Open tegefaulkes opened 1 year ago
Digging through the code, is_established gets its value from self.handshake_completed which is set at
https://github.com/cloudflare/quiche/blob/0b37da1cc564e40749ba650febd40586a4355be4/quiche/src/lib.rs#L6431
This is getting the value from https://github.com/cloudflare/quiche/blob/0b37da1cc564e40749ba650febd40586a4355be4/quiche/src/tls.rs#L784
According to https://www.openssl.org/docs/man1.1.1/man3/SSL_in_init.html
SSL_in_init() returns 1 if the SSL/TLS state machine is currently processing or awaiting handshake messages, or 0 otherwise.
This seems to be the wrong thing to be using here? If we're still processing the handshake then the handshake isn't done yet. Shouldn't it use SSL_is_init_finished instead?
SSL_is_init_finished() returns 1 if the SSL/TLS connection is in a state where fully protected application data can be transferred or 0 otherwise.
And the handshake only completes once the HANDSHAKE_DONE frame (shown as DONE in the packet logs) has been sent.
Nope, per RFC9001, Section 4.1.1:
In this document, the TLS handshake is considered complete when the TLS stack has reported that the handshake is complete.
Which is what SSL_in_init() does.
HANDSHAKE_DONE is used for handshake confirmation... they are different things.
Shouldn't it use SSL_is_init_finished instead?
I don't think it would make any difference, since in BoringSSL that just calls SSL_in_init()
https://github.com/google/boringssl/blob/master/ssl/ssl_lib.cc#L2787-L2789
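The distinction drawn in the reply above, as an added example that is not part of the thread and is not quiche code: a client-side tracker that keeps "complete" (TLS stack reports completion, RFC 9001 Section 4.1.1) separate from "confirmed" (HANDSHAKE_DONE received, RFC 9001 Section 4.1.2) and classifies a CONNECTION_CLOSE carrying a TLS alert (CRYPTO_ERROR, 0x0100 plus the alert) that arrives in between. All type and function names are hypothetical, and the event sequences are constructed.

```rust
// Added example: models RFC 9001 handshake states on the client.
// All names are hypothetical; this is not the quiche API.
#[derive(Debug, PartialEq, Clone, Copy)]
enum State { InProgress, Complete, Confirmed, Rejected { alert: u8 }, Closed }

// Events a client might observe, in order of arrival.
#[derive(Clone, Copy)]
enum Event {
    TlsHandshakeComplete, // TLS stack reports completion (RFC 9001 4.1.1)
    HandshakeDoneFrame,   // HANDSHAKE_DONE received (RFC 9001 4.1.2)
    ConnectionClose(u64), // CONNECTION_CLOSE with a transport error code
}

// RFC 9001 4.8: TLS alerts are carried as CRYPTO_ERROR codes 0x0100..=0x01ff.
fn tls_alert(code: u64) -> Option<u8> {
    if (0x0100..=0x01ff).contains(&code) { Some((code - 0x0100) as u8) } else { None }
}

fn step(state: State, ev: Event) -> State {
    match (state, ev) {
        (State::InProgress, Event::TlsHandshakeComplete) => State::Complete,
        (State::Complete, Event::HandshakeDoneFrame) => State::Confirmed,
        // A TLS alert before confirmation means the peer rejected the handshake,
        // even if the local TLS stack already reported completion.
        (State::InProgress | State::Complete, Event::ConnectionClose(c)) => match tls_alert(c) {
            Some(alert) => State::Rejected { alert },
            None => State::Closed,
        },
        (State::Confirmed, Event::ConnectionClose(_)) => State::Closed,
        (s, _) => s, // other events do not change the state
    }
}

fn run(events: &[Event]) -> State {
    events.iter().fold(State::InProgress, |s, e| step(s, *e))
}

fn main() {
    // Constructed sequences: the peer closes with alert 42 (bad_certificate)
    // after local completion, versus a handshake that gets confirmed.
    let rejected = [Event::TlsHandshakeComplete, Event::ConnectionClose(0x012a)];
    let accepted = [Event::TlsHandshakeComplete, Event::HandshakeDoneFrame];
    println!("{:?}", run(&rejected));
    println!("{:?}", run(&accepted));
}
```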
Ah, sorry for my misunderstanding, I'm pretty new to this library. If this is intended behaviour then I had a bad assumption about when a connection is considered established.
Digging deeper into my problem. In my code, to avoid a TlsFail error after I consider the connection fully established, I need to know on the client side when the connection has fully completed the TLS handshake or if the HANDSHAKE_DONE frame has been received.
Is there a way to know when this stage in the connection has been reached?
For reference https://github.com/MatrixAI/js-quic/issues/9#issuecomment-1519298781.
For context, I have a test in our code that checks if a connection fails if the server fails to authenticate the client. My expectation here is that the server will end up with a TlsFail error and close the connection. The client should see the closing frame with the TLS error BEFORE the handshake has completed and is_established() returns true.
What I am seeing is that the client's is_established() is returning true very early in the handshake procedure.
It is my understanding that is_established() should only return true once the handshake has completed. And the handshake only completes once the HANDSHAKE_DONE frame (shown as DONE in the packet logs) has been sent.
For reference, here are the packet logs for a connection that succeeds.
Here we see that the client is established far before the DONE frame is sent in packet 7.
So is this a bug with quiche?