Support optional client certificates for MsQuicConnection #69603

rzikm · 2022-05-20T10:44:24Z

This PR needs to wait until we consume newer MsQuic with microsoft/msquic#2732 fixed.

ghost · 2022-05-20T10:44:32Z

Tagging subscribers to this area: @dotnet/ncl
See info in area-owners.md if you want to be subscribed.

Issue Details

This PR needs to wait until we consume newer MsQuic with microsoft/msquic#2732 fixed.

Author:	rzikm
Assignees:	-
Labels:	`area-System.Net.Quic`
Milestone:	-

ManickaP · 2022-05-20T11:32:37Z

...Net.Quic/src/System/Net/Quic/Implementations/MsQuic/Interop/SafeMsQuicConfigurationHandle.cs

@@ -70,7 +70,7 @@ public static SafeMsQuicConfigurationHandle Create(QuicOptions options, SslServe

                if (serverAuthenticationOptions.ClientCertificateRequired)
                {
-                    flags |= QUIC_CREDENTIAL_FLAGS.REQUIRE_CLIENT_AUTHENTICATION | QUIC_CREDENTIAL_FLAGS.INDICATE_CERTIFICATE_RECEIVED | QUIC_CREDENTIAL_FLAGS.NO_CERTIFICATE_VALIDATION;
+                    flags |= QUIC_CREDENTIAL_FLAGS.REQUIRE_CLIENT_AUTHENTICATION | QUIC_CREDENTIAL_FLAGS.INDICATE_CERTIFICATE_RECEIVED | QUIC_CREDENTIAL_FLAGS.NO_CERTIFICATE_VALIDATION | QUIC_CREDENTIAL_FLAGS.DEFER_CERTIFICATE_VALIDATION;


Why do we need both, I thought it's either or:

When QUIC_CREDENTIAL_FLAG_NO_CERTIFICATE_VALIDATION or QUIC_CREDENTIAL_FLAG_DEFER_VALIDATION are present

The handshake fails without it, I must have left it there when I was debugging the code (MsQuic uses it in its unit tests). I will check with @anrossi

Somehow, it seems to work with the updated MsQuic, so I removed the DEFER_VALIDATION flag

I believe @wfurt fixed MsQuic's OpenSSL layer so that it works with NO_VALIDATION as expected.

rzikm · 2022-05-24T14:05:52Z

updated fedora image to one built in dotnet/dotnet-buildtools-prereqs-docker#618

ManickaP

Thanks!
BTW, you removed several ActiveIssues attributes, are all of them fixed by this? If so, this PR should also mention them as "fixed".

anrossi · 2022-05-25T18:30:00Z

...Net.Quic/src/System/Net/Quic/Implementations/MsQuic/Interop/SafeMsQuicConfigurationHandle.cs

@@ -51,7 +51,7 @@ public static SafeMsQuicConfigurationHandle Create(QuicClientConnectionOptions o
                }
            }

-            return Create(options, QUIC_CREDENTIAL_FLAGS.CLIENT, certificate: certificate, certificateContext: null, options.ClientAuthenticationOptions?.ApplicationProtocols, options.ClientAuthenticationOptions?.CipherSuitesPolicy);
+            return Create(options, QUIC_CREDENTIAL_FLAGS.CLIENT | QUIC_CREDENTIAL_FLAGS.USE_SUPPLIED_CREDENTIALS, certificate: certificate, certificateContext: null, options.ClientAuthenticationOptions?.ApplicationProtocols, options.ClientAuthenticationOptions?.CipherSuitesPolicy);


By the way, USE_SUPPLIED_CREDENTIALS is only used for Schannel. It should cause an error to use it with OpenSSL.

That's strange, I didn't observe any test failures on Linux

I'm still planning to finish testing on Linux & Windows but got distracted with my trip. I should be able to finish testing tomorrow.

This fails on my machine, I'll put up a PR to fix this.

Support optional client certificates for MsQuicConnection

18e8a77

dotnet-issue-labeler bot added the area-System.Net.Quic label May 20, 2022

ghost assigned rzikm May 20, 2022

fixup! Support optional client certificates for MsQuicConnection

2195164

ManickaP reviewed May 20, 2022

View reviewed changes

Update Fedora image

4238083

Remove DEFER_CERTIFICATE_VALIDATION flag

72fb91c

rzikm marked this pull request as ready for review May 24, 2022 15:29

rzikm requested a review from ManickaP May 25, 2022 06:56

ManickaP approved these changes May 25, 2022

View reviewed changes

rzikm merged commit 8aac5ee into dotnet:main May 25, 2022

mkhamoyan mentioned this pull request May 25, 2022

Microsoft.Quic.MsQuicException on rolling build of runtime #69792

Closed

anrossi reviewed May 25, 2022

View reviewed changes

wfurt mentioned this pull request May 26, 2022

Redisable timouting MsQuic tests #69843

Merged

ManickaP mentioned this pull request May 26, 2022

[QUIC] Fix flags usage on Linux #69874

Merged

maraf mentioned this pull request May 31, 2022

Missing docker image fedora-34-helix-20220523150939-4f64125 in mcr #70005

Closed

dougbu mentioned this pull request Jun 3, 2022

[release/7.0-preview5] Update dependencies from dotnet/runtime dotnet/efcore dotnet/aspnetcore#41887

Merged

ghost locked as resolved and limited conversation to collaborators Jun 25, 2022

karelz added this to the 7.0.0 milestone Jul 19, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Support optional client certificates for MsQuicConnection #69603

Support optional client certificates for MsQuicConnection #69603

rzikm commented May 20, 2022 •

edited

Loading

ghost commented May 20, 2022

ManickaP May 20, 2022

rzikm May 20, 2022

rzikm May 25, 2022

anrossi May 25, 2022

rzikm commented May 24, 2022

ManickaP left a comment

anrossi May 25, 2022

rzikm May 25, 2022

wfurt May 25, 2022

ManickaP May 26, 2022

Support optional client certificates for MsQuicConnection #69603

Support optional client certificates for MsQuicConnection #69603

Conversation

rzikm commented May 20, 2022 • edited Loading

ghost commented May 20, 2022

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

rzikm commented May 24, 2022

ManickaP left a comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

rzikm commented May 20, 2022 •

edited

Loading