
fix LocalCertificateSelectionCallback on unix #63200

Merged
merged 14 commits into from
Jan 12, 2022

Conversation

wfurt
Member

@wfurt wfurt commented Dec 29, 2021

As noted in #52499, on Windows LocalCertificateSelectionCallback can be called twice (or more).
First it is called before the handshake with the certificate and trusted CA list empty. If the server asks for a client certificate, the handshake will stop with 'CredentialsNeeded' and we would call the callback once again with the certificate provided by the server and possibly the CA list. All that logic is missing on Linux and that is the main reason why the remote certificate and CA list are always empty. We already had fragments of code to deal with the CA list but they were never invoked, i.e. it was just dead baggage.

Since both Linux (OpenSSL) and macOS have a mechanism to do it, this change brings both to parity with Windows.
I'm not sure if the first invocation before the handshake makes sense but I decided to keep it for compatibility.
We may improve documentation with a note about multiple invocations on a single SSL session.

Unlike Windows where this is done via new credentials, both OSes need to set the certificate on the Ssl session itself.
With OpenSSL we use SSL_set_cert_cb and SslSetBreakOnCertRequested on macOS. That will make the handshake stop with a particular error. We call the callback and set the certificate on the session if provided by the user.

While we still cannot set and test the CA list on Unix, I added a test to verify that the callback is called with a real certificate, i.e. in the middle of the SSL handshake.

fixes #52499
contributes to #55802
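An added example (not code from this PR or from dotnet/runtime) of a client-side callback written to cope with the behaviour described above: it may run once before the handshake with no remote certificate and an empty issuer list, and again when the server's CertificateRequest arrives with acceptableIssuers populated. The class name, host and port are assumptions for illustration.

```csharp
using System;
using System.Linq;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

// Hypothetical helper: selects a client certificate for SslStream.
static class ClientCertSelector
{
    // Signature matches the LocalCertificateSelectionCallback delegate.
    public static X509Certificate? Select(
        object sender, string targetHost, X509CertificateCollection localCertificates,
        X509Certificate? remoteCertificate, string[] acceptableIssuers)
    {
        // The runtime may invoke this twice per handshake: once up front
        // (remoteCertificate null, acceptableIssuers empty) and again once the
        // server has sent CertificateRequest. remoteCertificate is not relied on
        // here because it can also be null on Windows (see #63321), so only the
        // issuer list drives the decision. A server that sends no CA list makes
        // the two invocations indistinguishable, so the fallback below applies.
        var candidates = localCertificates.OfType<X509Certificate2>()
            .Where(c => c.HasPrivateKey)            // client auth needs the private key
            .ToList();

        if (acceptableIssuers is { Length: > 0 })
        {
            // Compare DER-encoded issuer names rather than strings, so that
            // formatting differences between platforms do not cause mismatches.
            var wanted = acceptableIssuers.Select(dn => new X500DistinguishedName(dn).RawData).ToList();
            return candidates.FirstOrDefault(
                c => wanted.Any(raw => raw.SequenceEqual(c.IssuerName.RawData)));
        }

        // No issuer constraint from the server (or the pre-handshake call):
        // offer the first usable certificate, or null to send none.
        return candidates.FirstOrDefault();
    }

    // Connects to an assumed host on port 443 and runs the selection callback.
    public static async Task ConnectAsync(string host, X509Certificate2Collection clientCerts)
    {
        using var tcp = new TcpClient();
        await tcp.ConnectAsync(host, 443);
        using var ssl = new SslStream(tcp.GetStream(), leaveInnerStreamOpen: false);
        await ssl.AuthenticateAsClientAsync(new SslClientAuthenticationOptions
        {
            TargetHost = host,
            ClientCertificates = clientCerts,
            LocalCertificateSelectionCallback = Select,
        });
        Console.WriteLine($"{ssl.SslProtocol}; client certificate sent: {ssl.LocalCertificate != null}");
    }
}
```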

@wfurt wfurt added area-System.Net.Security os-linux Linux OS (any supported distro) os-mac-os-x macOS aka OSX labels Dec 29, 2021
@wfurt wfurt requested review from stephentoub, bartonjs and a team December 29, 2021 20:53
@wfurt wfurt self-assigned this Dec 29, 2021
@ghost

ghost commented Dec 29, 2021

Tagging subscribers to this area: @dotnet/ncl, @vcsjones
See info in area-owners.md if you want to be subscribed.


@wfurt
Member Author

wfurt commented Jan 4, 2022

I did more testing and it seems like the remoteCertificate is always null on Windows. We make an attempt but it always fails. I opened #63321 to track that and I added a note to the new test.
This change brings both remoteCertificate and acceptableIssuers on macOS and Linux.
I expect more changes when we implement #55802 and we could actually test the acceptableIssuers.

Conflicts resolved, this should be good for review.

@wfurt wfurt merged commit 8fef95b into dotnet:main Jan 12, 2022
@wfurt wfurt deleted the certSelect_52499 branch January 12, 2022 21:32
@ghost ghost locked as resolved and limited conversation to collaborators Feb 12, 2022
@karelz karelz added this to the 7.0.0 milestone Apr 8, 2022
Successfully merging this pull request may close these issues.

Unable to get acceptableIssuers from LocalCertificateSelectionCallback