Graceful connection failure for failed TLS handshake

[tegefaulkes]

Specification

Currently we are seeing unintended behaviour when the connection fails a TLS handshake.

What we want to happen is, if a connection fails the TLS handshake then we close the connection.

1. The connection should gracefully end for both the server and client.
2. any further attempts to establish the connection is ended.
3. Errors are propagated and the failure condition is clearly indicated to the best of our ability. This should mainly state that the TLS failed, hopefully it will specify why the TLS failed.

We need to add tests to test these conditions. The tests should check for

1. Connection success
2. Server certs fail verification
3. Client certs fail verification
4. Both server and client certs fail verification
5. We should test RSA, EC and ED signed certs.

The main way we can trigger verification failure is to have the certs self signed. We can make the certs succeed verification by providing a CA cert that allows the self signed signature.

Additional context

• Related Create TLS cert arbitraries for testing #8

Tasks

1. Expand tests to test for the above conditions
2. Fix up the connection logic to match the expected behaviour.
3. Add text fixtures for certs. These should be included in git.

[tegefaulkes]

Still getting my head around the library right now but I think I have a good idea of the problem now.

When the client fails the TLS handshake it starts the quiche connection closing proceedure. It enters a draining state where the send and recv calls need to be flushed. That is, packets need to be processed until the connection is closed. This is required so that the quic protocol can exchange the ending frames to gracefully close the connection.

The underlying problem is in two parts.

1. The QUICConnection was trying to destroy itself during the draining state due to some bad logic.
2. The createQUICClient factory was trying to stop the underlying socket before the QUICConnection had time to drain and clean up. resulting in an error due to the existing connection.

[CMCDragonkai]

Beware that the timeout mechanism I had was just a prototype. I didn't fully understand how quiche actually times out an idle connection, so the entire flow (including the while loop) might be missing something critical.

[tegefaulkes]

The connection is failing gracefully now. I think there may be a problem with it timing out so I need to look into that.

There is an oddity as well, The client is failing to verify the server due to CONNECTION_CLOSE (Transport) Error code: CRYPTO_ERROR (Unknown CA), TLS Alert Description: Unknown CA (48). This is somewhat expected due to the cert being self signed. But setting the CA doesn't fix this. Just another thing to look into.

[CMCDragonkai]

The standard TLS verification logic should accept a cert if it is trusted and if it put into the CA, it should be trusted.

However there are details relating to how CA verification works and the chain verification procedure that I may have forgotten.

See this guideline:

https://en.m.wikipedia.org/wiki/Certification_path_validation_algorithm

Exact details is in RFC 5280

[CMCDragonkai]

Review https://datatracker.ietf.org/doc/html/rfc5280#section-6

[CMCDragonkai]

I followed that when synthesising our custom verification code back in the network domain of PK.

[CMCDragonkai]

You can always play around with actually signing certs by a CA cert. There should be a tutorial on how to do this with step-cli. I've done it before with openssl and step-cli and step-ca is lot easier.

[tegefaulkes]

Some oddities to address

1. Can't get verifying the server to work, providing the server's cert chain as the CA doesn't seem to allow it.
2. It doesn't matter what certs are provided for the client, trying to verify it always succeeds.
3. Client doesn't fail properly when using the OKP signed cert. results in a timeout error and then the test timing out.

[CMCDragonkai]

Can you also do a sanity check against quiche's bundled QUIC server/client code?

See README.md, go to the place and do cargo build --exmaples. There's a quiche-client and quiche-server.

Maybe something is wrong with the binding, and quiche actually can handle it.

[tegefaulkes]

Using certs that are signed by a local CA cert seems to work. tests with verifyPeer enabled are working now so long as we provide the CA.

From what I can tell is that trying to use the tlsConfig cert as the CA cert doesn't work. Using the CA cert for the TLS and the CA cert does not work.

Let me check a few things.

[tegefaulkes]

It seems that it doesn't like our Polykey generated certs as a CA cert. I'm still looking into why.

For comparison

// Generated polykey cert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: Ed25519
        Issuer: CN=IssuerId
        Validity
            Not Before: Apr 19 06:32:15 2023 UTC
            Not After : Apr 18 06:32:15 2024 UTC
        Subject: CN=SubjectID
        Subject Public Key Info:
            Public Key Algorithm: Ed25519
                Public-Key: (32 bit)
                    74:39:84:a5:79:af:eb:81:a0:0a:1d:45:81:80:ba:
                    30:9b:6e:a4:eb:73:98:61:26:ef:b6:74:ca:ed:17:
                    4d:1a
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE
            X509v3 Key Usage:
                Digital Signature, Content Commitment, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign
            X509v3 Extended Key Usage:
                Server Authentication, Client Authentication, Code Signing, E-mail Protection, Time Stamping, OCSP Signing
            X509v3 Subject Key Identifier:
                E6:3B:87:ED:B5:7C:E1:2E:DF:5F:26:D1:71:87:55:35:A3:1F:B1:B6
    Signature Algorithm: Ed25519
         48:fa:16:f4:90:bf:e7:59:a0:4f:12:63:ff:5a:99:f5:a0:5f:
         af:d5:fe:8c:a7:21:79:35:ea:25:81:28:e5:6e:3a:1c:31:4a:
         bb:5e:3e:4e:f4:6c:7a:4c:73:39:b9:c8:6d:89:d8:37:f2:fe:
         d4:54:d1:48:5e:d1:5a:00:e5:08

// Step-cli generated CA cert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 141800250074057010007996631794800602776 (0x6aadbc1a24cefc46d73eac50f3ef2e98)
    Signature Algorithm: Ed25519
        Issuer: CN=okpCA
        Validity
            Not Before: Apr 19 05:07:54 2023 UTC
            Not After : Apr 18 05:07:54 2024 UTC
        Subject: CN=okpCA
        Subject Public Key Info:
            Public Key Algorithm: Ed25519
                Public-Key: (32 bit)
                    e9:dc:22:21:c5:04:11:b6:a0:72:cc:db:53:c9:61:
                    0f:68:70:02:6e:b4:23:86:2e:08:ad:f7:2d:f2:8a:
                    d3:9d
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:1
            X509v3 Subject Key Identifier:
                61:B8:9C:4A:48:7F:51:93:DB:F8:7C:24:5D:49:81:FB:20:6F:A4:9F
    Signature Algorithm: Ed25519
         03:6e:ee:65:cf:7f:1f:9a:8b:eb:cd:17:ef:9d:5b:32:60:b3:
         38:1e:bf:56:f8:ba:9c:55:dc:86:89:36:d2:d6:36:86:a8:27:
         e5:62:55:a0:1d:7d:2b:43:5a:f8:96:0c:50:69:13:38:bf:e3:
         bc:ce:dc:d6:5d:c2:e9:45:3f:06

[tegefaulkes]

I've got it to work. It was checking the issuer and subject fields when validating. I need to make sure that these match when generating the certs.

[CMCDragonkai]

Ah yes I forgot about that. That's key. Because otherwise they won't match. You should make sure that the error reporting works and properly indicates what the crypto failure is if possible.

[CMCDragonkai]

Something worth checking is if the server presents 2 certificates, one signed with Ed25519 root CA, and another signed with ECDSA root CA, will a client that does not understand Ed25519 skip over the Ed25519 cert and go up the trust path of the ECDSA cert?

If this is possible, we could potentially solve our browser problem in Polykey because browsers don't understand Ed25519 right now, and then we can present both certs.

Furthermore since the certs would be presented as a concatenated file, another question would be whether the order of this concatenation matters... it's important to make sure that the client doesn't choke on a cert using a signature it does not understand and just skips to another cert.

[tegefaulkes]

I need to review the possible errors for a failing connection. Any lower level error needs to be wrapped in a domain level error.

[tegefaulkes]

Stopping the QUICServer is kind of slow? I'll need to look into that. It may be waiting for connections to time out. I need to check that the connections are properly ending early when the TLS fails. I'll add a test condition for that.

[tegefaulkes]

Odd, the server connection takes about 3 seconds to end if the handshake fails using an OKP cert.

// failure using RSA
1	0.000000000	127.0.0.1	127.0.0.1	QUIC	1242	59513	Initial, DCID=a6b92297c965643a3451baf84736a21b, SCID=2eefeb591ecc4a01a7295a70ca4915d5433d228f, PKN: 0, CRYPTO
2	0.003068262	127.0.0.1	127.0.0.1	QUIC	250	41636	Retry, DCID=2eefeb591ecc4a01a7295a70ca4915d5433d228f, SCID=4b9c23098f7e2eff5bf4a5d4e9f84433bc74a4c2
3	0.003879451	127.0.0.1	127.0.0.1	QUIC	1242	59513	Initial, DCID=4b9c23098f7e2eff5bf4a5d4e9f84433bc74a4c2, SCID=2eefeb591ecc4a01a7295a70ca4915d5433d228f, PKN: 1, CRYPTO
4	0.006423819	127.0.0.1	127.0.0.1	QUIC	1242	41636	Handshake, DCID=2eefeb591ecc4a01a7295a70ca4915d5433d228f, SCID=4b9c23098f7e2eff5bf4a5d4e9f84433bc74a4c2, PKN: 0, CRYPTO
5	0.006530618	127.0.0.1	127.0.0.1	QUIC	412	41636	Handshake, DCID=2eefeb591ecc4a01a7295a70ca4915d5433d228f, SCID=4b9c23098f7e2eff5bf4a5d4e9f84433bc74a4c2, PKN: 1, CRYPTO
6	0.007272409	127.0.0.1	127.0.0.1	QUIC	1242	59513	Handshake, DCID=4b9c23098f7e2eff5bf4a5d4e9f84433bc74a4c2, SCID=2eefeb591ecc4a01a7295a70ca4915d5433d228f, PKN: 0, ACK
7	0.008079798	127.0.0.1	127.0.0.1	QUIC	113	59513	Handshake, DCID=4b9c23098f7e2eff5bf4a5d4e9f84433bc74a4c2, SCID=2eefeb591ecc4a01a7295a70ca4915d5433d228f, PKN: 1, CC

// Failure using OKP, takes 3 seconds to end
1	0.000000000	127.0.0.1	127.0.0.1	QUIC	1242	33749	Initial, DCID=253891e61c750c82caeb64019b69eb25, SCID=d1caa633f38242a1e03f21da7e17fc9e896903d5, PKN: 0, CRYPTO
2	0.003466857	127.0.0.1	127.0.0.1	QUIC	250	52569	Retry, DCID=d1caa633f38242a1e03f21da7e17fc9e896903d5, SCID=f1283dcb4ef1c8d3182e9ed47b6f2f6e3cbfae21
3	0.004361246	127.0.0.1	127.0.0.1	QUIC	1242	33749	Initial, DCID=f1283dcb4ef1c8d3182e9ed47b6f2f6e3cbfae21, SCID=d1caa633f38242a1e03f21da7e17fc9e896903d5, PKN: 1, CRYPTO
4	0.006490819	127.0.0.1	127.0.0.1	QUIC	1242	52569	Handshake, DCID=d1caa633f38242a1e03f21da7e17fc9e896903d5, SCID=f1283dcb4ef1c8d3182e9ed47b6f2f6e3cbfae21, PKN: 0, CRYPTO
5	0.007719804	127.0.0.1	127.0.0.1	QUIC	1242	33749	Initial, DCID=f1283dcb4ef1c8d3182e9ed47b6f2f6e3cbfae21, SCID=d1caa633f38242a1e03f21da7e17fc9e896903d5, PKN: 2, CC

Seems that the client ends the connection sooner when using OKP. This may be affecting the clean up logic.

[tegefaulkes]

Looks like there is an underlying logic problem with handling the streams. More specifically, handling streams ending.

I have a feeling it's related to the timeout() and on_timeout() handling.

I think in general I need to review and refactor the event handling for send, recv, close, timeout and on_timeout. Double check they're all called as intended when intended as described by the docs.

[tegefaulkes]

Upstream issue created at cloudflare/quiche#1489.

[tegefaulkes]

I just double checked, setting verifyPeer: true via the quiche config will not fail the TLS if no client certificate was provided. So we do have to set it via the boring::SslContext.

[tegefaulkes]

While the client not failing creation due to the client certificate failing is annoying, it's not critical. The connection will error out due to a TLS failure soon after establishment. AS such, the problem is not critical for moving forward. I'll make an issue for tracking the problem, but otherwise we can more on from it.

[tegefaulkes]

New issue created at #12

[tegefaulkes]

Ah so we ARE receiving the client certificate, it's just after the connection has 'established' due to the aforementioned bug.
I can create a peerCert promise to resolve with the cert. Might not be super useful, by default we don't send a client cert so on the server side that promise may never resolve. Client side always receives the cert.

Timing wise, I think the certs are available the moment the frame containing them is processed.

[tegefaulkes]

small todo

1. Provide common senarios and expected behavours. Server fails cert, client fails cert, client provides no cert. etc etc

[tegefaulkes]

example packet logs

Server authenticates

1	0.000000000	127.0.0.1	127.0.0.1	43777	QUIC	1242	Initial, DCID=5c4e1121b7e0463b7cb825c3b46238ff, SCID=98f94c64ca56545ff50f8764934d1e3d34840770, PKN: 0, CRYPTO
2	0.003712710	127.0.0.1	127.0.0.1	51090	QUIC	250	Retry, DCID=98f94c64ca56545ff50f8764934d1e3d34840770, SCID=d9ae3a45971cd31b1136b7e8727846844120d094
3	0.004854716	127.0.0.1	127.0.0.1	43777	QUIC	1242	Initial, DCID=d9ae3a45971cd31b1136b7e8727846844120d094, SCID=98f94c64ca56545ff50f8764934d1e3d34840770, PKN: 1, CRYPTO
4	0.007844097	127.0.0.1	127.0.0.1	51090	QUIC	1242	Handshake, DCID=98f94c64ca56545ff50f8764934d1e3d34840770, SCID=d9ae3a45971cd31b1136b7e8727846844120d094, PKN: 0, CRYPTO
5	0.009925021	127.0.0.1	127.0.0.1	43777	QUIC	1242	Handshake, DCID=d9ae3a45971cd31b1136b7e8727846844120d094, SCID=98f94c64ca56545ff50f8764934d1e3d34840770, PKN: 0, ACK, CRYPTO
6	0.010997496	127.0.0.1	127.0.0.1	51090	QUIC	529	Protected Payload (KP0), DCID=98f94c64ca56545ff50f8764934d1e3d34840770, PKN: 0, DONE, CRYPTO
7	0.012072258	127.0.0.1	127.0.0.1	43777	QUIC	85	Protected Payload (KP0), DCID=d9ae3a45971cd31b1136b7e8727846844120d094, PKN: 0, ACK
8	2.013562871	127.0.0.1	127.0.0.1	43777	QUIC	84	Protected Payload (KP0), DCID=d9ae3a45971cd31b1136b7e8727846844120d094, PKN: 1, CC

Client authenticates

1	0.000000000	127.0.0.1	127.0.0.1	33159	QUIC	1242	Initial, DCID=bc038d00a856bbd2deac451c28b7642f, SCID=b67eef3f56aa6bb33f1641d3ad2186544c80c97d, PKN: 0, CRYPTO
2	0.003743760	127.0.0.1	127.0.0.1	39747	QUIC	250	Retry, DCID=b67eef3f56aa6bb33f1641d3ad2186544c80c97d, SCID=ec3a8045de274f1ffb0232d77aad37e818af6806
3	0.005005743	127.0.0.1	127.0.0.1	33159	QUIC	1242	Initial, DCID=ec3a8045de274f1ffb0232d77aad37e818af6806, SCID=b67eef3f56aa6bb33f1641d3ad2186544c80c97d, PKN: 1, CRYPTO
4	0.007996257	127.0.0.1	127.0.0.1	39747	QUIC	1242	Handshake, DCID=b67eef3f56aa6bb33f1641d3ad2186544c80c97d, SCID=ec3a8045de274f1ffb0232d77aad37e818af6806, PKN: 0, CRYPTO
5	0.010223545	127.0.0.1	127.0.0.1	33159	QUIC	1242	Handshake, DCID=ec3a8045de274f1ffb0232d77aad37e818af6806, SCID=b67eef3f56aa6bb33f1641d3ad2186544c80c97d, PKN: 0, ACK, CRYPTO
6	0.011320861	127.0.0.1	127.0.0.1	39747	QUIC	1265	Protected Payload (KP0), DCID=b67eef3f56aa6bb33f1641d3ad2186544c80c97d, PKN: 0, DONE, CRYPTO
7	0.012516271	127.0.0.1	127.0.0.1	33159	QUIC	85	Protected Payload (KP0), DCID=ec3a8045de274f1ffb0232d77aad37e818af6806, PKN: 0, ACK
8	2.013143760	127.0.0.1	127.0.0.1	33159	QUIC	84	Protected Payload (KP0), DCID=ec3a8045de274f1ffb0232d77aad37e818af6806, PKN: 1, CC

Both succeed

1	0.000000000	127.0.0.1	127.0.0.1	46251	QUIC	1242	Initial, DCID=86e1cf0cfd9c2ee47da1e2bdb8042cc6, SCID=49d031267f90cd01dd9945c33bd57c0ec295edd3, PKN: 0, CRYPTO
2	0.003642051	127.0.0.1	127.0.0.1	53021	QUIC	250	Retry, DCID=49d031267f90cd01dd9945c33bd57c0ec295edd3, SCID=b288738a0806cdf651c00020cea8c186c32c4f7b
3	0.004839655	127.0.0.1	127.0.0.1	46251	QUIC	1242	Initial, DCID=b288738a0806cdf651c00020cea8c186c32c4f7b, SCID=49d031267f90cd01dd9945c33bd57c0ec295edd3, PKN: 1, CRYPTO
4	0.007648113	127.0.0.1	127.0.0.1	53021	QUIC	1242	Handshake, DCID=49d031267f90cd01dd9945c33bd57c0ec295edd3, SCID=b288738a0806cdf651c00020cea8c186c32c4f7b, PKN: 0, CRYPTO
5	0.009807038	127.0.0.1	127.0.0.1	46251	QUIC	1242	Handshake, DCID=b288738a0806cdf651c00020cea8c186c32c4f7b, SCID=49d031267f90cd01dd9945c33bd57c0ec295edd3, PKN: 0, ACK, CRYPTO
6	0.010900531	127.0.0.1	127.0.0.1	53021	QUIC	1265	Protected Payload (KP0), DCID=49d031267f90cd01dd9945c33bd57c0ec295edd3, PKN: 0, DONE, CRYPTO
7	0.012040109	127.0.0.1	127.0.0.1	46251	QUIC	85	Protected Payload (KP0), DCID=b288738a0806cdf651c00020cea8c186c32c4f7b, PKN: 0, ACK
8	2.013866149	127.0.0.1	127.0.0.1	46251	QUIC	84	Protected Payload (KP0), DCID=b288738a0806cdf651c00020cea8c186c32c4f7b, PKN: 1, CC

Server fails TLS

1	0.000000000	127.0.0.1	127.0.0.1	35386	QUIC	1242	Initial, DCID=288a0555c31e81f68ace9bcfe716a475, SCID=b9403ae9a9935bceb286e47c606974ea70d9faf8, PKN: 0, CRYPTO
2	0.003781434	127.0.0.1	127.0.0.1	48578	QUIC	250	Retry, DCID=b9403ae9a9935bceb286e47c606974ea70d9faf8, SCID=2d905692ed6e9ffe25ca3b4a05d5f50f66054b1f
3	0.005181244	127.0.0.1	127.0.0.1	35386	QUIC	1242	Initial, DCID=2d905692ed6e9ffe25ca3b4a05d5f50f66054b1f, SCID=b9403ae9a9935bceb286e47c606974ea70d9faf8, PKN: 1, CRYPTO
4	0.008470895	127.0.0.1	127.0.0.1	48578	QUIC	1242	Handshake, DCID=b9403ae9a9935bceb286e47c606974ea70d9faf8, SCID=2d905692ed6e9ffe25ca3b4a05d5f50f66054b1f, PKN: 0, CRYPTO
5	0.072273683	127.0.0.1	127.0.0.1	35386	QUIC	1242	Initial, DCID=2d905692ed6e9ffe25ca3b4a05d5f50f66054b1f, SCID=b9403ae9a9935bceb286e47c606974ea70d9faf8, PKN: 2, CC

Client fails TLS

1	0.000000000	127.0.0.1	127.0.0.1	43613	QUIC	1242	Initial, DCID=14f1edd18f184bd45eef8706194bdeee, SCID=0d2efac2a8f13537293b3c287ba350df125398d6, PKN: 0, CRYPTO
2	0.003729817	127.0.0.1	127.0.0.1	57027	QUIC	250	Retry, DCID=0d2efac2a8f13537293b3c287ba350df125398d6, SCID=e2de01152dd4163e93937984346849ff9c44286f
3	0.004878576	127.0.0.1	127.0.0.1	43613	QUIC	1242	Initial, DCID=e2de01152dd4163e93937984346849ff9c44286f, SCID=0d2efac2a8f13537293b3c287ba350df125398d6, PKN: 1, CRYPTO
4	0.008069057	127.0.0.1	127.0.0.1	57027	QUIC	1242	Handshake, DCID=0d2efac2a8f13537293b3c287ba350df125398d6, SCID=e2de01152dd4163e93937984346849ff9c44286f, PKN: 0, CRYPTO
5	0.068587075	127.0.0.1	127.0.0.1	43613	QUIC	1242	Handshake, DCID=e2de01152dd4163e93937984346849ff9c44286f, SCID=0d2efac2a8f13537293b3c287ba350df125398d6, PKN: 0, ACK, CRYPTO
6	0.076402952	127.0.0.1	127.0.0.1	43613	QUIC	581	Handshake, DCID=e2de01152dd4163e93937984346849ff9c44286f, SCID=0d2efac2a8f13537293b3c287ba350df125398d6, PKN: 1, ACK, CRYPTO
7	0.107512091	127.0.0.1	127.0.0.1	57027	QUIC	113	Handshake, DCID=0d2efac2a8f13537293b3c287ba350df125398d6, SCID=e2de01152dd4163e93937984346849ff9c44286f, PKN: 1, CC
8	0.108881597	127.0.0.1	127.0.0.1	43613	QUIC	581	Handshake, DCID=e2de01152dd4163e93937984346849ff9c44286f, SCID=0d2efac2a8f13537293b3c287ba350df125398d6, PKN: 2, ACK, CRYPTO
9	0.109154241	127.0.0.1	127.0.0.1	43613	QUIC	115	Handshake, DCID=e2de01152dd4163e93937984346849ff9c44286f, SCID=0d2efac2a8f13537293b3c287ba350df125398d6, PKN: 3, ACK, PING

Both fail TLS

1	0.000000000	127.0.0.1	127.0.0.1	47382	QUIC	1242	Initial, DCID=6a02b909e5208f2d8d80e05b1752e843, SCID=91b46b709b05ca483a2b24dfa431a89bfa650481, PKN: 0, CRYPTO
2	0.004604426	127.0.0.1	127.0.0.1	44551	QUIC	250	Retry, DCID=91b46b709b05ca483a2b24dfa431a89bfa650481, SCID=d4c44ca38da26213204b54ed7ccb50253a11bf2e
3	0.006025339	127.0.0.1	127.0.0.1	47382	QUIC	1242	Initial, DCID=d4c44ca38da26213204b54ed7ccb50253a11bf2e, SCID=91b46b709b05ca483a2b24dfa431a89bfa650481, PKN: 1, CRYPTO
4	0.009326331	127.0.0.1	127.0.0.1	44551	QUIC	1242	Handshake, DCID=91b46b709b05ca483a2b24dfa431a89bfa650481, SCID=d4c44ca38da26213204b54ed7ccb50253a11bf2e, PKN: 0, CRYPTO
5	0.069720954	127.0.0.1	127.0.0.1	47382	QUIC	1242	Initial, DCID=d4c44ca38da26213204b54ed7ccb50253a11bf2e, SCID=91b46b709b05ca483a2b24dfa431a89bfa650481, PKN: 2, CC

[CMCDragonkai]

Can you explain what the intended behaviour for each of the 6 situation is?