Comments (16)
marten-seemann
commented on May 20, 2024
This is unrelated to WebTransport. You'll get exactly the same error when using crypto/tls over TCP with your certificate configuration.
from webtransport-go.
arobie1992
commented on May 20, 2024
Part of the reason I'm investigating WebTransport was because it was supposed to be able to support connections using self-signed certificates through the certhash: https://blog.libp2p.io/2022-12-19-libp2p-webtransport/#meet-webtransport
I'd also like to connect via QUIC, not TCP, and from the readme it should be opening a UDP port on 443. Is this not the case?
from webtransport-go.
marten-seemann
commented on May 20, 2024
Part of the reason I'm investigating WebTransport was because it was supposed to be able to support connections using self-signed certificates through the certhash: https://blog.libp2p.io/2022-12-19-libp2p-webtransport/#meet-webtransport
There seems to be some severe confusion here. This applies to the browser API only.
from webtransport-go.
arobie1992
commented on May 20, 2024
This doesn't appear to be specified in the RFC, and none of the documentation makes mention that this is only a browser behavior. If non-browser clients are explicitly not supported, then can this at least be reflected in the documentation?
from webtransport-go.
marten-seemann
commented on May 20, 2024
If non-browser clients are explicitly not supported, then can this at least be reflected in the documentation?
This is wrong again. Browsers are supported. We even have an explicit test for that in CI.
I encourage you to read the RFC and the W3C specification, and to familiarize yourself with crypto/tls.
from webtransport-go.
arobie1992
commented on May 20, 2024
I understand that much of the reference material discusses browsers as this is the primary targeted use case. I have not seen mention that non-browser clients are explicitly not supported though. I've reviewed these references in addition to the first link I posted:
https://www.w3.org/TR/webtransport/#certificate-hashes
https://github.com/libp2p/specs/tree/master/webtransport
https://datatracker.ietf.org/doc/draft-ietf-webtrans-http3/
The closest I've found that any come is this:
The most exciting feature for libp2p (other than the numerous performance benefits that QUIC gives us) is that the W3C added a browser API allowing browsers to establish connections to nodes with self-signed certificates
I get that it specified "browser API allowing browsers", but much of the documentation uses the terms browser and client interchangeably and prior to this conversation, I haven't seen anything differentiate between browser clients and non-browser clients. If that's the case, that's fine, and I'll look into other approaches, but could I at least propose adding a line to the readme stating that non-browser clients are not permitted to use self-signed certs?
from webtransport-go.
arobie1992
commented on May 20, 2024
This is wrong again. Browsers are supported.
I think there was some miscommunication here. I'm not saying browsers aren't supported, just that it was unclear this was a browser-only feature based on what I'd reviewed.
from webtransport-go.
marten-seemann
commented on May 20, 2024
I understand that much of the reference material discusses browsers as this is the primary targeted use case. I have not seen mention that non-browser clients are explicitly not supported though.
You haven't seen this because this is not correct. As I said before, the behavior you're seeing is equivalent to what you'd see when using crypto/tls. WebTransport isn't doing anything special regarding certificate verification, it just uses the Go standard library crypto/tls package, giving you all the flexibility that comes with that. Please refer to the documentation of the standard library.
Specifically, if you want to accept self-signed certificates, you need to set InsecureSkipVerify to true, and implement certificate verification yourself. See the go-libp2p implementation for how to verify certificate hashes.
from webtransport-go.
arobie1992
commented on May 20, 2024
Is use of the certhash endpoint a browser-only feature or not? In this reply, you state "This applies to the browser API only." But now you're saying that my statement that non-browser clients are explicitly not supported to use the certhash endpoint is incorrect.
from webtransport-go.
marten-seemann
commented on May 20, 2024
Non-browsers are free to implement whatever certificate validation logic they please.
from webtransport-go.
arobie1992
commented on May 20, 2024
But the library doesn't come with support for it and this is a conscious design choice correct? It has to be implmented on by users of the library.
from webtransport-go.
marten-seemann
commented on May 20, 2024
Support for what?
from webtransport-go.
arobie1992
commented on May 20, 2024
Using the certhash endpoint as an alternate means of validating a certificate.
from webtransport-go.
marten-seemann
commented on May 20, 2024
You're confusing the layers here. webtransport-go doesn't concern itself with certificate verification. It is simply an implementation of the IETF draft.
from webtransport-go.
arobie1992
commented on May 20, 2024
I see. I was mistaking links in the connectivity page. This appears to be what I was looking for. Apologies for the confusion.
from webtransport-go.
marten-seemann
commented on May 20, 2024
No worries, I know it's a bit confusing having one IETF and one W3C WebTransport spec.
from webtransport-go.
Related Issues (20)
- enable SETTINGS_ENABLE_CONNECT_PROTOCOL
- check for Extended Connect and WebTransport support before issuing WebTransport requests on the client side
- Error on server upgrade: "webtransport: request origin not allowed" HOT 1
- I can NOT connect Chome WT API to this implementation HOT 6
- WebTransport Stream Reset Error on Chrome Browser Reload/Disconnects HOT 2
- expose a TLS key exporter
- Firefox cannot dial webtransport-go server HOT 3
- Help with echo server HOT 4
- Memory Leaks in session manager
- Readable streams never end HOT 2
- manual release created (v0.7.0) HOT 1
- implement subprotocol negotiation
- add a Remote field to the StreamError
- allow optimistic opening of streams HOT 1
- Is it possible to share packetConn between webtransport-go server and client in similar way like in quic-go HOT 1
- update quic-go to a released version
- Is there a way to use the same port to handle both WebTransport connections, and HTTP3 request/response scheme? HOT 1
- send HTTP requests on a dialed connection
- use correct HTTP status codes when rejecting
- manual release created (v0.8.0)
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from webtransport-go.