Support optional client certificates for MsQuicConnection #69603
Conversation
ghost
added
the
|
Tagging subscribers to this area: @dotnet/ncl Issue DetailsFixes #57308. This PR needs to wait until we consume newer MsQuic with microsoft/msquic#2732 fixed.
|
| if (serverAuthenticationOptions.ClientCertificateRequired) | ||
| { | ||
| flags |= QUIC_CREDENTIAL_FLAGS.REQUIRE_CLIENT_AUTHENTICATION | QUIC_CREDENTIAL_FLAGS.INDICATE_CERTIFICATE_RECEIVED | QUIC_CREDENTIAL_FLAGS.NO_CERTIFICATE_VALIDATION; | ||
| flags |= QUIC_CREDENTIAL_FLAGS.REQUIRE_CLIENT_AUTHENTICATION | QUIC_CREDENTIAL_FLAGS.INDICATE_CERTIFICATE_RECEIVED | QUIC_CREDENTIAL_FLAGS.NO_CERTIFICATE_VALIDATION | QUIC_CREDENTIAL_FLAGS.DEFER_CERTIFICATE_VALIDATION; |
There was a problem hiding this comment.
Why do we need both, I thought it's either or:
When QUIC_CREDENTIAL_FLAG_NO_CERTIFICATE_VALIDATION or QUIC_CREDENTIAL_FLAG_DEFER_VALIDATION are present
There was a problem hiding this comment.
The handshake fails without it, I must have left it there when I was debugging the code (MsQuic uses it in its unit tests). I will check with @anrossi
There was a problem hiding this comment.
Somehow, it seems to work with the updated MsQuic, so I removed the DEFER_VALIDATION flag
There was a problem hiding this comment.
I believe @wfurt fixed MsQuic's OpenSSL layer so that it works with NO_VALIDATION as expected.
|
updated fedora image to one built in dotnet/dotnet-buildtools-prereqs-docker#618 |
ManickaP
left a comment
ManickaP
left a comment
There was a problem hiding this comment.
Thanks!
BTW, you removed several ActiveIssues attributes, are all of them fixed by this? If so, this PR should also mention them as "fixed".
| } | ||
|
|
||
| return Create(options, QUIC_CREDENTIAL_FLAGS.CLIENT, certificate: certificate, certificateContext: null, options.ClientAuthenticationOptions?.ApplicationProtocols, options.ClientAuthenticationOptions?.CipherSuitesPolicy); | ||
| return Create(options, QUIC_CREDENTIAL_FLAGS.CLIENT | QUIC_CREDENTIAL_FLAGS.USE_SUPPLIED_CREDENTIALS, certificate: certificate, certificateContext: null, options.ClientAuthenticationOptions?.ApplicationProtocols, options.ClientAuthenticationOptions?.CipherSuitesPolicy); |
There was a problem hiding this comment.
By the way, USE_SUPPLIED_CREDENTIALS is only used for Schannel. It should cause an error to use it with OpenSSL.
There was a problem hiding this comment.
That's strange, I didn't observe any test failures on Linux
There was a problem hiding this comment.
I'm still planning to finish testing on Linux & Windows but got distracted with my trip. I should be able to finish testing tomorrow.
There was a problem hiding this comment.
This fails on my machine, I'll put up a PR to fix this.
5 participants
Fixes #57308, #64944
This PR needs to wait until we consume newer MsQuic with microsoft/msquic#2732 fixed.