Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

use new API on new windows to get TLS13 #37888

Merged
merged 10 commits into from
Jul 15, 2020
Merged

use new API on new windows to get TLS13 #37888

merged 10 commits into from
Jul 15, 2020

Conversation

wfurt
Copy link
Member

@wfurt wfurt commented Jun 15, 2020

Update SslStream to use SCH_CREDENTIALS on new Windows builds. It does not allow to enforce EncryptionPolicy.NoEncryption so when requested, we will fall-back to legacy API and protocols.

It will negotiate TLS 1.3 on Windows insider build and it will pass all tests (but the one bellow)

fixes #1720

SslStream_StreamToStream_ClientInitiatedCloseNotify_Ok test was failing. After some experiments, it can pass if server passes some data before shutdown. This is probably OS bug and ticket was opened to track it. Completion of TLS 1.3 piggy backs on application frames but this should work IMHO. I updated the test to run with and without extra data to make it more visible. We can decided what to do when we get new windows build to CI.

@wfurt wfurt self-assigned this Jun 15, 2020
@ghost
Copy link

ghost commented Jun 15, 2020

Tagging subscribers to this area: @dotnet/ncl
Notify danmosemsft if you want to be subscribed.

@wfurt wfurt mentioned this pull request Jun 15, 2020
Merged
@wfurt
Copy link
Member Author

wfurt commented Jul 1, 2020

this is ready for another review round.

stephentoub
stephentoub reviewed Jul 3, 2020
View reviewed changes
src/libraries/Common/src/Interop/Windows/SspiCli/Interop.SSPI.cs
public int cCreds;

// This is pointer to arry of CERT_CONTEXT*
// We do not use it directly in .NET. Instead, we wrap returned OS pointer in safe handle.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this comment needed? I'm not even sure what it means; we do use it.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the meaning was that we do not dereference or use CERT_CONTEXT in .NET. So it is pointer to a structure but that is hidden to PAL.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I added that comment after your questions about IntPtr vs something strongly typed.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So the "it" in we dot not use it" is referring to CERT_CONTEXT rather than to paCred? That was my confusion.

But, even so, we are kind of using it, aren't we? X509Certificate.Handle must be a CERT_CONTEXT*; we're storing that into paCred, effectively storing a pointer to an array of one CERT_CONTEXT. So while we're not naming it as such, we are using it.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes. I assumed the "directly" would be a hint but obviously it is not clear. I was also thinking about also adding CERT_CONTEXT so we can see details in debugger but that is somewhat complicated with more pointers inside.
Maybe Windbg could do cast to native but I failed so far with VS.

stephentoub
stephentoub reviewed Jul 3, 2020
View reviewed changes
src/libraries/System.Net.Security/src/System/Net/Security/SslStreamPal.Windows.cs
credential.pTlsParameters = &tlsParameters;
}

return AcquireCredentialsHandle(direction, &credential);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This credential is storing a pointer to something on the stack. I assume that whatever AcquireCredentialsHandle returns doesn't expect that to still be alive?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

not as far as I know. I can verify that as well. I expect tile time to be same as the structure.

scalablecory
scalablecory approved these changes Jul 14, 2020
View reviewed changes
Copy link
Contributor

@scalablecory scalablecory left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks good, thanks.

src/libraries/System.Net.Security/src/System/Net/Security/SslStreamPal.Windows.cs Outdated Show resolved Hide resolved
src/libraries/Common/src/Interop/Windows/SspiCli/SecuritySafeHandles.cs Outdated Show resolved Hide resolved
@wfurt wfurt closed this Jul 15, 2020
@wfurt wfurt reopened this Jul 15, 2020
@wfurt
Copy link
Member Author

wfurt commented Jul 15, 2020

/azp run runtime-libraries

@azure-pipelines
Copy link

No pipelines are associated with this pull request.

@wfurt wfurt closed this Jul 15, 2020
@wfurt wfurt reopened this Jul 15, 2020
@wfurt
Copy link
Member Author

wfurt commented Jul 15, 2020

/azp help

@azure-pipelines
Copy link

Supported commands
  • help:
    • Get descriptions, examples and documentation about supported commands
    • Example: help "command_name"
  • list:
    • List all pipelines for this repository using a comment.
    • Example: "list"
  • run:
    • Run all pipelines or specific pipelines for this repository using a comment. Use this command by itself to trigger all related pipelines, or specify specific pipelines to run.
    • Example: "run" or "run pipeline_name, pipeline_name, pipeline_name"
  • where:
    • Report back the Azure DevOps orgs that are related to this repository and org
    • Example: "where"

See additional documentation.

@wfurt
Copy link
Member Author

wfurt commented Jul 15, 2020

/azp list

@azure-pipelines
Copy link

CI/CD Pipelines for this repository:

@safern safern closed this Jul 15, 2020
@safern safern reopened this Jul 15, 2020
@wfurt wfurt merged commit a4051a5 into dotnet:master Jul 15, 2020
@safern
Copy link
Member

safern commented Jul 15, 2020

@wfurt I know CI is acting weird. However this was merged without CI run. There was only the cla that was triggered.

@wfurt
Copy link
Member Author

wfurt commented Jul 15, 2020

oops. I let it sit and did something else and then I saw it green.

@wfurt wfurt mentioned this pull request Jul 22, 2020
Merged
@karelz karelz added this to the 5.0.0 milestone Aug 18, 2020
@ghost ghost locked as resolved and limited conversation to collaborators Dec 8, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@bartonjs bartonjs bartonjs left review comments

@davidsh davidsh davidsh left review comments

@stephentoub stephentoub stephentoub left review comments

@scalablecory scalablecory scalablecory approved these changes

Assignees

@wfurt wfurt

Labels
area-System.Net.Security os-windows
Projects
None yet
Milestone
5.0.0
Development

Successfully merging this pull request may close these issues.

TLS1.3 does not work on Windows
7 participants
@wfurt @safern @stephentoub @scalablecory @davidsh @bartonjs @karelz