M0dEx / quincy

QUIC-based VPN
MIT License

The server side can panic #52

Closed xmh0511 closed 3 months ago

xmh0511 commented 3 months ago

ERROR quincy_server: A critical error occurred: aborted by peer: the application or application protocol caused the connection to be closed during the handshake

which causes the whole server-side program to terminate.

M0dEx commented 3 months ago

Under what circumstances does this occur?

xmh0511 commented 3 months ago

On Linux, specifically Ubuntu 20. The example cannot work with the certificate provided in the example.

M0dEx commented 3 months ago

I see, it might be an improperly handled error during certificate verification.

If this is truly the case, this seems to be the culprit: https://github.com/M0dEx/quincy/blob/c8240300da742624ae2fd9b1d5a7795c27c21c37/src/server.rs#L116

This error should not be propagated and kill the entire server, it should just be logged and processed correctly.
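As an added illustration of the point above (example code written for this thread, not Quincy's own `server.rs`): the difference between an accept loop that applies `?` to a per-connection handshake error and one that scopes the failure to that connection. The `Incoming` queue, the peer addresses and the `handshake` stub are constructed stand-ins; the error strings mirror the messages quoted in this issue.

```rust
use std::fmt;

/// Reasons a handshake can fail, modelled on the two messages quoted in this thread.
#[derive(Debug, Clone, PartialEq)]
enum HandshakeError {
    AbortedByPeer,
    InvalidPeerCertificate(String),
}

impl fmt::Display for HandshakeError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            HandshakeError::AbortedByPeer => write!(
                f,
                "aborted by peer: the application or application protocol caused the connection to be closed during the handshake"
            ),
            HandshakeError::InvalidPeerCertificate(why) => write!(f, "invalid peer certificate: {why}"),
        }
    }
}

/// Constructed stand-in for an incoming connection attempt: who connected and how its handshake ends.
struct Incoming {
    peer: &'static str,
    outcome: Result<(), HandshakeError>,
}

/// Stand-in for the real QUIC/TLS handshake: yields a session id or the failure (assumed shape).
fn handshake(conn: &Incoming) -> Result<String, HandshakeError> {
    conn.outcome.clone().map(|_| format!("session-{}", conn.peer))
}

/// The pattern the thread identifies as the culprit: `?` on a per-connection error returns
/// from the accept loop, so a single client that aborts its handshake takes the server down.
fn accept_loop_propagating(queue: &[Incoming]) -> Result<Vec<String>, HandshakeError> {
    let mut sessions = Vec::new();
    for conn in queue {
        let session = handshake(conn)?; // one bad peer ends the whole loop
        sessions.push(session);
    }
    Ok(sessions)
}

/// Corrected pattern: a failed handshake is logged as a warning for that connection only,
/// and the loop keeps accepting everyone else.
fn accept_loop_resilient(queue: &[Incoming]) -> (Vec<String>, Vec<String>) {
    let mut sessions = Vec::new();
    let mut warnings = Vec::new();
    for conn in queue {
        match handshake(conn) {
            Ok(session) => sessions.push(session),
            Err(err) => {
                let msg = format!("Connection handshake with client '{}' failed: {}", conn.peer, err);
                eprintln!("WARN {msg}");
                warnings.push(msg);
            }
        }
    }
    (sessions, warnings)
}

/// Constructed queue: a good client, one that aborts, one with an untrusted cert, another good client.
fn sample_queue() -> Vec<Incoming> {
    vec![
        Incoming { peer: "203.0.113.10", outcome: Ok(()) },
        Incoming { peer: "203.0.113.11", outcome: Err(HandshakeError::AbortedByPeer) },
        Incoming { peer: "198.51.100.7", outcome: Err(HandshakeError::InvalidPeerCertificate("UnknownIssuer".into())) },
        Incoming { peer: "203.0.113.12", outcome: Ok(()) },
    ]
}

fn main() {
    let queue = sample_queue();
    match accept_loop_propagating(&queue) {
        Ok(sessions) => println!("propagating loop served {} clients", sessions.len()),
        Err(err) => println!("propagating loop died on the first bad client: {err}"),
    }
    let (sessions, warnings) = accept_loop_resilient(&queue);
    println!("resilient loop: {} sessions, {} warnings", sessions.len(), warnings.len());
}
```

With the constructed queue the propagating loop returns after the second client and never reaches the two good peers that follow; the resilient loop serves both of them and records two warnings, which is the behaviour the follow-up comments in this thread report after the patch.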

M0dEx commented 3 months ago

Could you install Quincy with the following command and try it again?

cargo install quincy --git https://github.com/M0dEx/quincy.git --branch '#52/server-handshake-error'

xmh0511 commented 3 months ago

After the patch, the server side won't crash and will give the warning

Connection handshake with client 'x.x.x.x' failed: aborted by peer: the application or application protocol caused the connection to be closed during the handshake

However, the provided example does not work, the client side will report an error that

A critical error occurred: the cryptographic handshake failed: error 42: invalid peer certificate: NotValidForName

All certificates used are the ones provided by the example.

M0dEx commented 3 months ago

> After the patch, the server side won't crash and will give the warning
>
> Connection handshake with client 'x.x.x.x' failed: aborted by peer: the application or application protocol caused the connection to be closed during the handshake
>
> However, the provided example does not work, the client side will report an error that
>
> A critical error occurred: the cryptographic handshake failed: error 42: invalid peer certificate: NotValidForName
>
> All certificates used are the ones provided by the example.

Yes, this is due to the example certificate being generated for the hostname quincy. You can either add a record to /etc/hosts with the correct IP address, or generate your own certificate using the steps in the README.

M0dEx commented 3 months ago

Did you manage to get the example running with either the correct hostname or with a new certificate?

xmh0511 commented 3 months ago

> Did you manage to get the example running with either the correct hostname or with a new certificate?

Does that mean the value of the connection_string in client.toml must be of the form domain:port? I tried to generate the certificate on my server but it cannot generate the certificate.

M0dEx commented 3 months ago

> Did you manage to get the example running with either the correct hostname or with a new certificate?
>
> Does that mean the value of the connection_string in client.toml must be of the form domain:port? I tried to generate the certificate on my server but it cannot generate the certificate.

Yes, the connection_string is in the format hostname:port, where the hostname must be present in the Subject Alternative Name section of the server certificate.
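The name check that produces the NotValidForName error quoted earlier, as an added example (written for this thread, not Quincy's or rustls's code): the host part of connection_string is matched against the certificate's Subject Alternative Name entries, an IP literal only ever matches an iPAddress entry, and a dNSName wildcard covers exactly one leftmost label. The SAN lists, the `SanEntry` type and the sample hosts are constructed; the example certificate in this thread is assumed to carry the single dNSName "quincy", as the comment above states.

```rust
use std::net::IpAddr;

/// Outcome of the name check, mirroring the client error quoted in this thread.
#[derive(Debug, PartialEq)]
enum NameCheck {
    Valid,
    NotValidForName,
}

/// Subject Alternative Name entries relevant to a VPN server certificate (constructed model).
#[derive(Debug, Clone, PartialEq)]
enum SanEntry {
    Dns(String),
    Ip(IpAddr),
}

/// Split "host:port" (or "[v6]:port"), returning the bare host; None if the string is malformed.
fn host_from_connection_string(s: &str) -> Option<&str> {
    let (host, port) = s.rsplit_once(':')?;
    port.parse::<u16>().ok()?;
    let host = host.trim_start_matches('[').trim_end_matches(']');
    if host.is_empty() { None } else { Some(host) }
}

/// Case-insensitive dNSName match; a "*." wildcard covers one leftmost label only and
/// never the bare domain (the RFC 6125 rule that TLS stacks apply).
fn dns_name_matches(pattern: &str, host: &str) -> bool {
    let pattern = pattern.to_ascii_lowercase();
    let host = host.to_ascii_lowercase();
    match pattern.strip_prefix("*.") {
        Some(suffix) if !suffix.contains('*') => match host.split_once('.') {
            Some((label, rest)) => !label.is_empty() && rest == suffix,
            None => false,
        },
        _ => pattern == host,
    }
}

/// Decide whether the host the client dialled is covered by the server certificate's SANs.
fn check_peer_name(connection_string: &str, sans: &[SanEntry]) -> NameCheck {
    let host = match host_from_connection_string(connection_string) {
        Some(h) => h,
        None => return NameCheck::NotValidForName,
    };
    let covered = match host.parse::<IpAddr>() {
        // An IP literal is compared only against iPAddress entries, never against dNSName.
        Ok(ip) => sans.iter().any(|s| matches!(s, SanEntry::Ip(a) if *a == ip)),
        Err(_) => sans.iter().any(|s| matches!(s, SanEntry::Dns(d) if dns_name_matches(d, host))),
    };
    if covered { NameCheck::Valid } else { NameCheck::NotValidForName }
}

fn main() {
    // Constructed: the example certificate's SAN as described in this thread.
    let example_cert = vec![SanEntry::Dns("quincy".to_string())];
    // Dialling the server by IP cannot match a dNSName, hence NotValidForName.
    println!("{:?}", check_peer_name("203.0.113.5:8888", &example_cert));
    // After adding an /etc/hosts entry and dialling "quincy:8888", the name matches.
    println!("{:?}", check_peer_name("quincy:8888", &example_cert));
    // A certificate issued for www.xxx.com matches that exact name and nothing else.
    let own_cert = vec![SanEntry::Dns("www.xxx.com".to_string())];
    println!("{:?}", check_peer_name("www.xxx.com:8888", &own_cert));
    println!("{:?}", check_peer_name("xxx.com:8888", &own_cert));
}
```

A certificate that is meant to be reached by IP address therefore needs an iPAddress SAN entry; a dNSName entry alone will fail the check no matter what the hosts file says on the server side. (The UnknownIssuer error that appears later in this thread is a separate check, chain building against the trust store, and is not modelled here.)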

xmh0511 commented 3 months ago

It still does not work. I used mkcert to generate the certificate for the domain xxx.xxx, then the client still reports

A critical error occurred: the cryptographic handshake failed: error 48: invalid peer certificate: UnknownIssuer

For example, assume my hostname is www.xxx.com, then I use mkcert to generate the certificate by running the command

mkcert www.xxx.com

Then, I got two files, server_cert.pem and server_key.pem. The server.toml is

bind_port = 8888
name = "tun0"
certificate_file = "cert/server_cert.pem"
certificate_key_file = "cert/server_key.pem"
address_tunnel = "20.0.0.1"
address_mask = "255.255.255.0"
users_file = "users"
[connection]
mtu = 1400
[log]
level = "info"

The client.toml is

connection_string = "www.xxx.com:8888"

[authentication]
username = "abc"
password = "abc"
trusted_certificates = ["cert/server_cert.pem"]
[connection]
mtu = 1400
[log]
level = "info"

The server side will report

quincy::server: Connection handshake with client 'xx.xx.xx.xx' failed: aborted by peer: the application or application protocol caused the connection to be closed during the handshake

the client side will report

A critical error occurred: the cryptographic handshake failed: error 48: invalid peer certificate: UnknownIssuer

M0dEx commented 3 months ago

> It still does not work. I used mkcert to generate the certificate for the domain xxx.xxx, then the client still reports
>
> A critical error occurred: the cryptographic handshake failed: error 48: invalid peer certificate: UnknownIssuer
>
> For example, assume my hostname is www.xxx.com, then I use mkcert to generate the certificate by running the command
>
> mkcert www.xxx.com
>
> Then, I got two files, server_cert.pem and server_key.pem. The server.toml is
>
> bind_port = 8888
> name = "tun0"
> certificate_file = "cert/server_cert.pem"
> certificate_key_file = "cert/server_key.pem"
> address_tunnel = "20.0.0.1"
> address_mask = "255.255.255.0"
> users_file = "users"
> [connection]
> mtu = 1400
> [log]
> level = "info"
>
> The client.toml is
>
> connection_string = "www.xxx.com:8888"
>
> [authentication]
> username = "abc"
> password = "abc"
> trusted_certificates = ["cert/server_cert.pem"]
> [connection]
> mtu = 1400
> [log]
> level = "info"
>
> The server side will report
>
> quincy::server: Connection handshake with client 'xx.xx.xx.xx' failed: aborted by peer: the application or application protocol caused the connection to be closed during the handshake
>
> the client side will report
>
> A critical error occurred: the cryptographic handshake failed: error 48: invalid peer certificate: UnknownIssuer

On the client side, you must set the trusted_certificates to the CA certificate rather than the server certificate. The issue reported by the client is that RusTLS cannot verify the server certificate, as it does not have the CA certificate in its trust store.

M0dEx commented 3 months ago

Closing due to inactivity.