21 commits
d5b8e97
Bump up default windows sdk version used in Windows builds
sm-msft Jul 18, 2025
9ac6c8e
Add WinSDK version requirement to Build doc.
sm-msft Jul 18, 2025
d82b5ed
- Code to push/retrieve server app state in a resumption ticket over …
sm-msft Aug 1, 2025
04285f8
Merge branch 'main' into sm/msquic_schannel_resumption1
sm-msft Aug 1, 2025
2877048
- Added new QUIC_CREDENTIAL_FLAG for disabling resumption and enablin…
sm-msft Aug 13, 2025
fe6fb17
Merge branch 'main' into sm/msquic_schannel_resumption1
sm-msft Aug 13, 2025
622a9f2
- Fixed corner cases in notifying received tickets
sm-msft Aug 15, 2025
bcf69d9
- Skip an unit test on OpenSSL
sm-msft Aug 15, 2025
efc43d3
Fix OpenSSL build issue
sm-msft Aug 15, 2025
78394f4
- Add documentation for the newly added credential flags under previe…
sm-msft Aug 15, 2025
88fd266
- Clean up CxPlatTlsWriteDataToSchannel and other related refactoring
sm-msft Aug 16, 2025
9a2c2c2
- Restore default rx ticket notification to prior location
sm-msft Aug 16, 2025
3cef739
Rearrange when empty tickets are indicated on the client and server
sm-msft Aug 16, 2025
6038a0d
- Update rust bindings
sm-msft Aug 16, 2025
6961f27
- Apply rust bindings patch
sm-msft Aug 17, 2025
8b09d50
- Allocate client/server specific TLS Schannel buffers only in the ap…
sm-msft Aug 19, 2025
2543239
- Fix build errors in kernel test code
sm-msft Aug 20, 2025
fe962d3
Fix build break
sm-msft Aug 20, 2025
8239307
- Address more test build failures
sm-msft Aug 20, 2025
33ae9db
- Empty tickets will not be indicated on SChannel client/server due t…
sm-msft Aug 20, 2025
93cd305
Merge branch 'main' into sm/msquic_schannel_resumption1
sm-msft Aug 20, 2025
18 changes: 17 additions & 1 deletion docs/api/QUIC_CREDENTIAL_CONFIG.md
Expand Up @@ -163,7 +163,23 @@ Enable CA certificate file provided in the `CaCertificateFile` member.

`QUIC_CREDENTIAL_FLAG_DISABLE_AIA`

The following flag can be set to explicitly disable AIA retrievals. Only valid on Windows.
Explicitly disable AIA retrievals. Only valid on Windows.

`QUIC_CREDENTIAL_FLAG_DISABLE_RESUMPTION`

**Preview feature**: This flag is in [preview](../PreviewFeatures.md). It should be considered unstable and can be subject to breaking changes.

Disables TLS session resumption. Only valid on Windows with SChannel.
Collaborator comment:
Suggested change
Disables TLS session resumption. Only valid on Windows with SChannel.
Disables TLS session resumption. Only supported on Windows with SChannel.


`QUIC_CREDENTIAL_FLAG_ALLOW_RESUMPTION_TICKET_MANAGEMENT`

**Preview feature**: This flag is in [preview](../PreviewFeatures.md). It should be considered unstable and can be subject to breaking changes.

Enables exclusive application management of TLS session resumption tickets and disables any automatic resumption ticket management in the underlying TLS library. Only valid on Windows Server 2025 or newer OS, with SChannel TLS.
Collaborator comment:
Suggested change
Enables exclusive application management of TLS session resumption tickets and disables any automatic resumption ticket management in the underlying TLS library. Only valid on Windows Server 2025 or newer OS, with SChannel TLS.
Enables exclusive application management of TLS session resumption tickets and disables any automatic resumption ticket management in the underlying TLS library. Only supported on Windows Server 2025 or newer OS, with SChannel TLS.

Collaborator comment:
I also think that some expansion of "exclusive application management" would be helpful, it is pretty vague.
Maybe something along the lines of "when set, MsQuic will use the TLS session resumption tickets provided by the app and forward any TLS resumption ticket received directly to the app"?


When enabled on a server application, resumption tickets must be issued by the server using the [ConnectionSendResumptionTicket](ConnectionSendResumptionTicket.md) API and incoming application state tickets are received through the [QUIC_CONNECTION_EVENT_RESUMED](QUIC_CONNECTION_EVENT.md) notification.

When enabled on a client application, incoming session resumption tickets are received through [QUIC_CONNECTION_EVENT_RESUMPTION_TICKET_RECEIVED](QUIC_CONNECTION_EVENT.md) notification. A subsequent resuming client connection must apply the latest session resumption ticket to the connection through the [QUIC_PARAM_CONN_RESUMPTION_TICKET](../Settings.md) connection setting.

#### `CertificateHash`

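Review bot: the QUIC_CREDENTIAL_FLAG_ALLOW_RESUMPTION_TICKET_MANAGEMENT entry leaves the failure paths undocumented. The new trace strings in src/generated/linux/tls_schannel.c.clog.h show that the application can reject what is delivered to it ("Server app resumption state rejected. Proceeding with the connection.", "Client app rejected session ticket. Proceeding with the connection.") and that setting the flag on an unsupported platform produces only a warning ("Explicit resumption ticket management enabled, but the feature is not supported on this platform"). The paragraphs starting "When enabled on a server application" and "When enabled on a client application" should say what "proceeding" means for the handshake (a full handshake, or TLS-level resumption without the application state), because an application that vetoes a ticket for a security reason needs to know whether the session is still resumed; and the platform sentence should say whether the flag is ignored or the credential load fails on an older OS. It would also help to state whether this flag and QUIC_CREDENTIAL_FLAG_DISABLE_RESUMPTION may be combined. The "Only valid" to "Only supported" wording change suggested above reads better in both entries.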
176 changes: 146 additions & 30 deletions src/generated/linux/tls_schannel.c.clog.h
Expand Up @@ -14,6 +14,10 @@
#include "tls_schannel.c.clog.h.lttng.h"
#endif
#include <lttng/tracepoint-event.h>
#ifndef _clog_MACRO_QuicTraceLogWarning
#define _clog_MACRO_QuicTraceLogWarning 1
#define QuicTraceLogWarning(a, ...) _clog_CAT(_clog_ARGN_SELECTOR(__VA_ARGS__), _clog_CAT(_,a(#a, __VA_ARGS__)))
#endif
#ifndef _clog_MACRO_QuicTraceLogVerbose
#define _clog_MACRO_QuicTraceLogVerbose 1
#define QuicTraceLogVerbose(a, ...) _clog_CAT(_clog_ARGN_SELECTOR(__VA_ARGS__), _clog_CAT(_,a(#a, __VA_ARGS__)))
Expand All @@ -33,6 +37,22 @@
#ifdef __cplusplus
extern "C" {
#endif
/*----------------------------------------------------------
// Decoder Ring for SchannelTlsInitWarning
// [ tls] Explicit resumption ticket management enabled, but the feature is not supported on this platform
// QuicTraceLogWarning(
SchannelTlsInitWarning,
"[ tls] Explicit resumption ticket management enabled, but the feature is not supported on this platform");
----------------------------------------------------------*/
#ifndef _clog_2_ARGS_TRACE_SchannelTlsInitWarning
#define _clog_2_ARGS_TRACE_SchannelTlsInitWarning(uniqueId, encoded_arg_string)\
tracepoint(CLOG_TLS_SCHANNEL_C, SchannelTlsInitWarning );\

#endif




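Review bot: SchannelTlsInitWarning is a bare QuicTraceLogWarning with no connection or configuration argument, so an operator who sees it cannot tell which credential load asked for explicit ticket management. If the load still succeeds after this warning (the return path is not in this view), the application silently gets library-managed tickets instead of the exclusive management it requested, which defeats an application that set the flag in order to control resumption; consider failing the load with a not-supported status instead, or at least documenting the fallback next to the flag in docs/api/QUIC_CREDENTIAL_CONFIG.md.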
/*----------------------------------------------------------
// Decoder Ring for SchannelAchAsync
// [ tls] Calling SspiAcquireCredentialsHandleAsyncW
Expand All @@ -49,6 +69,22 @@ tracepoint(CLOG_TLS_SCHANNEL_C, SchannelAchAsync );\



/*----------------------------------------------------------
// Decoder Ring for SchannelTlsInitVerbose
// [ tls] Explicit resumption ticket management enabled
// QuicTraceLogVerbose(
SchannelTlsInitVerbose,
"[ tls] Explicit resumption ticket management enabled");
----------------------------------------------------------*/
#ifndef _clog_2_ARGS_TRACE_SchannelTlsInitVerbose
#define _clog_2_ARGS_TRACE_SchannelTlsInitVerbose(uniqueId, encoded_arg_string)\
tracepoint(CLOG_TLS_SCHANNEL_C, SchannelTlsInitVerbose );\

#endif




/*----------------------------------------------------------
// Decoder Ring for SchannelAchWorkerStart
// [ tls] Starting ACH worker
Expand Down Expand Up @@ -277,18 +313,18 @@ tracepoint(CLOG_TLS_SCHANNEL_C, SchannelMissingData , arg1, arg3);\
// Decoder Ring for SchannelTransParamsBufferTooSmall
// [conn][%p] Peer TP too large for available buffer (%u vs. %u)
// QuicTraceLogConnInfo(
SchannelTransParamsBufferTooSmall,
TlsContext->Connection,
"Peer TP too large for available buffer (%u vs. %u)",
OutSecBufferDesc.pBuffers[i].cbBuffer,
(TlsContext->PeerTransportParams != NULL) ?
TlsContext->PeerTransportParamsLength :
*InBufferLength);
SchannelTransParamsBufferTooSmall,
TlsContext->Connection,
"Peer TP too large for available buffer (%u vs. %u)",
OutSecBufferDesc.pBuffers[i].cbBuffer,
(TlsContext->PeerTransportParams != NULL) ?
TlsContext->PeerTransportParamsLength :
*InBufferLength);
// arg1 = arg1 = TlsContext->Connection = arg1
// arg3 = arg3 = OutSecBufferDesc.pBuffers[i].cbBuffer = arg3
// arg4 = arg4 = (TlsContext->PeerTransportParams != NULL) ?
TlsContext->PeerTransportParamsLength :
*InBufferLength = arg4
TlsContext->PeerTransportParamsLength :
*InBufferLength = arg4
----------------------------------------------------------*/
#ifndef _clog_5_ARGS_TRACE_SchannelTransParamsBufferTooSmall
#define _clog_5_ARGS_TRACE_SchannelTransParamsBufferTooSmall(uniqueId, arg1, encoded_arg_string, arg3, arg4)\
Expand All @@ -299,6 +335,46 @@ tracepoint(CLOG_TLS_SCHANNEL_C, SchannelTransParamsBufferTooSmall , arg1, arg3,



/*----------------------------------------------------------
// Decoder Ring for SchannelServerIgnoringTicket
// [conn][%p] Server app resumption state rejected. Proceeding with the connection. State size: %u bytes
// QuicTraceLogConnInfo(
SchannelServerIgnoringTicket,
TlsContext->Connection,
"Server app resumption state rejected. Proceeding with the connection. State size: %u bytes",
TlsContext->RxAppSessionState->AppSessionStateSize);
// arg1 = arg1 = TlsContext->Connection = arg1
// arg3 = arg3 = TlsContext->RxAppSessionState->AppSessionStateSize = arg3
----------------------------------------------------------*/
#ifndef _clog_4_ARGS_TRACE_SchannelServerIgnoringTicket
#define _clog_4_ARGS_TRACE_SchannelServerIgnoringTicket(uniqueId, arg1, encoded_arg_string, arg3)\
tracepoint(CLOG_TLS_SCHANNEL_C, SchannelServerIgnoringTicket , arg1, arg3);\

#endif




/*----------------------------------------------------------
// Decoder Ring for SchannelClientIgnoringTicket
// [conn][%p] Client app rejected session ticket. Proceeding with the connection. Ticket size: %u bytes
// QuicTraceLogConnInfo(
SchannelClientIgnoringTicket,
TlsContext->Connection,
"Client app rejected session ticket. Proceeding with the connection. Ticket size: %u bytes",
TlsContext->RxSessionTicket->SessionTicketSize);
// arg1 = arg1 = TlsContext->Connection = arg1
// arg3 = arg3 = TlsContext->RxSessionTicket->SessionTicketSize = arg3
----------------------------------------------------------*/
#ifndef _clog_4_ARGS_TRACE_SchannelClientIgnoringTicket
#define _clog_4_ARGS_TRACE_SchannelClientIgnoringTicket(uniqueId, arg1, encoded_arg_string, arg3)\
tracepoint(CLOG_TLS_SCHANNEL_C, SchannelClientIgnoringTicket , arg1, arg3);\

#endif




/*----------------------------------------------------------
// Decoder Ring for SchannelContextCreated
// [conn][%p] TLS context Created
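Review bot: the argument expressions for SchannelServerIgnoringTicket and SchannelClientIgnoringTicket dereference TlsContext->RxAppSessionState and TlsContext->RxSessionTicket, so every call site in tls_schannel.c must guarantee that pointer is non-NULL at the time of the trace, including the path changed in 33ae9db where empty tickets are no longer indicated. Logging only the size and not the ticket bytes is the right choice; keeping both events at Info level is useful for spotting a peer that repeatedly presents state the application refuses.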
Expand Down Expand Up @@ -360,39 +436,79 @@ tracepoint(CLOG_TLS_SCHANNEL_C, SchannelKeyReady , arg1, arg3, arg4, arg5);\


/*----------------------------------------------------------
// Decoder Ring for SchannelIgnoringTicket
// [conn][%p] Ignoring %u ticket bytes
// Decoder Ring for SchannelServerTxTicket
// [conn][%p] Sending managed resumption ticket data, %u bytes
// QuicTraceLogConnVerbose(
SchannelIgnoringTicket,
TlsContext->Connection,
"Ignoring %u ticket bytes",
*BufferLength);
SchannelServerTxTicket,
TlsContext->Connection,
"Sending managed resumption ticket data, %u bytes",
*BufferLength);
// arg1 = arg1 = TlsContext->Connection = arg1
// arg3 = arg3 = *BufferLength = arg3
----------------------------------------------------------*/
#ifndef _clog_4_ARGS_TRACE_SchannelIgnoringTicket
#define _clog_4_ARGS_TRACE_SchannelIgnoringTicket(uniqueId, arg1, encoded_arg_string, arg3)\
tracepoint(CLOG_TLS_SCHANNEL_C, SchannelIgnoringTicket , arg1, arg3);\
#ifndef _clog_4_ARGS_TRACE_SchannelServerTxTicket
#define _clog_4_ARGS_TRACE_SchannelServerTxTicket(uniqueId, arg1, encoded_arg_string, arg3)\
tracepoint(CLOG_TLS_SCHANNEL_C, SchannelServerTxTicket , arg1, arg3);\

#endif




/*----------------------------------------------------------
// Decoder Ring for SchannelProcessingData
// [conn][%p] Processing %u received bytes
// Decoder Ring for SchannelTlsProcessingData
// [conn][%p] Processing %u TX or RX bytes
// QuicTraceLogConnVerbose(
SchannelProcessingData,
SchannelTlsProcessingData,
TlsContext->Connection,
"Processing %u received bytes",
"Processing %u TX or RX bytes",
*BufferLength);
// arg1 = arg1 = TlsContext->Connection = arg1
// arg3 = arg3 = *BufferLength = arg3
----------------------------------------------------------*/
#ifndef _clog_4_ARGS_TRACE_SchannelProcessingData
#define _clog_4_ARGS_TRACE_SchannelProcessingData(uniqueId, arg1, encoded_arg_string, arg3)\
tracepoint(CLOG_TLS_SCHANNEL_C, SchannelProcessingData , arg1, arg3);\
#ifndef _clog_4_ARGS_TRACE_SchannelTlsProcessingData
#define _clog_4_ARGS_TRACE_SchannelTlsProcessingData(uniqueId, arg1, encoded_arg_string, arg3)\
tracepoint(CLOG_TLS_SCHANNEL_C, SchannelTlsProcessingData , arg1, arg3);\

#endif




/*----------------------------------------------------------
// Decoder Ring for SchannelServerRxTicket
// [conn][%p] Server app resumption state delivered. State size: %u bytes
// QuicTraceLogConnVerbose(
SchannelServerRxTicket,
TlsContext->Connection,
"Server app resumption state delivered. State size: %u bytes",
TlsContext->RxAppSessionState->AppSessionStateSize);
// arg1 = arg1 = TlsContext->Connection = arg1
// arg3 = arg3 = TlsContext->RxAppSessionState->AppSessionStateSize = arg3
----------------------------------------------------------*/
#ifndef _clog_4_ARGS_TRACE_SchannelServerRxTicket
#define _clog_4_ARGS_TRACE_SchannelServerRxTicket(uniqueId, arg1, encoded_arg_string, arg3)\
tracepoint(CLOG_TLS_SCHANNEL_C, SchannelServerRxTicket , arg1, arg3);\

#endif




/*----------------------------------------------------------
// Decoder Ring for SchannelClientRxTicket
// [conn][%p] Resumption session ticket delivered. Ticket size: %u bytes
// QuicTraceLogConnVerbose(
SchannelClientRxTicket,
TlsContext->Connection,
"Resumption session ticket delivered. Ticket size: %u bytes",
TlsContext->RxSessionTicket->SessionTicketSize);
// arg1 = arg1 = TlsContext->Connection = arg1
// arg3 = arg3 = TlsContext->RxSessionTicket->SessionTicketSize = arg3
----------------------------------------------------------*/
#ifndef _clog_4_ARGS_TRACE_SchannelClientRxTicket
#define _clog_4_ARGS_TRACE_SchannelClientRxTicket(uniqueId, arg1, encoded_arg_string, arg3)\
tracepoint(CLOG_TLS_SCHANNEL_C, SchannelClientRxTicket , arg1, arg3);\

#endif

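Review bot: renaming SchannelIgnoringTicket to SchannelServerTxTicket and SchannelProcessingData to SchannelTlsProcessingData changes the trace event identifiers and, for the first, the meaning ("Ignoring %u ticket bytes" becomes "Sending managed resumption ticket data, %u bytes"); any ETW/LTTng consumer or detection rule keyed on the old names will break or misread the event. Call this out in the release notes and point consumers at the new Info-level SchannelServerIgnoringTicket/SchannelClientIgnoringTicket events, which now carry the "ignoring" semantics. SchannelServerRxTicket and SchannelClientRxTicket have the same non-NULL precondition on RxAppSessionState/RxSessionTicket as those events.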
Expand Down Expand Up @@ -481,11 +597,11 @@ tracepoint(CLOG_TLS_SCHANNEL_C, TlsError , arg2, arg3);\
// Decoder Ring for TlsErrorStatus
// [ tls][%p] ERROR, %u, %s.
// QuicTraceEvent(
TlsErrorStatus,
"[ tls][%p] ERROR, %u, %s.",
TlsContext->Connection,
Status,
"Convert SNI to unicode");
TlsErrorStatus,
"[ tls][%p] ERROR, %u, %s.",
TlsContext->Connection,
Status,
"Convert SNI to unicode");
// arg2 = arg2 = TlsContext->Connection = arg2
// arg3 = arg3 = Status = arg3
// arg4 = arg4 = "Convert SNI to unicode" = arg4