Skip to content

Certificate rejection via ConnectionCertificateValidationComplete leads to connection timeout. #4132

@rzikm

Description

@rzikm

Describe the bug

I am offloading computation-heavy certificate validation to a non-MsQuic thread in System.Net.Quic, and a unit test where the cert is rejected keeps failing.

Wireshark capture of when the ConnectionCertificateValidationComplete function is invoked from inside the PEER_CERTIFICATE_RECEIVED handler:

image

Notably, the Connection Close frame is sent at the Handshake protection level. This works fine.

When the invocation is moved to be done later from another thread:

image

Note that this time, the Connection Close is sent at 1RTT level, which seems to get ignored by the server. The connection attempt times out and get's closed by the server (the last line). The capture is attached below, together with sslkeylogfile to decrypt it.

quic-cert-validation.zip

Affected OS

  • Windows
  • Linux
  • macOS
  • Other (specify below)

Additional OS information

Reproduced on Windows, didn't try other OSes

MsQuic version

main

Steps taken to reproduce bug

Use ConnectionCertificateValidationComplete to reject certificate from another thread.

Expected behavior

The server-side connection receives TLS alert which was sent by the client.

Actual outcome

The connection attempt times out

Additional details

No response

Metadata

Metadata

Assignees

No one assigned

    Labels

    Area: APIArea: CoreRelated to the shared, core protocol logicPartner: .NETBy or For the .NET team

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions