A valid certificate for quic toy server to run


Xuefeng Zhu

Sep 17, 2015, 11:27:19 PM
to proto...@chromium.org
The latest QUIC toy server requires a public certificate and private key to run. I generated one with the openssl tool, but when I run the QUIC server with my key, the toy server crashes.
The following is my command and output:
"""
./out/Debug/quic_server --quic_in_memory_cache_dir=/home/xuefeng/quic_build/temp   --certificate_file=/home/xuefeng/quic_build/cert.pem --key_file=/home/xuefeng/quic_build/key.pkcs8
[0917/231843:FATAL:proof_source_chromium_openssl.cc(40)] No certificates.
#0 0x0000004eb2fe base::debug::StackTrace::StackTrace()
#1 0x000000424cff logging::LogMessage::~LogMessage()
#2 0x000000592e6e net::ProofSourceChromium::Initialize()
#3 0x000000409f1c CreateProofSource()
#4 0x00000040a67c main
#5 0x7f0d4494cec5 __libc_start_main
#6 0x000000409de4 <unknown>

Aborted (core dumped)
"""

Thank you


Ryan Hamilton

Sep 17, 2015, 11:38:33 PM
to proto...@chromium.org
So this error happens before the key is loaded. It means that no certificates were loaded from the certificate file. What does /home/xuefeng/quic_build/cert.pem look like?

--
You received this message because you are subscribed to the Google Groups "QUIC Prototype Protocol Discussion group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to proto-quic+...@chromium.org.
To post to this group, send email to proto...@chromium.org.
For more options, visit https://groups.google.com/a/chromium.org/d/optout.

Xuefeng Zhu

Sep 18, 2015, 9:46:47 AM
to proto...@chromium.org
Hi Ryan,
The following is the content of cert.pem, which was generated by openssl.
"-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArUzU3MBVrOqTsdM4qw9z
vLX80jtIifxhr0u1DociUeFrKkNesbQTq9oM6K+P3C4jZkUrEDrSCuP3Lt4M1kRZ
QdKaoPyS9EhiYaVAJJ81gqHVgNKG6t6XSIl40a194jO0fqX1o7cFkzkGyn7OH3mf
hDNfy07192eS6inBBbAx3zu4Uv+jpflDft+8cm1MtcyBSOqT/lQc6Tywq9v0nqBv
wZtKtwkUwTfHppFasaTHb3QXJ7q7xm7SEIcqDI55Hg687nqlG1y5gq44NHj87Frr
AChVY6ibdXDCJ/3gd9VoYY6IeNTGxZWqR+84bfwoUKI/4elyyVqlXu1zVIcnO2aW
DQIDAQAB
-----END PUBLIC KEY-----"

If it is not correct, could you please provide me the correct way to generate private and public key. Thank you.

Adam Langley

Sep 18, 2015, 10:23:18 AM
to proto...@chromium.org
On Fri, Sep 18, 2015 at 6:46 AM, Xuefeng Zhu <frank...@gmail.com> wrote:
>
> Hi Ryan,
> The following is the content of cert.pem, which was generated by openssl.
> "-----BEGIN PUBLIC KEY-----
> -----END PUBLIC KEY-----"
>
> If it is not correct, could you please provide me the correct way to generate private and public key. Thank you.


That's a public-key, not a certificate.

To generate a key and cert, try something like:

openssl req -newkey rsa:2048 -nodes -keyout test.key -x509 -days 365 -out test.crt



Cheers

AGL
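
The difference Adam points out can be checked from the PEM labels before the server is started. The following is an added example, not part of the original thread and not Chromium code: it lists the PEM block labels in a file's text and reports whether any of them is a certificate. The function names and the sample blocks are constructed for illustration.

```python
import base64
import re

# PEM framing: -----BEGIN <label>----- base64 -----END <label>-----
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

def pem_labels(text):
    """Return the label of every PEM block whose body is valid base64."""
    labels = []
    for label, body in PEM_BLOCK.findall(text):
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except ValueError:      # binascii.Error is a ValueError
            continue
        labels.append(label)
    return labels

def check_certificate_file(text):
    """Say whether the text of a candidate certificate file holds a certificate."""
    labels = pem_labels(text)
    count = labels.count("CERTIFICATE")
    if count:
        return "ok: %d certificate(s)" % count
    if not labels:
        return "no certificates: no PEM blocks found"
    return "no certificates: file only contains " + ", ".join(sorted(set(labels)))

def make_pem(label, payload):
    """Build a constructed PEM block; the payload is a placeholder, not real DER."""
    b64 = base64.b64encode(payload).decode("ascii")
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, b64, label)

# Constructed samples (not taken from the files discussed in the thread).
SAMPLE_PUBLIC_KEY = make_pem("PUBLIC KEY", b"constructed placeholder")
SAMPLE_CERT = make_pem("CERTIFICATE", b"constructed placeholder")

if __name__ == "__main__":
    for name, text in [("public key", SAMPLE_PUBLIC_KEY), ("cert", SAMPLE_CERT)]:
        print(name, "->", check_certificate_file(text))
```

The check only looks at the PEM framing; it does not parse the DER inside a block or validate the certificate.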

Xuefeng Zhu

Sep 18, 2015, 11:56:48 AM
to proto...@chromium.org
Hi Adam,
Thanks for your reply. Could you please also provide me the correct way to generate key_file for quic server? Thank you.


Ryan Hamilton

Sep 18, 2015, 1:36:03 PM
to proto...@chromium.org
This CL should be landing soon. It contains a script to generate a test cert and key. You can look in the script for the precise openssl commands to run.


Cheers,

Ryan

Xuefeng Zhu

Sep 20, 2015, 12:00:15 AM
to proto...@chromium.org
Hi Ryan,
Thanks for the reply. I generated the cert with the script, but I still got some errors.
"""
xuefeng@xuefeng-virtual-machine:~/chrome/src$ ./out/Debug/quic_client --host=127.0.01 --port=6121 http://www.google.com/
[0919/235605:WARNING:quic_framer.cc(592)] Unable to process packet header.  Stopping parsing.
[0919/235605:ERROR:cert_verify_proc_nss.cc(922)] CERT_PKIXVerifyCert for 127.0.01 failed err=-8179
[0919/235605:WARNING:proof_verifier_chromium.cc(286)] Failed to verify certificate chain: net::ERR_CERT_AUTHORITY_INVALID
Failed to connect to 127.0.0.1:6121. Error: QUIC_PROOF_INVALID
"""

Ryan Hamilton

Sep 20, 2015, 12:31:07 AM
to proto...@chromium.org
This is the key message:

[0919/235605:WARNING:proof_verifier_chromium.cc(286)] Failed to verify certificate chain: net::ERR_CERT_AUTHORITY_INVALID

This means the CA certificate is not trusted by your operating system. You will need to install the root certificate into your OS's root certificate store.

Cheers,

Ryan

Lyndon Fawcett

Sep 23, 2015, 11:54:45 AM
to QUIC Prototype Protocol Discussion group

Hi guys,

I have the exact same problem as shown above with "net::ERR_CERT_AUTHORITY_INVALID" when running the example from "Playing with QUIC" using the reference server and client (either the toy one or Google Chrome).

Since you last replied there has been a change to the guide and the "./generate-certs.sh" script has been added to generate the certificates. I installed the .pem files generated by the script by copying them to /usr/share/ca-certificates/extra/ and running "sudo dpkg-reconfigure ca-certificates". However, this does not make a difference and I still get the same error:

ubuntu@ubuntu:~/chromium/src$ ./out/Debug/quic_client --host=127.0.0.1 --port=6121 https://www.example.com/

[0923/165118:ERROR:cert_verify_proc_nss.cc(922)] CERT_PKIXVerifyCert for 127.0.0.1 failed err=-8179

[0923/165118:WARNING:proof_verifier_chromium.cc(286)] Failed to verify certificate chain: net::ERR_CERT_AUTHORITY_INVALID

Failed to connect to 127.0.0.1:6121. Error: QUIC_PROOF_INVALID


I am using Ubuntu 14.04.

Thanks,

Lyndon

Ryan Hamilton

Sep 23, 2015, 4:02:44 PM
to proto...@chromium.org
Ah! Here are the right instructions to use. I forgot that on Linux, Chrome uses an NSS certificate database and the root cert needs to be added to that.


David Marchant

Sep 23, 2015, 5:36:50 PM
to QUIC Prototype Protocol Discussion group
What cert do you add to the NSS certificate database? Is it the 2048-sha256-root.pem or leaf_cert.pem?

Ryan Hamilton

Sep 23, 2015, 5:44:05 PM
to proto...@chromium.org
The root certificate.

Ryan Hamilton

Sep 23, 2015, 5:47:01 PM
to proto...@chromium.org
I've also updated the instructions at https://www.chromium.org/quic/playing-with-quic to mention the linux-specific instructions.

David Marchant

Sep 23, 2015, 6:03:48 PM
to QUIC Prototype Protocol Discussion group
I still can't get the toy client/server to work on Ubuntu. I installed the root cert using the certutil command below and by copying it to /usr/share/ca-certificates/extra/ and running "sudo dpkg-reconfigure ca-certificates". Is there anything else you need to do? The error I am getting is below.

certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n "TestRoot" -i net/tools/quic/certs/out/2048-sha256-root.pem



[0923/215723:WARNING:proof_verifier_chromium.cc(286)] Failed to verify certificate chain: net::ERR_CERT_AUTHORITY_INVALID
[0923/215723:VERBOSE1:quic_connection.cc(1946)] Client: Force closing 2880494839385808647 with error QUIC_PROOF_INVALID (42) Proof invalid: Failed to verify certificate chain: net::ERR_CERT_AUTHORITY_INVALID
[0923/215723:VERBOSE1:quic_connection.cc(2186)] Entering Batch Mode.
[0923/215723:VERBOSE1:quic_connection.cc(2194)] Bundling ack with outgoing packet.
[0923/215723:VERBOSE1:quic_packet_creator.cc(600)] Adding frame: type { ACK_FRAME } entropy_hash: 2 largest_observed: 2 delta_time_largest_observed: 10730 missing_packets: [  ] is_truncated: 0 revived_packets: [  ] received_packets: [  ]
[0923/215723:VERBOSE1:quic_packet_creator.cc(600)] Adding frame: type { STOP_WAITING_FRAME } entropy_hash: 0 least_unacked: 1
[0923/215723:VERBOSE1:quic_packet_creator.cc(600)] Adding frame: type { CONNECTION_CLOSE_FRAME } error_code { 42 } error_details { Proof invalid: Failed to verify certificate chain: net::ERR_CERT_AUTHORITY_INVALID }

[0923/215723:VERBOSE1:quic_framer.cc(710)] Appending header: { connection_id: 2880494839385808647, connection_id_length:8, packet_number_length:1, reset_flag: 0, version_flag: 0, fec_flag: 0, entropy_flag: 1, entropy hash: 0, packet_number: 3, is_in_fec_group:0, fec_group: 0}

[0923/215723:VERBOSE1:quic_connection.cc(1540)] Client: Sending packet 3 : data bearing , encryption level: ENCRYPTION_NONE, encrypted length:121
[0923/215723:VERBOSE1:quic_connection.cc(1587)] Client: time we began writing last sent packet: 23411410677
[0923/215723:VERBOSE1:quic_connection.cc(2205)] Leaving Batch Mode.

Ryan Hamilton

Sep 23, 2015, 7:08:25 PM
to proto...@chromium.org
I hate computers, some days! The generated certificate works fine on OS X, but not on linux. I have a change pending to remove the name constraints from the certificate:


If you apply this manually and re-follow the instructions it should work. I verified that it works on my local linux box. It should land soon, in which case you can simply re-sync.

Sorry for the headache,

Ryan



Shivanand P.B.

Oct 8, 2015, 6:05:22 AM
to QUIC Prototype Protocol Discussion group
Hello, 

I'm new to QUIC.

I followed the instructions given in "Playing with QUIC" page. 

I'm able to get quic_client and quic_server to work on localhost.

However when I tried to connect to this quic_server from a different machine in the same network, quic_client throws the following error.

    Failed to connect to 192.24.53.98:6121. Error: QUIC_PROOF_INVALID

Have I missed anything?
Any pointers on this issue will be very helpful.

Thanks,
Shiva

Ryan Hamilton

Oct 8, 2015, 10:16:45 AM
to proto...@chromium.org
Can you show the command that you used?

Shivanand P.B.

Oct 9, 2015, 2:53:03 PM
to proto...@chromium.org
Hi Ryan,

The following combination works:

quic_server --quic_in_memory_cache_dir=/root/mydocroot.net/  --certificate_file=/root/out/leaf_cert.pem --key_file=/root/out/leaf_cert.pkcs8

quic_client --host=127.0.0.1 --port=6121 https://mydocroot.net/file.bin

***

However, when I try to connect to the server from a different machine, I get an error.
quic_client --host=192.24.53.98 --port=6121 https://mydocroot.net/file.bin

I get QUIC_PROOF_INVALID error.


Cheers,
Shivanand


Ryan Hamilton

Oct 9, 2015, 3:41:05 PM
to proto...@chromium.org
The URL you are requesting has a host "mydocroot.net". Is your certificate valid for that? In any case, --v=1 output would be helpful.

Fatima Zarinni

Oct 26, 2015, 5:54:27 PM
to proto...@chromium.org
Hi All,

I am facing the same issue of "QUIC_PROOF_INVALID" error with Android chrome version 48.0.2543.0, and the quic server code that is fetched on October 24th.

I have generated the certificates and the key using the script provided. Also, I installed the root certificate on the phone. I now don't get the "net::ERR_CERT_AUTHORITY_INVALID" error, but I get the following error:

"server: CONNECTION_CLOSE_FRAME received for connection: 8119938777658202506 with error: QUIC_PROOF_INVALID Proof invalid: Failed to verify certificate chain: net::ERR_CERT_COMMON_NAME_INVALID"

Also, the --ignore-certificate-errors flag does not seem to work with the latest chrome browser. I will appreciate any help in this regard.

I am also attaching the server output.

Thank you,
Fatima

server_output.txt

Ryan Hamilton

Oct 26, 2015, 7:37:56 PM
to proto...@chromium.org
On Mon, Oct 26, 2015 at 2:54 PM, Fatima Zarinni <fatimah...@gmail.com> wrote:
> Hi All,
>
> I am facing the same issue of "QUIC_PROOF_INVALID" error with Android chrome version 48.0.2543.0, and the quic server code that is fetched on October 24th.
>
> I have generated the certificates and the key using the script provided. Also, I installed the root certificate on the phone. I now don't get the "net::ERR_CERT_AUTHORITY_INVALID" error, but I get the following error:
>
> "server: CONNECTION_CLOSE_FRAME received for connection: 8119938777658202506 with error: QUIC_PROOF_INVALID Proof invalid: Failed to verify certificate chain: net::ERR_CERT_COMMON_NAME_INVALID"

This means that the hostname you are connecting to is not valid for the certificate.

What hostname are you connecting to?

> Also, the --ignore-certificate-errors flag does not seem to work with the latest chrome browser. I will appreciate any help in this regard.

Long story, but --ignore-certificate-errors does not work with QUIC.

> I am also attaching the server output.

I don't see any output?

Fatima Zarinni

Oct 29, 2015, 2:15:21 PM
to proto...@chromium.org
Hi Ryan,

Thank you for your input on the hostname not being valid for the certificate. This was indeed the case. This time I generated the keys with the proper hostname that I had, and now everything is working.

I appreciate it.

Best regards,
Fatima
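
The hostname mismatch behind net::ERR_CERT_COMMON_NAME_INVALID can be reasoned about with a small name check. The following is an added example, not part of the original thread and not Chromium's verifier: a simplified matcher that compares the host a client verifies against with the names a certificate lists. The certificate names in it are constructed, and the caller supplies whichever host name the client actually checks.

```python
import ipaddress
from urllib.parse import urlsplit

def is_ip(host):
    """True if host is an IPv4 or IPv6 literal."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def name_matches(host, pattern):
    """True if host is covered by one certificate name (DNS name or IP string)."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if is_ip(host) or is_ip(pattern):
        # An IP address only matches an identical IP entry, never a DNS name.
        return (is_ip(host) and is_ip(pattern)
                and ipaddress.ip_address(host) == ipaddress.ip_address(pattern))
    h, p = host.split("."), pattern.split(".")
    if len(h) != len(p):
        return False                # a wildcard covers exactly one label
    if p[0] == "*" and len(p) > 2:
        return h[1:] == p[1:]       # "*.example.org" covers "www.example.org"
    return h == p

def covered(url_or_host, cert_names):
    """Return the certificate names that cover the host of a URL or bare host."""
    host = urlsplit(url_or_host).hostname if "://" in url_or_host else url_or_host
    return [name for name in cert_names if name_matches(host, name)]

# Constructed certificate names (the thread does not list the real ones).
CERT_NAMES = ["www.example.org", "*.test.example.org"]

if __name__ == "__main__":
    for target in ["https://www.example.org/", "https://mydocroot.net/file.bin",
                   "192.24.53.98", "a.test.example.org"]:
        print(target, "->", covered(target, CERT_NAMES) or "no matching name")
```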

Xuefeng Zhu

Nov 1, 2015, 10:42:19 PM
to proto...@chromium.org
Hi Ryan,
Sorry for bothering you again. The instructions on https://www.chromium.org/quic/playing-with-quic work for local testing. However, when I try to test the toy server and client on separate machines, I get the QUIC_PROOF_INVALID error at the client even though I have added the root certificate on both server and client. Could you please provide the instructions to fix this issue? Thank you.


Best,
Xuefeng

Jing Xu

Mar 14, 2016, 6:27:56 AM
to QUIC Prototype Protocol Discussion group
Hi, Ryan
    I am new to QUIC. When I try the prototype in http://www.chromium.org/quic/playing-with-quic, it works well as expected. What should I fix when I try to test the server and client on separate machines? What's the command on the client and how do I configure the root certificate? Could you help me? Thanks.
    
Jing

On Tuesday, October 27, 2015 at 7:37:56 AM UTC+8, r...@chromium.org wrote:

Ryan Hamilton

Mar 14, 2016, 1:39:43 PM
to proto...@chromium.org
Hi Jing,

It depends on the OS of your client. But you need to install the server's root certificate (net/tools/quic/certs/out/2048-sha256-root.pem) on the client. For example, on linux you'll follow these instructions. On OS X, you need to double click on the .pem file and use Keychain Manager to trust the certificate. In any case, it should be the same process you used to make the certificate trusted on the server, just this time you run it on the client (but using the .pem file from the server, not generate a new one on the client).

Cheers,

Ryan 

Jing Xu

Mar 15, 2016, 3:58:09 AM
to proto...@chromium.org
Hi Ryan,

Thanks for your reply. It helps me a lot, and I still have some other problems:
1. I would like to test the performance of QUIC, and the output in quic-client really influences the test results. What can I fix? Or are there some tools to measure the performance?
2. Could quic_client run on a Windows system? If yes, then how?

Cheers.
Jing

Ryan Hamilton

Mar 15, 2016, 1:47:45 PM
to proto...@chromium.org
On Tue, Mar 15, 2016 at 12:58 AM, Jing Xu <jxu...@gmail.com> wrote:
> Hi Ryan,
>
> Thanks for your reply. It helps me a lot, and I still have some other problems:
> 1. I would like to test the performance of QUIC, and the output in quic-client really influences the test results. What can I fix? Or are there some tools to measure the performance?

Interesting! You might need to make some code changes to disable the quic_client output. What kind of performance testing are you interested in performing?

> 2. Could quic_client run on a Windows system? If yes, then how?

Yes, if you build quic_client on Windows, it will work on Windows.

Cheers,

Ryan

Jing Xu

Mar 16, 2016, 3:20:21 AM
to QUIC Prototype Protocol Discussion group
Hi, Ryan

Sorry for replying on the mailbox.
Then I would like to test the performance such as packet loss rate, transmission speed, and some other indicators. I got the quic-client just by the command "ninja -c out/Debug quic-client" after checking out the chromium source. To disable the output influence, would you mind telling me in which files I can fix the code, or how to get those performance indicators?


Regards
Jing

On Wednesday, March 16, 2016 at 1:47:45 AM UTC+8, r...@chromium.org wrote:

Ryan Hamilton

Mar 16, 2016, 5:06:45 PM
to proto...@chromium.org
I suspect you'll want to look at QuicSpdyClientStream::OnDataAvailable. Possibly, you'll want to skip the data_.append() call.

Cheers,

Ryan
