[Android] Investigate support for SSLStream below API Level 24

[steveisok]

The block below will throw a PNSE because SNIHostName and SSLEngine.setServerNames are only supported on API level 24 and above.

Here is a sample that can throw the PNSE:

using var client = new TcpClient("login.sequrix.com", 443);
            using var stream = new SslStream(client.GetStream(), false);
            stream.AuthenticateAsClient(new SslClientAuthenticationOptions()
            {
                TargetHost = "login.sequrix.com"
            });
            stream.Read(new byte[100], 0, 100);

We should investigate if there are any alternative approaches.

[ghost]

Tagging subscribers to this area: @dotnet/ncl
See info in area-owners.md if you want to be subscribed.

Issue Details

---

The block below will throw a PNSE because SNIHostName and setServerNames are only supported on API level 24 and above.

Here is a sample that can throw the PNSE:

using var client = new TcpClient("login.sequrix.com", 443);
            using var stream = new SslStream(client.GetStream(), false);
            stream.AuthenticateAsClient(new SslClientAuthenticationOptions()
            {
                TargetHost = "login.sequrix.com"
            });
            stream.Read(new byte[100], 0, 100);

We should investigate if there are any alternative approaches.

Author:	steveisok
Assignees:	-
Labels:	area-System.Net, untriaged
Milestone:	8.0.0

[ghost]

Tagging subscribers to this area: @dotnet/ncl, @vcsjones
See info in area-owners.md if you want to be subscribed.

Issue Details

---

The block below will throw a PNSE because SNIHostName and setServerNames are only supported on API level 24 and above.

Here is a sample that can throw the PNSE:

using var client = new TcpClient("login.sequrix.com", 443);
            using var stream = new SslStream(client.GetStream(), false);
            stream.AuthenticateAsClient(new SslClientAuthenticationOptions()
            {
                TargetHost = "login.sequrix.com"
            });
            stream.Read(new byte[100], 0, 100);

We should investigate if there are any alternative approaches.

Author:	steveisok
Assignees:	-
Labels:	area-System.Net, area-System.Net.Security, untriaged
Milestone:	8.0.0

[steveisok]

After looking at this again, it does seem returning UNSUPPORTED_API_LEVEL is heavy handed.

runtime/src/native/libs/System.Security.Cryptography.Native.Android/pal_sslstream.c

Lines 484 to 488 in 563297d

	if (g_SNIHostName == NULL || g_SSLParametersSetServerNames == NULL)
	{
	// SSL not supported below API Level 24
	return UNSUPPORTED_API_LEVEL;
	}

It does appear that the java SSLEngine can be created with a host name and a port. Not sure how much of the interop we would have to shuffle to accommodate.

[rgroenewoudt]

This also effects SocketsHttpHandler and ClientWebSocket usage with HTTPS.

For example:

var client = new HttpClient(new SocketsHttpHandler());
await client.GetStringAsync("https://google.com");

[simonrozsival]

I digged into it and it seems that we can force APIs 21-23 to do what we want, although it's not very clean. I'll try to open a draft PR so that we can have a discussion if those code changes are acceptable or not.

[marek-safar]

API23 is 5+ years out of supported version, do we need to support that in net8?

[simonrozsival]

There are still quite a few devices running APIs 21-23 in the wild, around 6.1%. It would be easier to drop support for them, but it should be possible to keep supporting them with relatively little effort.

[steveisok]

API23 is 5+ years out of supported version, do we need to support that in net8?

I'll raise that with the larger team and see if there's a desire to bump the min version. I think this definitely needs to be fixed for .NET 6/7.

[karelz]

Fixed in main (8.0) in PR #78918 and in 7.0.3 in PR #79280 and in 6.0.14 in PR #79277.