Skip to content

Add dev-only in-process mTLS termination to the http4s server#2869

Merged
simonredfern merged 1 commit into
OpenBankProject:developfrom
constantine2nd:feature/http4s-mtls-dev-mode
Jul 15, 2026
Merged

Add dev-only in-process mTLS termination to the http4s server#2869
simonredfern merged 1 commit into
OpenBankProject:developfrom
constantine2nd:feature/http4s-mtls-dev-mode

Conversation

@constantine2nd

Copy link
Copy Markdown
Contributor

Successor of the RunMTLSWebApp.scala launcher removed with the Jetty teardown, as a props toggle on the normal server instead of a separate launcher:

  • Http4sMtls.scala: mtls.* props (honoured only when run.mode=development), SSLContext from JKS keystore/truststore, fs2 TLSContext + TLSParameters (client_auth need/want), and an HttpApp middleware that strips any client-supplied PSD2-CERT header and injects the handshake-verified client certificate as canonical PEM.
  • Http4sServer.scala: mtls.enabled branch on the Ember builder (withTLS + middleware); plain-HTTP path is unchanged when the prop is off. Warns when hostname is still http://.
  • sample.props.template: commented mtls.* block next to the other keystore props.
  • Http4sMtlsTest: unit tests for PEM encoding, header injection/stripping, SSLContext construction from the checked-in dev keystores.
  • Http4sMtlsHandshakeTest: end-to-end proof over a real TLS handshake that Ember populates ServerRequestKeys.SecureSession, the verified client cert surfaces as PSD2-CERT (spoofed header replaced), and certless handshakes are rejected under client_auth=need.
  • docs/MTLS_DEV_MODE.md: how-to (cert generation, props, smoke tests, consumer pinning, troubleshooting, production proxy guidance).

Verified manually end-to-end: HTTPS on dev.port, certless handshake rejected, DirectLogin over mTLS, and /my/mtls/certificate/current returning the handshake certificate while ignoring a spoofed header.

Successor of the RunMTLSWebApp.scala launcher removed with the Jetty
teardown, as a props toggle on the normal server instead of a separate
launcher:

- Http4sMtls.scala: mtls.* props (honoured only when run.mode=development),
  SSLContext from JKS keystore/truststore, fs2 TLSContext + TLSParameters
  (client_auth need/want), and an HttpApp middleware that strips any
  client-supplied PSD2-CERT header and injects the handshake-verified
  client certificate as canonical PEM.
- Http4sServer.scala: mtls.enabled branch on the Ember builder (withTLS +
  middleware); plain-HTTP path is unchanged when the prop is off. Warns
  when hostname is still http://.
- sample.props.template: commented mtls.* block next to the other
  keystore props.
- Http4sMtlsTest: unit tests for PEM encoding, header injection/stripping,
  SSLContext construction from the checked-in dev keystores.
- Http4sMtlsHandshakeTest: end-to-end proof over a real TLS handshake that
  Ember populates ServerRequestKeys.SecureSession, the verified client
  cert surfaces as PSD2-CERT (spoofed header replaced), and certless
  handshakes are rejected under client_auth=need.
- docs/MTLS_DEV_MODE.md: how-to (cert generation, props, smoke tests,
  consumer pinning, troubleshooting, production proxy guidance).

Verified manually end-to-end: HTTPS on dev.port, certless handshake
rejected, DirectLogin over mTLS, and /my/mtls/certificate/current
returning the handshake certificate while ignoring a spoofed header.
@sonarqubecloud

Copy link
Copy Markdown

@simonredfern simonredfern merged commit d888386 into OpenBankProject:develop Jul 15, 2026
12 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants