[HTTP/3] Certificate name validation different than HTTP/1.1?

[JamesNK]

I have a Kestrel server configured to serve HTTP/1.1 and HTTP/3 on the same port with the same certificate. The certificate is the ASP.NET Core development certificate.

HttpClient throws this error when calling with HTTP/1.1:

    System.Net.Http.HttpRequestException : The SSL connection could not be established, see inner exception.
    ---- System.Security.Authentication.AuthenticationException : The remote certificate is invalid according to the validation procedure: RemoteCertificateNameMismatch

I need to setup a handler with ServerCertificateCustomValidationCallback = HttpClientHandler.DangerousAcceptAnyServerCertificateValidator to successfully call it.

Meanwhile, HttpClient calling HTTP/3 doesn't need the validation callback. It happily accepts the dev certificate as trusted.

Should HTTP/1.1 and HTTP/2 have different certificate validation behavior than HTTP/3?

[ghost]

Tagging subscribers to this area: @dotnet/ncl
See info in area-owners.md if you want to be subscribed.

Issue Details

---

I have a Kestrel server configured to serve HTTP/1.1 and HTTP/3 on the same port with the same certificate. The certificate is the ASP.NET Core development certificate.

HttpClient throws this error when calling with HTTP/1.1:

    System.Net.Http.HttpRequestException : The SSL connection could not be established, see inner exception.
    ---- System.Security.Authentication.AuthenticationException : The remote certificate is invalid according to the validation procedure: RemoteCertificateNameMismatch

I need to setup a handler with ServerCertificateCustomValidationCallback = HttpClientHandler.DangerousAcceptAnyServerCertificateValidator to successfully call it.

Meanwhile, HttpClient calling HTTP/3 doesn't need the validation callback. It happily accepts the dev certificate as trusted.

Author:	JamesNK
Assignees:	-
Labels:	area-System.Net.Http
Milestone:	-

[wfurt]

I assume this is on Windows? Can you please post your dev certificate? I would not expect differences but this would help with investigation.

[JamesNK]

Yes, this is Windows.

Password is "quic"
devcert.zip

btw my test has the client calling 127.0.0.1. Dev cert is for localhost.

[wfurt]

Is the certificate trusted @JamesNK ? I used code from #55192 without the validation callback and it works fine for me:

C:\Users\test\source\repos\h3> C:\Users\test\source\repos\h3\bin\Debug\net6.0\win-x64\publish\h3
Hello World! HTTP/3

Now the mapping 127.0.0.1 <-> localhost should not work IMHO unless the address is in AlternativeSubjectName.

[JamesNK]

I think the cert is trusted.

The issue isn't that HttpClient failed to make an HTTP/3 call. It succeeds on my computer. The issue is that HttpClient gets a validation error for HTTP/1.1 and HTTP/2.

Why are they different? Why doesn't HTTP/3 complain that the host name and certificate name are different?

[wfurt]

I understand but I was not able to reproduce it. I assume it works if you use the localhost? Perhaps you can create simple repro with both client & server and cert from file?

[JamesNK]

Repo is in dotnet/aspnetcore#34104

Test: Listen_Http3AndSocketsCoexistOnSameEndpoint_ClientSuccess. The CallHttp3AndHttp1EndpointsAsync method specifically. HTTP/3 call works without a callback, while HTTP/1.1 call requires it.

[wfurt]

I get it now. The complain is that QICK/H3 work but it should not. I know what the problem is.