[QUIC] Support for OpenSSL build of MsQuic on Windows #69978

Closed
rzikm opened this issue May 30, 2022 · 2 comments · Fixed by #72262 or #72609
rzikm commented May 30, 2022

Currently, we assume that on Windows, MsQuic always uses Schannel for TLS operations and on Linux it uses OpenSSL. This influences how we pass certificates to MsQuic:

```csharp
if (OperatingSystem.IsWindows())
{
    config.Type = QUIC_CREDENTIAL_TYPE.CERTIFICATE_CONTEXT;
    config.CertificateContext = (void*)certificate.Handle;
    status = MsQuicApi.Api.ApiTable->ConfigurationLoadCredential(configurationHandle.QuicHandle, &config);
}
else
{
    byte[] asn1;
    if (intermediates?.Length > 0)
    {
        X509Certificate2Collection collection = new X509Certificate2Collection();
        collection.Add(certificate);
        for (int i = 0; i < intermediates?.Length; i++)
        {
            collection.Add(intermediates[i]);
        }
        asn1 = collection.Export(X509ContentType.Pkcs12)!;
    }
    else
    {
        asn1 = certificate.Export(X509ContentType.Pkcs12);
    }
    fixed (byte* ptr = asn1)
    {
        QUIC_CERTIFICATE_PKCS12 pkcs12Config = new QUIC_CERTIFICATE_PKCS12
        {
            Asn1Blob = ptr,
            Asn1BlobLength = (uint)asn1.Length,
            PrivateKeyPassword = (sbyte*)IntPtr.Zero
        };
        config.Type = QUIC_CREDENTIAL_TYPE.CERTIFICATE_PKCS12;
        config.CertificatePkcs12 = &pkcs12Config;
        status = MsQuicApi.Api.ApiTable->ConfigurationLoadCredential(configurationHandle.QuicHandle, &config);
    }
}
```

And also some certificate related flags:

```csharp
if (OperatingSystem.IsWindows())
{
    flags |= QUIC_CREDENTIAL_FLAGS.USE_SUPPLIED_CREDENTIALS;
}
```

However, it is possible to build MsQuic with OpenSSL for Windows (e.g. to use on older Windows without TLS 1.3 support via Schannel). So we should instead make these decisions based on the actual TLS backend being used. This information can be retrieved via a recently added API: microsoft/msquic#2762.

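An added example, not the runtime's or MsQuic's own code, of the direction the issue proposes: ask MsQuic which TLS provider it was built with and branch on that, falling back to the OS check only on older MsQuic builds that lack the parameter. Assumed names: `QUIC_PARAM_GLOBAL_TLS_PROVIDER`, `QUIC_TLS_PROVIDER`, `ApiTable->GetParam` and `StatusSucceeded` follow the MsQuic API from microsoft/msquic#2762 and the Microsoft.Quic bindings; `QUIC_HANDLE*` stands in for the configuration handle used above.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Quic;
using static Microsoft.Quic.MsQuic;

internal static unsafe class MsQuicCredentials
{
    // Probe once per process: the TLS provider is a property of the loaded library,
    // not of the operating system (QUIC_PARAM_GLOBAL_TLS_PROVIDER is an assumed name).
    private static readonly Lazy<bool> s_usesSChannel = new(() =>
    {
        QUIC_TLS_PROVIDER provider = default;
        uint size = (uint)sizeof(QUIC_TLS_PROVIDER);
        int status = MsQuicApi.Api.ApiTable->GetParam(
            null, QUIC_PARAM_GLOBAL_TLS_PROVIDER, &size, &provider);
        // Older MsQuic without the parameter: keep the previous OS-based heuristic.
        return StatusSucceeded(status)
            ? provider == QUIC_TLS_PROVIDER.SCHANNEL
            : OperatingSystem.IsWindows();
    });

    public static bool UsesSChannelBackend => s_usesSChannel.Value;

    public static int LoadCredential(QUIC_HANDLE* configuration,
        X509Certificate2 certificate, X509Certificate2[]? intermediates)
    {
        QUIC_CREDENTIAL_CONFIG config = default;
        if (UsesSChannelBackend)
        {
            // Schannel takes the CERT_CONTEXT directly; the private key stays in the store.
            config.Type = QUIC_CREDENTIAL_TYPE.CERTIFICATE_CONTEXT;
            config.CertificateContext = (void*)certificate.Handle;
            config.Flags |= QUIC_CREDENTIAL_FLAGS.USE_SUPPLIED_CREDENTIALS;
            return MsQuicApi.Api.ApiTable->ConfigurationLoadCredential(configuration, &config);
        }
        // OpenSSL backend, on Windows or Linux: export leaf + chain as PKCS#12 and pass the blob.
        var collection = new X509Certificate2Collection { certificate };
        if (intermediates is { Length: > 0 }) collection.AddRange(intermediates);
        byte[] pkcs12 = collection.Export(X509ContentType.Pkcs12)!;
        fixed (byte* ptr = pkcs12)
        {
            QUIC_CERTIFICATE_PKCS12 blob = new()
            {
                Asn1Blob = ptr, Asn1BlobLength = (uint)pkcs12.Length, PrivateKeyPassword = null
            };
            config.Type = QUIC_CREDENTIAL_TYPE.CERTIFICATE_PKCS12;
            config.CertificatePkcs12 = &blob;
            return MsQuicApi.Api.ApiTable->ConfigurationLoadCredential(configuration, &config);
        }
    }
}
```

Note that the PKCS#12 path exports the private key into process memory with no password, while the Schannel path only hands over a context handle; which path runs is now decided by the backend that will actually consume the credential.
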
@rzikm rzikm added this to To Do (Low Priority) in HTTP/3 via automation May 30, 2022
@ghost ghost added the untriaged New issue has not been triaged by the area owner label May 30, 2022
ghost commented May 30, 2022

Tagging subscribers to this area: @dotnet/ncl
See info in area-owners.md if you want to be subscribed.

Issue details: Author: rzikm · Assignees: - · Labels: area-System.Net.Quic · Milestone: -

@rzikm rzikm removed the untriaged New issue has not been triaged by the area owner label May 30, 2022
@rzikm rzikm added this to the Future milestone May 30, 2022
@ManickaP ManickaP moved this from To Do (Low Priority) to Future in HTTP/3 May 30, 2022
@rzikm rzikm self-assigned this Jul 15, 2022
@ghost ghost added the in-pr There is an active PR which will close this issue when it is merged label Jul 15, 2022
HTTP/3 automation moved this from Future to Done Jul 18, 2022
@ghost ghost removed the in-pr There is an active PR which will close this issue when it is merged label Jul 18, 2022
@karelz karelz modified the milestones: Future, 7.0.0 Jul 19, 2022
CarnaViire commented

#72262 would be reverted in #72456, because it supposedly triggered strange native crashes on schannel-unsupported platforms, see #72429. We need to investigate before reintroducing the change.

@CarnaViire CarnaViire reopened this Jul 19, 2022
HTTP/3 automation moved this from Done to In Progress Jul 19, 2022
@CarnaViire CarnaViire moved this from In Progress to To Do (Low Priority) in HTTP/3 Jul 19, 2022
@ghost ghost added the in-pr There is an active PR which will close this issue when it is merged label Jul 21, 2022
@rzikm rzikm moved this from To Do (Low Priority) to In Progress in HTTP/3 Jul 22, 2022
HTTP/3 automation moved this from In Progress to Done Jul 22, 2022
@ghost ghost removed the in-pr There is an active PR which will close this issue when it is merged label Jul 22, 2022
@ghost ghost locked as resolved and limited conversation to collaborators Aug 21, 2022