Support optional client certificates

[Tratcher]

Description

SslServerAuthenticationOptions.ClientCertificateRequired = true is needed to prompt the client to send a certificate. SslStream will invoke RemoteCertificateValidationCallback with the result, even if it's null, and the server can choose if it wants to accept the connection. QuicListener however will terminate the connection without invoking RemoteCertificateValidationCallback. This is feature gap for quic that should be filled if possible.

            var listenerOptions = new QuicListenerOptions()
            {
                MaxBidirectionalStreams = 100,
                MaxUnidirectionalStreams = 100,
                ServerAuthenticationOptions = new SslServerAuthenticationOptions()
                {
                    ServerCertificate = TestResources.GetTestCertificate(),
                    ApplicationProtocols = new List<SslApplicationProtocol>() { new SslApplicationProtocol("h3") },
                    ClientCertificateRequired = true,
                    RemoteCertificateValidationCallback = RemoteCertificateValidationCallback,
                },
                ListenEndPoint = new IPEndPoint(IPAddress.Loopback, 0),
            };
            var listener = new QuicListener(listenerOptions);
            var acceptConnection = listener.AcceptConnectionAsync();

            var clientOptions = new QuicClientConnectionOptions
            {
                MaxBidirectionalStreams = 200,
                MaxUnidirectionalStreams = 200,
                RemoteEndPoint = listener.ListenEndPoint,
                ClientAuthenticationOptions = new SslClientAuthenticationOptions
                {
                    ApplicationProtocols = new List<SslApplicationProtocol>
                    {
                        new SslApplicationProtocol("h3")
                    },
                    RemoteCertificateValidationCallback = RemoteCertificateValidationCallback
                }
            };
            var testCert = TestResources.GetTestCertificate();
            // clientOptions.ClientAuthenticationOptions.ClientCertificates = new X509CertificateCollection { testCert };

            using var clientConnection = new QuicConnection(clientOptions);
            await clientConnection.ConnectAsync();

            var serverConnection = await acceptConnection;

            var clientStreamAccept = clientConnection.AcceptStreamAsync();

            var serverStream = serverConnection.OpenUnidirectionalStream();
            await serverStream.WriteAsync(TestData);

            var clientStream = await clientStreamAccept;

            static bool RemoteCertificateValidationCallback(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
            {
                return true;
            }

The client's call to ConnectAsync fails with:

    | System.Net.Quic.QuicException: Connection has been shutdown by transport. Error Code: 0x80410100
    |    at System.Net.Quic.Implementations.MsQuic.MsQuicConnection.HandleEventShutdownInitiatedByTransport(State state, ConnectionEvent& connectionEvent)
    |    at System.Net.Quic.Implementations.MsQuic.MsQuicConnection.NativeCallbackHandler(IntPtr connection, IntPtr context, ConnectionEvent& connectionEvent)

I can't tell if the termination is happening on the client or server. The server logs show it did accept the connection before failing (see #57246).

Recommendation: .NET 7

Tagging subscribers to this area: @dotnet/ncl
See info in area-owners.md if you want to be subscribed.

Issue Details

---

Description

SslServerAuthenticationOptions.ClientCertificateRequired = true is needed to prompt the client to send a certificate. SslStream will invoke RemoteCertificateValidationCallback with the result, even if it's null, and the server can choose if it wants to accept the connection. QuicListener however will terminate the connection without invoking RemoteCertificateValidationCallback. This is feature gap for quic that should be filled if possible.

            var listenerOptions = new QuicListenerOptions()
            {
                MaxBidirectionalStreams = 100,
                MaxUnidirectionalStreams = 100,
                ServerAuthenticationOptions = new SslServerAuthenticationOptions()
                {
                    ServerCertificate = TestResources.GetTestCertificate(),
                    ApplicationProtocols = new List<SslApplicationProtocol>() { new SslApplicationProtocol("h3") },
                    ClientCertificateRequired = true,
                    RemoteCertificateValidationCallback = RemoteCertificateValidationCallback,
                },
                ListenEndPoint = new IPEndPoint(IPAddress.Loopback, 0),
            };
            var listener = new QuicListener(listenerOptions);
            var acceptConnection = listener.AcceptConnectionAsync();

            var clientOptions = new QuicClientConnectionOptions
            {
                MaxBidirectionalStreams = 200,
                MaxUnidirectionalStreams = 200,
                RemoteEndPoint = listener.ListenEndPoint,
                ClientAuthenticationOptions = new SslClientAuthenticationOptions
                {
                    ApplicationProtocols = new List<SslApplicationProtocol>
                    {
                        new SslApplicationProtocol("h3")
                    },
                    RemoteCertificateValidationCallback = RemoteCertificateValidationCallback
                }
            };
            var testCert = TestResources.GetTestCertificate();
            // clientOptions.ClientAuthenticationOptions.ClientCertificates = new X509CertificateCollection { testCert };

            using var clientConnection = new QuicConnection(clientOptions);
            await clientConnection.ConnectAsync();

            var serverConnection = await acceptConnection;

            var clientStreamAccept = clientConnection.AcceptStreamAsync();

            var serverStream = serverConnection.OpenUnidirectionalStream();
            await serverStream.WriteAsync(TestData);

            var clientStream = await clientStreamAccept;

            static bool RemoteCertificateValidationCallback(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
            {
                return true;
            }

The client's call to ConnectAsync fails with:

    | System.Net.Quic.QuicException: Connection has been shutdown by transport. Error Code: 0x80410100
    |    at System.Net.Quic.Implementations.MsQuic.MsQuicConnection.HandleEventShutdownInitiatedByTransport(State state, ConnectionEvent& connectionEvent)
    |    at System.Net.Quic.Implementations.MsQuic.MsQuicConnection.NativeCallbackHandler(IntPtr connection, IntPtr context, ConnectionEvent& connectionEvent)

I can't tell if the termination is happening on the client or server. The server logs show it did accept the connection before failing (see #57246).

Recommendation: .NET 7

Author:	Tratcher
Assignees:	-
Labels:	feature request, area-System.Net.Quic
Milestone:	-

[wfurt]

It seems like in that case we don't even get callback from MsQuic and it fails internally. I will take a look to at least understand.

[karelz]

Triage: We need to double check if msquic now supports all we need.
Consistency with HTTP/2 and HTTP/1.1

[ManickaP]

This should functionally work. But we do have duplicated logic for building the chain and evaluating client cert validity from SslStream in MsQuicConnection. We might consider some refactorings.
However, I don't think we're missing any functionality atm, @wfurt ?

[wfurt]

this was failing within msquic last time I check @ManickaP e.g. if certificate was not provided it would always fail.

[ManickaP]

So need to retest and potentially file an issue in msquic?