SslStream delayed client certificate with legacy OpenSSL #55761

Closed
wfurt opened this issue Jul 15, 2021 · 5 comments
Labels: area-System.Net.Security, enhancement (product code improvement that does NOT require public API changes/additions), os-linux (Linux OS, any supported distro)

Comments

wfurt (Member) commented Jul 15, 2021

#54692 added support for NegotiateClientCertificateAsync on Linux. This seems to work reliably only with OpenSSL 1.1.1 (current LTS). We should investigate the failures on older OpenSSL versions (1.0.0 and 1.1.0) and possibly throw PNSP.

It would be nice to re-test with OpenSSL 3.0 to make sure we did not use anything marked as deprecated or missing in 3.0.

@wfurt wfurt added area-System.Net.Security os-linux Linux OS (any supported distro) labels Jul 15, 2021
ghost commented Jul 15, 2021

Tagging subscribers to this area: @dotnet/ncl, @vcsjones
See info in area-owners.md if you want to be subscribed.

@dotnet-issue-labeler dotnet-issue-labeler bot added the untriaged New issue has not been triaged by the area owner label Jul 15, 2021
wfurt (Member, Author) commented Jul 15, 2021

related to #49346

@karelz karelz added enhancement Product code improvement that does NOT require public API changes/additions and removed untriaged New issue has not been triaged by the area owner labels Jul 15, 2021
@karelz karelz added this to the 6.0.0 milestone Jul 15, 2021
karelz (Member) commented Jul 15, 2021

Triage: We should add the PNSE and check OpenSSL 3.0 for 6.0 release.
Then we can move it to Future or decide to close as the legacy OpenSSL versions are being pushed out of distros.

aik-jahoda (Contributor) commented Jul 27, 2021

Tested the following configuration:

  • .NET SslStream authenticated as server (on OpenSSL 1.0.0t).
  • OpenSSL s_client (non-.NET): OpenSSL 1.0.0t, OpenSSL 1.1.1k, OpenSSL 3.0.0-beta1

The above configuration works as expected.

If we use the SslStream client with OpenSSL 1.0.0/1.1.0, then it fails.
The SslStream client works only with OpenSSL 1.1.1.

SslStream authenticated as client is without change; throwing PNSE (when using an OpenSSL version smaller than 1.1.1) would

  1. be a breaking change
  2. not be nice, as the exception would be triggered by the server (when requesting a certificate) and would depend on the server. Instead, the client shouldn't ignore the server HELLO request.
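Server-side use of the delayed client certificate request that the configuration above exercises, as an added C# example (not code from the issue or from the dotnet/runtime repository). The already-wrapped `ssl` stream, the server certificate and the `wantsClientCert` decision are assumptions; the catch clauses show how the failure modes discussed in this thread (PNSE, or a peer that simply drops the connection) surface to the application.

```csharp
using System;
using System.IO;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

// Added example, not code from the issue or from dotnet/runtime.
// Assumes 'ssl' already wraps an accepted server-side network stream and
// 'wantsClientCert' is a hypothetical application decision made after the
// initial handshake (for example, based on the requested resource).
static async Task<X509Certificate?> AuthenticateWithDelayedClientCertAsync(
    SslStream ssl, X509Certificate2 serverCert, Func<SslStream, bool> wantsClientCert)
{
    // First handshake: no client certificate requested, so clients that cannot
    // do renegotiation / post-handshake auth still connect normally.
    var options = new SslServerAuthenticationOptions
    {
        ServerCertificate = serverCert,
        ClientCertificateRequired = false,
        // Reject any chain error once a client certificate does arrive.
        RemoteCertificateValidationCallback =
            (_, _, _, errors) => errors == SslPolicyErrors.None,
    };
    await ssl.AuthenticateAsServerAsync(options);

    if (!wantsClientCert(ssl))
        return null;

    try
    {
        // Delayed request: TLS 1.2 renegotiation or TLS 1.3 post-handshake auth.
        // This is the path the issue covers: reliable only with OpenSSL 1.1.1
        // on the .NET client side; older peers may simply drop the connection.
        await ssl.NegotiateClientCertificateAsync();
    }
    catch (PlatformNotSupportedException)
    {
        // Runtime / crypto-library combination without delayed client auth support.
        return null;
    }
    catch (IOException)
    {
        // Peer closed the connection instead of presenting a certificate.
        return null;
    }

    // Null if the client declined to present a certificate.
    return ssl.RemoteCertificate;
}
```

A caller that treats a null return as "no client identity" and denies the protected resource gets the behaviour the triage comment relies on: the server, not an exception in the client, decides what happens when delayed client authentication is unavailable.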

karelz (Member) commented Jul 27, 2021

Triage: Given that we didn't throw PNSE in 5.0, but relied on server reaction to unsupported feature (e.g. refused connection, etc.), it is fine to keep it in 6.0 the same way for certain older OpenSSL versions (which are on older distros which in time will be out of support anyway).
If there is business demand in future, we can reconsider.

Close

@karelz karelz closed this as completed Jul 27, 2021
@ghost ghost locked as resolved and limited conversation to collaborators Aug 26, 2021