Add an enumeration of client certificate modes to quic_types.h.
ClientCertMode is used to configure server endpoints. It tells the endpoint
whether it should request a client certificate, and whether it should allow
"unauthenticated" connections (when the client does not have a certificate).
TLS 1.3 supports three modes for the server:
- No client certificate requested
- Request a client certificate but allow unauthenticated connections
- Request a client certificate and reject unauthenticated connections
See go/quic-tls-client-certificates for details.
gfe-relnote: no change in behavior (new enum definition only).
PiperOrigin-RevId: 291452671
Change-Id: Iaab64381451af7ea0cd2a324d3262ae1e46d0bcd
diff --git a/quic/core/quic_types.h b/quic/core/quic_types.h
index fd49da2..f149ed3 100644
--- a/quic/core/quic_types.h
+++ b/quic/core/quic_types.h
@@ -434,6 +434,15 @@
QUIC_EXPORT_PRIVATE std::string EncryptionLevelToString(EncryptionLevel level);
+// Enumeration of whether a server endpoint will request a client certificate,
+// and whether that endpoint requires a valid client certificate to establish a
+// connection.
+enum class ClientCertMode {
+ kNone, // Do not request a client certificate. Default server behavior.
+ kRequest, // Request a certificate, but allow unauthenticated connections.
+ kRequire, // Require clients to provide a valid certificate.
+};
+
enum AddressChangeType : uint8_t {
// IP address and port remain unchanged.
NO_CHANGE,
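Review bot: the kRequest comment in the new ClientCertMode enum says unauthenticated connections are allowed, but it does not say what the server does when a client presents a certificate that fails validation. Please state whether that handshake is rejected or continues as unauthenticated, because code that makes authorization decisions needs to know whether "a certificate was presented" implies "the certificate was verified" in this mode. The kRequire comment has the matching gap: "Require clients to provide a valid certificate" leaves open who defines valid (chain verification only, or also an application-level check), and a short pointer to where that is decided would help. Two smaller points: the enum has no fixed underlying type, while AddressChangeType directly below it uses uint8_t, and there is no string helper comparable to EncryptionLevelToString directly above it, which would be useful once the mode shows up in logs. Keeping kNone as the first enumerator is good, since a value-initialized ClientCertMode is then the documented default; a comment asking that the order be preserved would protect that.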