Add client certificate argument to TLSOptions #10867
mocchapi started this conversation in Engine Core
Replies: 1 comment
-
Client certificates can be used to authenticate not only a server, but also the client during the SSL handshake. This is helpful in p2p / friend2friend networks, as well as other non-conventional socket systems. The primary one that made me look for this feature while implementing would be the Gemini protocol, which exclusively uses client certificates to handle logins & other authentication.

As far as I understand mbedtls already has support for client certificates, so if this were to be implemented I do not believe it would be a lot of work.

I think the most logical place to put an optional setting like this would be on TLSOptions.client() and TLSOptions.client_unsafe() as a third and second argument respectively. This would keep it out of the way for those who won't use it while still offering the possibility for those that will.

I am unsure how this would be presented from the server-facing side. I'd imagine it would be best to allow GDScript to determine what to do with the client once its client certificate is received (for example, to kick a client who was determined to not be authorized to connect), but I don't know the best way to offer that control. Perhaps a simple getter on the StreamPeerTLS to retrieve the peer's certificate.

It seems unlikely this would be a good fit for an addon since it has to be part of the TLS handling code, though I admit I am quite unfamiliar with Godot's codebase & not great at writing C-like languages (which is also why I opened this as a discussion and not an issue :P )

As far as I know, currently there is no workaround for this if you are writing a client that connects to some server, unless you implement your own client cert exchange system, which sounds like a recipe for disaster (& would only be viable if you can alter the protocol).
-
I second this - it seems like a pretty important yet overlooked aspect of networking if Godot is to expand its multiplayer scene, allowing developers to not have to rely on external servers.
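The server-side flow the proposal asks for (complete the handshake, read the peer's certificate, then let application code decide whether the client stays or gets kicked), as an added Go example that is not Godot, mbedtls or discussion code: both certificates are constructed self-signed test material, the server requires a client certificate, and authorization is a Gemini-style pin on the client certificate's SHA-256 fingerprint rather than a CA chain. The function names selfSigned and mutualHandshake are the example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a short-lived self-signed certificate for host (constructed test material).
func selfSigned(host string) (tls.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, _ := x509.ParseCertificate(der) // cannot fail on DER we just produced
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}, nil
}

// mutualHandshake: the server demands a client cert, then application code decides whether the peer may stay.
func mutualHandshake(client, server tls.Certificate, allowed map[string]bool) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(server.Leaf) // the client trusts exactly this server certificate
	c, s := net.Pipe()
	defer func() { c.Close(); s.Close() }()
	// RequireAnyClientCert proves key possession (CertificateVerify) but does no chain check; the pin below authorizes.
	srv := tls.Server(s, &tls.Config{Certificates: []tls.Certificate{server},
		ClientAuth: tls.RequireAnyClientCert, SessionTicketsDisabled: true}) // no post-handshake writes on the pipe
	cli := tls.Client(c, &tls.Config{Certificates: []tls.Certificate{client}, RootCAs: roots, ServerName: "localhost"})
	go cli.Handshake() // the server side only completes once the client has accepted it and sent its cert
	if err := srv.Handshake(); err != nil {
		return "", err
	}
	fp := fmt.Sprintf("%x", sha256.Sum256(srv.ConnectionState().PeerCertificates[0].Raw))
	if !allowed[fp] {
		return fp, fmt.Errorf("peer %s authenticated but not authorized: disconnect it", fp[:16])
	}
	return fp, nil
}
```

A first contact with an empty allowlist still completes the handshake and returns the fingerprint, which is the trust-on-first-use step a Gemini-style login would record before authorizing that identity.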