
QuicListener Not Including Intermediary Certificates Without Explicit ServerCertificateContext #100530

Closed
pepone opened this issue Apr 2, 2024 · 2 comments · Fixed by #100584

pepone (Contributor) commented Apr 2, 2024

When using a certificate that contains an intermediary present in the system store, a Quic server doesn't include the intermediary in the TLS handshake.

You have to manually set ServerCertificateContext in the SslServerAuthenticationOptions passed to the QuicListener.

With SslStream, if the intermediary is present in the system store, it is also sent without the need to explicitly set ServerCertificateContext.

That is with Ubuntu 22.04, dotnet 8.0.3

Is this expected? It would be better if they work the same way as they are configured using the same SslServerAuthenticationOptions.

dotnet-policy-service bot (Contributor) commented
Tagging subscribers to this area: @dotnet/ncl, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

@dotnet-policy-service dotnet-policy-service bot added the untriaged New issue has not been triaged by the area owner label Apr 2, 2024
rzikm (Member) commented Apr 3, 2024

I think it's because we don't explicitly pass the intermediates to MsQuic

```csharp
// the order of checking here matches the order of checking in SslStream
if (authenticationOptions.ServerCertificateSelectionCallback is not null)
{
    // callback path: only the selected certificate is returned, no intermediates
    certificate = authenticationOptions.ServerCertificateSelectionCallback.Invoke(authenticationOptions, targetHost);
}
else if (authenticationOptions.ServerCertificateContext is not null)
{
    // explicit context path: this is the only branch that populates intermediates
    certificate = authenticationOptions.ServerCertificateContext.TargetCertificate;
    intermediates = authenticationOptions.ServerCertificateContext.IntermediateCertificates;
}
else if (authenticationOptions.ServerCertificate is not null)
{
    // plain certificate path: intermediates are never looked up here
    certificate = authenticationOptions.ServerCertificate;
}
```

In SslStream, we build the SslStreamCertificateContext under the covers, so we manage to find the intermediates; we should do that in Quic as well.

Note that using SslStreamCertificateContext is the recommended way to pass certificates in .NET 8+ because it avoids the need to build the X509 chain for each connection separately for the same certificate.
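The workaround pepone describes above (setting ServerCertificateContext explicitly) and the recommendation in this comment (build one SslStreamCertificateContext up front) amount to the same server-side setup. The following is an added example, not code from this issue or from dotnet/runtime; the certificate and key paths, the port, and the HTTP/3 error codes are placeholders chosen for illustration. It builds the context with `SslStreamCertificateContext.Create`, letting .NET resolve intermediates from the system store, checks that at least one intermediate was actually found, and hands the context to a QuicListener so that every connection reuses the already-built chain.

```csharp
// Added example (not from the issue or dotnet/runtime): give QuicListener an
// explicit SslStreamCertificateContext so intermediates are sent in the handshake.
using System;
using System.Net;
using System.Net.Quic;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.Threading;
using System.Threading.Tasks;

public static class QuicServerSetup
{
    // Loads the leaf certificate and builds its context once. additionalCertificates: null
    // makes .NET locate intermediates itself (system store, plus AIA fetch unless offline: true),
    // which is the chain building SslStream does implicitly but QuicListener does not.
    public static SslStreamCertificateContext BuildCertificateContext(string certPemPath, string keyPemPath)
    {
        X509Certificate2 leaf = X509Certificate2.CreateFromPemFile(certPemPath, keyPemPath);
        SslStreamCertificateContext context = SslStreamCertificateContext.Create(
            leaf,
            additionalCertificates: null,
            offline: false);

        // Check: a leaf issued by an intermediate CA should yield at least one intermediate.
        // Zero usually means the intermediate is not installed, and clients that do not
        // already have it will reject the chain as coming from an unknown issuer.
        if (context.IntermediateCertificates.Count == 0 &&
            !string.Equals(leaf.Subject, leaf.Issuer, StringComparison.Ordinal))
        {
            Console.Error.WriteLine(
                $"Warning: no intermediates resolved for {leaf.Subject}; clients may reject the chain.");
        }

        return context;
    }

    public static SslServerAuthenticationOptions BuildServerAuthOptions(SslStreamCertificateContext context) =>
        new SslServerAuthenticationOptions
        {
            // Explicit context: the intermediates travel with it (see the branch quoted above).
            ServerCertificateContext = context,
            ApplicationProtocols = new() { SslApplicationProtocol.Http3 },
        };

    public static async Task<QuicListener> StartListenerAsync(
        IPEndPoint endPoint, SslServerAuthenticationOptions authOptions, CancellationToken ct)
    {
        if (!QuicListener.IsSupported)
        {
            throw new PlatformNotSupportedException("MsQuic is not available on this host.");
        }

        var listenerOptions = new QuicListenerOptions
        {
            ListenEndPoint = endPoint,
            ApplicationProtocols = authOptions.ApplicationProtocols!,
            // One pre-built context is reused for every connection instead of
            // rebuilding the X509 chain per connection.
            ConnectionOptionsCallback = (_, _, _) => ValueTask.FromResult(new QuicServerConnectionOptions
            {
                ServerAuthenticationOptions = authOptions,
                DefaultStreamErrorCode = 0x10c, // placeholder app error code (H3_REQUEST_CANCELLED)
                DefaultCloseErrorCode = 0x100,  // placeholder app error code (H3_NO_ERROR)
            }),
        };

        return await QuicListener.ListenAsync(listenerOptions, ct);
    }

    public static async Task Main()
    {
        // Placeholder paths; replace with the real leaf certificate and private key.
        SslStreamCertificateContext context = BuildCertificateContext("server.crt", "server.key");
        SslServerAuthenticationOptions auth = BuildServerAuthOptions(context);

        await using QuicListener listener = await StartListenerAsync(
            new IPEndPoint(IPAddress.Loopback, 4433), auth, CancellationToken.None);
        Console.WriteLine(
            $"Listening on {listener.LocalEndPoint} with {context.IntermediateCertificates.Count} intermediate(s).");

        await using QuicConnection connection = await listener.AcceptConnectionAsync();
        Console.WriteLine(
            $"Accepted {connection.RemoteEndPoint}; ALPN {connection.NegotiatedApplicationProtocol}");
    }
}
```

The intermediate-count check is the part worth keeping in production code: the failure mode in this issue is silent on the server (the handshake completes and the leaf is sent), and only shows up as chain validation errors on clients that lack the intermediate, so asserting at startup that the context resolved a non-empty chain catches a missing intermediate before any client does.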

@rzikm rzikm added this to the 9.0.0 milestone Apr 3, 2024
@rzikm rzikm removed the untriaged New issue has not been triaged by the area owner label Apr 3, 2024
@rzikm rzikm self-assigned this Apr 3, 2024
@github-actions github-actions bot locked and limited conversation to collaborators May 4, 2024