Error when client certificate is requested
Payne-X6 opened this issue · comments
When the server requests a client certificate (in the case of a GnuTLS server, the gnutls_certificate_server_set_request
function), the aioquic
client returns a QUIC Error: 266, reason: , frame_type: 6
error and the connection is closed
I'm encountering the same problem when implementing a client for communicating with Apple's iOS services (starting at iOS 17)
Hi, I've been wanting to implement this but lack a publicly accessible server against which to test it. If anyone wants to tackle this please make sure you include a full test suite!
@doronz88 I tried your PR. It works with small changes, beware that the client cert does not need to be set (can be set to None
).
This is also valid, some server implementations may request but not require a client cert.
But with a few conditions in _client_handle_finished
this can be fixed.
One more little detail. From Wireshark it seems that the certificate is sent from the client to the server twice, once in a Protected Payload (I think this is unnecessary) and once in a Handshake packet. I'm not 100% sure where the certificate should be sent, but sending it 2x seems redundant to me.
@Payne-X6 I fixed the _client_handle_finished
to handle no certificates. From my understanding, the certificate being sent twice isn't necessarily bad, since the client cannot tell before trying to establish the connection wether the remote party would use CertificateRequest
-based authentication. I could add an option for disabling its send in the Hello packet.
@jlaine Could you take a look at the PR I reopened? I tested it and managed to create a fully working connections with the new iOS services.
@doronz88 Could you add a not-None check for self.certificate_private_key
? It's crashing on self.certificate_private_key.sign(...)
(cf348bd#diff-7ade72bf4580c7d1ea561a54e1067f4d744c1f0f037ccd42737467b0360ab51bR1597).
I stopped caring about aioquic
since it seems this project isn't very active on PRs (to say the least).
This support was added instead in:
I stopped caring about
aioquic
since it seems this project isn't very active on PRs (to say the least). This support was added instead in:
Great, love the positive attitude. Stepping up and offering to co-maintain would have just been too much effort.
When the server requests a client certificate (in the case of a GnuTLS server, the
gnutls_certificate_server_set_request
function), theaioquic
client returns aQUIC Error: 266, reason: , frame_type: 6
error and the connection is closed
Do you have a public server where you encountered this please?
When the server requests a client certificate (in the case of a GnuTLS server, the
gnutls_certificate_server_set_request
function), theaioquic
client returns aQUIC Error: 266, reason: , frame_type: 6
error and the connection is closedDo you have a public server where you encountered this please?
You can use ns2.xdp.cz.
for testing.
You can use
ns2.xdp.cz.
for testing.
Unfortunately I'm not having any luck, that server doesn't respond to my INITIAL packet. Is it actually an HTTP/3 server?
You can use
ns2.xdp.cz.
for testing.Unfortunately I'm not having any luck, that server doesn't respond to my INITIAL packet. Is it actually an HTTP/3 server?
It's a DNS server with enabled DNS over QUIC (port 853).
Thank you!
PR #386 had a number of problems:
- The signature algorithm negotiation was wrong, it would blindly try negotiating any of the supported algorithms, not just the ones compatible with the type of certificate used by the client.
- It incorrectly handled the case when the client does not have a certificate compatible with what the server requests. RFC8446 states that the client should still send a
Certificate
message, but with no certificates. - The client certificate code was not exercised by any tests.
It's a DNS server with enabled DNS over QUIC (port 853).
Ah that's what I was missing. The handshake does complete with the latest code in main
both with and without a client certificate. I do however need to disable certificate validation when running the test as the server's certificate does not have any Subject Alternative Name.