Skip to content

Support for multiple server certificates #3141

New issue
New issue
Open
Task
#4096
Open
Support for multiple server certificates#3141
Task
#4096
Labels
Area: APITLS: SchannelTLS: quicTLSfeature requestA request for new functionalitygood first issueGood for newcomers
Milestone
 
Future
@Techwolfy

Description

@Techwolfy
Techwolfy
opened on Oct 12, 2022

Describe the feature you'd like supported

Currently MsQuic only supports a single QUIC_CERTIFICATE_HASH_STORE in QUIC_CREDENTIAL_CONFIG, so servers cannot offer both RSA-based and ECDSA-based ciphers. As certificate protocols evolve it would be useful to support multiple types of certificates simultaneously.

Proposed solution

QUIC_CREDENTIAL_CONFIG.CertificateHashStore is already a pointer type. Either accept an array length via the Reserved parameter, or create a new QUIC_CERTIFICATE_MULTI_HASH_STORE type to handle an array of hash store objects.

Additional context

No response

Activity

Techwolfy
added
feature requestA request for new functionality
on Oct 12, 2022
nibanks

nibanks commented on Oct 12, 2022

@nibanks
nibanks
on Oct 12, 2022
Collaborator

How does Schannel/OpenSSL expose/support this?

nibanks
added this to the Future milestone on Oct 12, 2022
nibanks
added
TLS: quicTLS
TLS: Schannel
Area: API
on Oct 12, 2022
Techwolfy

Techwolfy commented on Oct 12, 2022

@Techwolfy
Techwolfy
on Oct 12, 2022
ContributorAuthor

Schannel accepts an array of SCHANNEL_CERT_HASH_STORE in the ACH call via SCH_CREDENTIALS.{paCred,cCreds}. MsQuic already uses this but cCreds is currently always set to 1. I'm not familiar with OpenSSL unfortunately.

anrossi

anrossi commented on Oct 12, 2022

@anrossi
anrossi
on Oct 12, 2022
Contributor

I think from the Envoy work I did, I saw a BoringSSL API for setting multiple certificates. It might also exist and behave the same in OpenSSL. So I might have an idea there

nibanks

nibanks commented on Oct 13, 2022

@nibanks
nibanks
on Oct 13, 2022
Collaborator

Thanks @Techwolfy. Is there a significant priority around this ask? Also, I'd recommend simply going with the QUIC_CERTIFICATE_MULTI_HASH_STORE proposal (indicated by a new QUIC_CREDENTIAL_FLAGS). Should be pretty easy to wire up.

Techwolfy

Techwolfy commented on Oct 14, 2022

@Techwolfy
Techwolfy
on Oct 14, 2022
ContributorAuthor

I'm currently working on a new feature that uses this. It's not too urgent, but we'd like to get it done in the current semester.

nibanks
added
good first issueGood for newcomers
on Oct 17, 2022
nibanks
added this to MsQuic Walkthroughson May 8, 2023
nibanks
moved this to Should be written in MsQuic Walkthroughson May 8, 2023
nibanks
linked a pull request that will close this issue on Jan 29, 2024
nibanks
added this to DPT Iteration Trackeron Jan 30, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Assignees

No one assigned

    Labels

    Area: APITLS: SchannelTLS: quicTLSfeature requestA request for new functionalitygood first issueGood for newcomers

    Type

    Projects

    MsQuic Walkthroughs

    Status

    Should be written
    DPT Iteration Tracker

    Status

    No status

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions
      Support for multiple server certificates · Issue #3141 · microsoft/msquic