How to validate server's certificate?

[liwass]

Hi, the client sample supplied uses unsecure configuration, that is flag QUIC_CREDENTIAL_FLAG_NO_CERTIFICATE_VALIDATION.
What is the proper way to make a mutual authentication, so that client validates the server's certificate?
Looks like the following
CredConfig.Type = QUIC_CREDENTIAL_TYPE_NONE;
CredConfig.Flags = QUIC_CREDENTIAL_FLAG_CLIENT;
CredConfig.Flags |= QUIC_CREDENTIAL_FLAG_INDICATE_CERTIFICATE_RECEIVED | QUIC_CREDENTIAL_FLAG_DEFER_CERTIFICATE_VALIDATION;

triggers event QUIC_CONNECTION_EVENT_PEER_CERTIFICATE_RECEIVED,
then
ConnectionCertificateValidationComplete(Connection, TRUE, QUIC_TLS_ALERT_CODE_SUCCESS)
is expected to validate the received certificate?
In any case, a segmentation fault happens in ConnectionCertificateValidationComplete (didn't dig further).

Can you shed some light on how it should be done? An updated sample would be highly appreciated.

[nibanks]

Generally, client should validate server's certificate with the default behavior automatically, so long as you don't turn off validation. You only need to mess with that other stuff if you want to do something special.

You also mention "mutual authentication" which generally means client sends a certificate too, and then the server validates it. Are you looking to do that too?

[nibanks]

You're sure the server's certificate isn't self-signed and somehow the Win11 client isn't disabling server cert validation? We will likely need logs on the client to see what's going on.

[liwass]

Win11 client connects without the net use flag /skipcertcheck.
How do we check whether it's self-signed? I can't connect with openssl s_client to this server's 443 port.

[liwass]

The server does have self-signed certificate according to IT.

[nibanks]

Well, by definition self-signed certs aren't valid/trusted to another machine. So you'd have to disable validation to connect.