private-octopus / picoquic

Minimal implementation of the QUIC protocol
MIT License

Allow OpenSSL verifier to be called with NULL SNI #1673

Closed davidk-ad8 closed 5 months ago

davidk-ad8 commented 5 months ago

Removed NULL SNI check in picoquic_create_cnx

Following this recent Picotls change https://github.com/h2o/picotls/pull/520 the verifier now skips the client side SNI check if it is NULL.

This change resolves #1184

huitema commented 5 months ago

We also need to understand why the "CiTest" run is failing, with the diagnostic:

Starting test number 335, cert_verify_null_sni
picoquic_ct: /home/runner/work/picoquic/picoquic/build/_deps/picotls-src/lib/openssl.c:1560: verify_cert_chain: Assertion `server_name != NULL && "ptls_set_server_name MUST be called"' failed.
<end of output>
Test time =  30.87 sec
davidk-ad8 commented 5 months ago

I'll update the test suite. Picotls only merged the changes a few days ago so the version pulled in by Picoquic will need to be updated too.

davidk-ad8 commented 5 months ago

I've updated tls_api_test_with_loss and Picotls has been updated to the latest commit needed to support these changes.

I've run picoquic_ct locally and all tests pass. mediatest_video2_back failed the first time with the message

Max latency expected: 600000, got 615833

but it succeeded on the next 2 runs.