.NET 8 `QuicConnection` AuthenticationException: RemoteCertificateNameMismatch

[GF-Huang]

Description

In .NET Interactive environment (.NET 7.0.14), QuicConnection.ConnectAsync successful, but in .NET 8 console app, it fails with System.Security.Authentication.AuthenticationException due to RemoteCertificateNameMismatch.

.NET 7 interactive notebook successful

.NET 8 console app exception

Reproduction Steps

Just create a new .NET 8 console app and run the following code:

using System.Net.Quic;
using System.Net.Security;
using System.Net;

using var cts = new CancellationTokenSource(10_000);

await using var connection = await QuicConnection.ConnectAsync(new QuicClientConnectionOptions {
    RemoteEndPoint = new DnsEndPoint("unfiltered.adguard-dns.com", 853),
    DefaultStreamErrorCode = 0,
    DefaultCloseErrorCode = 0,
    ClientAuthenticationOptions = new SslClientAuthenticationOptions {
        ApplicationProtocols = [new SslApplicationProtocol("doq")]
    }
}, cts.Token);

Console.WriteLine("Connected.");

Expected behavior

Connect to the unfiltered.adguard-dns.com successful.

Actual behavior

Got exception AuthenticationException due to RemoteCertificateNameMismatch.

Regression?

Works well in VSCode Polyglot Notebooks v1.0.4562010 with .NET 7 (7.0.14) environment.

Known Workarounds

No response

Configuration

.NET 8
Win11 22H2 22621.2715
x64

Other information

No response

Tagging subscribers to this area: @dotnet/ncl
See info in area-owners.md if you want to be subscribed.

Issue Details

---

Description

In .NET Interactive environment (.NET 7.0.14), QuicConnection.ConnectAsync successful, but in .NET 8 console app, it fails with System.Security.Authentication.AuthenticationException due to RemoteCertificateNameMismatch.

.NET 7 interactive notebook successful

.NET 8 console app exception

Reproduction Steps

Just create a new .NET 8 console app and run the following code:

using System.Net.Quic;
using System.Net.Security;
using System.Net;

using var cts = new CancellationTokenSource(10_000);

await using var connection = await QuicConnection.ConnectAsync(new QuicClientConnectionOptions {
    RemoteEndPoint = new DnsEndPoint("unfiltered.adguard-dns.com", 853),
    DefaultStreamErrorCode = 0,
    DefaultCloseErrorCode = 0,
    ClientAuthenticationOptions = new SslClientAuthenticationOptions {
        ApplicationProtocols = [new SslApplicationProtocol("doq")]
    }
}, cts.Token);

Console.WriteLine("Connected.");

Expected behavior

Connect to the unfiltered.adguard-dns.com successful.

Actual behavior

Got exception AuthenticationException due to RemoteCertificateNameMismatch.

Regression?

Works well in VSCode Polyglot Notebooks v1.0.4562010 with .NET 7 (7.0.14) environment.

Known Workarounds

No response

Configuration

.NET 8
Win11 22H2 22621.2715
x64

Other information

No response

Author:	GF-Huang
Assignees:	-
Labels:	untriaged, area-System.Net.Quic
Milestone:	-

[wfurt]

Can you hook certificate validation callback and dump the chain status & error?

[GF-Huang]

Can you hook certificate validation callback and dump the chain status & error?

It's empty.

[rzikm]

That looks very wrong. I will have a look

[rzikm]

Right, so this is actually not a regression. In 7.0 we did not validate the server's certificate against the expected host name. so the following should work

using System.Net.Quic;
using System.Net.Security;
using System.Net;

using var cts = new CancellationTokenSource(10_000);

await using var connection = await QuicConnection.ConnectAsync(new QuicClientConnectionOptions {
    RemoteEndPoint = new DnsEndPoint("unfiltered.adguard-dns.com", 853),
    DefaultStreamErrorCode = 0,
    DefaultCloseErrorCode = 0,
    ClientAuthenticationOptions = new SslClientAuthenticationOptions {
        ApplicationProtocols = [new SslApplicationProtocol("doq")],
        TargetHost = "unfiltered.adguard-dns.com" // <-- add this
    }
}, cts.Token);

Console.WriteLine("Connected.");

Let me know if this fix works for you.

This issue has been marked needs-author-action and may be missing some important information.

[GF-Huang]

Let me know if this fix works for you.

After add TargetHost = "unfiltered.adguard-dns.com", it works as expected. Thank you!