HTTP/3: Support SslServerAuthenticationOptions with QUIC

[JamesNK]

SslServerAuthenticationOptions is the primary type for configuring HTTPS/TLS in Kestrel. It is designed for SslStream but most of the options can be mapped to QUIC.

The goal is to make setting a certificate for HTTP/3 to be like setting a certificate for other protocols.

Break down of its properties:

• AllowRenegotiation. Not sure if this is supported in QUIC or not. Crypto settings can't change once started with QUIC. Alternatively, might map to QUIC_SERVER_RESUMPTION_LEVEL.
• ApplicationProtocols. Already using successfully.
• CertificateRevocationCheckMode. No built in support. Can we implement manually with .NET APIs?
• CipherSuitesPolicy. Not currently supported. Tracked separately as QUIC: support CipherSuitesPolicy #55378
• ClientCertificateRequired. QUIC_CREDENTIAL_FLAG_REQUIRE_CLIENT_AUTHENTICATION.
• EnabledSslProtocols. Not revelevent.
• EncryptionPolicy. Not revelevent.
• RemoteCertificateValidationCallback. QUIC_CREDENTIAL_FLAG_INDICATE_CERTIFICATE_RECEIVED.
  • certificate - Passed as a platform sepecific certificate type.
  • chain - resolve from certificate?
  • sslPolicyErrors - figure this out ourselves?
• ServerCertificate. Already used.
• ServerCertificateContext. Not sure about this one.
• ServerCertificateSelectionCallback. Used for SNI. Already used as part of setting the server certificate with a listener connection. Relevent: https://github.com/microsoft/msquic/blob/73bd4a7700b9d0c4f9570a46734eb9bf40f8448f/src/inc/msquic.h#L753 Extracted to [QUIC] Server side certificate selection via ServerCertificateSelectionCallback should work #55421

System.Net.Quic currently has an out of date version of msquic. Current blocked on msquic update: #44580

Thanks for contacting us.
We're moving this issue to the Next sprint planning milestone for future evaluation / consideration. We will evaluate the request when we are planning the work for the next milestone. To learn more about what to expect next and how this issue will be handled you can read more about our triage process here.

Tagging subscribers to this area: @dotnet/ncl, @vcsjones
See info in area-owners.md if you want to be subscribed.

Issue Details

---

SslServerAuthenticationOptions is the primary type for configuring HTTPS/TLS in Kestrel. It is designed for SslStream but most of the options can be mapped to QUIC.

The goal is to make setting a certificate for HTTP/3 to be like setting a certificate for other protocols.

Break down of its properties:

• AllowRenegotiation. Not sure if this is supported in QUIC or not. Crypto settings can't change once started with QUIC. Alternatively, might map to QUIC_SERVER_RESUMPTION_LEVEL.
• ApplicationProtocols. Already using successfully.
• CertificateRevocationCheckMode. No built in support. Can we implement manually with .NET APIs?
• CipherSuitesPolicy. Not currently supported. Open issue for msquic to support: Add Option for Ciphers to QUIC_CREDENTIAL_CONFIG microsoft/msquic#109
• ClientCertificateRequired. QUIC_CREDENTIAL_FLAG_REQUIRE_CLIENT_AUTHENTICATION.
• EnabledSslProtocols. Not revelevent.
• EncryptionPolicy. Not revelevent.
• RemoteCertificateValidationCallback. QUIC_CREDENTIAL_FLAG_INDICATE_CERTIFICATE_RECEIVED.
  • certificate - Passed as a platform sepecific certificate type.
  • chain - resolve from certificate?
  • sslPolicyErrors - figure this out ourselves?
• ServerCertificate. Already used.
• ServerCertificateContext. Not sure about this one.
• ServerCertificateSelectionCallback. Used for SNI. Already used as part of setting the server certificate with a listener connection. Relevent: https://github.com/microsoft/msquic/blob/73bd4a7700b9d0c4f9570a46734eb9bf40f8448f/src/inc/msquic.h#L753

System.Net.Quic currently has an out of date version of msquic. Current blocked on msquic update: #44580

Author:	JamesNK
Assignees:	-
Labels:	area-System.Net.Security, untriaged
Milestone:	-

Tagging subscribers to this area: @dotnet/ncl
See info in area-owners.md if you want to be subscribed.

Issue Details

---

SslServerAuthenticationOptions is the primary type for configuring HTTPS/TLS in Kestrel. It is designed for SslStream but most of the options can be mapped to QUIC.

The goal is to make setting a certificate for HTTP/3 to be like setting a certificate for other protocols.

Break down of its properties:

• AllowRenegotiation. Not sure if this is supported in QUIC or not. Crypto settings can't change once started with QUIC. Alternatively, might map to QUIC_SERVER_RESUMPTION_LEVEL.
• ApplicationProtocols. Already using successfully.
• CertificateRevocationCheckMode. No built in support. Can we implement manually with .NET APIs?
• CipherSuitesPolicy. Not currently supported. Open issue for msquic to support: Add Option for Ciphers to QUIC_CREDENTIAL_CONFIG microsoft/msquic#109
• ClientCertificateRequired. QUIC_CREDENTIAL_FLAG_REQUIRE_CLIENT_AUTHENTICATION.
• EnabledSslProtocols. Not revelevent.
• EncryptionPolicy. Not revelevent.
• RemoteCertificateValidationCallback. QUIC_CREDENTIAL_FLAG_INDICATE_CERTIFICATE_RECEIVED.
  • certificate - Passed as a platform sepecific certificate type.
  • chain - resolve from certificate?
  • sslPolicyErrors - figure this out ourselves?
• ServerCertificate. Already used.
• ServerCertificateContext. Not sure about this one.
• ServerCertificateSelectionCallback. Used for SNI. Already used as part of setting the server certificate with a listener connection. Relevent: https://github.com/microsoft/msquic/blob/73bd4a7700b9d0c4f9570a46734eb9bf40f8448f/src/inc/msquic.h#L753

System.Net.Quic currently has an out of date version of msquic. Current blocked on msquic update: #44580

Author:	JamesNK
Assignees:	-
Labels:	area-System.Net.Http, area-System.Net.Security, untriaged
Milestone:	-

[JamesNK]

Moved to runtime. Changes will need to be made here in QUIC library.

@geoffkizer

Tagging subscribers to this area: @dotnet/ncl
See info in area-owners.md if you want to be subscribed.

Issue Details

---

SslServerAuthenticationOptions is the primary type for configuring HTTPS/TLS in Kestrel. It is designed for SslStream but most of the options can be mapped to QUIC.

The goal is to make setting a certificate for HTTP/3 to be like setting a certificate for other protocols.

Break down of its properties:

• AllowRenegotiation. Not sure if this is supported in QUIC or not. Crypto settings can't change once started with QUIC. Alternatively, might map to QUIC_SERVER_RESUMPTION_LEVEL.
• ApplicationProtocols. Already using successfully.
• CertificateRevocationCheckMode. No built in support. Can we implement manually with .NET APIs?
• CipherSuitesPolicy. Not currently supported. Open issue for msquic to support: Add Option for Ciphers to QUIC_CREDENTIAL_CONFIG microsoft/msquic#109
• ClientCertificateRequired. QUIC_CREDENTIAL_FLAG_REQUIRE_CLIENT_AUTHENTICATION.
• EnabledSslProtocols. Not revelevent.
• EncryptionPolicy. Not revelevent.
• RemoteCertificateValidationCallback. QUIC_CREDENTIAL_FLAG_INDICATE_CERTIFICATE_RECEIVED.
  • certificate - Passed as a platform sepecific certificate type.
  • chain - resolve from certificate?
  • sslPolicyErrors - figure this out ourselves?
• ServerCertificate. Already used.
• ServerCertificateContext. Not sure about this one.
• ServerCertificateSelectionCallback. Used for SNI. Already used as part of setting the server certificate with a listener connection. Relevent: https://github.com/microsoft/msquic/blob/73bd4a7700b9d0c4f9570a46734eb9bf40f8448f/src/inc/msquic.h#L753

System.Net.Quic currently has an out of date version of msquic. Current blocked on msquic update: #44580

Author:	JamesNK
Assignees:	-
Labels:	area-System.Net.Quic, untriaged
Milestone:	-

[geoffkizer]

@wfurt Can you help with some of these?

[geoffkizer]

CertificateRevocationCheckMode

What does msquic do currently? Just not check for revocation?

[wfurt]

Is the server certificate working on Linux @JamesNK?

From the list:

• allow renegotiation: we should ignore and not applicable to TLS13. The resumption is whole different connect and and should not be mixed.

For the revocation, we can most likely use X509Chain to do verification via custom callback. This is generally What we do now for SslStream.

For the ServerCertificateContext aka custom trust we will need to check and probably make API changes. It will work on Windows as ServerCertificateContext puts intermediate certificates to the CA store. Validation may still be problematic.

I think we should focus on marshaling certificates in & out and making that consistent across all platforms.
I can take a look and perhaps we can reuse or mimic parts of X509Certificate2 PAL.