[QUIC] Fix flags usage on Linux

[ManickaP]

#69603 (comment)

cc @anrossi

[ghost]

Tagging subscribers to this area: @dotnet/ncl
See info in area-owners.md if you want to be subscribed.

Issue Details

---

#69603 (comment)

Author:	ManickaP
Assignees:	-
Labels:	area-System.Net.Quic
Milestone:	-

[wfurt]

I'm not sure it is needed. My understanding was that the flags may be used on Windows. I did tests on Windows and all tests passes after updating msquic manually.

[anrossi]

On Schannel, USE_SUPPLIED_CREDENTIALS forces the client to send an empty certificate_list back to the server when the server requests client authentication and the client has no certificate to send, so the server may decide whether to terminate the connection or not.
Without USE_SUPPLIED_CREDENTIALS, Schannel client will end the handshake if it cannot find a certificate to send to the server when the server requests client authentication.

[wfurt]

It is unfortunate that the flag is platform specific. It feels like it would be better to ignore it on Linux if Linux can provide same functionality.

[rzikm]

LGTM, thanks!

[anrossi]

as long as .NET doesn't use OpenSSL on Windows, this is fine.

[rzikm]

Do we have any way to query what backend the library uses? Otherwise having the flag produce errors with OpenSSL makes it a bit inconvenient.

[anrossi]

I don't think we have a way to query which crypto library is in use. @ThadHouse @nibanks, do you know of something?

[nibanks]

No, we don't currently expose a way to do this. We could via a global GetParam option easily enough. If you need this @rzikm please open a MsQuic issue for it.

[wfurt]

I still feel that making sure the flag does not break OpenSSL would be better option e.g. less platform code to maintain elsewhere.

[rzikm]

.NET uses the SChannel version on Windows, so unless we care that the user may somehow provide a different dll (possibly built with OpenSSL), then we don't need it.

[nibanks]

We have had asks to support OpenSSL MsQuic on Windows with .NET, so would prefer not to make assumptions of using Schannel on Windows.

[wfurt]

agreed. While we may not support it we may take community contributions. Requirement for S2022 or W11 seems pretty steep for many users.

[ManickaP]

We also tie to OperatingSystem.IsWindows() (non) usage of portable certs. I assume that is also rather thing of OpenSSL and following would not work with it:

runtime/src/libraries/System.Net.Quic/src/System/Net/Quic/Implementations/MsQuic/Interop/SafeMsQuicConfigurationHandle.cs

Lines 178 to 183 in cb1fd54

	if (OperatingSystem.IsWindows())
	{
	config.Type = QUIC_CREDENTIAL_TYPE.CERTIFICATE_CONTEXT;
	config.CertificateContext = (void*)certificate.Handle;
	status = MsQuicApi.Api.ApiTable->ConfigurationLoadCredential(configurationHandle.QuicHandle, &config);
	}

Unless, I'm mistaken here, I wouldn't put too much effort into distinguishing Windows from SChannel atm.

[rzikm]

I filed microsoft/msquic#2761, it is not urgent, but it would be nice to have it in place when somebody eventually asks for support of OpenSSL-MsQuic on Windows.

[ManickaP]

Failing QUIC test is System.Net.Quic.Functional.Tests: [Long Running Test] 'System.Net.Quic.Tests.MsQuicTests.ConnectWithClientCertificate', Elapsed: 00:02:05
Which is cover by #69792