[EventHubs] Custom ssl certificate support when using http proxy #16304

@yunhaoling

Summary

EventHub allows connecting to the service via an HTTP proxy.
Currently we expose HTTP proxy settings including:

proxy_hostname (str)
proxy_port (int)
username (str)
password (str)

However, there are scenarios where:

  • The HTTP proxy server has its own server SSL certificate -- when the client wants to build a TLS connection to the HTTP proxy, a custom certificate is required for authenticating the identity of the proxy server.
  • Apart from the server certificate, there is also a client SSL certificate, which is used by the server to authenticate the identity of a client.

We would like to provide the ability to set the server/client certificate in the EventHub Python SDK for authenticating the identity of the proxy server/client when connecting to the service via an HTTP proxy.

Scope of work

  • Client accepts server SSL certificate and uses the certificate (path to the CA_BUNDLE file) in the case of http proxy usage for authenticating the identity of the proxy server when building tls connection.
    • (?) certificate ignored if there's no proxy setting
  • Client accepts client SSL certificate and uses the certificate in the case of http proxy usage for authenticating the identity of the client when building tls connection.
    • (?) certificate ignored if there's no proxy setting
  • The surface should align with the azure-core on exposing the certificate settings at the top-level client

Success Criteria

  • The server SSL certificate and client certificate are supported/implemented in the underlying uamqp library
  • Clients that accept the SSL certificate and client certificate can connect to the service via an HTTP proxy which requires the certificates.

Samples

http_proxy = {
    proxy_hostname (str)
    proxy_port (int)
    username (str)
    password (str)
    connection_verify: path to the server certificate CA_BUNDLE file
    connection_cert: path to the client side certificate CA_BUNDLE file or (key, certificate pair?)
}

References

Python request ssl cert
Python request client cert
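
An added example, not part of the original issue and not the SDK's or uamqp's code: one way the proposed `connection_verify` and `connection_cert` keys could map onto a standard-library `ssl.SSLContext` for the client-to-proxy hop. The function name `build_proxy_tls_context`, the choice to ignore certificates when no proxy is set, and the `connection_cert` shape (one PEM path or a `(cert, key)` pair, as with the `cert` argument in requests) are assumptions.

```python
import os
import ssl


def build_proxy_tls_context(http_proxy):
    """Build the TLS context for the client -> HTTP proxy connection.

    Returns None when no proxy is configured (assumed answer to the issue's
    open question: certificate settings are ignored without a proxy).
    """
    if not http_proxy:
        return None
    for key in ("proxy_hostname", "proxy_port"):
        if key not in http_proxy:
            raise ValueError(f"http_proxy is missing {key!r}")

    ca_bundle = http_proxy.get("connection_verify")
    if ca_bundle is not None:
        # Only a path is accepted, so a value such as False can never be
        # used to switch proxy certificate verification off.
        if not isinstance(ca_bundle, str) or not os.path.isfile(ca_bundle):
            raise ValueError("connection_verify must be a path to an existing CA bundle")

    # With cafile set, only that bundle is trusted; without it the system
    # trust store is loaded.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_bundle)
    # Fail closed if verification is ever not in force.
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        raise RuntimeError("proxy certificate verification is not enabled")

    client_cert = http_proxy.get("connection_cert")
    if client_cert is not None:
        if isinstance(client_cert, str):
            certfile, keyfile = client_cert, None  # one PEM with cert and key
        elif isinstance(client_cert, (tuple, list)) and len(client_cert) == 2:
            certfile, keyfile = client_cert
        else:
            raise ValueError("connection_cert must be a path or a (cert, key) pair")
        for path in (certfile, keyfile):
            if path is not None and not os.path.isfile(path):
                raise ValueError(f"client certificate file not found: {path}")
        # Presented to the proxy when it requests client authentication.
        ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    return ctx
```
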
