
src/http_request.cpp 53.54% <28.24%> (-16.85%) ⬇️

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 42e769c...9aaaa0d. Read the comment docs.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

etr added 2 commits February 4, 2026 12:11
@etr
Fix HTTPS test pattern: use try-catch instead of checking start() ret…
2a6d12a 
…urn value

The webserver::start(false) method returns false when started successfully
in non-blocking mode (by design). The tests were incorrectly interpreting
this as a failure. Fixed by catching the exception that's thrown when
the server actually fails to start.

Also regenerated test certificates with valid dates (the old ones expired
in 2009).

Changes:
- Fix https_webserver, tls_session_getters, and all client_cert tests
- Regenerate cert.pem, key.pem, client_cert.pem, client_key.pem
@etr
Add test for client cert methods on non-TLS requests
9aaaa0d 
This test exercises all client certificate convenience methods on a
plain HTTP (non-TLS) connection, verifying they return appropriate
empty/false values when no TLS session is present.

This ensures the early-return code paths in the client certificate
methods are covered even when HTTPS tests may not run in all CI
environments.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Enable client-certificate authentication

1 participant

@etr