
Support for multiple server certificates #3141

Open
Techwolfy opened this issue Oct 12, 2022 · 5 comments · May be fixed by #4096

Comments

@Techwolfy
Contributor

Describe the feature you'd like supported

Currently MsQuic only supports a single QUIC_CERTIFICATE_HASH_STORE in QUIC_CREDENTIAL_CONFIG, so servers cannot offer both RSA-based and ECDSA-based ciphers. As certificate protocols evolve it would be useful to support multiple types of certificates simultaneously.

Proposed solution

QUIC_CREDENTIAL_CONFIG.CertificateHashStore is already a pointer type. Either accept an array length via the Reserved parameter, or create a new QUIC_CERTIFICATE_MULTI_HASH_STORE type to handle an array of hash store objects.

Additional context

No response

@Techwolfy Techwolfy added the "feature request" label (A request for new functionality) Oct 12, 2022
@nibanks
Member

nibanks commented Oct 12, 2022

How does Schannel/OpenSSL expose/support this?

@Techwolfy
Contributor Author

Schannel accepts an array of SCHANNEL_CERT_HASH_STORE in the ACH call via SCH_CREDENTIALS.{paCred,cCreds}. MsQuic already uses this but cCreds is currently always set to 1. I'm not familiar with OpenSSL unfortunately.

@anrossi
Contributor

anrossi commented Oct 12, 2022

I think from the Envoy work I did, I saw a BoringSSL API for setting multiple certificates. It might also exist and behave the same in OpenSSL, so I might have an idea there.

@nibanks
Member

nibanks commented Oct 13, 2022

Thanks @Techwolfy. Is there a significant priority around this ask? Also, I'd recommend simply going with the QUIC_CERTIFICATE_MULTI_HASH_STORE proposal (indicated by a new QUIC_CREDENTIAL_FLAGS). Should be pretty easy to wire up.

@Techwolfy
Contributor Author

I'm currently working on a new feature that uses this. It's not too urgent, but we'd like to get it done in the current semester.

@nibanks nibanks added the "good first issue" label (Good for newcomers) Oct 17, 2022
@nibanks nibanks linked a pull request Jan 29, 2024 that will close this issue

3 participants