Skip to content

fix(tls): reject inbound connections that present no client certificate#1341

Merged
acul71 merged 3 commits into
libp2p:mainfrom
sumanjeet0012:tls-fix
Jun 28, 2026
Merged

fix(tls): reject inbound connections that present no client certificate#1341
acul71 merged 3 commits into
libp2p:mainfrom
sumanjeet0012:tls-fix

Conversation

@sumanjeet0012

@sumanjeet0012 sumanjeet0012 commented Jun 1, 2026

Copy link
Copy Markdown
Contributor

What was wrong?

Fixes #1340

Inbound TLS connections were accepted even when the remote peer sent no client certificate. The server silently assigned a synthetic placeholder Peer ID and returned a fully-formed SecureSession, bypassing libp2p's mutual authentication requirement entirely.

How was it fixed?

The fix addresses each of the failure layers:

  • Request the cert — the server-side TLS context is changed to actively solicit a client certificate during the handshake. Standards-compliant clients (Go, Rust) always send one; the cert is then available for post-handshake verification.
  • Enforce the requirement — a missing certificate is now a hard rejection instead of a recoverable warning. No session is created and no data flows.
  • Remove the synthetic identity — the fallback that invented a random Peer ID for unauthenticated peers is deleted from the normal path entirely.
  • Preserve the AutoTLS exception — the one legitimate case (ACME broker registration, where no libp2p cert exists yet) is kept but strictly gated behind the enable_autotls flag so it cannot be reached on a standard node.
  • Align exception hierarchyTLSHandshakeFailure extends the central HandshakeFailure so TransportUpgrader surfaces SecurityUpgradeFailure on rejection.

Tests and docs

  • Regression tests cover transport-level rejection, upgrader integration, and the AutoTLS primitive-exchange exception path.
  • docs/tls-support.rst documents inbound mutual authentication and the AutoTLS bootstrap exception.

To-Do

  • Clean up commit history
  • Add or update documentation related to these changes
  • Add entry to the release notes

acul71 and others added 2 commits June 28, 2026 20:44
Fixes libp2p#1340. Request client certificates on inbound TLS contexts, reject
connections that present no certificate on the standard path, and align
TLSHandshakeFailure with the central security exception hierarchy so
TransportUpgrader surfaces SecurityUpgradeFailure. Preserve the AutoTLS
broker bootstrap exception behind enable_autotls.

Co-authored-by: Cursor <cursoragent@cursor.com>
Cover transport-level rejection, upgrader integration, and the AutoTLS
primitive-exchange exception path.

Co-authored-by: Cursor <cursoragent@cursor.com>
Build RTCIceServer objects in WebRTC helpers to satisfy mypy, use a valid
generated certhash in the webrtc-direct multiaddr test, and apply ruff
parenthesized with-statement formatting in TLS regression tests.

Co-authored-by: Cursor <cursoragent@cursor.com>
@acul71
acul71 merged commit 50f3a07 into libp2p:main Jun 28, 2026
109 of 112 checks passed
@acul71
acul71 deleted the tls-fix branch June 28, 2026 20:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

TLS: inbound TLS handshake accepts connections with no client certificate (authentication bypass)

2 participants