Optional client authentication, such as enabled by QuicSslContextBuilder#clientAuth(ClientAuth.OPTIONAL), causes Netty QUIC clients to fail connecting if no sufficient key material is found, such as with QuicSslContextBuilder#keyManager. This raises a cryptic exception with a limited stack trace:

```
Caused by: javax.net.ssl.SSLHandshakeException: QUICHE_ERR_TLS_FAIL: error:1000007e:SSL routines:OPENSSL_internal:CERT_CB_ERROR
at io.netty.incubator.codec.quic.Quiche.newException(Quiche.java:758)
at io.netty.incubator.codec.quic.Quiche.throwIfError(Quiche.java:777)
at io.netty.incubator.codec.quic.QuicheQuicChannel.connectionSendSimple(QuicheQuicChannel.java:1161)
    at io.netty.incubator.codec.quic.QuicheQuicChannel.connectionSend(QuicheQuicChannel.java:1250)
```

My guess is that BoringSSLCertificateCallback#handle removes the engine and ends up yielding a failure to BoringSSL if keying material is not found, without checking if it's mandatory with the server (which I don't think is possible to determine within the Java portion at this time).
Example server
```java
QuicSslContext context = QuicSslContextBuilder
        .forServer(new File("server_key.pem"), null, new File("server_certificate.pem"))
        .trustManager(new File("ca_certificate.pem"))
        .applicationProtocols("echo/0.0.1")
        .clientAuth(ClientAuth.OPTIONAL) // try toggling me
        .build();
ChannelHandler codec = new QuicServerCodecBuilder()
        .sslContext(context)
        .maxIdleTimeout(5, TimeUnit.SECONDS)
        // Configure some limits for the maximal number of streams (and the data) that we want to handle.
        .initialMaxData(10000000)
        .initialMaxStreamDataBidirectionalLocal(1000000)
        .initialMaxStreamDataBidirectionalRemote(1000000)
        .initialMaxStreamsBidirectional(100)
        .initialMaxStreamsUnidirectional(100)
        .tokenHandler(InsecureQuicTokenHandler.INSTANCE)
        .handler(new ChannelInboundHandlerAdapter() {
            @Override
            public void userEventTriggered(ChannelHandlerContext ctx, Object evt) {
                if (evt == SslHandshakeCompletionEvent.SUCCESS) {
                    try {
                        X509Certificate peer = (X509Certificate) ((QuicChannel) ctx.channel())
                                .sslEngine().getSession().getPeerCertificates()[0];
                        System.err.println("Verification... success!");
                    } catch (Exception ignored) {
                        System.err.println("Verification... failure!");
                    }
                }
                ctx.fireUserEventTriggered(evt);
            }

            @Override
            public boolean isSharable() {
                return true;
            }
        })
        .streamHandler(new ChannelInboundHandlerAdapter() {
            @Override
            public void channelRead(ChannelHandlerContext ctx, Object msg) {
                System.out.println(((ByteBuf) msg).toString(StandardCharsets.UTF_8));
                ctx.writeAndFlush(msg);
            }

            @Override
            public boolean isSharable() {
                return true;
            }
        })
        .build();
NioEventLoopGroup group = new NioEventLoopGroup(1);
try {
    Channel channel = new Bootstrap()
            .group(group)
            .channel(NioDatagramChannel.class)
            .handler(codec)
            .bind(8737)
            .sync().channel();
    while (System.in.read() != 'q') {
        Thread.onSpinWait();
    }
    System.err.println("closing");
    channel.close();
} finally {
    group.shutdownGracefully();
}
```
Motivation:
When client auth is optional we must not fail the handshake on the client side when no keymanager was configured on the client side.
Modifications:
- Fix handling on the client-side
- Add testcase
- Fix test
Result:
Fixes #566
Example client
Sample keying material
ca_certificate.pem
ca_key.pem
client_certificate.pem
client_key.pem
server_certificate.pem
server_key.pem