QuicListener usage issues

[ayende]

I'm trying out how the QuicListener API to see how suitable it is, but so far I've been unable to even get it past the hello world stage.

Here is my code:

using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography;
using System.Net.Quic;
using System.Net;
using System.Text;
using System.Net.Security;

var cert = CreateSelfSignedCertificate();

var listener = await QuicListener.ListenAsync(new QuicListenerOptions
{
    ApplicationProtocols = new List<SslApplicationProtocol>
    {
        new SslApplicationProtocol("test")
    },
    ListenEndPoint = IPEndPoint.Parse("127.0.0.1:19999"),
    ConnectionOptionsCallback = (con, hello, token) => ValueTask.FromResult(new QuicServerConnectionOptions
    {
        DefaultStreamErrorCode = 123456,
        DefaultCloseErrorCode = 654321,
        ServerAuthenticationOptions = new SslServerAuthenticationOptions
        {
            ServerCertificate = cert,
            ClientCertificateRequired = false,
            RemoteCertificateValidationCallback = (sender, chain, certificate, errors) => true
        },
    }),
});


_ = Task.Run(async () =>
{
    var con = await listener.AcceptConnectionAsync();
    var stream = await con.AcceptInboundStreamAsync();
    var reader = new StreamReader(stream);
    while (true)
    {
        var data = await reader.ReadLineAsync();
        Console.WriteLine(data);
        await stream.WriteAsync(Encoding.UTF8.GetBytes("World"));
    }
});

try
{

    var value = await QuicConnection.ConnectAsync(new QuicClientConnectionOptions
    {
        RemoteEndPoint = IPEndPoint.Parse("127.0.0.1:19999"),
        DefaultCloseErrorCode = 789,
        DefaultStreamErrorCode = 987,
        ClientAuthenticationOptions = new SslClientAuthenticationOptions
        {
            ClientCertificates = new X509CertificateCollection { cert },
            ApplicationProtocols = new List<SslApplicationProtocol>
        {
            new SslApplicationProtocol("test")
        },
            TargetHost = "localhost",
            RemoteCertificateValidationCallback = (sender, chain, certificate, errors) => true
        }
    });
    var st = await value.OpenOutboundStreamAsync(QuicStreamType.Bidirectional);
    await st.WriteAsync(Encoding.UTF8.GetBytes("hello"));
    using var reader = new StreamReader(st);
    Console.WriteLine(await reader.ReadLineAsync());
}
catch (Exception e)
{
    Console.WriteLine(e);
}


X509Certificate2 CreateSelfSignedCertificate()
{
    var ecdsa = ECDsa.Create();
    var certificateRequest = new CertificateRequest("CN=localhost", ecdsa, HashAlgorithmName.SHA256);
    certificateRequest.CertificateExtensions.Add(
        new X509BasicConstraintsExtension(
            certificateAuthority: false,
            hasPathLengthConstraint: false,
            pathLengthConstraint: 0,
            critical: true
        )
    );
    certificateRequest.CertificateExtensions.Add(
        new X509KeyUsageExtension(
            keyUsages:
                X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyEncipherment |
                X509KeyUsageFlags.CrlSign | X509KeyUsageFlags.KeyCertSign,
            critical: false
        )
    );
    certificateRequest.CertificateExtensions.Add(
        new X509EnhancedKeyUsageExtension(
            new OidCollection {
                    new Oid("1.3.6.1.5.5.7.3.2"), // TLS Client auth
                    new Oid("1.3.6.1.5.5.7.3.1")  // TLS Server auth
            },
            false));

    certificateRequest.CertificateExtensions.Add(
        new X509SubjectKeyIdentifierExtension(
            key: certificateRequest.PublicKey,
            critical: false
        )
    );

    var sanBuilder = new SubjectAlternativeNameBuilder();
    sanBuilder.AddDnsName("localhost");
    certificateRequest.CertificateExtensions.Add(sanBuilder.Build());

    return certificateRequest.CreateSelfSigned(DateTimeOffset.Now.AddDays(-1), DateTimeOffset.Now.AddYears(5));
}

When I'm trying to run that, I'm getting this error:

System.Security.Authentication.AuthenticationException: Authentication failed. ConfigurationLoadCredential failed: QUIC_STATUS_CERT_NO_CERT
   at System.Net.Quic.ThrowHelper.ThrowIfMsQuicError(Int32 status, String message)
   at System.Net.Quic.MsQuicConfiguration.Create(QuicConnectionOptions options, QUIC_CREDENTIAL_FLAGS flags, X509Certificate certificate, X509Certificate[] intermediates, List`1 alpnProtocols, CipherSuitesPolicy cipherSuitesPolicy, EncryptionPolicy encryptionPolicy)

I'm passing the certificate, obviously, but I believe that this is related to (unstated) requirements in the certificate.
I found that this is likely the command to generate an appropriate certificate:

https://github.com/microsoft/msquic/blob/3e89ddcf94210edd2fe21b7c15310922de55142f/src/tools/sample/sample.c#L26

Using that (with):

X509Store certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser);
certStore.Open(OpenFlags.ReadOnly);
X509Certificate2Collection certCollection = certStore.Certificates.Find(
                           X509FindType.FindByThumbprint, "8B9F76CD64DBB6FFBD76C57FCC208677213A427E",
                           false);

var cert = certCollection[0];

Gives a different error:

System.Security.Authentication.AuthenticationException: Authentication failed because the remote party sent a TLS alert: 'UserCanceled'.
   at System.Net.Quic.QuicConnection.HandleEventShutdownInitiatedByTransport(_SHUTDOWN_INITIATED_BY_TRANSPORT_e__Struct& data)
   at System.Net.Quic.QuicConnection.HandleConnectionEvent(QUIC_CONNECTION_EVENT& connectionEvent)
   at System.Net.Quic.QuicConnection.NativeCallback(QUIC_HANDLE* connection, Void* context, QUIC_CONNECTION_EVENT* connectionEvent)

At this point, I'm not sure what is going on and looking at the Quic tests, it looks like I'm doing the right thing.

[4gsim]

Maybe you should not use the certificate on the client side. Try without this:
ClientCertificates = new X509CertificateCollection { cert },

[ayende]

No, that also gives UserCanceled error

[ayende]

I also tried this with a Let's Encrypt certificate (so presumed valid), same results.

[timiskhakov]

Hey @ayende, I'm not sure if you've already resolved the issue, but I recently encountered a similar problem. It turns out that I was doing something wrong with the way I obtained the certificate. I switched to using certificates created with OpenSSL, and that solved the problem. If you have OpenSSL installed, you can generate the certificate and export it to a PKCS12 file:

openssl genrsa 2048 > private.key
openssl req -new -x509 -nodes -sha1 -days 1000 -key private.key > public.cer
openssl pkcs12 -export -in public.cer -inkey private.key -out cert_key.p12

Then you can then use the file in your code:

private static X509Certificate CreateCertificate()
{
    var certFile = Path.Combine(Directory.GetCurrentDirectory(), "cert_key.p12");
    return X509Certificate.CreateFromCertFile(certFile);
}

At least, this approach worked for me.

[ayende]

Hi,
This does not work for me, when I tried that, I got:

System.Security.Authentication.AuthenticationException: Authentication failed because the remote party sent a TLS alert: 'UserCanceled'.
   at System.Net.Quic.QuicConnection.HandleEventShutdownInitiatedByTransport(_SHUTDOWN_INITIATED_BY_TRANSPORT_e__Struct& data)
   at System.Net.Quic.QuicConnection.HandleConnectionEvent(QUIC_CONNECTION_EVENT& connectionEvent)
   at System.Net.Quic.QuicConnection.NativeCallback(QUIC_HANDLE* connection, Void* context, QUIC_CONNECTION_EVENT* connectionEvent)
--- End of stack trace from previous location ---
   at System.Net.Quic.ValueTaskSource.System.Threading.Tasks.Sources.IValueTaskSource.GetResult(Int16 token)
   at System.Net.Quic.QuicConnection.FinishConnectAsync(QuicClientConnectionOptions options, CancellationToken cancellationToken)
   at System.Net.Quic.QuicConnection.ConnectAsync(QuicClientConnectionOptions options, CancellationToken cancellationToken)
   at System.Net.Quic.QuicConnection.ConnectAsync(QuicClientConnectionOptions options, CancellationToken cancellationToken)
   at Program.<Main>$(String[] args) in C:\Work\0318a7de1288b94681bec28fbb7118af\ConsoleApp3\ConsoleApp3\Program.cs:line 50

Using: OpenSSL 1.1.1s 1 Nov 2022, but don't think it matters.

It would be really useful to even get out of the gate if we can get any configuration on what sort of certificate / options is acceptable here.

[timiskhakov]

I apologize for the delay in my response. I have created a simple client-server application that uses an OpenSSL-generated certificate and facilitates two-way messaging: https://github.com/timiskhakov/QuicExample. If you could spare a moment, would you mind checking if it throws any exceptions on your machine? To be honest, I haven't tested other certificate options, such as Let's Encrypt, but perhaps this example can help in further investigating the issue.

[ayende]

Looks like a problem with the API itself on Windows, see: #88298