[HTTP/3] Certificate name validation different than HTTP/1.1? #55193
Tagging subscribers to this area: @dotnet/ncl
Issue Details
I have a Kestrel server configured to serve HTTP/1.1 and HTTP/3 on the same port with the same certificate. The certificate is the ASP.NET Core development certificate.
I need to setup a handler with Meanwhile,
|
I assume this is on Windows? Can you please post your dev certificate? I would not expect differences but this would help with investigation. |
Yes, this is Windows. Password is "quic" btw my test has the client calling 127.0.0.1. Dev cert is for localhost. |
Is the certificate trusted @JamesNK ? I used code from #55192 without the validation callback and it works fine for me:
Now the mapping |
I think the cert is trusted. The issue isn't that HttpClient failed to make an HTTP/3 call. It succeeds on my computer. The issue is that HttpClient gets a validation error for HTTP/1.1 and HTTP/2. Why are they different? Why doesn't HTTP/3 complain that the host name and certificate name are different? |
I understand but I was not able to reproduce it. I assume it works if you use the |
Repo is in dotnet/aspnetcore#34104 Test: |
I get it now. The complaint is that QUIC/H3 works but it should not. I know what the problem is. |
I have a Kestrel server configured to serve HTTP/1.1 and HTTP/3 on the same port with the same certificate. The certificate is the ASP.NET Core development certificate.

`HttpClient` throws this error when calling with HTTP/1.1:

I need to set up a handler with `ServerCertificateCustomValidationCallback = HttpClientHandler.DangerousAcceptAnyServerCertificateValidator` to successfully call it.

Meanwhile, `HttpClient` calling HTTP/3 doesn't need the validation callback. It happily accepts the dev certificate as trusted.

Should HTTP/1.1 and HTTP/2 have different certificate validation behavior than HTTP/3?
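
A narrower alternative to `DangerousAcceptAnyServerCertificateValidator` for a test client, as an added example that is not from the issue or from dotnet/runtime: the callback pins one certificate and checks the request host against it itself, so the outcome does not depend on what the transport reports for a given HTTP version. `PinnedDevCertValidation`, its methods, the generated certificate and port 5001 are constructed for illustration; `MatchesHostname` requires .NET 7 or later.

```csharp
using System;
using System.Net.Http;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper class; names are not part of any .NET API.
static class PinnedDevCertValidation
{
    // Accept the server certificate only if it is the pinned certificate AND it is
    // valid for the host in the request URI. The name check is done here instead of
    // relying on the SslPolicyErrors flags passed in by the handler.
    public static bool Validate(HttpRequestMessage request, X509Certificate2? cert,
                                string pinnedSha256Hex)
    {
        if (cert is null || request.RequestUri is null) return false;
        string actual = Convert.ToHexString(SHA256.HashData(cert.RawData));
        bool pinned = string.Equals(actual, pinnedSha256Hex, StringComparison.OrdinalIgnoreCase);
        // IdnHost yields the bare host (no IPv6 brackets); IP literals match only IP SANs.
        bool nameOk = cert.MatchesHostname(request.RequestUri.IdnHost);
        return pinned && nameOk;
    }

    // Wiring for a real client: same callback regardless of the HTTP version requested.
    public static HttpClientHandler CreateHandler(string pinnedSha256Hex) => new()
    {
        ServerCertificateCustomValidationCallback =
            (request, cert, chain, errors) => Validate(request, cert, pinnedSha256Hex)
    };

    static void Main()
    {
        // Constructed stand-in for a development certificate issued to "localhost".
        using var key = RSA.Create(2048);
        var req = new CertificateRequest("CN=localhost", key, HashAlgorithmName.SHA256,
                                         RSASignaturePadding.Pkcs1);
        var san = new SubjectAlternativeNameBuilder();
        san.AddDnsName("localhost");
        req.CertificateExtensions.Add(san.Build());
        using var cert = req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1),
                                              DateTimeOffset.UtcNow.AddDays(30));
        string pin = Convert.ToHexString(SHA256.HashData(cert.RawData));

        // Offline check: no connection is made, only the callback logic is exercised.
        foreach (var url in new[] { "https://localhost:5001/", "https://127.0.0.1:5001/" })
        {
            using var msg = new HttpRequestMessage(HttpMethod.Get, url);
            Console.WriteLine($"{msg.RequestUri!.IdnHost}: accepted={Validate(msg, cert, pin)}");
        }
    }
}
```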