SslStream.AuthenticateAsClientAsync behaves wrong with TLS 1.3 #69315
Comments
Tagging subscribers to this area: @dotnet/ncl, @vcsjones
Can you post a simple repro @jbe2277? There was a Windows bug where it would fail with 0x80090317 in a scenario like yours. That should be fixed if you are running with all updates.
When the client does not provide the client certificate the
Use case: I need to get the information on the client side that the TLS mutual authentication failed because of a missing or wrong client certificate. In such a case we will show how the user can solve it. But with a generic Expected: I would expect that Here is the output of my simple repro. Changing from Tls12 to Tls13 shows the same behavior here:
I think I understand now more what is happening. This is running TLS 1.2 on W11: The peers exchange secrets in packets 62 & 64. That makes the handshake complete & successful. Then the server sends It is certainly possible the exchange or timing is different with OpenSSL. I don't think this is generally fixable as it depends on timing and particular stack behavior. I put up some mockup code to SslStream to recognize the alert but that will not work with TLS 1.3 as everything after is visible only as application data (and SslStream does not have access to the session encryption key). You could possibly use
Triage: we should improve the error messages, and see if we can do better.
I know. But as I mentioned, I don't see anything we can do to force the exception to
I understand. A better error would help as well. Thanks.
Description
I need to connect to a server via TcpClient and SslStream which requires TLS >= 1.2. The server can be configured to require a valid client certificate (TLS mutual authentication).
My scenario: Server is configured to require a client certificate but my client calls SslStream.AuthenticateAsClientAsync without any client certificates.
Client environment:
Reproduction Steps
None
Expected behavior
The method AuthenticateAsClientAsync throws an AuthenticationException because the server requires a valid client certificate, but none is provided.
This works as expected on Win10 20H2 with TLS 1.2.
Actual behavior
The AuthenticateAsClientAsync method returns successfully and the SslStream.IsAuthenticated property returns true. When the SslStream is used, the following exception is thrown:
Regression?
TLS 1.2: Correct behavior
TLS 1.3: Wrong behavior
Known Workarounds
No response
Configuration
No response
Other information
No response
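A client-side handling pattern for the behaviour described in this issue and in the maintainer's TLS 1.3 analysis above, added here as an example; it is not code from the issue or from dotnet/runtime. Host, port, the first message and the mapping of a post-handshake IOException or immediate close to "rejected" are assumptions.

```csharp
using System.IO;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Threading;
using System.Threading.Tasks;
// Added example: treats the first application round trip as part of authentication,
// because under TLS 1.3 the server's "client certificate required" rejection may only
// become visible after AuthenticateAsClientAsync has already returned successfully.
static class MutualTlsClient
{
    public enum Outcome { Ok, RejectedDuringHandshake, RejectedAfterHandshake }
    public static async Task<Outcome> ConnectAndSendAsync(
        string host, int port, byte[] firstMessage, CancellationToken ct)
    {
        using var tcp = new TcpClient();
        await tcp.ConnectAsync(host, port, ct);
        using var ssl = new SslStream(tcp.GetStream(), leaveInnerStreamOpen: false);
        var options = new SslClientAuthenticationOptions
        {
            TargetHost = host,
            EnabledSslProtocols = SslProtocols.Tls12 | SslProtocols.Tls13,
            // ClientCertificates deliberately left unset: the scenario from the issue.
        };
        try
        {
            await ssl.AuthenticateAsClientAsync(options, ct);
        }
        catch (AuthenticationException)
        {
            // The TLS 1.2 behaviour reported in the issue: the handshake itself fails.
            return Outcome.RejectedDuringHandshake;
        }
        // TLS 1.3: ssl.IsAuthenticated is true here even if the server is about to reject us;
        // its alert arrives as encrypted post-handshake data, so the first round trip decides.
        try
        {
            await ssl.WriteAsync(firstMessage, ct);
            var reply = new byte[1];
            int n = await ssl.ReadAsync(reply, ct);
            // 0 bytes means the server closed without answering (assumed: rejection).
            return n == 0 ? Outcome.RejectedAfterHandshake : Outcome.Ok;
        }
        catch (IOException)
        {
            // Assumption: the server's post-handshake alert/close surfaces as IOException.
            return Outcome.RejectedAfterHandshake;
        }
    }
}
```

A real client would hand ssl on to its protocol layer after the probe read instead of disposing it here. The mapping also cannot tell a certificate rejection apart from any other immediate server close, which is the timing caveat the maintainer raised.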