ignore validation failures with NO_CERTIFICATE_VALIDATION #1728
@wfurt can you reproduce the issue? I'd like to have Schannel take a look if possible to make sure they don't have a bug instead of working around it (though we'd probably also take the workaround).
I can reproduce it with the test added in dotnet/runtime#54302, but I don't know how easy it is for others to run. I'm also planning to do more investigation and possibly follow up with Schannel about the case when a client certificate is requested but the client does not provide one. It would be nice if that behaved the same as SSL.
Let's start an email thread with Schannel folks, along with their logs. If you use our log.ps1 with
here is the answer
That makes sense to me. I updated the change accordingly. It also makes sense why this works for MsQuic, as the tests do not seem to use the If this looks good, can you please also get this to the 1.5 branch @nibanks?
I bumped into this while working on dotnet/runtime#54302.
I'm not 100% sure what exactly is happening, but when using a custom client certificate the QueryContextAttributesW would fail. It is somewhat curious that it fails with SEC_E_INVALID_HANDLE, but since we are not asking to do validation at all, I decided to just ignore the error and move on. In my test setup the peer certificate can still be retrieved and passed to the validation callback.
So when MsQuic/OS is not asked to do validation we would just log the error and move on.
I'm not sure if it makes sense to even call QueryContextAttributesW, but since we pass the result of it to the validation callback one can see it as pre-validation.