
Add mTLS client certificate support for proxy authentication#4430

Open
dhawalseth wants to merge 5 commits into actions:main from dhawalseth:feature/mtls-proxy-support

Conversation


@dhawalseth dhawalseth commented May 19, 2026

Summary

Add support for configuring TLS client certificates when connecting through proxies that require mTLS authentication.

  • Adds environment variable support for mTLS proxy configuration:
    • HTTPS_PROXY_CLIENT_CERT: Path to client certificate file (PEM format)
    • HTTPS_PROXY_CLIENT_KEY: Path to client private key file (PEM format)
    • HTTPS_PROXY_CA_CERT: Path to CA certificate file (PEM format)
  • Updates RunnerWebProxy to read and expose these certificate paths
  • Updates HttpClientHandlerFactory to load X509 certificates and configure HttpClientHandler.ClientCertificates
  • Supports both uppercase and lowercase environment variable names for consistency with existing proxy variables

HTTP Paths Covered

All HTTP client paths in the runner now support mTLS:

Path                      Implementation
------------------------  ------------------------------------------------------
VssHttpMessageHandler     ConfigureClientCertificates callback in VssUtil.cs
RawHttpMessageHandler     ConfigureClientCertificates callback in VssUtil.cs
VssOAuthTokenHttpClient   Invokes ConfigureClientCertificates callback
HttpClientHandlerFactory  Loads certs from webProxy.HttpsProxyClientCert/Key
Azure SDK BlobClient      Custom HttpClientTransport in ResultsHttpClient.cs

Use Case

Enterprise environments often use mTLS proxies (like Kraken, Envoy with mTLS, or corporate forward proxies) that require clients to present certificates for
authentication. This change enables the GitHub Actions runner to work in such environments.

Example Usage

export HTTPS_PROXY="http://proxy.corp.example.com:8080"
export HTTPS_PROXY_CLIENT_CERT="/etc/runner/certs/client.crt"
export HTTPS_PROXY_CLIENT_KEY="/etc/runner/certs/client.key"
export HTTPS_PROXY_CA_CERT="/etc/runner/certs/ca.crt"

./run.sh

Related PRs

This is part of a broader effort to add mTLS proxy support across the GitHub Actions ecosystem:

Test plan

  • Added unit tests for HTTPS_PROXY_CLIENT_CERT, HTTPS_PROXY_CLIENT_KEY, HTTPS_PROXY_CA_CERT environment variable parsing
  • Added tests for lowercase environment variable variants
  • Error handling for missing or invalid certificate files
  • Manual testing with mTLS proxy (log uploads to Azure blob storage)
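
The environment-variable handling described in this PR, as an added example written for this page; it is neither the runner's code nor the PR's diff (the diff itself is not shown here). The class name MtlsProxyHandlerFactory, the RequireFile helper, the "set both or neither" rule for the cert/key pair, and the use of HTTPS_PROXY_CA_CERT as a custom root trust for server validation are assumptions for illustration; the description only says the three paths are read and the client certificate is attached to HttpClientHandler.ClientCertificates.

```csharp
using System;
using System.IO;
using System.Net;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example (not runner code): builds an HttpClientHandler from the
// HTTPS_PROXY, HTTPS_PROXY_CLIENT_CERT, HTTPS_PROXY_CLIENT_KEY and
// HTTPS_PROXY_CA_CERT variables. Class/helper names are assumptions.
public static class MtlsProxyHandlerFactory
{
    // Upper-case name first, then lower-case, mirroring the convention the
    // PR describes for the existing HTTPS_PROXY / https_proxy variables.
    private static string? Env(string name) =>
        Environment.GetEnvironmentVariable(name)
        ?? Environment.GetEnvironmentVariable(name.ToLowerInvariant());

    // Fail loudly on a missing file instead of silently running without mTLS.
    private static void RequireFile(string variable, string path)
    {
        if (!File.Exists(path))
            throw new FileNotFoundException($"{variable} points to a file that does not exist", path);
    }

    public static HttpClientHandler Create()
    {
        var handler = new HttpClientHandler();

        var proxyUrl = Env("HTTPS_PROXY");
        if (!string.IsNullOrEmpty(proxyUrl))
        {
            handler.UseProxy = true;
            handler.Proxy = new WebProxy(proxyUrl);
        }

        var certPath = Env("HTTPS_PROXY_CLIENT_CERT");
        var keyPath = Env("HTTPS_PROXY_CLIENT_KEY");
        if (!string.IsNullOrEmpty(certPath) || !string.IsNullOrEmpty(keyPath))
        {
            // A certificate without its key (or vice versa) cannot complete a
            // client-authenticated handshake; treat a half-configured pair as an
            // error rather than falling back to an unauthenticated connection.
            if (string.IsNullOrEmpty(certPath) || string.IsNullOrEmpty(keyPath))
                throw new InvalidOperationException(
                    "HTTPS_PROXY_CLIENT_CERT and HTTPS_PROXY_CLIENT_KEY must be set together");
            RequireFile("HTTPS_PROXY_CLIENT_CERT", certPath);
            RequireFile("HTTPS_PROXY_CLIENT_KEY", keyPath);

            // PEM certificate plus a separate, unencrypted PEM private key (.NET 5+).
            var clientCert = X509Certificate2.CreateFromPemFile(certPath, keyPath);

            // SChannel on Windows needs a persisted private key; round-tripping
            // through PKCS#12 gives the handshake a usable key handle.
            if (OperatingSystem.IsWindows())
                clientCert = new X509Certificate2(clientCert.Export(X509ContentType.Pkcs12));

            handler.ClientCertificateOptions = ClientCertificateOption.Manual;
            handler.ClientCertificates.Add(clientCert);
        }

        var caPath = Env("HTTPS_PROXY_CA_CERT");
        if (!string.IsNullOrEmpty(caPath))
        {
            RequireFile("HTTPS_PROXY_CA_CERT", caPath);
            var trustedRoots = new X509Certificate2Collection();
            trustedRoots.ImportFromPemFile(caPath); // accepts a bundle of several CA certs

            // Trust only the configured CA for the server side of the handshake.
            // This replaces the system store for this handler; it never disables
            // validation (no "return true" shortcut).
            handler.ServerCertificateCustomValidationCallback = (request, serverCert, chain, errors) =>
            {
                if (serverCert is null || chain is null)
                    return false;
                // Hostname mismatch is reported separately from chain errors and
                // must still fail even when the chain builds to our CA.
                if ((errors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0)
                    return false;

                chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
                chain.ChainPolicy.CustomTrustStore.Clear();
                chain.ChainPolicy.CustomTrustStore.AddRange(trustedRoots);
                return chain.Build(serverCert);
            };
        }

        return handler;
    }
}

// Usage: var client = new HttpClient(MtlsProxyHandlerFactory.Create());
```

Two points to keep in mind when deploying this pattern. HttpClientHandler.ClientCertificates are offered on the TLS handshake the handler performs; with an `http://` proxy URL as in the example above, the CONNECT to the proxy is plaintext and the certificate is presented on the TLS session that runs inside the tunnel, so the proxy only sees it if it terminates that TLS session. And because the private key is read from a plain file, the key file should be readable only by the runner's service account.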

Add support for configuring TLS client certificates when connecting
through proxies that require mTLS authentication. This is configured
via environment variables:

- HTTPS_PROXY_CLIENT_CERT: Path to client certificate file (PEM)
- HTTPS_PROXY_CLIENT_KEY: Path to client private key file (PEM)
- HTTPS_PROXY_CA_CERT: Path to CA certificate file (PEM)

The HttpClientHandlerFactory loads these certificates and configures
the HttpClientHandler to present them during TLS handshake.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
…sageHandler

The runner's primary HTTP paths (VssConnection/RawConnection) create
bare HttpClientHandler instances without loading client certificates.
RunnerWebProxy reads HTTPS_PROXY_CLIENT_CERT/KEY env vars but only
HttpClientHandlerFactory (secondary path) wires them into the handler.

Changes:
- VssHttpMessageHandler: add ConfigureClientCertificates callback,
  invoke it in ApplySettings after proxy is set
- RawHttpMessageHandler: same callback pattern
- VssUtil: set RawHttpMessageHandler.DefaultWebProxy (was missing),
  wire cert loading callback into both handlers

This enables mTLS proxy authentication for all runner communication:
job pickup, token refresh, broker connections, action downloads.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@dhawalseth dhawalseth force-pushed the feature/mtls-proxy-support branch from 74b6602 to 72b5069 on May 29, 2026 16:36
The OAuth token HTTP client creates its own HttpClientHandler without
loading client certificates. This breaks mTLS proxy auth for broker
session creation (IssuedTokenProvider → RawHttpMessageHandler path).

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@dhawalseth dhawalseth force-pushed the feature/mtls-proxy-support branch from 0a80b0c to 559c3a5 on May 29, 2026 17:46
dhawalseth and others added 2 commits May 29, 2026 10:48
Configure HttpClientTransport with client certificates for BlobClient
and AppendBlobClient to support mTLS proxy authentication when uploading
logs/results to Azure blob storage.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2 participants