
Using custom CA with TLS certificates

Open maxerz opened this issue 3 years ago • 6 comments

Describe the feature you'd like supported

Right now TLS certificate verification uses only the system CA store. But in some cases custom CA certificates may be preferred (for example, non-HTTP/3 QUIC usage). For this we need to specify custom CA path(s), which should be passed to the TLS backend. But MsQuic doesn't support that at this moment.

Proposed solution

Add a function or struct field that will pass custom CA path(s) to the TLS backend (for example, SSL_CTX_load_verify_locations for OpenSSL).

Additional context

No response

maxerz avatar Jun 14 '22 18:06 maxerz

Would you be willing to propose a more explicit change or even a PR for this?

nibanks avatar Jun 15 '22 14:06 nibanks

You can currently get this behavior if you pass the INDICATE_PEER_CERTIFICATE flag, and then in the PEER_CERTIFICATE callback, you can validate against your desired set of CAs by calling OpenSSL directly.

anrossi avatar Jun 15 '22 20:06 anrossi

In order not to introduce additional fields into the credential config, I think a function should be added (MsQuicConfigurationLoadVerifyLocations, for example) that will call the backend TLS function on CXPLAT_SEC_CONFIG, which will load custom CA certificates (in other words, call SSL_CTX_load_verify_locations, for example).


maxerz avatar Jun 16 '22 09:06 maxerz

What about a SetParam on the Configuration which calls SSL_CTX_load_verify_locations? That way it's not a new field on the Configuration, and it's less work than implementing the PEER_CERTIFICATE callback.

anrossi avatar Jun 16 '22 18:06 anrossi

That's fine. It will still keep the old structures and will make the backend verify the certificate, avoiding possible custom certificate verification bugs.


maxerz avatar Jun 16 '22 22:06 maxerz

Actually I think it would be better to load custom CA certificates from memory in X.509 PEM/DER form. That way CA certificates can be easily loaded from any source without a dependency on files. With OpenSSL that would require something like this (DER):

#include <openssl/ssl.h>
#include <openssl/x509.h>

// Add one DER-encoded CA certificate held in memory to the SSL_CTX trust store.
// Returns 1 on success, 0 on failure.
static int add_der_ca_to_ctx(SSL_CTX* ctx, const unsigned char* buffer, long bufferLen)
{
    const unsigned char* p = buffer; // d2i_X509 advances the pointer it is given, so use a copy
    X509* x509 = d2i_X509(NULL, &p, bufferLen);
    if (x509 == NULL)
    {
        return 0; // handle error...
    }
    X509_STORE* store = SSL_CTX_get_cert_store(ctx);
    if (X509_STORE_add_cert(store, x509) != 1)
    {
        X509_free(x509);
        return 0; // handle error...
    }
    X509_free(x509); // decrement reference counter; the store holds its own reference
    return 1;
}

maxerz avatar Jun 17 '22 18:06 maxerz

BTW you can already do that using the "PORTABLE" option, e.g. you can give it a PKCS12 blob with intermediate certs. .NET is using that. It is somewhat different as it does not add a new location, but it allows you to be explicit.

wfurt avatar Feb 16 '23 19:02 wfurt