From 90adc590871c157c3218594092fd39be0a5d1fcc Mon Sep 17 00:00:00 2001
From: Julian Oes
Date: Thu, 18 Sep 2025 20:33:19 +1200
Subject: [PATCH] Only set certificate file credentials when files are provided

The quic_load_sdk_config function was unconditionally setting QUIC_CREDENTIAL_TYPE_CERTIFICATE_FILE even when certfile/keyfile were empty strings, causing ConfigurationLoadCredential to fail for client-only TLS scenarios. Per Microsoft QUIC API spec, QUIC_CREDENTIAL_TYPE_NONE should be used for client-only scenarios without client certificates. Fixes client-only QUIC TLS connections while preserving mutual TLS.
---
 src/supplemental/quic/quic_api.c | 41 ++++++++++++++++----------------
 1 file changed, 21 insertions(+), 20 deletions(-)

diff --git a/src/supplemental/quic/quic_api.c b/src/supplemental/quic/quic_api.c
index fa54344f..b9f6c8d9 100644
--- a/src/supplemental/quic/quic_api.c
+++ b/src/supplemental/quic/quic_api.c
@@ -270,23 +270,27 @@ quic_load_sdk_config(BOOLEAN Unsecure)
 	char *key_path = node->tls.keyfile;
 	char *password = node->tls.key_password;
 
-	if (password) {
-		QUIC_CERTIFICATE_FILE_PROTECTED *CertFile =
-		    (QUIC_CERTIFICATE_FILE_PROTECTED *) malloc(sizeof(QUIC_CERTIFICATE_FILE_PROTECTED));
-		CertFile->CertificateFile = cert_path;
-		CertFile->PrivateKeyFile = key_path;
-		CertFile->PrivateKeyPassword = password;
-		CredConfig.CertificateFileProtected = CertFile;
-		CredConfig.Type =
-		    QUIC_CREDENTIAL_TYPE_CERTIFICATE_FILE_PROTECTED;
-	} else {
-		QUIC_CERTIFICATE_FILE *CertFile =
-		    (QUIC_CERTIFICATE_FILE_PROTECTED *) malloc(sizeof(QUIC_CERTIFICATE_FILE_PROTECTED));
-		CertFile->CertificateFile = cert_path;
-		CertFile->PrivateKeyFile = key_path;
-		CredConfig.CertificateFile = CertFile;
-		CredConfig.Type =
-		    QUIC_CREDENTIAL_TYPE_CERTIFICATE_FILE;
+	// Only setup certificate files if we have actual paths (not empty strings)
+	if (cert_path && strlen(cert_path) > 0 && key_path && strlen(key_path) > 0) {
+		if (password) {
+			QUIC_CERTIFICATE_FILE_PROTECTED *CertFile =
+			    (QUIC_CERTIFICATE_FILE_PROTECTED *) malloc(sizeof(QUIC_CERTIFICATE_FILE_PROTECTED));
+			CertFile->CertificateFile = cert_path;
+			CertFile->PrivateKeyFile = key_path;
+			CertFile->PrivateKeyPassword = password;
+			CredConfig.CertificateFileProtected = CertFile;
+			CredConfig.Type =
+			    QUIC_CREDENTIAL_TYPE_CERTIFICATE_FILE_PROTECTED;
+		} else {
+			QUIC_CERTIFICATE_FILE *CertFile =
+			    (QUIC_CERTIFICATE_FILE_PROTECTED *) malloc(sizeof(QUIC_CERTIFICATE_FILE_PROTECTED));
+			CertFile->CertificateFile = cert_path;
+			CertFile->PrivateKeyFile = key_path;
+			CredConfig.CertificateFile = CertFile;
+			CredConfig.Type =
+			    QUIC_CREDENTIAL_TYPE_CERTIFICATE_FILE;
+		}
+		CredConfig.Flags |= QUIC_CREDENTIAL_FLAG_INDICATE_CERTIFICATE_RECEIVED;
 	}
 
 	BOOLEAN verify = (node->tls.verify_peer == true ? 1 : 0);
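Review bot: Moving `CredConfig.Flags |= QUIC_CREDENTIAL_FLAG_INDICATE_CERTIFICATE_RECEIVED;` inside the certificate-file branch (last added line of the hunk) changes behaviour on exactly the client-only path this commit targets: a client with no client certificate but with verify_peer enabled no longer requests the flag (the pre-change code set it unconditionally), so if the connection callback performs any peer-certificate handling on that event it would be skipped — the flag is independent of the credential type and can stay unconditional. The new guard also turns a partial configuration (only one of certfile/keyfile non-empty) into a silent fall-through to no credentials, which a user expecting mutual TLS would not notice, and the QUIC_CREDENTIAL_TYPE_NONE the description relies on is never set explicitly but depends on CredConfig's initializer; an else branch that logs the partial pair and sets the type makes both visible. The two malloc results are still dereferenced unchecked, and the plain-file branch casts to `QUIC_CERTIFICATE_FILE_PROTECTED *` while assigning a `QUIC_CERTIFICATE_FILE *` (harmless over-allocation, but misleading) — both carried over from the removed lines. quic_load_sdk_config starts and ends outside the hunk.
```c
	if (cert_path && strlen(cert_path) > 0 && key_path && strlen(key_path) > 0) {
		// … unchanged: protected / plain certificate-file setup …
	} else {
		if ((cert_path && cert_path[0] != '\0') || (key_path && key_path[0] != '\0')) {
			log_warn("TLS certfile and keyfile must both be set; continuing without a client certificate.");
		}
		CredConfig.Type = QUIC_CREDENTIAL_TYPE_NONE;
	}
	// Independent of the credential type: keep requesting the indication as before.
	CredConfig.Flags |= QUIC_CREDENTIAL_FLAG_INDICATE_CERTIFICATE_RECEIVED;
```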
@@ -298,9 +302,6 @@ quic_load_sdk_config(BOOLEAN Unsecure)
 		CredConfig.Flags |= QUIC_CREDENTIAL_FLAG_INDICATE_CERTIFICATE_RECEIVED;
 		CredConfig.Flags |= QUIC_CREDENTIAL_FLAG_NO_CERTIFICATE_VALIDATION;
 	}
-
-	CredConfig.Type = QUIC_CREDENTIAL_TYPE_CERTIFICATE_FILE;
-	CredConfig.Flags |= QUIC_CREDENTIAL_FLAG_INDICATE_CERTIFICATE_RECEIVED;
 } else {
 	CredConfig.Flags |= QUIC_CREDENTIAL_FLAG_NO_CERTIFICATE_VALIDATION;
 	log_warn("No quic TLS/SSL credentials was specified.");