Compartilhar via


3.3.5.1 Accepting an Incoming Connection

If ServerEnabled is FALSE, the server MUST NOT accept any incoming connections.

If IsMutualAuthOverQUICSupported is TRUE and the server receives a connection attempt from the client over QUIC, the server MUST send a certificate chain to the client to be authenticated. The server MUST look up a ServerCertificateMappingEntry in the ServerCertificateMappingTable with ServerCertificateMappingEntry.ServerName matching the server name that QUIC is connected to. If the entry is not found, the server MUST terminate the connection. If the entry is found, the server MUST send ServerCertificateMappingEntry.Certificate and ServerCertificateMappingEntry.RequireClientAuthentication to QUIC and accept the QUIC connection.

If ServerCertificateMappingEntry.RequireClientAuthentication is TRUE, the server MUST authenticate the client in addition to the client authenticating the server. QUIC will not allow the connection to be established unless the client presents a valid and trusted certificate chain to the server.

During a connection attempt over QUIC, QUIC notifies SMB server of the client certificate validation results. If the validation fails, the server MUST terminate the connection. If the validation succeeds and ServerCertificateMappingEntry.SkipClientCertificateAccessCheck is TRUE, the server MUST notify QUIC that the connection MUST be established. If the validation succeeds and ServerCertificateMappingEntry.SkipClientCertificateAccessCheck is FALSE, the server MUST perform the access check algorithm specified in section 3.3.1.18. If the client is denied access to the server, the server MUST pass the access_denied(49) TLS alert code, as specified in [RFC8446], to QUIC and MUST terminate the connection. If the access check fails, the server MUST pass the internal_error(80) TLS alert code to QUIC and MUST terminate the connection. If the access check succeeds, the server MUST establish a connection over QUIC.

When the server accepts an incoming connection from any of its registered transports, it MUST allocate a Connection object for it. The Connection object is initialized as described here.

Connection.CommandSequenceWindow is set to a sequence window, as specified in section 3.3.1.1, with a starting receive sequence of 0 and a window size of 1.

Connection.AsyncCommandList is set to an empty list.

Connection.RequestList is set to an empty list.

Connection.ClientCapabilities is set to 0.

Connection.NegotiateDialect is set to 0xFFFF.

Connection.Dialect is set to "Unknown".

Connection.ShouldSign is set to FALSE.

Connection.ClientName is set to be a null-terminated Unicode string of an IP address if the connection is on TCP port 445, or a NetBIOS host name if the connection is on TCP port 139.

Connection.MaxTransactSize is set to 0.

Connection.SupportsMultiCredit is set to FALSE.

Connection.TransportName is set to the implementation-specific name of the transport used by this connection <250> as obtained by implementation-specific means from the transport that indicated the incoming connection.

Connection.SessionTable MUST be set to an empty table.

Connection.CreationTime is set to the current time.

Connection.ConstrainedConnection, if implemented, MUST be set to TRUE.

Connection.CompressionIds, if implemented, MUST be set to an empty list.

Connection.ServerCertificateMappingEntry MUST be set to ServerCertificateMappingEntry used in QUIC connection establishment.

The server MUST invoke the event specified in [MS-SRVS] section 3.1.6.16 to update the connection count by providing the tuple <Connection.TransportName,TRUE>.

This connection MUST be inserted into the global ConnectionList.