[release/7.0] Fix SslStream.IsMutuallyAuthenticated#95733
Merged
rzikm merged 5 commits into dotnet:release/7.0-staging on Jan 10, 2024
Conversation
…#79128)
* fix SslStream.IsMutuallyAuthenticated with cached credentials
* nano
* protocol
* fix test
* Apply suggestions from code review
Co-authored-by: Radek Zikmund <32671551+rzikm@users.noreply.github.com>
Co-authored-by: Simon Rozsival <simon@rozsival.com>
* fix CertificateValidationClientServer_EndToEnd_Ok test
Co-authored-by: Radek Zikmund <32671551+rzikm@users.noreply.github.com>
Co-authored-by: Simon Rozsival <simon@rozsival.com>
Tagging subscribers to this area: @dotnet/ncl, @bartonjs, @vcsjones
Author: /azp run runtime-libraries-coreclr outerloop
Azure Pipelines successfully started running 1 pipeline(s).
Author: /azp run runtime-extra-platforms
Azure Pipelines successfully started running 1 pipeline(s).
This was referenced Dec 7, 2023 (closed)
wfurt approved these changes on Dec 7, 2023
stephentoub reviewed on Jan 2, 2024: src/libraries/System.Net.Security/src/System/Net/CertificateValidationPal.Android.cs (resolved)
stephentoub reviewed on Jan 2, 2024: src/libraries/System.Net.Security/src/System/Net/CertificateValidationPal.Windows.cs (resolved)
stephentoub reviewed on Jan 2, 2024: src/libraries/System.Net.Security/src/System/Net/CertificateValidationPal.Windows.cs (outdated, resolved)
…lidationPal.Windows.cs Co-authored-by: Stephen Toub <stoub@microsoft.com>
stephentoub reviewed on Jan 9, 2024: src/libraries/System.Net.Security/src/System/Net/Security/SslStreamPal.Unix.cs (resolved)
stephentoub reviewed on Jan 9, 2024
stephentoub approved these changes on Jan 9, 2024
Member: Approved by Tactics (@SteveMCarroll) on 1/9 via email. Adding Servicing-approved label accordingly.
Author: Build failures are either known or unrelated.
This is essentially the same as 6.0 PR #92684, but for 7.0.
This is a backport of PR #88488 and PR #79128 and parts of PR #63945.
It also brings the spirit of test-only PR #68009 to get test coverage for TLS 1.3.
This only covers Windows to minimize the code delta i.e. it does not bring all the changes from PR #63945 to cover Linux & macOS.
Customer Impact
The property IsMutuallyAuthenticated on SslStream indicates if mutual TLS authentication is performed with a client certificate. The current 6.0 implementation can get confused in several cases, so the value is unreliable for security audits.
Testing
This brings all the current tests from the 8.0 branch.
Customer validated on private bits in production - neither functional, nor perf regression.
Risk
Medium.
While the change is quite large, it should be specific just to that property, i.e. it should not impact the TLS handshake or any other I/O on SslStream. Since IsMutuallyAuthenticated is already unreliable, this should bring it up to the 8.0 code base to fix all known cases when it is incorrect. To reduce complexity, this fixes only Windows as the macOS & Linux changes from PR #68009 had more significant impact on functionality and flow.
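The audit concern raised under Customer Impact, as an added example that is not code from this PR or from dotnet/runtime: a loopback server that requires a client certificate, then records what the handshake actually produced and cross-checks IsMutuallyAuthenticated against RemoteCertificate, so that a stream reporting mutual authentication without a client certificate (or the reverse) is flagged instead of trusted. It assumes .NET 7 or later on Windows or Linux, that the platform TLS stack completes the handshake when the requested client certificate is absent and the validation callback accepts that, and that the two self-signed certificates are generated in-process as test material. The type and helper names (MutualAuthAudit, HandshakeAudit, AuditServerSide, HandshakeAsync, MakeCert) and the accept-everything validation callbacks are demo assumptions, not part of the SslStream API.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

// Added example, not code from this PR or from dotnet/runtime. Names and the
// permissive callbacks below are demo assumptions, not SslStream API.
static class MutualAuthAudit
{
    public record HandshakeAudit(bool IsMutuallyAuthenticated, string? ClientThumbprint)
    {
        // On a server-side stream the flag should be true exactly when a client
        // certificate was received; any disagreement means the flag cannot be
        // used as audit evidence for this connection.
        public bool Consistent => IsMutuallyAuthenticated == (ClientThumbprint is not null);
    }

    // Record what the handshake actually produced, from the server's point of view.
    public static HandshakeAudit AuditServerSide(SslStream s)
    {
        X509Certificate? remote = s.RemoteCertificate;
        string? thumbprint = remote is null ? null : new X509Certificate2(remote).Thumbprint;
        return new HandshakeAudit(s.IsMutuallyAuthenticated, thumbprint);
    }

    // Throwaway self-signed certificate with a private key (constructed test material).
    static X509Certificate2 MakeCert(string cn, bool serverAuth)
    {
        using var key = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        var req = new CertificateRequest($"CN={cn}", key, HashAlgorithmName.SHA256);
        string eku = serverAuth ? "1.3.6.1.5.5.7.3.1" : "1.3.6.1.5.5.7.3.2"; // serverAuth / clientAuth
        req.CertificateExtensions.Add(
            new X509EnhancedKeyUsageExtension(new OidCollection { new Oid(eku) }, false));
        using var cert = req.CreateSelfSigned(
            DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddHours(1));
        // Round-trip through PFX so the private key is usable by the platform TLS stack.
        return new X509Certificate2(cert.Export(X509ContentType.Pfx, "pw"), "pw",
            X509KeyStorageFlags.Exportable);
    }

    // One loopback handshake; the client either offers its certificate or answers
    // the CertificateRequest with none. Returns the server-side audit record.
    public static async Task<HandshakeAudit> HandshakeAsync(bool clientOffersCert)
    {
        using X509Certificate2 serverCert = MakeCert("localhost", serverAuth: true);
        using X509Certificate2 clientCert = MakeCert("audit-client", serverAuth: false);

        var listener = new TcpListener(IPAddress.Loopback, 0);
        listener.Start();
        int port = ((IPEndPoint)listener.LocalEndpoint).Port;

        Task<HandshakeAudit> serverTask = Task.Run(async () =>
        {
            using TcpClient tcp = await listener.AcceptTcpClientAsync();
            // Demo-only callback: accepts the self-signed client cert AND a missing one,
            // so the "no client certificate" path completes and can be audited.
            // Production code chain-validates or pins the certificate and rejects null.
            using var ssl = new SslStream(tcp.GetStream(), false, (_, _, _, _) => true);
            await ssl.AuthenticateAsServerAsync(new SslServerAuthenticationOptions
            {
                ServerCertificate = serverCert,
                ClientCertificateRequired = true,
            });
            // Audit only after the first application read, so the handshake has
            // fully settled on every TLS stack before the properties are inspected.
            var buf = new byte[1];
            await ssl.ReadAsync(buf);
            return AuditServerSide(ssl);
        });

        using var client = new TcpClient();
        await client.ConnectAsync(IPAddress.Loopback, port);
        // Demo-only: trust the self-signed server certificate.
        using var cssl = new SslStream(client.GetStream(), false, (_, _, _, _) => true);
        await cssl.AuthenticateAsClientAsync(new SslClientAuthenticationOptions
        {
            TargetHost = "localhost",
            ClientCertificates = new X509CertificateCollection { clientCert },
            LocalCertificateSelectionCallback = (_, _, _, _, _) => clientOffersCert ? clientCert : null,
        });
        await cssl.WriteAsync(new byte[] { 1 });
        await cssl.FlushAsync();

        HandshakeAudit audit = await serverTask;
        listener.Stop();
        return audit;
    }

    static async Task Main()
    {
        foreach (bool offer in new[] { true, false })
        {
            HandshakeAudit a = await HandshakeAsync(offer);
            Console.WriteLine($"client offered cert={offer}: IsMutuallyAuthenticated={a.IsMutuallyAuthenticated}, " +
                              $"client thumbprint={a.ClientThumbprint ?? "<none>"}, consistent={a.Consistent}");
        }
    }
}
```

The point of the Consistent check is that the audit record keeps both facts, the property value and the actual peer certificate thumbprint, so a release where IsMutuallyAuthenticated is wrong shows up as an inconsistent record rather than as a silently trusted one; on a fixed runtime both runs print consistent=True, with a thumbprint only when the client offered its certificate.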