quictransport server certificate problem #697

Open
rebelde96 opened this issue Aug 21, 2020 · 3 comments
Comments

@rebelde96

I am having a problem trying to connect to the Python server I got from the quictransport example.

net::ERR_QUIC_PROTOCOL_ERROR.QUIC_HANDSHAKE_FAILED (TLS handshake failure (ENCRYPTION_HANDSHAKE) 46: certificate unknown).
client.html:1 Uncaught (in promise) TypeError: Connection lost.

I am using a Let's Encrypt certificate on Windows Server. With a regular "Hello World" Python page, the certificate is working. What can be the reason?

@jeffposnick
Contributor

CC: @vasilvv, who may know more about the certificate requirements for the sample.

@yoursunny

yoursunny commented Nov 13, 2020

I'm using a certificate generated by OpenSSL following these instructions:

# 1. Generate a certificate and a private key:
# openssl req -newkey rsa:2048 -nodes -keyout certificate.key \
# -x509 -out certificate.pem -subj '/CN=Test Certificate' \
# -addext "subjectAltName = DNS:localhost"
#
# 2. Compute the fingerprint of the certificate:
# openssl x509 -pubkey -noout -in certificate.pem |
# openssl rsa -pubin -outform der |
# openssl dgst -sha256 -binary | base64
# The result should be a base64-encoded blob that looks like this:
# "Gi/HIwdiMcPZo2KBjnstF5kQdLI5bPrYJ8i3Vi6Ybck="
#
# 3. Pass a flag to Chromium indicating what host and port should be allowed
# to use the self-signed certificate. For instance, if the host is
# localhost, and the port is 4433, the flag would be:
# --origin-to-force-quic-on=localhost:4433
#
# 4. Pass a flag to Chromium indicating which certificate needs to be trusted.
# For the example above, that flag would be:
# --ignore-certificate-errors-spki-list=Gi/HIwdiMcPZo2KBjnstF5kQdLI5bPrYJ8i3Vi6Ybck=

My localhost is Windows and cannot install aioquic successfully, so I installed it on a Linux server in my LAN and adjusted the command lines to reference the FQDN of that server, as well as BIND_ADDRESS in the Python script.
Chrome is complaining "You are using an unsupported command-line flag" above the webpage, and the console is indicating 46: certificate unknown.
Wireshark shows 1 QUIC-Initial frame from Chrome, 3 QUIC-Handshake frames from server, and 2 QUIC-Handshake frames from Chrome.

@yoursunny

https://bugs.chromium.org/p/chromium/issues/detail?id=762819#c5

I don't see --user-data-dir (which has to be set in order for --ignore-certificate-errors-spki-list to be set)

After adding --user-data-dir=.\quic-userdata, it's working.

Moreover, it has to be a non-existent directory every time. Reusing an existing directory would not work.
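The two comments above describe one procedure: generate a self-signed certificate with a SAN, compute the SHA-256 of its DER-encoded SubjectPublicKeyInfo, and start Chromium with `--origin-to-force-quic-on`, `--ignore-certificate-errors-spki-list` and a fresh `--user-data-dir`. The script below puts that together as a runnable example. It is added here and is not part of the issue thread or of the aioquic sample; the output directory, host name and port are assumed defaults. It writes the SAN through a small config file (equivalent to the `-addext` one-liner on OpenSSL 1.1.1+, but also works on builds without that option), uses `openssl pkey` instead of the thread's `openssl rsa` so the same pipeline handles EC keys, and cross-checks the certificate's SPKI digest against the private key so a key/cert mix-up is caught before you go hunting for Chromium flag problems.

```shell
#!/bin/sh
# Added example (not from the issue thread or the aioquic sample): build a
# self-signed certificate for a QuicTransport test server and derive the
# Chromium flags that make the browser accept it.
# Assumed inputs: output directory, host name, port (defaults in main).

# gen_cert DIR HOST -> writes DIR/certificate.key and DIR/certificate.pem.
# The subjectAltName comes from a config file; on OpenSSL 1.1.1+ this is the
# same as the thread's -addext "subjectAltName = DNS:HOST". For an IP address
# the SAN would need the IP: prefix instead of DNS:.
gen_cert() {
  dir=$1; host=$2
  mkdir -p "$dir"
  cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = $host
[ext]
subjectAltName = DNS:$host
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$dir/certificate.key" -out "$dir/certificate.pem" \
    -config "$dir/req.cnf" >/dev/null 2>&1
}

# spki_fingerprint CERT -> base64(SHA-256(DER SubjectPublicKeyInfo)), which is
# the value --ignore-certificate-errors-spki-list expects. 'openssl pkey'
# rather than the thread's 'openssl rsa' so EC keys work through the same pipe.
spki_fingerprint() {
  openssl x509 -pubkey -noout -in "$1" \
    | openssl pkey -pubin -outform der \
    | openssl dgst -sha256 -binary \
    | openssl base64
}

# key_fingerprint KEY -> the same digest derived from the private key. It must
# equal spki_fingerprint of the cert; if not, key and cert do not belong together.
key_fingerprint() {
  openssl pkey -in "$1" -pubout -outform der \
    | openssl dgst -sha256 -binary \
    | openssl base64
}

# chromium_flags HOST PORT FP USERDATA -> the flags to start Chromium with.
# USERDATA must be a directory that does not exist yet: the SPKI allow-list is
# only honoured with a non-default profile, and the thread reports that a
# reused directory does not work.
chromium_flags() {
  printf '%s %s %s\n' \
    "--origin-to-force-quic-on=$1:$2" \
    "--ignore-certificate-errors-spki-list=$3" \
    "--user-data-dir=$4"
}

main() {
  dir=${1:-./quic-cert}; host=${2:-localhost}; port=${3:-4433}
  gen_cert "$dir" "$host"
  fp=$(spki_fingerprint "$dir/certificate.pem")
  if [ "$fp" != "$(key_fingerprint "$dir/certificate.key")" ]; then
    echo "certificate.pem and certificate.key do not match" >&2
    return 1
  fi
  echo "SPKI fingerprint: $fp"
  echo "Start Chromium with:"
  # A timestamped profile directory keeps every run on a fresh --user-data-dir.
  chromium_flags "$host" "$port" "$fp" "$dir/userdata-$(date +%s)"
}

# Run the whole procedure only when invoked with arguments, e.g.:
#   sh quic_cert.sh ./quic-cert localhost 4433
if [ "$#" -ge 1 ]; then
  main "$@"
fi
```

Point the aioquic server at `certificate.pem` and `certificate.key`, then launch Chromium with the printed flags. The host in `--origin-to-force-quic-on` must be exactly the name you connect to and the one in the SAN; if the Linux server sits behind an FQDN, as in the comment above, use that FQDN both when generating the certificate and in the flag.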
