Fix openssl tls initialize not verifying server vs client state checks #2606
Conversation
|
This is breaking down-level tests: https://github.com/microsoft/msquic/runs/5821817654?check_suite_focus=true |
|
So this bug is actually user visible. It basically means that openssl builds ignore the flag, and will happily apply a server credential to a client. I think this is a bug worth fixing, and backporting down to 2.0 for the downlevel tests to pass. |
I agree. Let's fix this in release/2.0 first. Do we want to fully publish a new release, or "cheat" and just update the test binaries for 2.0.2? |
|
Lets just push a release. I'll finish up the fix, and then work on a backport. |
|
@anrossi I'm going to need your help finishing this. The pfx certificate does not properly validate. |
|
Talked with Thad about how to unblock him and finish this up. It's going to be a larger change to fix the tests, but worth it long-term. |
| QuicTraceEvent( | ||
| LibraryErrorStatus, | ||
| "[ lib] ERROR, %u, %s.", | ||
| (unsigned int)QUIC_STATUS_INVALID_PARAMETER, | ||
| "NULL Pkcs12 passed to CxPlatGetTestCertificate"); |
There was a problem hiding this comment.
| QuicTraceEvent( | |
| LibraryErrorStatus, | |
| "[ lib] ERROR, %u, %s.", | |
| (unsigned int)QUIC_STATUS_INVALID_PARAMETER, | |
| "NULL Pkcs12 passed to CxPlatGetTestCertificate"); | |
| QuicTraceEvent( | |
| LibraryErrorStatus, | |
| "[ lib] ERROR, %u, %s.", | |
| (unsigned int)QUIC_STATUS_INVALID_PARAMETER, | |
| "NULL Pkcs12 passed to CxPlatGetTestCertificate"); |
|
This PR is nowhere near ready to go. There is a ton to do. We need to get a pcks12 writer into the C code to actually complete it. |
Description
These states should be matched, and this is checked in schannel
Testing
Existing tests will likely cover this, although they are going to fail. I'm on my slow system so using CI to find failures.
Documentation
No