aioquic
Self-signed certs with trustme and mkcert
I am working on integrating this into Sanic. I have no problem running Sanic using a TLS cert from mkcert either with or without aioquic. Furthermore, I can also generate a cert with trustme, but it will only run properly on the HTTP/1.1 server. With aioquic and the trustme self-signed cert, it fails.
Step 1 - error_code=304 and "self signed certificate"
Initially, I was getting a self signed certificate issue.
Logs from server of the events received:
[quic_event_received]: ProtocolNegotiated(alpn_protocol='h3')
[quic_event_received]: ConnectionTerminated(error_code=304, frame_type=0, reason_phrase='')
Logs from curl
curl3 https://localhost:8443 --http3 -vv
* Trying 127.0.0.1:8443...
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: none
* Connect socket 6 over QUIC to 127.0.0.1:8443
* Sent QUIC client Initial, ALPN: h3,h3-29,h3-28,h3-27
* SSL certificate problem: self signed certificate
* connect to 127.0.0.1 port 8443 failed: SSL peer certificate or SSH remote key was not OK
* Trying ::1:8443...
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: none
* Connect socket 7 over QUIC to ::1:8443
* Sent QUIC client Initial, ALPN: h3,h3-29,h3-28,h3-27
* quiche: recvfrom() unexpectedly returned -1 (errno: 111, socket 7)
* connect to ::1 port 8443 failed: Failure when receiving data from the peer
* Failed to connect to localhost port 8443 after 45 ms: Failure when receiving data from the peer
* Closing connection 0
Step 2 - error_code=307 and "self signed certificate"
Okay, that makes sense, so I added -k to my curl command. I am still getting the "self signed certificate" problem in curl, but the error_code in the ConnectionTerminated is not 307.
Logs from server of the events received:
[quic_event_received]: ProtocolNegotiated(alpn_protocol='h3')
[quic_event_received]: ConnectionTerminated(error_code=307, frame_type=0, reason_phrase='')
Logs from curl
curl3 https://localhost:8443 --http3 -vv -k
* Trying 127.0.0.1:8443...
* Connect socket 6 over QUIC to 127.0.0.1:8443
* Sent QUIC client Initial, ALPN: h3,h3-29,h3-28,h3-27
* SSL certificate problem: self signed certificate
* connect to 127.0.0.1 port 8443 failed: SSL peer certificate or SSH remote key was not OK
* Trying ::1:8443...
* Connect socket 7 over QUIC to ::1:8443
* Sent QUIC client Initial, ALPN: h3,h3-29,h3-28,h3-27
* quiche: recvfrom() unexpectedly returned -1 (errno: 111, socket 7)
* connect to ::1 port 8443 failed: Failure when receiving data from the peer
* Failed to connect to localhost port 8443 after 32 ms: Failure when receiving data from the peer
* Closing connection 0
Step 3 - error_code=307 and "self signed certificate"
Next I tried to explicitly use the certificate in curl. The "self signed certificate" problem goes away, but I still have ConnectionTerminated with 307.
Logs from server of the events received:
[quic_event_received]: ProtocolNegotiated(alpn_protocol='h3')
[quic_event_received]: ConnectionTerminated(error_code=307, frame_type=0, reason_phrase='')
Logs from curl
export CURL_CA_BUNDLE=/tmp/tmpjxggpl2g/cert.pem
curl3 https://localhost:8443 --http3 -vv
* Trying 127.0.0.1:8443...
* CAfile: /tmp/tmpjxggpl2g/cert.pem
* CApath: none
* Connect socket 6 over QUIC to 127.0.0.1:8443
* Sent QUIC client Initial, ALPN: h3,h3-29,h3-28,h3-27
* quiche_conn_recv() == -10
* Trying ::1:8443...
* CAfile: /tmp/tmpjxggpl2g/cert.pem
* CApath: none
* Connect socket 7 over QUIC to ::1:8443
* Sent QUIC client Initial, ALPN: h3,h3-29,h3-28,h3-27
* quiche: recvfrom() unexpectedly returned -1 (errno: 111, socket 7)
* connect to ::1 port 8443 failed: Failure when receiving data from the peer
* Failed to connect to localhost port 8443 after 27 ms: Failure when receiving data from the peer
* Closing connection 0
I am not sure where to turn next. I can see that aioquic has loaded the certificate:
QuicConfiguration(
alpn_protocols=['h3', 'h3-32', 'h3-31', 'h3-30', 'h3-29', 'hq-interop', 'hq-32', 'hq-31', 'hq-30', 'hq-29', 'siduck'],
connection_id_length=8,
idle_timeout=60.0,
is_client=False,
max_data=1048576,
max_stream_data=1048576,
quic_logger=None,
secrets_log_file=None,
server_name=None,
session_ticket=None,
cadata=None,
cafile=None,
capath=None,
certificate=<Certificate(subject=<Name(O=trustme v0.9.0,OU=Testing CA #vPAN_dtzij1Np-Zo)>, ...)>,
certificate_chain=[],
cipher_suites=None,
initial_rtt=0.1,
max_datagram_frame_size=65536,
private_key=<cryptography.hazmat.backends.openssl.rsa._RSAPrivateKey object at 0x7fdff2951030>,
quantum_readiness_test=False,
supported_versions=[
<QuicProtocolVersion.VERSION_1: 1>,
<QuicProtocolVersion.DRAFT_32: 4278190112>,
<QuicProtocolVersion.DRAFT_31: 4278190111>,
<QuicProtocolVersion.DRAFT_30: 4278190110>,
<QuicProtocolVersion.DRAFT_29: 4278190109>
],
verify_mode=None
)
Thoughts on where else to turn?
(As a side note, it would be awesome if it were possible to populate the certificate and key without having to write them to disk.)
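The error_code values in the server logs above are QUIC CRYPTO_ERROR codes (RFC 9001 section 4.8), whose low byte is the TLS alert the client sent. The following decoder is an added example, not code from the issue or from aioquic; it runs over the quoted log lines and names the alert behind each termination.

```python
import re
from typing import List, Optional, Tuple

# TLS AlertDescription values (RFC 8446, section 6.2) a client commonly sends
# when it rejects a server certificate or its CertificateVerify signature.
TLS_ALERTS = {
    40: "handshake_failure", 42: "bad_certificate", 45: "certificate_expired",
    46: "certificate_unknown", 48: "unknown_ca", 50: "decode_error",
    51: "decrypt_error", 80: "internal_error", 120: "no_application_protocol",
}

# Matches the ConnectionTerminated lines aioquic logs, as quoted in the issue.
EVENT_RE = re.compile(r"ConnectionTerminated\(error_code=(\d+), frame_type=(\d+)")


def decode_crypto_error(code: int) -> Tuple[Optional[int], Optional[str]]:
    # RFC 9001 section 4.8: CRYPTO_ERROR codes occupy 0x0100-0x01ff and the low
    # byte is the TLS alert description the peer sent. Anything else is a QUIC
    # transport or application error code and is returned as (None, None).
    if 0x100 <= code <= 0x1FF:
        alert = code & 0xFF
        return alert, TLS_ALERTS.get(alert, f"alert_{alert}")
    return None, None


def parse_log(lines: List[str]) -> List[dict]:
    # Extract every ConnectionTerminated event and annotate it with its TLS alert.
    found = []
    for line in lines:
        m = EVENT_RE.search(line)
        if not m:
            continue
        code = int(m.group(1))
        alert, name = decode_crypto_error(code)
        found.append({"error_code": code, "hex": hex(code),
                      "tls_alert": alert, "alert_name": name})
    return found


# Constructed sample: the server log lines quoted in the issue above.
SAMPLE_LOG = [
    "[quic_event_received]: ProtocolNegotiated(alpn_protocol='h3')",
    "[quic_event_received]: ConnectionTerminated(error_code=304, frame_type=0, reason_phrase='')",
    "[quic_event_received]: ConnectionTerminated(error_code=307, frame_type=0, reason_phrase='')",
]

if __name__ == "__main__":
    for event in parse_log(SAMPLE_LOG):
        print(event)  # 304 (0x130) -> unknown_ca, 307 (0x133) -> decrypt_error
```

304 decodes to unknown_ca (the client did not trust the issuer, which -k and CURL_CA_BUNDLE address), while 307 decodes to decrypt_error, the TLS 1.3 alert for a handshake signature or Finished check that failed to verify. When the certificate is already trusted and decrypt_error persists, the certificate and private key the server actually loaded are the next thing to compare.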
I don't understand what you want here: if you're telling me cURL rejects your self-signed certificate, I'd chase that up on the cURL side.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.