Using custom CA with TLS certificates

[maxerz]

Describe the feature you'd like supported

Right now TLS certificate verification uses only system CA store. But in some cases custom CA certificates may be prefered (for example, non-HTTP/3 QUIC usage). For this we need to specify custom CA path(es), which should be passed to TLS backend. But MsQuic doesn't support that at this moment.

Proposed solution

Add function or struct field that will pass custom CA path(es) to TLS backend (for example, SSL_CTX_load_verify_locations for OpenSSL).

Additional context

No response

[nibanks]

Would you be willing to propose a more explicit change or even a PR for this?

[anrossi]

You can currently get this behavior if you pass the INDICATE_PEER_CERTIFICATE flag, and then in the PEER_CERTIFICATE callback, you can validate against your desired set of CAs by calling OpenSSL directly.

[maxerz]

In order to not introduce additional fields into credential config, I think function should be added (MsQuicConfigurationLoadVerifyLocations for example) that will call backend TLS function on CXPLAT_SEC_CONFIG, which will load custom CA certificates (in other words, call SSL_CTX_load_verify_locations for example). ср, 15 июн. 2022 г., 17:52 Nick Banks ***@***.***>:

…

Would you be willing to propose a more explicit change or even a PR for this? — Reply to this email directly, view it on GitHub <#2820 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AORD3RJUYEPCD4DPAHLZEWTVPHU3TANCNFSM5YYSZLVQ> . You are receiving this because you authored the thread.Message ID: ***@***.***>

[anrossi]

What about a SetParam on the Configuration which calls SSL_CTX_load_verify_locations? That way it's not a new field on the Configuration, and it's less work than implementing the PEER_CERTIFICATE callback.

[maxerz]

That's fine. It will still keep old structures and will make backend verify the certificate, avoiding possible custom certificate verification bugs. чт, 16 июн. 2022 г., 21:25 Anthony Rossi ***@***.***>:

…

What about a SetParam on the Configuration which calls SSL_CTX_load_verify_locations? That way it's not a new field on the Configuration, and it's less work than implementing the PEER_CERTIFICATE callback. — Reply to this email directly, view it on GitHub <#2820 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AORD3RO3RTPLKMAI22PJCLTVPNWSHANCNFSM5YYSZLVQ> . You are receiving this because you authored the thread.Message ID: ***@***.***>

[maxerz]

Actually i think it would be better to load custom CA certificates from memory in X.509 PEM/DER form. That way CA certificates can be easily loaded from any source without dependency on files.
With OpenSSL that would require something like this (DER):

X509* x509 = NULL;
if (!d2i_X509(&x509, &buffer, bufferLen))
{
    // handle error...
}
X509_STORE* store = SSL_CTX_get_cert_store(ctx);
if(X509_STORE_add_cert(store, x509) != 1)
{
    // handle error...
}
X509_free(x509); // decrement reference counter

[wfurt]

BTW you can already do that using the "PORTABLE" option e.g. you can give it PKCS12 blob with intermediate certs.
.NET is using that. It is somewhat different as it does nota dd new location but it allows you to be explicit.