
Comments (5)

jethrogb avatar jethrogb commented on August 30, 2024

This can be fixed by passing in winapi::ISC_REQ_USE_SUPPLIED_CREDS to InitializeSecurityContextW in TlsStream::step_initialize. Possibly in a second call in response to the SEC_I_INCOMPLETE_CREDENTIALS error. Is its non-use intentional? Not setting the flag will automatically use the system's client certificates without programmer interaction.

from schannel-rs.

steffengy avatar steffengy commented on August 30, 2024

AFAIK there isn't a reason it is not passed in.
(except maybe suboptimal documentation)

1.)

The only thing I was worried about is that we guarantee
that added certificates are considered for client authentication.

After reading some nested layers of documentation, the only thing this flag seems to change
for that is that it reduces the search scope to the certificates linked to the handle
acquired by AcquireCredentialsHandle.
So in my opinion this exactly does what we want.

2.)

From a user's perspective it might be strange to get a terminated connection
from the server (when it requires a certificate but none was specified).
Not sure about a good way to improve the ergonomics here.

@sfackler


jethrogb avatar jethrogb commented on August 30, 2024

> From a user's perspective it might be strange to get a terminated connection
> from the server (when it requires a certificate but none was specified).

It is up to the server to terminate the connection. If it asked for a cert, but didn't get one, the server can decide to proceed as normal or abort.


steffengy avatar steffengy commented on August 30, 2024

> It is up to the server to terminate the connection. If it asked for a cert, but didn't get one, the server can decide to proceed as normal or abort.

That's exactly the point.
A user of this library in this case cannot determine that the server aborted
because of a missing certificate (and mitigate that by specifying one and retrying).

It could presume that, but the server going offline, a firewall dropping the request, ...
would look the same.

To recap: The issue is an issue of ergonomics: It might happen that someone
notices a mysterious bug where the server terminates the connection.
After several hours of work and troubleshooting this someone notices that the
actual issue is an unspecified client certificate.

==> The termination cause is not transparent to the user. It's hidden
and exposed as a very generic - clearly unhelpful - error for that case.


jethrogb avatar jethrogb commented on August 30, 2024

Technically, in such a case the server is to send a handshake_failure TLS alert. At least in principle, this would be distinguishable from other network-related failure modes. Whether this happens in practice and whether that level of error makes it back to the user, I don't know.

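The distinction the last two comments turn on (a server that sends a fatal alert before closing versus a peer that simply vanishes) can be checked from the bytes the client last received. The following is an added example written for this thread; it is not schannel-rs code and not code from either commenter. It assumes the application still has the raw TLS record bytes that arrived before the socket closed (with Schannel the application reads the socket itself, so it does), and that the alert is in plaintext, which holds for TLS 1.2 and earlier; in TLS 1.3 post-ServerHello alerts are encrypted and the TLS library has to surface the description instead. The sample byte strings are constructed, not captured traffic.

```rust
// Added example (not schannel-rs code): classify why a TLS handshake ended,
// using the last bytes received from the server before the socket closed.
// Record layout (RFC 5246 section 6.2.1): content type (1 byte), protocol
// version (2 bytes), length (2 bytes), payload. An alert payload is
// level (1 byte) followed by description (1 byte).

#[derive(Debug, PartialEq, Eq)]
pub enum HandshakeOutcome {
    /// Server sent a fatal alert; the description says why it gave up.
    FatalAlert { description: u8, name: &'static str },
    /// Server sent a warning-level alert (e.g. close_notify).
    WarningAlert { description: u8, name: &'static str },
    /// Socket closed with no alert at all: a firewall drop, a server going
    /// offline or a silently aborting peer all look like this.
    ClosedWithoutAlert,
    /// Bytes arrived but they are not a complete alert record.
    Unrecognised,
}

const CONTENT_TYPE_ALERT: u8 = 21;
const ALERT_LEVEL_WARNING: u8 = 1;
const ALERT_LEVEL_FATAL: u8 = 2;

/// Names for the alert descriptions relevant to client authentication
/// (values from RFC 5246 section 7.2 and RFC 8446 section 6).
fn alert_name(description: u8) -> &'static str {
    match description {
        0 => "close_notify",
        40 => "handshake_failure",
        42 => "bad_certificate",
        46 => "certificate_unknown",
        116 => "certificate_required",
        _ => "other",
    }
}

/// Classify the trailing bytes received before the server closed the socket.
pub fn classify_trailing_bytes(bytes: &[u8]) -> HandshakeOutcome {
    if bytes.is_empty() {
        return HandshakeOutcome::ClosedWithoutAlert;
    }
    // A 5-byte record header plus a 2-byte alert payload is the minimum.
    if bytes.len() < 7 || bytes[0] != CONTENT_TYPE_ALERT {
        return HandshakeOutcome::Unrecognised;
    }
    let length = u16::from_be_bytes([bytes[3], bytes[4]]) as usize;
    if length != 2 || bytes.len() < 5 + length {
        return HandshakeOutcome::Unrecognised;
    }
    let (level, description) = (bytes[5], bytes[6]);
    let name = alert_name(description);
    match level {
        ALERT_LEVEL_FATAL => HandshakeOutcome::FatalAlert { description, name },
        ALERT_LEVEL_WARNING => HandshakeOutcome::WarningAlert { description, name },
        _ => HandshakeOutcome::Unrecognised,
    }
}

/// Does this outcome point at a missing or rejected client certificate?
/// handshake_failure is what a TLS 1.2 server typically sends when it
/// required a certificate and got none; certificate_required is the
/// TLS 1.3 equivalent; bad_certificate/certificate_unknown mean one was
/// sent but rejected.
pub fn suggests_client_cert_problem(outcome: &HandshakeOutcome) -> bool {
    match outcome {
        HandshakeOutcome::FatalAlert { description, .. } => {
            matches!(*description, 40 | 42 | 46 | 116)
        }
        _ => false,
    }
}

fn main() {
    // Constructed samples, not captured traffic.
    let fatal_handshake_failure: [u8; 7] = [21, 3, 3, 0, 2, 2, 40];
    let tls13_cert_required: [u8; 7] = [21, 3, 3, 0, 2, 2, 116];
    let silent_close: [u8; 0] = [];
    let samples: [(&str, &[u8]); 3] = [
        ("handshake_failure", &fatal_handshake_failure),
        ("certificate_required", &tls13_cert_required),
        ("silent close", &silent_close),
    ];
    for (label, bytes) in samples.iter() {
        let outcome = classify_trailing_bytes(bytes);
        println!(
            "{}: {:?} (client cert problem? {})",
            label,
            outcome,
            suggests_client_cert_problem(&outcome)
        );
    }
}
```

Surfacing `FatalAlert { name: "handshake_failure", .. }` rather than a generic "connection reset" is what turns the hours of troubleshooting described above into a one-line hint that a client certificate was expected.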
