During a client connect handshake, wait for Frame::HandshakeDone before considering the connection established #1887
Conversation
|
Do you have a reference to the RFC section that describes this requirement? |
|
@djc The specific section I see is in the QUIC-TLS rfc: https://www.rfc-editor.org/rfc/rfc9001.html#name-handshake-confirmed
|
|
That section also has this:
Maybe that is applicable to our earlier implementation? |
|
@djc, I don't believe quinn implements that section / behavior because the precipitating issue that led to this investigation is in a situation where a client attempts to connect with a server and the server rejects the TLS keys. In that case, the client considers itself established and then later fails once the client receives the close message - however if quinn was properly waiting for a 1-rtt ACK during the handshake I don't believe it would get to that point? |
billylindeman
force-pushed
the
fix-client-connect-await-handshake-done
branch
from
2c4ba16
to
93841a3
Compare
|
Thanks for the PR! It is by design that Quinn yields the Still, I appreciate that it's awkward for there not to be a well-defined location for clients to detect authentication failures when communicating with servers that require client authentication. Would it be sufficient to expose a new method on |
|
@Ralith Thanks for the explanation! I re-read that part of the spec and that makes sense to me. Having a well-defined place to await handshake confirmation would be great |
Do you want to change this PR to address that? |
|
Closing in favor of #1944. |
As it stands today, a quinn client will consider itself established/connected prior to receving the HandshakeDone frame.
If a connection fails because the server rejects the client (such as a tls certificate issue, or some other reason), the client will have already resolved the connecting.await? into a valid Connection.