-
Notifications
You must be signed in to change notification settings - Fork 4.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
HTTP/3: Support SslServerAuthenticationOptions with QUIC #49574
Comments
Thanks for contacting us. |
Tagging subscribers to this area: @dotnet/ncl, @vcsjones Issue DetailsSslServerAuthenticationOptions is the primary type for configuring HTTPS/TLS in Kestrel. It is designed for SslStream but most of the options can be mapped to QUIC. The goal is to make setting a certificate for HTTP/3 to be like setting a certificate for other protocols. Break down of its properties:
System.Net.Quic currently has an out of date version of msquic. Current blocked on msquic update: #44580
|
Tagging subscribers to this area: @dotnet/ncl Issue DetailsSslServerAuthenticationOptions is the primary type for configuring HTTPS/TLS in Kestrel. It is designed for SslStream but most of the options can be mapped to QUIC. The goal is to make setting a certificate for HTTP/3 to be like setting a certificate for other protocols. Break down of its properties:
System.Net.Quic currently has an out of date version of msquic. Current blocked on msquic update: #44580
|
Moved to runtime. Changes will need to be made here in QUIC library. |
Tagging subscribers to this area: @dotnet/ncl Issue DetailsSslServerAuthenticationOptions is the primary type for configuring HTTPS/TLS in Kestrel. It is designed for SslStream but most of the options can be mapped to QUIC. The goal is to make setting a certificate for HTTP/3 to be like setting a certificate for other protocols. Break down of its properties:
System.Net.Quic currently has an out of date version of msquic. Current blocked on msquic update: #44580
|
@wfurt Can you help with some of these? |
What does msquic do currently? Just not check for revocation? |
Is the server certificate working on Linux @JamesNK? From the list:
For the revocation, we can most likely use X509Chain to do verification via custom callback. This is generally What we do now for SslStream. For the ServerCertificateContext aka custom trust we will need to check and probably make API changes. It will work on Windows as ServerCertificateContext puts intermediate certificates to the CA store. Validation may still be problematic. I think we should focus on marshaling certificates in & out and making that consistent across all platforms. |
I have been purely testing on Windows so I don't know about Linux. Other devs are using Linux with a custom build of OpenSSL so I assume it is working there. |
I'm not sure. It could also be the opposite: msquic only accepts non-revocated client certs. |
@nibanks This is the list I put together after our meeting comparing TLS server configuration in .NET to msquic. What is msquic behavior without a CertificateRevocationCheckMode property? |
I'll answer that, no it isn't, we're using "tls_stub" msquic version to work around that ATM. |
The I'm wondering if it would make sense to trace remain tasks separately. I think it would be easier to track and argue about priority than large mega issue. For example, microsoft/msquic#1430 added support for Cipher selection but there are 3 max to choose from so it seems pretty marginal. |
Meeting notes: |
ClientCertificateRequired. QUIC_CREDENTIAL_FLAG_REQUIRE_CLIENT_AUTHENTICATION is the last thing on the list, that hasn't been crossed out. |
That should be fixed with #54302 @ManickaP. The server part is OK but on client MsQuic does not support it on Linux and I'm going to open issue for tracking. It should light up when read as the certificate handling is shared with server e.g. on Linux we should marshall the portable buffer instead of Windows certstore handle. |
microsoft/msquic#1803 opened to track the Linux support in MsQuic |
Closing then, all should be either resolved or tracked by one of: #55378, #55421 and microsoft/msquic#1803 |
SslServerAuthenticationOptions is the primary type for configuring HTTPS/TLS in Kestrel. It is designed for SslStream but most of the options can be mapped to QUIC.
The goal is to make setting a certificate for HTTP/3 to be like setting a certificate for other protocols.
Break down of its properties:
Alternatively, might map to QUIC_SERVER_RESUMPTION_LEVEL.CipherSuitesPolicy. Not currently supported.Tracked separately as QUIC: support CipherSuitesPolicy #55378ServerCertificateSelectionCallback. Used for SNI. Already used as part of setting the server certificate with a listener connection. Relevent: https://github.com/microsoft/msquic/blob/73bd4a7700b9d0c4f9570a46734eb9bf40f8448f/src/inc/msquic.h#L753Extracted to [QUIC] Server side certificate selection viaServerCertificateSelectionCallback
should work #55421System.Net.Quic currently has an out of date version of msquic. Current blocked on msquic update: #44580
The text was updated successfully, but these errors were encountered: