Skip to content

[QUIC] Fix flags usage on Linux#69874

Merged
ManickaP merged 1 commit into
dotnet:mainfrom
ManickaP:mapichov/quic-fix-load-cert
May 27, 2022
Merged

[QUIC] Fix flags usage on Linux#69874
ManickaP merged 1 commit into
dotnet:mainfrom
ManickaP:mapichov/quic-fix-load-cert

Conversation

@ManickaP

@ManickaP ManickaP commented May 26, 2022

Copy link
Copy Markdown
Member

@ghost ghost added the area-System.Net.Quic label May 26, 2022
@ghost ghost assigned ManickaP May 26, 2022
@ghost

ghost commented May 26, 2022

Copy link
Copy Markdown

Tagging subscribers to this area: @dotnet/ncl
See info in area-owners.md if you want to be subscribed.

Issue Details

#69603 (comment)

Author: ManickaP
Assignees: -
Labels:

area-System.Net.Quic

Milestone: -

@ManickaP ManickaP requested review from rzikm and wfurt May 26, 2022 18:55
@wfurt

wfurt commented May 26, 2022

Copy link
Copy Markdown
Member

I'm not sure it is needed. My understanding was that the flags may be used on Windows. I did tests on Windows and all tests passes after updating msquic manually.

@anrossi

anrossi commented May 26, 2022

Copy link
Copy Markdown

On Schannel, USE_SUPPLIED_CREDENTIALS forces the client to send an empty certificate_list back to the server when the server requests client authentication and the client has no certificate to send, so the server may decide whether to terminate the connection or not.
Without USE_SUPPLIED_CREDENTIALS, Schannel client will end the handshake if it cannot find a certificate to send to the server when the server requests client authentication.

@wfurt

wfurt commented May 26, 2022

Copy link
Copy Markdown
Member

It is unfortunate that the flag is platform specific. It feels like it would be better to ignore it on Linux if Linux can provide same functionality.

@rzikm rzikm left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks!


return Create(options, QUIC_CREDENTIAL_FLAGS.CLIENT | QUIC_CREDENTIAL_FLAGS.USE_SUPPLIED_CREDENTIALS, certificate: certificate, certificateContext: null, options.ClientAuthenticationOptions?.ApplicationProtocols, options.ClientAuthenticationOptions?.CipherSuitesPolicy);
QUIC_CREDENTIAL_FLAGS flags = QUIC_CREDENTIAL_FLAGS.CLIENT;
if (OperatingSystem.IsWindows())

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

as long as .NET doesn't use OpenSSL on Windows, this is fine.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we have any way to query what backend the library uses? Otherwise having the flag produce errors with OpenSSL makes it a bit inconvenient.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think we have a way to query which crypto library is in use. @ThadHouse @nibanks, do you know of something?

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No, we don't currently expose a way to do this. We could via a global GetParam option easily enough. If you need this @rzikm please open a MsQuic issue for it.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I still feel that making sure the flag does not break OpenSSL would be better option e.g. less platform code to maintain elsewhere.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

.NET uses the SChannel version on Windows, so unless we care that the user may somehow provide a different dll (possibly built with OpenSSL), then we don't need it.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have had asks to support OpenSSL MsQuic on Windows with .NET, so would prefer not to make assumptions of using Schannel on Windows.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

agreed. While we may not support it we may take community contributions. Requirement for S2022 or W11 seems pretty steep for many users.

@ManickaP ManickaP May 26, 2022

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We also tie to OperatingSystem.IsWindows() (non) usage of portable certs. I assume that is also rather thing of OpenSSL and following would not work with it:

if (OperatingSystem.IsWindows())
{
config.Type = QUIC_CREDENTIAL_TYPE.CERTIFICATE_CONTEXT;
config.CertificateContext = (void*)certificate.Handle;
status = MsQuicApi.Api.ApiTable->ConfigurationLoadCredential(configurationHandle.QuicHandle, &config);
}

Unless, I'm mistaken here, I wouldn't put too much effort into distinguishing Windows from SChannel atm.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I filed microsoft/msquic#2761, it is not urgent, but it would be nice to have it in place when somebody eventually asks for support of OpenSSL-MsQuic on Windows.

@ManickaP

Copy link
Copy Markdown
Member Author

Failing QUIC test is System.Net.Quic.Functional.Tests: [Long Running Test] 'System.Net.Quic.Tests.MsQuicTests.ConnectWithClientCertificate', Elapsed: 00:02:05
Which is cover by #69792

@ManickaP ManickaP merged commit ecb4e6c into dotnet:main May 27, 2022
@ManickaP ManickaP deleted the mapichov/quic-fix-load-cert branch May 27, 2022 08:05
@ghost ghost locked as resolved and limited conversation to collaborators Jun 26, 2022
@karelz karelz added this to the 7.0.0 milestone Jul 19, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

6 participants