
Expose TLS details for QUIC connection #93014

Closed
wants to merge 3 commits into from

Conversation

rzikm
Member

@rzikm rzikm commented Oct 4, 2023

Implements #70184.

test program:

using System.Net.Security;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using System.Net;
using System.Net.Quic;

// Server certificate for the loopback test (PFX path and password are local test values).
using X509Certificate2 serverCert = new X509Certificate2("./contoso.com.pfx", "testcertificate");

var listener = await QuicListener.ListenAsync(new QuicListenerOptions{
    ApplicationProtocols = new List<SslApplicationProtocol> { new SslApplicationProtocol("test") },
    ListenEndPoint = new IPEndPoint(IPAddress.Any, 9999),
    ConnectionOptionsCallback = delegate {
        return ValueTask.FromResult(new QuicServerConnectionOptions {
            ServerAuthenticationOptions = new SslServerAuthenticationOptions {
                ServerCertificate = serverCert,
                ApplicationProtocols = new List<SslApplicationProtocol> { new SslApplicationProtocol("test") },
                ClientCertificateRequired = false,
                EnabledSslProtocols = SslProtocols.Tls13,
                // Accepts any peer certificate; only acceptable in this loopback test.
                RemoteCertificateValidationCallback = delegate { return true; },
            },
            DefaultCloseErrorCode = 0,
            DefaultStreamErrorCode = 0,
        });
    }
});

await using var client = await QuicConnection.ConnectAsync(new QuicClientConnectionOptions{
    ClientAuthenticationOptions = new SslClientAuthenticationOptions {
        ApplicationProtocols = new List<SslApplicationProtocol> { new SslApplicationProtocol("test") },
        // Accepts the self-signed test certificate; not for production use.
        RemoteCertificateValidationCallback = delegate { return true; },
    },
    DefaultCloseErrorCode = 0,
    DefaultStreamErrorCode = 0,
    RemoteEndPoint = new IPEndPoint(IPAddress.Loopback, 9999),
});

await using var server = await listener.AcceptConnectionAsync();

// Print the negotiated TLS parameters from both ends of the same connection.
DumpTlsData(client, "client");
Console.WriteLine();
DumpTlsData(server, "server");

void DumpTlsData(QuicConnection connection, string tag)
{
    Console.WriteLine($"{tag}.NegotiatedCipherSuite: {connection.NegotiatedCipherSuite}");
    Console.WriteLine($"{tag}.CipherAlgorithm: {connection.CipherAlgorithm}");
    Console.WriteLine($"{tag}.CipherStrength: {connection.CipherStrength}");
    Console.WriteLine($"{tag}.HashAlgorithm: {connection.HashAlgorithm}");
    Console.WriteLine($"{tag}.HashStrength: {connection.HashStrength}");
    Console.WriteLine($"{tag}.KeyExchangeAlgorithm: {connection.KeyExchangeAlgorithm}");
    Console.WriteLine($"{tag}.KeyExchangeStrength: {connection.KeyExchangeStrength}");
}

Output (Windows)

client.NegotiatedCipherSuite: TLS_AES_256_GCM_SHA384
client.CipherAlgorithm: Aes256
client.CipherStrength: 256
client.HashAlgorithm: Sha384
client.HashStrength: 0
client.KeyExchangeAlgorithm: None
client.KeyExchangeStrength: 0

server.NegotiatedCipherSuite: TLS_AES_256_GCM_SHA384
server.CipherAlgorithm: Aes256
server.CipherStrength: 256
server.HashAlgorithm: Sha384
server.HashStrength: 0
server.KeyExchangeAlgorithm: None
server.KeyExchangeStrength: 0

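One defensive use of the properties this PR exposes is to verify, after the handshake, that the negotiated parameters meet a local policy before the connection is used. The following is an added illustration, not code from the PR or from dotnet/runtime; it assumes `NegotiatedCipherSuite` is typed as `System.Net.Security.TlsCipherSuite` and `CipherStrength` as `int` (mirroring `SslStream`), and the allowlist and the 128-bit threshold are assumptions chosen for the example. Because the posted Windows output reports `HashStrength` as 0 and `KeyExchangeAlgorithm` as `None`, the check deliberately does not depend on those fields.

```csharp
using System.Net.Quic;
using System.Net.Security;

// Added example (not part of the PR): post-handshake policy check on a QuicConnection.
static class QuicTlsPolicy
{
    // QUIC always runs on TLS 1.3, so only TLS 1.3 AEAD suites are expected here.
    // Allowlist is an assumption for illustration, not a project default.
    private static readonly HashSet<TlsCipherSuite> AllowedSuites = new()
    {
        TlsCipherSuite.TLS_AES_256_GCM_SHA384,
        TlsCipherSuite.TLS_AES_128_GCM_SHA256,
        TlsCipherSuite.TLS_CHACHA20_POLY1305_SHA256,
    };

    // Minimum symmetric key size in bits; assumed threshold for the example.
    private const int MinCipherStrengthBits = 128;

    // Application error code sent to the peer when policy fails; assumed value.
    private const long PolicyViolationErrorCode = 0x10;

    // Returns a list of human-readable findings; empty means the connection passes.
    public static IReadOnlyList<string> Check(QuicConnection connection)
    {
        var findings = new List<string>();

        if (!AllowedSuites.Contains(connection.NegotiatedCipherSuite))
        {
            findings.Add($"cipher suite {connection.NegotiatedCipherSuite} is not on the allowlist");
        }

        if (connection.CipherStrength < MinCipherStrengthBits)
        {
            findings.Add($"cipher strength {connection.CipherStrength} bits is below {MinCipherStrengthBits}");
        }

        // HashStrength and KeyExchange* report 0/None in the output posted above,
        // so they are logged for visibility but not used as policy inputs.
        return findings;
    }

    // Closes the connection with an application error code if the policy fails.
    // Returns true when the connection was kept, false when it was closed.
    public static async Task<bool> EnforceAsync(QuicConnection connection, TextWriter log)
    {
        IReadOnlyList<string> findings = Check(connection);
        if (findings.Count == 0)
        {
            return true;
        }

        foreach (string finding in findings)
        {
            log.WriteLine($"tls policy: {finding}");
        }

        await connection.CloseAsync(PolicyViolationErrorCode);
        return false;
    }
}
```

Typical placement is immediately after `AcceptConnectionAsync` on the server or `ConnectAsync` on the client: `if (!await QuicTlsPolicy.EnforceAsync(server, Console.Error)) return;`. Running the check on both ends, as the test program prints both, also catches a mismatch between what each side believes was negotiated.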
@dotnet-issue-labeler

Note regarding the new-api-needs-documentation label:

This serves as a reminder for when your PR is modifying a ref *.cs file and adding/modifying public APIs, please make sure the API implementation in the src *.cs file is documented with triple slash comments, so the PR reviewers can sign off that change.

@ghost ghost assigned rzikm Oct 4, 2023
@ghost

ghost commented Oct 4, 2023

Tagging subscribers to this area: @dotnet/ncl
See info in area-owners.md if you want to be subscribed.


Author: rzikm
Assignees: rzikm
Labels: area-System.Net, new-api-needs-documentation

Milestone: -

@karelz karelz added this to the 9.0.0 milestone Oct 24, 2023
@ghost ghost closed this Nov 23, 2023
@ghost

ghost commented Nov 23, 2023

Draft Pull Request was automatically closed for 30 days of inactivity. Please let us know if you'd like to reopen it.

@rzikm rzikm reopened this Nov 24, 2023
@ghost ghost closed this Dec 24, 2023
@ghost

ghost commented Dec 24, 2023

Draft Pull Request was automatically closed for 30 days of inactivity. Please let us know if you'd like to reopen it.

@rzikm rzikm reopened this Jan 2, 2024
@ghost ghost closed this Feb 1, 2024
@ghost

ghost commented Feb 1, 2024

Draft Pull Request was automatically closed for 30 days of inactivity. Please let us know if you'd like to reopen it.

@rzikm
Member Author

rzikm commented Feb 1, 2024

This time I promise I will make time to finish this :D

@rzikm rzikm reopened this Feb 1, 2024
@rzikm rzikm force-pushed the 70184-quic-tls-details branch from e7e088b to 0ea016b February 28, 2024 16:16
@rzikm rzikm force-pushed the 70184-quic-tls-details branch from 0ea016b to 6265bb1 February 28, 2024 16:17
@rzikm
Member Author

rzikm commented May 3, 2024

Waiting for the decision in #100361 to see if it makes sense to expose everything.

@dotnet-policy-service dotnet-policy-service bot removed this from the 9.0.0 milestone Jun 2, 2024

Draft Pull Request was automatically closed for 30 days of inactivity. Please let us know if you'd like to reopen it.

@karelz karelz added this to the 9.0.0 milestone Jun 24, 2024
@github-actions github-actions bot locked and limited conversation to collaborators Jul 25, 2024