Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

remoteCertificate passed to LocalCertificateSelectionCallback is always null on Windows #63321

Closed
wfurt opened this issue Jan 4, 2022 · 4 comments · Fixed by #65134
Closed

remoteCertificate passed to LocalCertificateSelectionCallback is always null on Windows #63321

wfurt opened this issue Jan 4, 2022 · 4 comments · Fixed by #65134
Assignees
@rzikm
Labels
area-System.Net.Security enhancement Product code improvement that does NOT require public API changes/additions os-windows
Milestone
7.0.0

Comments

@wfurt
Copy link
Member

wfurt commented Jan 4, 2022
edited by karelz
Loading

I bump to it while working on test for #52499. While the trusted CA list is populated on Windows the remoteCertificate is not.
We try but the call we use always fails with SEC_E_INVALID_HANDLE. I confirmed with experts that the call cannot be used until handshake is done. We use same method and credentials to get the certificate after completed handshake and it works as expected. e.g. there is nothing wrong with the method or the credential handle.

It seems like there may be way how to get the certificate but it will need some exploration and more testing.
@ghost
Copy link

ghost commented Jan 4, 2022

Tagging subscribers to this area: @dotnet/ncl, @vcsjones
See info in area-owners.md if you want to be subscribed.

Issue Details

I bump to it while working on test for #52499. While the trusted CA list is populated on Windows the emoteCertificate is not.
We try but the call we use always fails with SEC_E_INVALID_HANDLE. I confirmed with experts that the call cannot be used until handshake is done. We use same method and credentials to get the certificate after completed handshake and it works as expected. e.g. there is nothing wrong with the method or the credential handle.

It seems like there may be way how to get the certificate but it will need some exploration and more testing.

Author: wfurt
Assignees: -
Labels:

area-System.Net.Security, os-windows
Milestone: -

@dotnet-issue-labeler dotnet-issue-labeler bot added the untriaged New issue has not been triaged by the area owner label Jan 4, 2022
@wfurt wfurt changed the title LocalCertificateSelectionCallback passed to LocalCertificateSelectionCallback is always null on Windows remoteCertificate passed to LocalCertificateSelectionCallback is always null on Windows Jan 4, 2022
@wfurt wfurt mentioned this issue Jan 4, 2022
Merged
@karelz
Copy link
Member

karelz commented Jan 4, 2022
edited
Loading

Triage: We need to call different function in Schannel to get the remoteCertificate before the handshake is done.
Not urgent.

@karelz karelz modified the milestones: 7.0.0, Future Jan 4, 2022
@karelz karelz added enhancement Product code improvement that does NOT require public API changes/additions and removed untriaged New issue has not been triaged by the area owner labels Jan 4, 2022
@rzikm rzikm self-assigned this Feb 9, 2022
@rzikm
Copy link
Member

rzikm commented Feb 9, 2022

So far, I was unable to find alternative API, however, I have some notes:

  • Chromium faced related problem(need to get server cert before handshake finishes), and they "solved" id by ditching SChannel in favor of BoringSSL
  • All examples on the internet I could find used the same API as we do, but they waited until after the handshake is completed.

Can we ask the Schannel guys to point us to the appropriate API, @wfurt? because the only way I see to solve this is to manually parse the cert from the incoming data.

@wfurt
Copy link
Member Author

wfurt commented Feb 9, 2022

we should use SECPKG_ATTR_REMOTE_CERT_CHAIN IMHO. If I remember right I did quick try while back and it did not fail event when called during handshake.
There is also newer API we can use as fallback but that would work only on some supported Windows versions ... but that may be good enough.

@rzikm rzikm mentioned this issue Feb 10, 2022
Merged
@ghost ghost added the in-pr There is an active PR which will close this issue when it is merged label Feb 10, 2022
rzikm added a commit to rzikm/dotnet-runtime that referenced this issue Feb 23, 2022
@rzikm
Use SECPKG_ATTR_REMOTE_CERT_CHAIN to retrieve server cert during hand…
de5f958 
…shake

Fixes dotnet#63321
@ghost ghost removed the in-pr There is an active PR which will close this issue when it is merged label Feb 24, 2022
@ghost ghost locked as resolved and limited conversation to collaborators Mar 26, 2022
@karelz karelz modified the milestones: Future, 7.0.0 Apr 8, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@rzikm rzikm

Labels
area-System.Net.Security enhancement Product code improvement that does NOT require public API changes/additions os-windows
Projects
None yet
Milestone
7.0.0
Development

Successfully merging a pull request may close this issue.

Use SECPKG_ATTR_REMOTE_CERT_CHAIN to retrieve server cert during handshake rzikm/dotnet-runtime
3 participants
@karelz @wfurt @rzikm