Closed xmh0511 closed 3 months ago
Under what circumstances does this occur?
On Linux, specifically Ubuntu 20. The example cannot work with the certificate provided in the example.
I see, it might be an improperly handled error during certificate verification.
If this is truly the case, this seems to be the culprit: https://github.com/M0dEx/quincy/blob/c8240300da742624ae2fd9b1d5a7795c27c21c37/src/server.rs#L116
This error should not be propagated and kill the entire server, it should just be logged and processed correctly.
Could you install Quincy with the following command and try it again?
```shell
cargo install quincy --git https://github.com/M0dEx/quincy.git --branch '#52/server-handshake-error'
```
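The point in the comment above is an availability one: if a failed handshake with a single misconfigured client is propagated out of the accept loop with `?`, that client takes the whole server down for every other user. The following Rust sketch is an added illustration, not Quincy's code; the `Incoming` struct and the `HandshakeError` enum are constructed stand-ins for a real QUIC connection future and its error type, and the sample peers are made up.

```rust
// Added illustration (not Quincy's code): why a per-connection handshake
// failure must be logged inside the accept loop rather than propagated out of it.
use std::fmt;

#[derive(Debug, Clone, PartialEq)]
pub enum HandshakeError {
    AbortedByPeer,
    InvalidPeerCertificate(String),
}

impl fmt::Display for HandshakeError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            HandshakeError::AbortedByPeer => write!(f, "aborted by peer"),
            HandshakeError::InvalidPeerCertificate(why) => {
                write!(f, "invalid peer certificate: {why}")
            }
        }
    }
}

/// One incoming connection attempt as the server sees it (constructed stand-in
/// for a real QUIC connecting future that resolves to a handshake result).
pub struct Incoming {
    pub peer: &'static str,
    pub handshake: Result<(), HandshakeError>,
}

/// Fragile pattern: `?` on the per-connection result bubbles the error out of
/// the loop, so the first client with a bad certificate stops the server.
pub fn serve_fragile(incoming: &[Incoming]) -> Result<usize, HandshakeError> {
    let mut established = 0;
    for conn in incoming {
        conn.handshake.clone()?; // returns early on the first failure
        established += 1;
    }
    Ok(established)
}

/// Robust pattern: record the failure with the peer address and keep serving.
/// Returns the number of established connections and the warnings logged.
pub fn serve_robust(incoming: &[Incoming]) -> (usize, Vec<String>) {
    let mut established = 0;
    let mut warnings = Vec::new();
    for conn in incoming {
        match &conn.handshake {
            Ok(()) => established += 1,
            Err(e) => warnings.push(format!(
                "Connection handshake with client '{}' failed: {}",
                conn.peer, e
            )),
        }
    }
    (established, warnings)
}

/// Constructed sample: three clients, the second one aborting its handshake.
pub fn sample_incoming() -> Vec<Incoming> {
    vec![
        Incoming { peer: "10.0.0.1", handshake: Ok(()) },
        Incoming { peer: "10.0.0.2", handshake: Err(HandshakeError::AbortedByPeer) },
        Incoming { peer: "10.0.0.3", handshake: Ok(()) },
    ]
}

fn main() {
    let sample = sample_incoming();
    println!("fragile: {:?}", serve_fragile(&sample));
    let (ok, warnings) = serve_robust(&sample);
    println!("robust: {ok} connections established");
    for w in &warnings {
        println!("WARN {w}");
    }
}
```

With the sample input the fragile loop returns the error after one connection and never reaches the third client; the robust loop establishes two connections and emits one warning naming the failing peer, which is the behaviour the patched branch is meant to produce.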
After the patch, the server side won't crash and will give the warning
```
Connection handshake with client 'x.x.x.x' failed: aborted by peer: the application or application protocol caused the connection to be closed during the handshake
```
However, the provided example does not work; the client side will report an error:
```
A critical error occurred: the cryptographic handshake failed: error 42: invalid peer certificate: NotValidForName
```
All certificates used are the ones provided by the example.
Yes, this is due to the example certificate being generated for the hostname `quincy`. You can either add a record to `/etc/hosts` with the correct IP address, or generate your own certificate using the steps in the README.
Did you manage to get the example running with either the correct hostname or with a new certificate?
Does that mean the value of the `connection_string` in `client.toml` must be in the form `domain:port`? I tried to generate the certificate on my server but it cannot generate the certificate.
Yes, the `connection_string` is in the format `hostname:port`, where the `hostname` must be present in the Subject Alternative Name section of the server certificate.
It still does not work. I used `mkcert` to generate the certificate for the domain `xxx.xxx`, then the client still reports
```
A critical error occurred: the cryptographic handshake failed: error 48: invalid peer certificate: UnknownIssuer
```
For example, assume my hostname is `www.xxx.com`, then I use `mkcert` to generate the certificate by running the command
```shell
mkcert www.xxx.com
```
Then I got two files, `server_cert.pem` and `server_key.pem`. The `server.toml` is
```toml
bind_port = 8888
name = "tun0"
certificate_file = "cert/server_cert.pem"
certificate_key_file = "cert/server_key.pem"
address_tunnel = "20.0.0.1"
address_mask = "255.255.255.0"
users_file = "users"

[connection]
mtu = 1400

[log]
level = "info"
```
The `client.toml` is
```toml
connection_string = "www.xxx.com:8888"

[authentication]
username = "abc"
password = "abc"

trusted_certificates = ["cert/server_cert.pem"]

[connection]
mtu = 1400

[log]
level = "info"
```
The server side will report
```
quincy::server: Connection handshake with client 'xx.xx.xx.xx' failed: aborted by peer: the application or application protocol caused the connection to be closed during the handshake
```
and the client side will report
```
A critical error occurred: the cryptographic handshake failed: error 48: invalid peer certificate: UnknownIssuer
```
On the client side, you must set the `trusted_certificates` to the CA certificate rather than the server certificate. The issue reported by the client is that RusTLS cannot verify the server certificate, as it does not have the CA certificate in its trust store.
Closing due to inactivity.
ERROR quincy_server: A critical error occurred: aborted by peer: the application or application protocol caused the connection to be closed during the handshake
which causes the whole server-side program to terminate.